Investigative & Security Professionals for Legislative Action

Security Related Topics

  • 12 Jun 2017 10:13 AM | Anonymous member (Administrator)

    ISPLA is grateful to Stratfor for providing the following item by Scott Stewart, VP of Tactical Analysis. He is a former U.S. Department of State Special Agent and supervises Stratfor's analysis of terrorism and security issues.


    If you're an American, you don't want to be taken hostage. Since 2001, 90 Westerners have been kidnapped and killed overseas, and according to a January study from New America, 41 of them were Americans. That American deaths are disproportional to the number of total hostages raises the question: Why not negotiate?

    In the study titled "To Pay Ransom or Not to Pay Ransom? An Examination of Western Hostage Policies," authors Christopher Mellon, Peter Bergen and David Sterman examined the cases of 1,185 Westerners kidnapped overseas by terrorist, militant and pirate groups since Sept. 11, 2001. The study reached two conclusions: "First, countries that do not make concessions experience far worse outcomes for their kidnapped citizens than countries that do. Second, there is no evidence that American and British citizens are more protected than other Westerners by the refusal of their governments to make concessions."

    The study then made the following policy recommendations:

    1. The United States should clarify its stance on granting immunity from prosecution to third parties that assist the families and friends of hostages held by terrorists.
    2. The United States should facilitate prisoner exchanges for its citizens kidnapped abroad.
    3. The United States should encourage more data-driven study of hostage taking.
    4. The United States should evaluate the degree to which the rise of digital media has changed the cost-benefit analysis underlying its hostage policy.

    I had the privilege of debating one of the authors, Mellon, on the efficacy of these policy recommendations at a May 24 meeting of the Faith-Based Organizations Working Group, which is part of the Overseas Security Advisory Council. While deliberating a topic isn't normally within the scope of this column, U.S. hostage policy is of keen interest to nongovernmental organizations (NGOs), corporations, families of current hostages and private negotiators.

    Examining the Recommendations

    First, I agree with the study's recommendation of granting immunity from prosecution to third parties that assist families. A public uproar arose after senior officials in U.S. President Barack Obama's administration threatened to prosecute the families of James Foley and Steven Sotloff, both journalists captured in Syria, if they paid a ransom to the Islamic State. So in June 2015 the Obama administration altered the policy, saying families would not be prosecuted — a welcome change. Such prosecutions have zero jury appeal, and it is unconscionable to threaten American families as they endure the anxiety of trying to free a kidnapped child.

    Furthermore, there is a great deal of disparity in the way U.S. law has applied to families, depending on who the kidnappers were. For example, if al Shabaab, a designated foreign terrorist organization, kidnapped a family member in Somalia, a person could be charged with material support of a terrorist group if he or she paid a ransom. However, if Somali pirates kidnapped the family member, there would be no fear of being charged because pirates are not designated as terrorists. The only problem with the updated policy is that it is not a law and can be changed on a whim. Consequently, it needs to be codified. The policy, moreover, is unclear when it comes to companies, NGOs and private negotiators. There has never been a clear-cut statement on whether a company, NGO or private negotiator will be charged after paying a ransom to a terrorist group to free a kidnapped employee (American or otherwise).

    Finally, I have no qualms with the third and fourth policy suggestions. More research on the subject is always a good thing.

    A Critical Look at the Study

    One problem with the methodology of the study arises when the authors fail to account for the cases in which Americans were abducted, but nothing reasonable — or nothing at all — was demanded for their release. For example, a demand to "release all Iraqi captives and completely pull all American troops out of Iraq" is not reasonable, and the captors certainly did not expect it to be met. This means that many (we count at least 14) of the 41 Americans who died in captivity were killed strictly for propaganda purposes.

    As the sole global superpower, the United States is seen as the "Great Satan" by Iran and its militant proxies, and jihadists single out America for special hatred because it is viewed as the "head of the snake," or the leader of the crusader coalition. Al Qaeda believes it cannot establish a caliphate until the United States is driven from the Muslim world by terrorism and guerrilla warfare. Killing Americans in propaganda videos is seen as a way to achieve this end.

