An “ATM skimmer” is a malicious device criminals attach to an ATM. When you use an ATM that’s been compromised in such a way, the skimmer will create a copy of your card and capture your PIN.
If you use ATMs, you should be aware of these attacks. It’s often possible to spot ATM skimmers, or at least to protect your PIN so ATM skimmers won’t be able to capture it.
How ATM Skimmers Work
An ATM skimmer has two components. The first is a small device that’s generally inserted over the ATM card slot. When you insert your ATM card, the device creates a copy of the data on the magnetic strip of your card. The card passes through the device and enters the machine, so everything will appear to be functioning normally –but your card data has just been copied.
The second part of the device is a camera. A small camera is placed somewhere it can see the keypad — perhaps at the top of the ATM’s screen, just above the number pad, or to the side of the pad. The camera is pointed at the keypad and it captures you entering your PIN. The ATM appears to be functioning normally, but the attackers just copied your card’s magnetic strip and your PIN.
The attackers can use this data to program a bogus ATM card with the magnetic strip data and use it in ATM machines, entering your PIN and withdrawing money from your bank accounts.
ATM skimmers are becoming more and more sophisticated. Instead of a device fitted over a card slot, a skimmer may be a small, unnoticeable device inserted into the card slot itself.
Instead of a camera pointed at the keypad, the attackers may be using an overlay — a fake keyboard fitted over the real keypad. When you press a button on the fake keypad, it logs the button you pressed and presses the real button underneath. These are harder to detect. Unlike a camera, they’re also guaranteed to capture your PIN.
ATM skimmers generally store the data they capture on the device itself. The criminals have to come back and retrieve the skimmer to get the data it’s captured. However, more ATM skimmers are now transmitting this data wirelessly over Bluetooth or even cellular data connections.
How to Spot ATM Skimmers
Here are some tricks for spotting ATM skimmers. You can’t spot every ATM skimmer, but it won’t hurt to take a quick look around before withdrawing money.
Jiggle the Card Reader: If the card reader moves around when you try to jiggle it with your hand, something probably isn’t right. A real card reader should be attached to the ATM so well that it won’t move around — a skimmer overlaid over the card reader may move around.
Look at the ATM Machine: Take a quick look at the ATM machine. Does anything look a bit out-of-place? Perhaps the bottom panel is a different color from the rest of the machine because it’s a fake piece of plastic placed over the real bottom panel and the keypad. Perhaps there’s an odd-looking object that contains a camera.
Examine the Keypad: Does the keypad look a bit too thick, or different from how it usually looks if you’ve used the machine before? It may be an overlay over the real keypad.
Check for Cameras: Consider where an attacker might hide a camera — somewhere above the screen or keypad, or even in the brochure holder on the machine.
If you find something seriously wrong — a card reader that moves, a hidden camera, or a keypad overlay — be sure to alert the bank or business in charge of the ATM. If something just doesn’t seem right with the machine, go find another ATM machine.
Basic Security Precautions
You can find common, cheap ATM skimmers with tricks like attempting to jiggle the card reader. But here’s what you should always do to protect yourself when using any ATM machine:
Shield Your PIN With Your Hand: When you type your PIN into an ATM machine, shield the PIN pad with your hand. Yes, this won’t protect you against the most sophisticated skimmers that use keypad overlays, but you’re much more likely to run into an ATM skimmer that uses a camera — they’re much cheaper for criminals to purchase. This is the number one tip you can use to protect yourself.
Monitor Your Bank Account Transactions: You should regularly check your bank accounts and credit card accounts online. Check for suspicious transactions and notify your bank as quickly as possible. You want to catch these problems as soon as possible — don’t wait until your bank mails you a printed statement a month after money has been withdrawn from your account by a criminal.
Tools like Mint.com — or an alert system your bank might offer — can also help here, notifying you when unusual transactions take place.
It doesn’t take a lot to fool a hurried small business owner. Case in point: The Federal Trade Commission just announced a series of legal actions against three Montreal operations accused of talking U.S. small business owners into paying millions of dollars for local yellow page listings the merchants neither bought nor received.
A common version of the scam went like this: The crooks called small businesses (some nonprofits, churches, and local government agencies also fell victim) and asked to confirm the shop’s name, address, and telephone number. Then the fraudsters call again to tell the business that they owed amounts as high as $1,800. When the business owners protested, the crooks played back recordings of the earlier phone calls, doctoring recordings to make it sound like the merchant had agreed to pay.
It sounds crude, but plenty of business owners coughed up the cash. One group of scammers tricked thousands of victims out of at least $4.9 million, according to a complaint filed by the FTC in U.S. District Court in Florida.
