US law enforcement steps up security ahead of expected Mideast protests

The Law-abiding & Lawbreaking Know - "Cops Aren’t Coming to the Rescue"

Not Your Father’s Shoplifters

Criminals get bolder as American cities abandon broken-windows policing.

In U.S. cities from Los Angeles to Chicago, shoplifting has become an epidemic. The question is what’s worse: the brazenness of theft today or how what was once unthinkable is now considered unstoppable.

Thieves no longer need to hide their behavior. Today the shops themselves forbid staff to try to stop shoplifters.

At the same time, shoplifting has grown sophisticated. Smash-and-grab mobs overwhelm store employees and leave with garbage bags full of merchandise. Organized criminal enterprises recruit drug addicts to do the actual stealing and then sell the stolen goods on platforms such as eBay.

It’s all a product of a growing social dysfunction born of the abandonment of broken-windows policing. Broken windows originated in a 1982 article for the Atlantic magazine by James Q. Wilson of Harvard and George L. Kelling of Rutgers. They argued that if you sweat the small stuff that really makes city residents feel unsafe (aggressive panhandling, public urination, petty crime), you’ll catch problems before they metastasize. Their metaphor was the broken window.    Continue Reading

Uber's Ex-CISO Appeals Conviction Over 2016 Data Breach

Joe Sullivan's lawyers have claimed his conviction on two felony charges is based on tenuous theories and criminalizes the use of bug bounty programs.

Former Uber CISO Joseph Sullivan's conviction earlier this year on charges related to a 2016 data breach at the company should not be allowed to stand because it threatens the use of bug bounty programs among enterprise organizations, his lawyers argued in an appeal this week.

In a brief filed Tuesday with the US Court of Appeals for the Ninth Circuit, Sullivan's legal team described him as the victim of a "profoundly flawed" verdict that was based on tenuous theories about his responsibilities as the security chief at Uber.

A federal jury last October found Sullivan guilty of obstructing justice and misprision of a felony — or working to conceal it — in connection with a 2016 breach at Uber that exposed sensitive data of more than 50 million customers and 600,000 drivers.

The breach happened in the middle of an investigation by the Federal Trade Commission (FTC) of an earlier 2014 security incident at Uber involving the compromise of personal information belonging to some 50,000 individuals.

Prosecutors charged Sullivan, whom Uber hired as CISO after the 2014 breach, of withholding information about the 2016 incident from the FTC even as its investigators were scrutinizing the company's data security and privacy practices. The government argued that Sullivan should have informed the FTC of the 2016 incident, but instead went out of his way to conceal it from them.

Prosecutors also accused Sullivan of attempting to conceal the breach itself by paying $100,000 to buy the silence of the two hackers behind the compromise. Sullivan had characterized the payment as a bug bounty similar to ones that other companies routinely make to researchers who report vulnerabilities and other security issues to them. His lawyers pointed out that Sullivan had made the payment with the full knowledge and blessing of Travis Kalanick, Uber's CEO at the time, and other members of the ridesharing giant's legal team.

But prosecutors described the payment and an associated nondisclosure agreement that Sullivan's team wanted the hackers to sign as an attempt to cover up what was in effect a felony breach of Uber's network.

Following the jury verdict in May 2023, Judge William Orrick of the US District Court for the Northern District of California sentenced Sullivan to three years of probation and 200 hours of community service and ordered him to pay a $50,000 fine.

The government's response is due by Nov. 9, and Sullivan will have an opportunity to respond to that by Nov. 30. Oral arguments in the appeals case are projected to start in the spring of 2024, and a decision won't happen until mid- to late 2024, Chamberlin says.  darkreading.com

New Cyberattacks Coming - Faster - Precise - Larger Scale

Generative AI is scaring CISOs – but adoption isn’t slowing down

The march of generative AI isn't short on negative consequences, and CISOs are particularly concerned about the downfalls of an AI-powered world, according to a study released this week by IBM.

Generative AI is expected to create a wide range of new cyberattacks over the next six to 12 months, IBM said, with sophisticated bad actors using the technology to improve the speed, precision, and scale of their attempted intrusions. Experts believe that the biggest threat is from autonomously generated attacks launched on a large scale, followed closely by AI-powered impersonations of trusted users and automated malware creation.

The IBM report included data from four different surveys related to AI, with 200 US-based business executives polled specifically about cybersecurity. Nearly half of those executives -- 47% -- worry that their companies' own adoption of generative AI will lead to new security pitfalls while virtually all say that it makes a security breach more likely. This has, at least, caused cybersecurity budgets devoted to AI to rise by an average of 51% over the past two years, with further growth expected over the next two, according to the report.