    Some examples of the propaganda executions of Americans include Daniel Pearl, Nicholas Berg, Paul Johnson, Cydney Mizell and Owen Armstrong. Several British citizens have been killed for the same reason as well, including Kenneth Bigley, Jason Swindlehurst, Jason Creswell, Alec MacLachlan and David Addison. It is also unclear whether the payment of a ransom would have led to the release of American hostages Sotloff, Foley, Peter Kassig and Kayla Mueller. The Islamic State may have deemed their propaganda value greater than any potential payout.

    If you remove hostages who never had a realistic chance of being freed via ransom or prisoner swap, the study's statistics begin to look quite different.

    Second, it's a bad idea for the U.S. government to exchange prisoners for hostages. Direct negotiations with terrorists give them an air of importance and parity, and government involvement inflates the value of hostages, increasing the incentive to take them. This inflation has been quite apparent in ransoms paid by governments in the Sahel over the past decade. Terrorists understand that a government has much deeper pockets than a family or NGO.   

    But Washington has not always had a policy of refusing to negotiate with terrorists. The administration of President Richard Nixon first adopted it during the 1973 seizure of the Saudi Embassy in Khartoum, Sudan. In the attack, U.S. Ambassador Cleo Noel Jr. was killed by the Black September Organization. Prior to the incident, Washington's policy had been to encourage governments to negotiate with terrorists in order to free American hostages.

    By confining the study to the post-9/11 era, the authors missed a significant lesson that the administration of President Ronald Reagan learned in the mid-1980s when it abandoned the no-concessions policy. Instead, it tried to follow the Israeli model of negotiation in the arms-for-hostages portion of the Iran-Contra scandal, which landed Reagan officials in hot water. Reagan’s team tried to use the money from Iranian arms sales to support the Nicaraguan Contras. The drive for negotiations was prompted by the 1984 abduction of CIA station chief William Buckley in Beirut.

    Even when separated from the Nicaraguan portion of the deal, the arms-for-hostages part of Iran-Contra was a bad policy. The arms deals succeeded in gaining the release of Benjamin Weir, Lawrence Jenco and David Jacobsen — three of the seven Western hostages then held in Lebanon. However, after their release, Hezbollah quickly restocked its supply of hostages and kidnapped eight more Westerners. In 1985, the Reagan administration sought to use the Israeli model again after the hijacking of TWA Flight 847. The United States worked with Israel to release 700 Shiite prisoners in exchange for the aircraft and its passengers. This exchange influenced Hezbollah's expectations regarding the Lebanon hostages, and it boosted the hopes of terrorists involved in later hijackings, including EgyptAir Flight 648, Pan Am Flight 73 and Kuwait Airways Flight 422.

    For some Hezbollah leaders, such as Imad Mughniyah, the kidnappings had a personal element because they helped free friends and relatives. Mughniyah’s brother-in-law and friend Mustafa Badreddine and 16 other accomplices, known as the Dawa 17, were imprisoned in Kuwait for the December 1983 bombing of the U.S. Embassy. These events convinced the U.S. government that it was time to return to its policy of no concessions.

    Government involvement in prisoner swaps can cause other problems as well, as illustrated by the case of 1st Lt. Muath al-Kaseasbeh. Al-Kaseasbeh was a Jordanian pilot who was shot down near Raqqa, Syria, on Dec. 24, 2014, and captured. The Islamic State demanded the release of Sajida Mubarak al-Rishawi, a female jihadist who participated in a failed suicide bombing in Amman in 2005 for al Qaeda in Iraq, in exchange for him and Japanese hostage Kenji Goto. The Islamic State negotiated for their release for several weeks with the Jordanian and Japanese governments; all the while al-Kaseasbeh was dead. The Islamic State had burned him to death — and had produced a long propaganda video of the gruesome execution. When a government negotiates, even the talks can be strung out and used for propaganda.

    Proving a Negative

    One challenge that all governments and security directors face is proving a negative. What events did our policies prevent? It is very difficult to prove what did not happen.