Directory listing scams aren’t new. In 2012, an Illinois court ordered a group of companies operating out of Palma de Mallorca, Spain, to repay $10 million to small businesses shaken down for payments for listings the merchants never agreed to buy. In that version of the scheme, crooks sent faxes bearing the “walking fingers”logo associated with local yellow pages. Merchants who returned the faxes were billed for $1,000 and threatened with aggressive collection tactics.
By trading fax machines for tape recorders and audio editing, the scammers may have climbed up a rung on the ladder of low-tech schemers who prey on Main Street. They’re not as sophisticated as the tin-foil bandits who clamber on the rooftops of convenience stores with rolls of aluminum wrap in an elaborate ploy to buy cigarettes with stolen credit cards. But they’re way ahead of the crude criminals who simply call small business owners and ask for cash.
By Conner ForrestJuly 28, 2014 Amazon recently announced that it will offer customizable, 3D printed products to its customers. Will it help popularize 3D printing among the masses?
Amazon CEO Jeff Bezos.
"Shop the Future."
That's the tagline on the newest section of Amazon.com. The online retailer recently opened up a new part of its website, and what it is selling in this section can depend totally on who's buying it.
On Monday, Amazon announced the Amazon 3D Printing Storewhere customers can shop among 200 unique products that can be 3D printed on demand and shipped immediately. Customers can choose a ready made design, or they can customize it by changing the material, size, style or color, and they can add personalized text or images. Currently, customers shop for jewelry, home decor, toys, and tech accessories.
"The introduction of our 3D Printed Products Store suggests the beginnings of a shift in online retail -- that manufacturing can be more nimble to provide an immersive customer experience. Sellers, in alignment with designers and manufacturers, can offer more dynamic inventory for customers to personalize and truly make their own," said Petra Schindler-Carter, Director for Amazon Marketplace Sales. "The 3D Printed Products Store allows us to help sellers, designers and manufacturers reach millions of customers while providing a fun and creative customer experience to personalize a potentially infinite number of products at great prices across many product categories."
Customers can utilize the pre-made design templates to easily customize a design. Most 3D printing software is based on computer-aided design (CAD) software, and is typically difficult to use if you have no training or experience in design. According to Forrester analyst Michael Yamnitsky, the number of products aren't potentially infinite.
"The service itself is limited to a handful of partners, products, and customization options. We believe this is a tactful move on Amazon's part because it will limit the risk of faulty prints. Software challenges stand in the way of successfully printing any 3D model a customer chooses or creates," Yamnitsky said. "What this means is that creating a scalable service for consumers to print anything they want will remain a significant challenge for some time, and Amazon will likely move slowly in expanding partners and features of the service."
With other 3D printing sites you can go to other retail sites and you can order a piece of jewelry that is printed on demand with 3D printing technology, but most of the time it will not be customizable. Pete Basiliere, an analyst at Gartner, said that by enabling people to experience customized 3D printed output, Amazon is "nurturing growth of the consumer market." What he means by this is that Amazon is helping to give consumers a better understanding of the value of 3D printing, which could lead to more people wanting to spring for a 3D printer in their own home.
"It's exciting because it is Amazon producing truly personalized 3D printed items for consumers and others," Basiliere said. "Most of the websites and other sources for 3D printed items only enable a person to receive an item that has been made with the technology, but not personalized."
Amazon's new store will definitely help to legitimize 3D printing, but it isn't the only company offering customizable 3D printed items. Companies such as Mymo, which offers customizable jewelry at an affordable price, have been operating online for some time, but they have yet to be able to scale to the degree at which Amazon can offer the service.
While Amazon is certainly bringing 3D printing to a broader, multinational audience, it will still face the main inhibitors faced by all other online providers of 3D printed goods. According to Basiliere, one of the constraints to shopping online is customers who have never experienced a 3D printed piece; so they don't know the value of a 3D printed gift. However, that is an issue faced by every online retailer of 3D printed products.
"Physical retailers will play in this space," Yamnitsky said. "We think consumers will want to get hands-on with 3D printers, and online 3D printing marketplaces shield the customer from the experience. So there's a big opportunity for physical retailers to build and staff 3D printing kiosks for customers to design and print at physical locations."
Storefronts can educate consumers by showcasing the technology and including customers in the process. Basilier mentioned British supermarket chain ASDA, which uses a 3D scanner to scan images of willing customers and 3D prints a miniature statue of the customer.
In the middle of June, Amazon launched a specific part of its sitededicated to selling 3D printers from companies such as Makerbot, Cubify, and fabbster; as well as materials and accessories for 3D printers. In this way, Amazon is following the technology industry maxim of "disrupt yourself before someone else does."
Conner Forrest is a Staff Writer for TechRepublic. He covers Google and startups and is passionate about the convergence of technology and culture.