Employees Will End Up Turning to Shadow AI

New front line of enterprise defences – AI apps

It is no surprise that the unparalleled rise of ChatGPT and other generative AI apps quickly drew the attention of malicious actors. The platform acquired a million users in five days and surpassed 100 million users in just two months, playing right into the hands of cyber attackers that take advantage of hype around new popular services for nefarious purposes, writes Ray Canzanese, Director of Threat Labs at the cloud security product company Netskope.

While ChatGPT is undoubtedly the most popular generative AI tool – with more than 8x as many daily active users than any other AI app – Google Bard is currently growing fastest, adding users at a rate of 7.1 per cent per week. On its current trajectory, Bard is on course to catch up with ChatGPT in just over a year.

As such, the true impact of AI use in businesses is still yet to be determined. Netskope’s recent Cloud and Threat Report, which analysed habits of millions of users across thousands of enterprises, found that the number of users accessing AI applications increased by 22.5 per cent from May to June this year – and at the current rate of growth, is set to double within the next seven months.

To block or not to block - Empowering the user - Protecting sensitive information - Riding the hype   professionalsecurity.co.uk

LinkedIn Smart Links Abused in Phishing Campaign Targeting Microsoft Accounts

A recently observed phishing campaign targeting Microsoft accounts is using LinkedIn smart links to bypass defenses.

A recently identified phishing campaign is relying on LinkedIn smart links to bypass email defenses and deliver malicious lures into Microsoft users’ inboxes, email security firm Cofense reports.

A legitimate feature connected to LinkedIn’s Sales Navigator services, smart links allow businesses to promote websites and advertisements, redirecting users to specific domains.

Threat actors, however, are relying on the feature to redirect users to malicious websites that attempt to steal their credentials and personal information, abusing the inherent trust that email gateways have in LinkedIn.

While LinkedIn smart links have been abused in malicious attacks before, the recently observed phishing campaign stands out with more than 80 unique smart links embedded within over 800 phishing messages delivered to recipients from various industries, Cofense says. securityweek.com

CISO Pay Increases Are Slowing & So Are Budgets – a Look Behind the Figures

How much do CISOs make? Survey provides compensation trends for Chief Information Security Officers, but don’t take surveys at full face value.

The details are provided in a new survey provided by information security advisory specialist IANS Research and high-level recruitment firm Artico Search. In April 2023, more than 600 US and Canadian security executives were queried for the fourth annual CISO Compensation and Budget survey (PDF summary). The companies concerned varied in size, sector, and location.

The headline takeaways from this survey are: the average CISO total compensation increase was at 11% (down from 14% in the previous year); 20% of CISOs did not receive a raise (double that of the previous year); and retention and equity packages were received by only 12% (down from 21%) and 8% (down from 24%) of CISOs respectively.

It is further worth considering the 2023 Security Budget Benchmark Report that was produced by IANS/Artico partnership and compiled in September 2023. According to this report, security budgets have increased by 6% “following double-digit increases in 2020 and 2021”. In greater detail, more than one-third of CISOs (37%), “reported flat or declining security budgets, year-over-year.”

But the reality of the situation is that while CISO compensation is not increasing as fast as in previous years, it is still increasing at a faster rate than the overall security budget – and that same compensation package is taking even more out of the security budget.  securityweek.com

CISA Releases New Resources Identifying Known Exploited Vulnerabilities and Misconfigurations Linked to Ransomware

9 essential ransomware guides and checklists available for free

Serial Thief to Get 1 Yr Mandatory Federal Prison

DOJ: District Man Indicted on Enhanced Second Degree Theft for October Theft from a CVS

 WASHINGTON – Kinshasa Reddock, 40, of Washington, D.C., was indicted by a grand jury this week in the Superior Court of the District of Columbia on one count of second-degree theft stemming from the Oct. 1, 2023, theft from a CVS store.   Reddock is to be arraigned on Friday, Oct.13, 2023, at a hearing before a Superior Court judge.

According to the indictment, at about 5:35 p.m. on Oct. 1, 2023, Reddock entered the CVS store, took various items from the shelves and placed them into a bag. Reddock then promptly left the store bypassing all points of sale without paying for any of the items. He was arrested minutes later, in possession of many of the items, by members of the MPD.

