Alleged Kelihos botmaster and spam king extradited to US

By Lisa Vaas

Peter Yuryevich Levashov – a 37-year-old Russian computer programmer, accused by the FBI of developing the Kelihos botnet and using it to stuff inboxes with Viagara and Cialis spam; to steal bitcoin wallets and other financial data; and to spew malware, including banking Trojans and ransomware, worldwide – has been deported from Spain to the US town of New Haven, Connecticut.

The US Department of Justice (DOJ) announced the extradition on Friday. In its press release, the DOJ said that besides the spam, the malware, and the harvesting of victims’ personal information, Levashov allegedly also rented out Kelihos botnet spam and malware services.

Levashov allegedly hid behind the hacker names Petr Levashov, Peter Severa, Petr Severa and Sergey Astakhov to do the dirty work.

In April 2017, the US Department of Justice indicted Levashov on one charge each of damaging a protected computer, conspiracy, accessing protected computers to commit fraud, wire fraud, aggravated identity theft, and threatening to damage a protected computer; plus two counts of fraud in connection with email.

He had been arrested in Barcelona while vacationing with his family that same month.

In March 2010, Microsoft, working with other security researchers, went after another botnet called Waledac with a combination of legal and technical takedown maneuvers. (More recently, Microsoft again used the courts, sending lawyers to fight the [likely] Russian hacking group known as Strontium, Fancy Bear or APT28. It involved seizing domains that hosted the phishing sites used to steal credentials or for botnet command & control [C&C]).

Microsoft used the same takedown techniques with the Kelihos botnet, which shared a good deal of code with Waledac.

According to the indictment, Levashov allegedly tried hard to protect his anonymity.

Read more at https://nakedsecurity.sophos.com/2018/02/07/alleged-kelihos-botmaster-and-spam-king-extradicted-to-us/

Uber and Waymo clash in court over driverless technology

By Lisa Vaas

After a delay of about two months, Uber and Waymo, the self-driving-car unit from Google, finally had their first day in court in the trade secrets lawsuit brought by Waymo a year ago.

If Day One is any indication, this suit is going to paint a picture of a vicious competition between the two companies.

The BBC wrote about the evidence Waymo presented on Monday, including emails that portrayed Uber’s then-chief executive Travis Kalanick as having been desperate to catch up with Google’s autonomous driving technology.

According to that evidence, Uber Engineering Manager John Bares, who was head of Uber’s autonomous group at the time, took notes during an 18 September 2015 teleconference in which he writes about “increasing pressure” to 1) catch up on Google’s seven-year head start in autonomous vehicle technology and to 2) deploy 100,000 driverless cars in 2020.

Notes from a subsequent meeting Bares had with Kalanick show that the former Uber CEO wanted to obtain “the cheat codes,” “all of their data” and a “pound of flesh” from Waymo.

Waymo claims that Uber, worried about Waymo beating it in the self-driving car race, ripped off Waymo’s trade secrets when it hired one of its former executives, Anthony Levandowski. Levandowski had led the driverless car project for Google since 2011. That project first began in 2009, which is about as long as Uber’s existence.

Kalanik contacted Levandowski directly in October 2015 to discuss “selling a nonexistent company.” Levandowski allegedly stole 14,000 proprietary Waymo documents just days before leaving Waymo to start that company, “Otto,” in January 2016. In August 2016 Uber then acquired Otto, a move, which Waymo alleges, was all part of a plan with Levandowski to steal Google’s technology.

Read more at https://nakedsecurity.sophos.com/2018/02/06/uber-and-waymo-clash-in-court-over-driverless-technology/

Early Google, Facebook employees band together to tame tech addiction

By Lisa Vaas

Fake news, foreign tinkering in the US 2016 presidential election, and mounting evidence about how bad technology is for kids: it’s all led to a tsunami of regret from those who helped to create the social media platforms that enable it all.

A quote from an early ex-Facebook employee, as reported by Vanity Fair:

Most of the early employees I know are totally overwhelmed by what this thing has become. They look at the role Facebook now plays in society, and how Russia used it during the election to elect Trump, and they have this sort of ‘Oh my God, what have I done’ moment.

We’ve seen ex-president of Facebook Sean Parker admit that from the get-go, the main goal has been to get and keep people’s attention, by hook, by crook or by dopamine addiction. Former vice president of Facebook user growth Chamath Palihapitiya has expressed remorse for his part.

Facebook has admitted that social media can be bad for you, Facebook founder Mark Zuckerberg has said that his platform needs fixing, Apple’s Tim Cook is keeping his nephew off social media, and, well, the list goes on.

The latest “woops!!!” news: a group of “what kind of mind-gobbling social media monster have we created?” repentants have come together to form the nonprofit Center for Humane Technology (CHT). On Sunday, the group launched a new campaign to protect young minds from what they say is “the potential of digital manipulation and addiction.”

Members include former employees and advisors to Google, Facebook, and Mozilla.

The CHT is partnering with Common Sense – a nonprofit that advocates for children and families – for the campaign, which is titled Truth About Tech.

Read more at https://nakedsecurity.sophos.com/2018/02/06/early-google-facebook-employees-band-together-to-tame-tech-addiction/

Keeping kids safe online – trying to practice what I preach

By Maria Varmazis

Being a blogger in the world of cybersecurity, I’ve rather firmly established myself in the eyes of my friends and family as the person to go to with questions about an app they heard about on the news, or what to do about some new hack or big security bug, and how to keep their information safe.

I take a great deal of pride in being able to help people like that. When I was pregnant with my first child last year, one of my family members with young kids said something along these lines to me:

I can’t keep up with all the new tech and apps that kids have access to nowadays, it’s all happening so fast. But if anyone can sort it all out, you can.

I wish I shared that confidence.

My approach to keeping my kid safe online is easy right now because she’s a baby and it’s all fully under my control. My main concern is her future privacy, and I know it only gets harder from here.

I want my kid to have the choice about what to do with her data – as much as possible, anyway – without my actions removing all choice from her before she even has a say. After all, what we do know about what social networks actively do with identity and demographic information is alarming (or impressive, if you’re a marketer who wants to sell people stuff on Facebook).

Despite all the promises these companies make about how they take data privacy and protection seriously, breaches can happen to the most well-intentioned organization. The best personal data protection is ultimately preventative: Limit what data is available to companies in the first place.

In light of this, in trying to practice what I preach about data privacy online, these are the choices I’ve made:

• I do not post my child’s name, date of birth, or any photos of her online.
• I make sure my friends and family do the same.

My hopes are that this will allow her to decide on her own, as an adult, when and how to carve out her own identity online and share her childhood photos with the world. And, though it might be futile in a world where people who had never heard of Equifax were still affected by the breach, I hope by keeping as many of her personal details off the internet for as long as possible, that I might help guard her information from being stolen and used in identity theft. After all, we know babies and children are a favorite target for this kind of thing.

Read more at https://nakedsecurity.sophos.com/2018/02/06/keeping-kids-safe-online-trying-to-practice-what-i-preach/