Lucy makes a superhuman of Scarlett Johansson. But will technology advances ever help us better use our brains?
We upload our lives to the cloud, Google pours it into the Knowledge Graph to feed the algorithm, applies natural language parsing, and the Singularity, that moment when digital devices become more intelligent than humans, draws close.
But is the real story that machines and humans are meeting in the middle? Are we evolving to become plugged into the great digital cortex to become hybrid- humanoids? It's a subject that's fascinated Luc Besson, director of the new movieLucy, for over a decade, and his film is astonishing.
Besson spent time with world-renowned neurologist Yves Agid, who co-founded the Brain & Spine Institute (ICM) in Paris, to learn how cells communicate with each other and what cerebral capacity could be unleashed if the human brain's 86 billion densely packed neurons fired at once.
Lucy(Scarlett Johansson) starts off as just another flaky student hanging out in Taiwan, going to dodgy discos with men who wear cowboy hats and tinted sunglasses. Within minutes, the story turns into a thriller. She's forced to become a drug mule, something goes horribly wrong (of course), and then suddenly we're in the realm of sci-fi with stunning FX.
As her brain capacity increases, Lucy slips through the doors of perception and into the matrix, sees mobile telephony signals rendered in 3D, defies gravity, attains telepathy, telekinesis and control over mind, matter, and time travel. Sadly there's no Trinity transformation in her outfits.
Besson goes mystic as Lucy's brain expands. She feels trees "grow," senses peoples' thoughts, and accesses their memory banks. We move, briefly, into the Buddhist realm of meditating monks who control their metabolism and experience infinite space.
Then we're thrown into a genre-melding sci-fi/Korean-gangster flick. Korean drug lords are the new Italian mob. Strong, taciturn, swift to violent reaction, clad in expensive made-to-measure suits. Their leader, Min Sik Choi, makes a superb Godfather getting tattooed while listening to Mozart with the volume up high.
Apart from Morgan Freeman's scientific hypotheses about brains and neural circuitry, the movie is surprisingly low on gadgets, (but high on military-grade weaponry). Who knew French narcotics cops still carry flip phones? Or neuroscientists are so strapped for space that they have brainstorms in rooms dominated by server stacks? And best look away at the point when the culmination of the world's knowledge is apparently contained on a sparkly thumbdrive.
Is any of this possible? Right now, performance-enhancing drugs like anabolic steroids contain synthetic forms of testosterone to build strength and increase muscle mass. People with depression are treated with mood-altering chemical combinations that target NMDA receptors in the brain, increasing serotonin levels. Parkinson's disease can be managed with electrodes implanted in the brain to keep it firing smoothly. And a company called Neural Signals in Georgia does invasive brain-machine interfacing to allow "locked-in" paraplegics to control robotic arms.
Meanwhile, neuroscientist Michael Weisend Ph.D., uses trans-cranial direct current (TCDC) to effectively "shock" subjects with healthy brains to target preferred neural networks for specific tasks, thereby significantly enhancing motor skills. Partially funded by DARPA, studies showed increased accuracy in snipers hitting targets.
So if humans are becoming advanced through pharmaceuticals and modern electro-shock techniques, while digital devices achieve levels of sophistication in "understanding" through data-mining and natural language processing, are we not meeting in the middle?
The sticking point with scientists has always been how one defines consciousness. Ray Kurzweil, now Director of Engineering at Google, has always argued that machines and people are not so different.
"Some observers have argued that Watson (the supercomputer that won Jeopardy!in 2011) does not really 'understand' the Jeopardy queries...because it is just engaging in 'statistical analysis,' (but) the mathematical techniques that have evolved in the field of artificial intelligence are mathematically very similar to the methods that biology evolved in the form of the neocortex," Kurzweil said in How To Create A Mind. "If understanding language and other phenomena through statistical analysis does not count as true understanding, then humans have no understanding either."
As we watch Lucy systematically reach superhuman levels of intelligence, she becomes, in effect, a machine. Perhaps humans are just heading towards becoming another node on the network alongside our digital cousins. Or, more optimistically, enhanced Jedi beings with expansive brains and cool new superpowers.
Sophia Stuart is a British writer and digital strategist based in Los Angeles
Jueves, Julio 24 2014 14:30 | Escrito por Redacción
More than 4,600 new multifamily rental units are under construction or planned, with the bulk of new inventory expected in the Brickell sub market.
Downtown Miami condominium prices are nearing pre-recession levels as buyers from around the world look to the market as a top-tier investment target, according to a new study by the Miami Downtown Development Authority (DDA). Prices for existing (prior cycle) resale condo units in downtown have increased 75 percent over the past two years, rising from an average of $230 per square foot to $400 per square foot. The bulk of this appreciation can be attributed to value recovery stemming from market stabilization and the launch of new projects since 2011.