Reddock has more than two prior theft convictions, though not from the same occasion, and is therefore subject to enhanced penalties for his alleged theft, including a mandatory minimum sentence of one year in prison.  justice.gov

The police chief and the mayor in suburban Lyons have shared more information about a sophisticated, high-end theft ring that spanned multiple states and amounted to millions of dollars. The investigation is centered around a warehouse in the Austin neighborhood filled with stolen merchandise. As CBS 2's Marissa Perlman reported, millions of dollars in high-end items were found inside - including shoes like Nikes and Yeezys, toys, iPads, jewelry, and jeans with a price tag of $375.

"They are referring to this as the mother lode so I don't hear that term very often," said Chief Tom Herion. There are at least five suspects, two of whom have already been arrested and charged. Lyons detectives found surveillance video that shows Erick Lujano Bautista and his employee, Edwin Aguirre Ramirez, breaking into and then stealing a semi-trailer and taking it to that warehouse in Austin to resell to retailers. Both suspects are 24 years old and are charged with burglary. Lujano-Bautista is also charged with possession of stolen property. The warehouse was used as a home base to push stolen goods across the country.

The investigation was fired up after a semi-trailer parked in a lot in Lyons was broken into last month. Inside were thousands of dollars worth of collectable figurines that were swiped. Hours later that trailer was also stolen. The thieves took the trailer to a warehouse in Chicago, unloaded the cargo, and then abandoned it at a parking lot nearby. Officials say the interstate trafficking of merchandise was fueled by rail cargo thefts -- a trend that has become a national epidemic where the stolen goods are unpackaged, then re-packaged and resold to small retailers. Detectives say this was the biggest-ever recovery for this department. More charges could be coming, and they are looking for more suspects. (cbsnews.com)

San Francisco, CA: Update: Smash-and-grab thieves target San Francisco Dior boutique in Union Square; 2 suspects arrested.

Police in San Francisco are investigating an early morning smash-and-grab burglary at the Dior store in Union Square Thursday where suspects drove a vehicle through the front of the shop and took high-end merchandise. According to the SFPD, at around 6:49 a.m., officers were dispatched to the corner of Post Street and Grant Avenue regarding a burglary in progress. A witness told that three vehicles stopped in front of a retail store -- later revealed to be the Dior store at 185 Post -- with one of the vehicles crashed into the store.

Video and photos from the scene showed the impact had smashed the exterior windows and damaged the security gate at the front of the store. Police said the witness told them multiple suspects got out of all three vehicles, entered the store, and emerged from the store with merchandise, estimated at $275.000. All three vehicles fled the area and descriptions of the vehicles were transmitted to responding officers. One officer responding to the scene spotted one of the suspect vehicles entering a freeway on ramp. The vehicle crashed and all the occupants exited the vehicle and fled the area on foot. Officers were able to locate and arrest two of the fleeing suspects. (cbsnews.com)

Pittsburgh, PA: Man wanted for cross-country retail theft operation at Home Depots arrested in Pittsburgh area.

A man wanted for a cross-country retail theft operation was arrested in Ohio Township. The call went out, and the Ohio Township Police Department answered. "They shared images of the vehicle of the suspect who had yet to be formally identified and asked us to be on the lookout for him," said Ohio Township Detective D. Ryan Ging. "They thought he was moving this way based on his pattern and movement."

An Ohio Township officer cruised through The Home Depot in Ben Avon Heights, and as luck would have it, he spotted the suspect's vehicle. "He saw the defendant, Antonio Bryant, coming back to his vehicle. Ironically enough after committing another theft," Ging said. Bryant, who is from Georgia, is now accused of stealing thousands of dollars from countless Home Depots across the nation.

"A lot of times, he would go to self-checkout and he would take smoke detectors, CO detectors or GFCI outlets and he would just under-ring them," Ging said. "He would switch the SKU codes so it would ring up as something pennies on the dollar." Police believe Bryant would then drive to another Home Depot, return all of it and convert it to cash. "We didn't find any reason ... to logically explain why he was doing this," Ging said. "We almost suspect it could be just the thrill." Cranberry police and several other Pittsburgh-area police departments plan to also file charges against Bryant. Police said they believe he was involved in similar thefts in Texas, Missouri, Kansas, Ohio, Michigan and Indiana. He is in the Allegheny County Jail. (cbsnews.com)

Los Angeles, CA: Smash-and-Grab Suspects Steal $15K in Merch From Melrose Avenue Boutique.

A small boutique on trendy Melrose Avenue in the Fairfax District within Central Los Angeles was targeted by thieves. (roundtable.io)

Pleasant Hills, CA: 11 arrested for grand, petty theft at Pleasant Hill Shopping Center (contracostaherald.com)

Irvine, CA: The Irvine Police are searching for a man who keeps stealing from a Target store (newsantaana.com)