After hack, LivingSocial tells 50M users to reset passwords
Users’ names, email addresses and passwords may have been accessed, CEO Tim O’Shaughnessy said
Computer World by Zack Miners April 26, 2013
IDG News Service –
More than 50 million users of the daily deals site LivingSocial are being asked to reset their passwords after hackers attacked the company’s servers and potentially made off with personal data.
The cyberattack “resulted in unauthorized access to some customer data on our servers,” including names, email addresses, dates of birth and encrypted passwords, LivingSocial CEO Tim O’Shaughnessy said in an email to employees and in a separate email being sent to customers.
The database that stores customer credit card information was not affected, nor was the database that stores merchants’ financial and banking information, the Washington, D.C.-based company said.
Although decoding users’ passwords “would be difficult,” the site says it is taking “every precaution” by expiring its users’ passwords and asking them to create a new one. Emails are being sent this afternoon to the more than 50 million users whose data may have been compromised, a LivingSocial spokesman said.
LivingSocial says it has 70 million members worldwide. Customers in Korea, Thailand, Indonesia and the Philippines aren’t being contacted because the company uses different computer systems in those countries, it said.
The group behind the attack has not been identified. “We are actively working with law enforcement to investigate this issue,” LivingSocial said on its website.
The hack may have resulted in users’ accounts on other sites being compromised. “We also encourage you, for your own personal data security, to consider changing password(s) on any other sites on which you use the same or similar password(s),” O’Shaughnessy said.
“We need to do the right thing for our customers who place their trust in us,” O’Shaughnessy said in the employee email, adding, “We’ll all need to work incredibly hard over the coming days and weeks to validate that faith and trust.”
The hack follows a slew of attacks on Twitter, Facebook, Microsoft and other companies. LivingSocial said it is “redoubling” its efforts to prevent future breaches.
“With this release you can choose to protect your entire account with two-step verification, regardless of what service (or device) you are using with your Microsoft account,” wrote Eric Doerr, Microsoft Account group program manager, in a blog entry announcing the secondary authentication. “It’s your choice whether you want to enable this, but for those of you that are looking for ways to add additional security to your account, we’ve worked hard to make set-up really easy.”
With two-factor authentication, a user logging in to a service or device supplies a second piece of information in addition to a password, thus making it impossible for another party to gain illicit access to the user’s accounts without all the separate pieces of information. Microsoft is using additional verification methods such as a short code sent to the user’s mobile phone, which is then entered in addition to the password, or by asking the user to supply additional information, such as an alternative email address.
Microsoft Account, formerly called Windows Live ID, is a single sign-on Web service to authenticate users of Outlook.com, SkyDrive, Skype, and other Microsoft services. It can also be used as an authentication mechanism for Windows PCs, the Xbox and Microsoft Office. Overall, Microsoft has over 700 million users registered to Microsoft Account.
Users will find instructions on how to add a second form of authentication on the Microsoft Account settings page. The chief form of secondary authentication will be a short code sent, each time the user logs on, to the user’s mobile phone, the number of which Microsoft will keep on file.
As an alternative to security codes, Microsoft is providing a number of other forms of authentication as well. For smartphones, users can deploy an authenticator app. Microsoft has released an authenticator app for Windows Phones, and third-party authenticator apps can be used for other platforms. For those devices that do not directly support two-factor authentication, such as the Xbox, users can get a secondary password, one unique to each device.
Microsoft can also keep a list of trusted devices designated by the user. With such devices, users enter a security code once and have that device remembered in future visits, eliminating the need to enter the security code for each login. Microsoft currently offers this capability, but only with Internet Explorer and the use of additional software. Users can manage their list of trusted devices through their account settings page.
Doerr cautioned that, though more secure, two-factor authentication can be more difficult to manage. Losing a security code results in a 30-day wait for a new code. And Microsoft is asking for at least two pieces of information on file, in case one of the pieces is lost or forgotten. And if the user loses both the password and all the security information, he or she will not be able to access the account again.
The 40 requests, which were tallied by the union that represents rank-and-file officers, have come in the two months since Dorner sought revenge for his 2009 firing by targeting police officers and their families in a killing rampage that left four dead and others injured.
Dorner’s allegations of a department plagued by racism and special interests left Chief Charlie Beck scrambling to stem a growing chorus of others who condemned Dorner’s violence but said his complaints about the department were accurate. To assuage concerns, Beck vowed to re-examine the cases of other former officers who believed they had been wrongly expelled from the force.
Now, details of how the department plans to make good on Beck’s offer are becoming clear. And, for at least some of the disgruntled ex-officers, they will be disappointing.
In letters to those wishing to have their case reviewed, department officials explain that the city’s charter, which spells out the authority granted to various public officials, prevents the police chief from opening new disciplinary proceedings for an officer fired more than three years ago.
“Therefore the Department does not have the power to reinstate officers whose terminations occurred more than three years ago,” wrote Gerald Chaleff, the LAPD’s special assistant for constitutional policing. “You are being informed of this to forestall any misconceptions about the power of the department.”
The reviews remain one of the unsettled postscripts to the Dorner saga. In February, three years after he was fired for allegedly fabricating a story about his partner inappropriately kicking a handcuffed suspect, Dorner resurfaced in violent fashion, bent on seeking revenge for his ouster.
After killing the daughter of the attorney who defended him at his disciplinary hearing and her fiance, Dorner killed two police officers and wounded three other people as he evaded capture during a massive manhunt. After more than a week on the run, Dorner was chased into a cabin in the mountains near Big Bear, where he died from what appeared to be a self-inflicted gunshot wound.