All told, there were 8,700 condo units for sale or under development through June 2014. The bulk of this inventory is expected to deliver through 2017, indicating the market is in the early stages of mid-cycle development. Q2 2014 pre-construction pricing continues at $550 – $675 per square foot for current unsold inventory.
Downtown’s growing residential appeal is also driving rental demand. Between 400 and 450 leases have been completed in greater downtown each month over the past three years, with average monthly rents rising from $2,198 per unit in 2011 to $2,429 through Q2-2014. More than 4,600 new multifamily rental units are either under construction or planned, with the bulk of new inventory expected in the Brickell submarket.
The study, conducted by Integra Realty Resources (IRR), evaluated 24 current projects as well as existing supply in six submarkets comprising greater downtown Miami: Brickell, the Central Business District (CBD), Edgewater, the Arts & Entertainment District, Wynwood and Midtown. This report is a continuation of previous Miami DDA research focused on inventory from the last cycle, which was substantially absorbed by the close of 2012. The new study surveys projects that have launched this cycle through May 31, 2014 and provides a projection of future deliveries.
“Strong buyer demand, appreciating prices, and growing appeal among renters continue to fuel the downtown Miami condo market,” explains Anthony M. Graziano, Senior Managing Director for Integra Realty Resources in Miami. “While we expect price increases to slow with time, downtown is well positioned to absorb the new condo inventory currently under development should present-day buyer trends hold.”
While submarkets throughout Miami’s urban core are experiencing new development, the City’s Edgewaterneighborhood –just north of the CBD along the Biscayne Boulevard corridor–is the area’s fastest growing market. More than 1,900 new units are currently in development, representing a 67 percent increase in the submarket’s inventory.
New projects in Brickell, where more than 4,800 units are under construction, account for nearly 25 percent growth by comparison with the submarket’s existing condo inventory.
The largest newcomer is Brickell City Centre, which will include 780 condo units set amidst 5.4 million square feet of mixed-use development.
Another master-planned project, Miami World Center, will deliver a combined 2,000 units alongside retail, hotel and commercial uses in the CBD. Nearby, All Aboard Florida’s new Grand Central Miami station, will serve as a high speed rail hub connecting South and Central Florida.
The rise of new developments has placed a premium on developable properties, sending land prices to never-before-seen levels over the past three years. Multiple land transactions valued in excess of $100 million have been completed or are under contract in Brickell, the CBD and Midtown, creating a sizable barrier to entry for residential developers.
The introduction of the ‘South American Financing Model,’ whereby developers collect deposits valued at 50 percent or more of the purchase price – coupled with funding sources giving preference to experienced, well-capitalized developers – should help maintain a healthy market environment. “Elevated land costs, higher construction costs, increased market transparency, and the rise of a new, cash-heavy financing structure all stand as obstacles to the degree of oversupply that downtown Miami experienced during the last cycle,” added Graziano.
International buyers continue to dominate the downtown buyer base as Miami emerges as a global destination for business and finance, leisure travel, arts and culture. The study shows that foreign buyers account for approximately 90 percent of all sales, making Miami one of the few real estate markets in the world that enjoy the envious position of being an ‘export economy,’ meaning buyers import capital for the purpose of owning real estate.“Downtown Miami has long been viewed as a business hub, but we are quickly gaining a reputation for our lifestyle offerings, everything from the Adrienne Arsht Center for the Performing Arts and Pérez Art Museum Miami, to a growing number of high-end hotels and restaurants and the addition of luxury retail,” says Alyce Robertson, Executive Director of the Miami DDA. “Overseas buyers eyeing U.S. real estate are finding that downtown Miami has all the amenities of a major cosmopolitan city, along with competitive pricing and easy access to Latin America and Europe.”
Summary:Is Microsoft building a single version of Windows that will run on phones, tablets, PCs and gaming consoles? Nope. Here's a refresher as to what really is happening.
"We will streamline the next version of Windows from three operating systems into one single converged operating system for screens of all sizes," Nadella told press and analysts listening to the call.
Wow! One Windows OS running on phone, tablet, PC and gaming console?
Not exactly. Later in the call, Nadella attempted to clarify his remarks, but not in time to stop the breathless headlines.
Here's what "one Windows" really means:
1. A single team developing all Windows variants. This team has been in place since July 2013 when Microsoft created the unified Operating System Group under Terry Myerson. This team works on the Windows Phone OS, Windows Embedded, Windows (for PCs and tablets) and the Xbox One operating systems.
2. A single "core." Windows Phone, Windows 8, Windows RT and Windows Server are all built on top of a common "core," known as the NT core. Because of Microsoft's layered architectural approach, each OS builds on top of this core using different pieces that make sense for the form factor/hardware on which it runs.
3. A unified Store and commerce model across all platforms. Microsoft has taken steps toward unifying its Windows Phone Store and Windows Store over the past year. But it still has a ways to go to reach the holy grail: A single store that spans all platforms. The next major versions of Windows Phone and Windows (both codenamed Threshold) may be where a single Store debuts. I am not sure when Xbox apps will be added to that Store.
4. A unified developer platform. Microsoft execs have been promising for years that one day, developers will be able to write once and run on any Windows variant. To get there, Microsoft is working to unify, as much as possible, the core set of application programming interfaces (APIs) and the developer tooling for building apps for Windows Phone, Windows and the Xbox operating system. Microsoft has many of the pieces in place now that allow Windows and Windows Phone developers to reuse more of their code when writing what are called "Universal Windows apps."
Here's what "one Windows" doesn't mean: There will not be one Windows SKU. Or even two. There will continue to be multiple versions of Windows. Nadella stated this quite plainly on the earnings call.
"Our SKU strategy will remain by segment," he said. "We will have multiple SKUs for enterprises, we will have for OEM, we will have for end-users.... We will be disclosing and talking about our SKUs as we get further along."
For now, nothing new to see here, folks. Hopefully more of the promised pieces will be in place by the time Microsoft makes a public preview of Windows Threshold, which the company is hoping to do by this fall, from what I am hearing....
Mary Jo has covered the tech industry for 30 years for a variety of publications and Web sites, and is a frequent guest on radio, TV and podcasts, speaking about all things Microsoft-related. She is the author of Microsoft 2.0: How Microsoft plans to stay relevant in the post-Gates era (John Wiley & Sons, 2008)
Kids horsing around in the backseat? Use the mic in Toyota's new minivan for some surround-sound discipline
Family road trips just got a lot easier (or louder) with the 2015 Toyota Sienna. The minivan comes with a handful of parent-friendly perks, including a built-in microphone to shout at misbehaving kids.
Among the smart tech upgrades in the new Siena is Driver Easy Speak, which lets drivers use the car's built-in microphone to amplify their voice through rear speakers. No more shouting at the kids in the backseat or turning your eyes away from the road to glare at roughhousing children.
If that doesn't work, just turn on the dual-view Blu-ray rear-seat entertainment system to lull them into a trance.
Other high-tech options include a 7-inch touch screen display to the right of the driver, as well as a 4.2-inch display on the instrument panel, which can show things like turn-by-turn directions. A panoramic backup camera now comes standard, with virtual guidelines to help navigate.
To get the word out about its updated minivan, Toyota is going the social route, promoting its "Swagger Wagon" via a series of videos.
Dreamworks Studios after-effects artist Daniel Hashimoto, for instance, takes his son James—known to YouTube viewers as "Action Movie Kid"—on digitally enhanced adventures in the Sienna, traveling through space and underwater (video below) to show off the van's potential.
"Working with the Sienna inspired me to imagine how James might look at everyday driving adventures and share that fun perspective with other parents," Hashimoto said in a statement. "As a dad, I love watching my son explore his world, and the Sienna gave us a new adventure to check out."
For more, check out PCMag Live in the video below, which discusses Toyota's new microphone option.
Stephanie began as a PCMag reporter in May 2012. She moved to New York City from Frederick, Md., where she worked for four years as a multimedia reporter at the second-largest daily newspaper in Maryland. She interned at Baltimore magazine and graduated from Indiana University of Pennsylvania (in the town of Indiana, in the state of Pennsylvania) with a degree in journalism and mass communications
In October 2010, a Federal Bureau of Investigation system monitoring U.S. Internet traffic picked up an alert. The signal was coming from Nasdaq (NDAQ). It looked like malware had snuck into the company’s central servers. There were indications that the intruder was not a kid somewhere, but the intelligence agency of another country. More troubling still: When the U.S. experts got a better look at the malware, they realized it was attack code, designed to cause damage.
As much as hacking has become a daily irritant, much more of it crosses watch-center monitors out of sight from the public. The Chinese, the French, the Israelis—and many less well known or understood players—all hack in one way or another. They steal missile plans, chemical formulas, power-plant pipeline schematics, and economic data. That’s espionage; attack code is a military strike. There are only a few recorded deployments, the most famous being the Stuxnet worm. Widely believed to be a joint project of the U.S. and Israel, Stuxnet temporarily disabled Iran’s uranium-processing facility at Natanz in 2010. It switched off safety mechanisms, causing the centrifuges at the heart of a refinery to spin out of control. Two years later, Iran destroyed two-thirds of Saudi Aramco’s computer network with a relatively unsophisticated but fast-spreading “wiper” virus. One veteran U.S. official says that when it came to a digital weapon planted in a critical system inside the U.S., he’s seen it only once—in Nasdaq.