Dorner had posted online an angry manifesto of sorts in which he claimed that he had been a victim of a racist, corrupt police organization that protects its favored officers at the expense of those trying to report abuses. Those accusations tapped into deep wells of discontent and distrust that officers and minority communities have felt toward the department. Beck sought to reassure doubters that years of reforms had changed the department and buried the “ghosts” of the past. He then offered to review past discipline cases.
Fired officers who wish to have their terminations re-examined must first submit an affidavit or similar declaration within two months of receiving the letter from Chaleff, according to a copy obtained by The Times. The letter was sent in recent weeks to the former officers who have already come forward.
Using “clear and convincing language,” the letter instructs ex-officers to explain “the new evidence or change in circumstances that would justify a re-examination of your termination.”
LAPD Cmdr. Andrew Smith said Chaleff will conduct a review for anyone who follows the rules laid out in the letter. “We will do whatever it takes on the cases, including redoing interviews, if necessary,” he wrote in an email.
The department and the Protective League declined to release the names of former officers who have requested reviews.
Gary Ingemunson, a longtime attorney for the League, used the case reviews as an opportunity to revive the League’s perennial criticism that disciplinary hearings, called Boards of Rights, are stacked against officers.
“The Board of Rights system could be fair, but for the last few years the Department has consistently outdone itself in the attempt to completely skew the system against the officer. The Department wants to win. End of story,” Ingemunson wrote in a column in the current issue of the union’s monthly magazine.
One of the problems, Ingemunson and other union lawyers have said, is the makeup of the three-person panels that decide an officer’s fate. Two of the judges are senior-level LAPD officers, while the third is a civilian.
According to the critics, that arrangement is unfair because officers are sent to boards whenever the chief wants them fired and the officers on the panel will feel pressure to do as the chief wants.
Smith rejected that idea, saying board members are completely free to decide as they see fit. He pointed to department figures showing that over the last three years, officers sent by the chief to Boards of Rights were fired in only about 60% of the cases.
Smith defended the department’s disciplinary system in general, saying it has been in place for decades and stood up under repeated scrutiny by oversight bodies.
Australian police arrest senior member of LulzSec hacking group
Yahoo News by Jane Wardell/ Reuters April 24, 2013
SYDNEY (Reuters) –
Australian Federal Police have arrested the self-proclaimed leader of the international hacking group LulzSec, the collective that claimed responsibility for infiltrating and shutting down the CIA website.
Police said the 24-year-old IT worker, who held a position of trust at an international company, was arrested in Sydney on Tuesday evening and charged with hacking offences that carry a maximum penalty of 10 years.
Glen McEwen, manager of cyber crime operations at Australian Federal Police, said the man was detained at work, where he had access to sensitive information from clients including government agencies.
LulzSec, an offshoot of the international hacking group Anonymous, has taken credit for hacking attacks on government and private sector websites, including the Central Intelligence Agency (CIA), Sony Pictures, a unit of Sony Corp, 20th Century Fox and Nintendo.
Anonymous – and LulzSec in particular – became notorious in late 2010 when they launched what they called the “first cyber war” in retaliation for attempts to shut down the Wikileaks website.
The name LulzSec is a combination of “lulz”, another way of writing “lols” or “laugh out loud”, and security.
Australian police said the unnamed Australian man, who used the online moniker “Aush0k”, was known to international law authorities.
His arrest comes a week after an American member of LulzSec, Cody Kretsinger, was sentenced in a Los Angeles court to a year in prison followed by home detention. Kretsinger, who used the online handle “Recursion”, pleaded guilty in a plea agreement with prosecutors.
Court documents in that case revealed that Anonymous leader “Sabu”, whose real name is Hector Xavier Monsegur, had provided the FBI with information on fellow hackers after pleading guilty to hacking offences.
The Australian hacker has been charged with two counts of unauthorized modification of data to cause impairment and one count of unauthorized access to a restricted data system after a government website was attacked earlier this month.
“Let me make it extremely clear to everybody out there, this is not harmless fun, this is serious,” McEwen said at a press conference.
McEwen said the man posted in online forums frequented by other members of LulzSec that he was the group’s leader.
“There were no denials of his claims of being the leader,” McEwen told reporters.
The man has been granted bail and will appear before a court next month.
LulzSec allegedly broke into Australian government department and university websites in 2011. Anonymous last year took around 10 Australian government websites offline, protesting plans to force ISPs to store more user data and make it available to security services.
(Additional reporting by Michael Sin; Editing by Paul Tait and Jeremy Laurence)
NYPD detective arrested for forging expense reports and stealing $6,000
The New York Daily News By Rocco Parascandola, Shayna Jacobs & Joe Kemp April 24, 2013
A veteran NYPD detective was arrested Wednesday on a 391-count indictment after internal affairs investigators found he fudged two years of expense reports to pocket almost $6,000 in cash, prosecutors said.
Michael Bazerman, 40, who headed a wiretap and surveillance squad for the Manhattan district attorney’s office, turned himself in at the 1st Precinct about 8:45 a.m., sources said.
The 18-year veteran was released without bail after he appeared in Manhattan Supreme Court, where he was arraigned on the indictment charging him with forgery and grand larceny.
Prosecutors from the Bronx DA’s office, who are handling the case, said the charges stem from a string of bogus petty cash reimbursement invoices the cop filed between 2009 and 2011.