The October alert prompted the involvement of the National Security Agency, and just into 2011, the NSA concluded there was a significant danger. A crisis action team convened via secure videoconference in a briefing room in an 11-story office building in the Washington suburbs. Besides a fondue restaurant and a CrossFit gym, the building is home to the National Cybersecurity and Communications Integration Center (NCCIC), whose mission is to spot and coordinate the government’s response to digital attacks on the U.S. They reviewed the FBI data and additional information from the NSA, and quickly concluded they needed to escalate.
Thus began a frenzied five-month investigation that would test the cyber-response capabilities of the U.S. and directly involve the president. Intelligence and law enforcement agencies, under pressure to decipher a complex hack, struggled to provide an even moderately clear picture to policymakers. After months of work, there were still basic disagreements in different parts of government over who was behind the incident and why. “We’ve seen a nation-state gain access to at least one of our stock exchanges, I’ll put it that way, and it’s not crystal clear what their final objective is,” says House Intelligence Committee Chairman Mike Rogers, a Republican from Michigan, who agreed to talk about the incident only in general terms because the details remain classified. “The bad news of that equation is, I’m not sure you will really know until that final trigger is pulled. And you never want to get to that.”
Bloomberg Businessweek spent several months interviewing more than two dozen people about the Nasdaq attack and its aftermath, which has never been fully reported. Nine of those people were directly involved in the investigation and national security deliberations; none were authorized to speak on the record. “The investigation into the Nasdaq intrusion is an ongoing matter,” says FBI New York Assistant Director in Charge George Venizelos. “Like all cyber cases, it’s complex and involves evidence and facts that evolve over time.”
While the hack was successfully disrupted, it revealed how vulnerable financial exchanges—as well as banks, chemical refineries, water plants, and electric utilities—are to digital assault. One official who experienced the event firsthand says he thought the attack would change everything, that it would force the U.S. to get serious about preparing for a new era of conflict by computer. He was wrong.
On the call at the NCCIC were experts from the Defense,Treasury, and Homeland Security departments and from the NSA and FBI. The initial assessment provided the incident team with a few sketchy details about the hackers’ identity, yet it only took them minutes to agree that the incursion was so serious that the White House should be informed.
The conference call participants reconvened at the White House the next day, joined by officials from the Justice and State departments and the Central Intelligence Agency. The group drew up a set of options to be presented to senior national security officials from the White House, the Justice Department, the Pentagon, and others. Those officials determined the questions that investigators would have to answer: Were the hackers able to access and manipulate or destabilize the trading platform? Was the incursion part of a broader attack on the U.S. financial infrastructure?
The U.S. Secret Service pushed to be the lead investigative agency. Its representatives noted that they had already gone to Nasdaq months earlier with evidence that a group of alleged Russian cybercriminals, led by a St. Petersburg man named Aleksandr Kalinin, had hacked the company and that the two events might be related. The Secret Service lost the argument and sat the investigation out.
When the FBI notified Nasdaq of the intrusion, it turned out the company had detected anomalies on its own but had yet to report the attack. After negotiations over privacy concerns, Nasdaq agreed to let U.S. officials into its networks. Investigation teams arrived at the company’s headquarters at One Liberty Plaza in New York City and its data center in Carteret, N.J., where they found multiple indications of an intelligence agency or military.
The hackers had used two zero-day vulnerabilities in combination. A zero day is a previously unknown flaw in computer code—developers have had “zero days” to address it—that allows hackers to easily take remote command of a computer. It’s a valuable commodity, sometimes selling for tens of thousands of dollars in underground markets. The use of one zero day indicates a sophisticated hacker; more than one suggests government. Stuxnet deployed four—a sign that the code’s authors had done advanced reconnaissance and knew precisely how various systems worked together.
Whoever hit Nasdaq had done similar prep work and had similar resources. The clincher was the hackers’ malware pulled from Nasdaq’s computer banks. The NSA had seen a version before, designed and built by the Federal Security Service of the Russian Federation (FSB), that country’s main spy agency. And it was more than spyware: Although the tool could be used to steal data, it also had a function designed to create widespread disruption within a computer network. The NSA believed it might be capable of wiping out the entire exchange.
In early January, the NSA presented its conclusions to top national security officials: Elite Russian hackers had breached the stock exchange and inserted a digital bomb. The best case was that the hackers had packed their malware with a destruction module in case they were detected and needed to create havoc in Nasdaq computer banks to throw off their pursuers. The worst case was that creating havoc was their intention. President Obama was briefed on the findings.
Later in the investigation, some U.S. officials questioned whether the NSA had pushed the evidence too far. Malware often changes hands—it’s sold, stolen, or shared. And the technical differences between attack code and something less destructive can be surprisingly small. At the time, NSA Director Keith Alexander and his agency were locked in a fight with government branches over how much power the NSA should have to protect private companies from this new form of aggression. Such a brazen attack would certainly bolster its case.
As the probe deepened inside Nasdaq’s headquarters and its data center, investigators had to reconstruct the path of world-class hackers whose job depended on being untraceable. The team was surprised at how vulnerable a sophisticated operation such as Nasdaq could be. “Our assumption was that, generally speaking, the financial sector had its act together much more,” says Christopher Finan, a former cybersecurity expert in the Obama White House. “It doesn’t mean that they’re perfect, but on a spectrum they’re near the top.”
What the investigators found inside Nasdaq shocked them, according to both law enforcement officials and private contractors hired by the company to aid in the investigation. Agents found the tracks of several different groups operating freely, some of which may have been in the exchange’s networks for years, including criminal hackers and Chinese cyberspies. Basic records of the daily activity occurring on the company’s servers, which would have helped investigators trace the hackers’ movements, were almost nonexistent. Investigators also discovered that the website run by One Liberty Plaza’s building management company had been laced with a Russian-made exploit kit known as Blackhole, infecting tenants who visited the page to pay bills or do other maintenance.
What one investigator referred to as “the dirty swamp” of Nasdaq’s computer banks made following the trail of the Russian malware excruciatingly slow. The agents figured the hackers first broke into Nasdaq’s computers at least three months before they were detected, but that was just a guess. There were indications that a large cache of data was stolen, though proof was scarce, and it was hard to see what was spirited out. “If someone breaks into your house, trying to figure where they went and what they took is pretty difficult because, unlike a bank, you don’t have cameras in your house, you don’t have motion sensors,” says Jason Syversen, chief executive officer of Siege Technologies, a security firm in Manchester, N.H. “In terms of cybersecurity, most companies are more like a house than a bank.”
The agencies left it to Nasdaq to characterize the attack for its customers, regulators, and the public, which it did in a brief company statement on Feb. 5 and again in a regulatory filing a few weeks later. The breach couldn’t have come at a worse time for Nasdaq. It was on the verge of trying to acquire the New York Stock Exchange (ICE) for $11 billion.
Nasdaq’s e-mailed statement gave no indication the attack was serious. The company said the malware had been discovered during “a routine scan” and that the incursion was limited to a system called Director’s Desk, which more than 230 companies used to share financial information among board members. “We have no information anything was taken,” the statement said. In an interview for this article, Nasdaq spokesman Joseph Christinat says: “Our own forensics review of the issue conducted in close cooperation with the U.S. government concluded no proof of exfiltration of data from our Director’s Desk systems. Importantly, 2010 was a watershed moment in our company’s commitment to cybersecurity resulting today in an enhanced ability to detect and protect the integrity of our systems, our technology, and market participants.”
Photograph by Mario Tama/Getty Images“We’ve seen a nation-state gain access to at least one of our stock exchanges ... and it’s not crystal clear what their final objective is”
Meanwhile, the investigation into who was behind the attack took a dramatic turn. Unlike a bomb or missile, malware can be reused. Left behind in networks, it can be grabbed by other hackers, reverse-engineered, and redeployed in the computer banks of subsequent victims to muddy the trail, like a killer using someone else’s gun. As investigators began examining data on other hacks of government and military computers, there was evidence that the Russians’ malware was being used by a sophisticated Chinese cyberspy also known to have a thriving criminal business on the side. This hacker could have been given the Russian malware or pinched it from inside another computer network and used it to disguise his identity. Some evidence inside Nasdaq supported that theory as well. Obama was briefed again as the probe turned toward Asia.
As investigators followed the new leads, more teams fanned out across the country. The Treasury Department’s Office of Critical Infrastructure Protection and Compliance Policy drew up a list of 10 major banks and U.S. stock exchanges that might be targets for a broader campaign. Not all the companies agreed to cooperate with the investigation. In those that did, agents began scouring computer logs and examining servers, aided by the companies’ security teams.
The agents found little evidence of a broader attack. What they did find were systematic security failures riddling some of the most important U.S. financial institutions. It turned out that many on the list were vulnerable to the same attack that struck Nasdaq. They were spared only because the hackers hadn’t bothered to try.
The Asia connection didn’t pan out. Investigators turnedback to Russia as the most likely suspect but kept stumbling over questions of motive. The hackers had been free to move around the Nasdaq network unmolested for several months. The exchange itself is isolated from other parts of the company’s network. It’s hard to access, but there’s no evidence that the hackers made the attempt.
Pushing for answers, the White House turned to the CIA. Unlike the NSA, which gathers intelligence solely by electronic means, the CIA is an “all source” intelligence unit and relies heavily on people. The CIA began to focus on the relationships between Russia’s intelligence agencies and organized crime. Someone in the FSB could have been running a for-profit operation on the side, or perhaps sold or gave the malware to a criminal hacking group. More analysis on the malware showed that its capabilities were less destructive than earlier believed. It couldn’t destroy computers like a wiper virus, but it could take over certain functions in order to cause a network disruption.
If the hackers’ motive was profit, Nasdaq’s Director’s Desk, the Web-based communication system where they first entered the network, offered amazing possibilities. It’s used by thousands of corporate board directors to exchange confidential information about their companies. Whoever got their hands on those could accumulate an instant fortune.
In Washington, an FBI team and market regulators analyzed thousands of trades using algorithms to determine if information in Director’s Desk could be traced to suspicious transactions. They found no evidence that had happened, according to two people briefed on the results.
National security officials revised the theory of the break-in once again. With encouragement from the CIA, White House officials began to conclude it was an elaborate act of cybercrime. The conclusion represented a certainty of only about 70 percent, according to one official, but there was little choice. The NSA was operating under a special authority known as a Request for Technical Assistance, or RTA, and the clock on the RTA was running out. After Obama was briefed for a third time, two people say, the intelligence establishment stood down, and by early March, the case was left in the hands of the FBI.
The bureau’s agents noticed that the hackers appeared to focus their attention on 13 servers containing Nasdaq’s most critical technology. That technology is sophisticated enough that the company has a side business licensing it to other stock exchanges around the world.
The timing of the attack had always been one of the pieces that didn’t fit. In 2008, Dmitry Medvedev had succeeded Vladimir Putin as Russia’s president, and Putin stepped into the less powerful role of prime minister. If anything, relations with the West were warming, and aggression against the global financial system didn’t make sense.
Russia might have been interested in Nasdaq for other reasons. In January 2011, Medvedev traveled to the World Economic Forum in Davos, Switzerland, to roll out a grand Russian vision for transforming Moscow into a global financial hub. The next month, Moscow’s two underperforming stock exchanges, the Micex and RTS, announced they would merge into what operators dreamed would be a world-class platform, the jewel in the crown of the globe’s newest financial capital.
To Russia’s senior leaders, the country’s national security and the success of the exchange were linked. Russian companies now mostly list on major Western exchanges, making them more vulnerable to U.S. and European economic leverage. When Putin returned to the presidency in 2012, he pressured Russian companies to list solely on the new exchange. At the same time, he poured billions of rubles into a financial hub in central Moscow that included Europe’s tallest building.
By mid-2011, investigators began to conclude that the Russians weren’t trying to sabotage Nasdaq. They wanted to clone it, either to incorporate its technology directly into their exchange or as a model to learn from. And they dispatched an elite team of cyberspies to get it.
Without a clear picture of exactly what data was taken from Nasdaq and where it went—impossible given the lack of logs and other vital forensics information—not everyone in the government or even the FBI agreed with the finding, but one investigator directly involved in the case says it was the most convincing conclusion. There were other pieces of the puzzle that didn’t fit. Were the malware’s disruptive capabilities meant to be used as a weapon or something else? If they hadn’t been interrupted, what else would they have done? Asked to comment on the Nasdaq incident, Russian Embassy spokesman Yevgeniy Khorishko says, “It is pure nonsense that it is not even worth commenting on.”
In a speech last January, amid the scandal over the NSA’s collection of data on millions of Americans, Obama obliquely referred to the NSA’s ability to “intercept malware that targets a stock exchange” as one reason he opposed stripping the agency of its ability to intercept digital communications.
For some U.S. officials, however, the lessons of the incident are far more chilling. The U.S. national security apparatus may be dominant in the physical world, but it’s far less prepared in the virtual one. The rules of cyberwarfare are still being written, and it may be that the deployment of attack code is an act of war as destructive as the disabling of any real infrastructure. And it’s an act of war that can be hard to trace: Almost four years after the initial Nasdaq intrusion, U.S. officials are still sorting out what happened. Although American military is an excellent deterrent, it doesn’t work if you don’t know whom to use it on.
“If anybody in the federal government tells you that they’ve got this figured out in terms of how to respond to an aggressive cyber attack, then tell me their names, because they shouldn’t be there,” says Rogers, the intelligence committee chairman. “The problem is that whatever we do, the response to it won’t come back at the government, it’ll come back at the 85 percent of networks in America that are in the private sector. And they are already having a difficult time keeping up.”