    There are some anecdotal cases in which Washington's no-concession policy helped dissuade a kidnapping. One happened shortly after El Sayyid Nosair was arrested in the November 1990 assassination of Rabbi Meir Kahane. A group of Nosair’s friends and supporters — many of whom would later go on to play significant roles in the 1993 World Trade Center bombing — explored ways to get him out of New York’s Attica prison. One idea involved kidnapping former Secretary of State Henry Kissinger and exchanging him for Nosair. Fortunately for Kissinger, the U.S. no-deal policy led them to scrap the plot.

    Finally, the government did, as the report’s authors note, conduct a prisoner swap for U.S. soldier Bowe Bergdahl. But there is a big difference between someone who voluntarily enters a war zone, such as a journalist or aid worker, and someone who is ordered to go by their government. When a soldier or diplomat is sent into a dangerous environment, the government has a special duty to do everything in its power to get the hostage released, even in the case of Bergdahl, who was captured under "murky" circumstances. As the inflation principle of government involvement suggests, however, his freedom came at a price: The United States released five senior Taliban members for one U.S. soldier who is now facing desertion charges.

  • 06 Mar 2017 3:58 PM | Anonymous member (Administrator)

    Researchers can predict terrorist behaviors with more than 90% accuracy

    2017-03-02

    New framework developed by Binghamton University researchers could help understand terrorist behaviors and detect suspicious attacks

    BINGHAMTON, NY–Government agencies cannot always use social media and telecommunication to uncover the intentions of terrorists as terrorists are now more careful in utilizing these technologies for planning and preparing for attacks. A new framework developed by researchers at Binghamton University, State University of New York is able to understand future terrorist behaviors by recognizing patterns in past attacks.

    Researchers at Binghamton have proposed a comprehensive new framework, the Networked Pattern Recognition (NEPAR) Framework, by defining the useful patterns of attacks to understand behaviors, to analyze patterns and connections in terrorist activity, to predict terrorists’ future moves, and finally, to prevent and detect potential terrorist behaviors.

    Using data on more than 150,000 terrorist attacks between 1970 and 2015, Binghamton University PhD student Salih Tutun developed a framework that calculates the relationships among terrorist attacks (e.g. attack time, weapon type) and detects terrorist behaviors with these connections. Mohammad Khasawneh, professor and head of the Systems Science and Industrial Engineering (SSIE) department at Binghamton University, assisted and advised Tutun with his research. Jun Zhuang, an associate professor and director of undergraduate studies in the Department of Industrial and Systems Engineering at the University at Buffalo, also contributed to this research. In the framework, there are two main phases: (1) building networks by finding connections between events, and (2) using a unified detection approach that combines proposed network topology and pattern recognition approaches. Firstly, the framework identifies the characteristics of future terrorist attacks by analyzing the relationship between past attacks. Comparing the results with existing data shows that the proposed method was able to successfully predict most of the characteristics of attacks with more than 90% accuracy.

    Moreover, after building the network with connections, the researchers propose a unified detection approach that applies pattern classification techniques to network topology and features of incidents to detect terrorism attacks with high accuracy, and identify the extension of attacks (90 percent accuracy), multiple attacks (96 percent accuracy) and terrorist goals (92 percent accuracy). Hence, governments can control terrorist behaviors to reduce the risk of future events. The results could potentially allow law enforcement to propose reactive strategies, said Tutun.

    "Terrorists are learning, but they don’t know they are learning. If we can’t monitor them through social media or other technologies, we need to understand the patterns. Our framework works to define which metrics are important," said Tutun. "Based on this feature, we propose a new similarity (interaction) function. Then we use the similarity (interaction) function to understand the difference (how they interact with each other) between two attacks. For example, what is the relationship between the Paris and the 9/11 attacks? When we look at that, if there’s a relationship, we’re making a network. Maybe one attack in the past and another attack have a big relationship, but nobody knows. We tried to extract this information."

    Previous studies have focused on understanding the behavior of individual terrorists (as people) rather than studying the different attacks by modeling their relationship with each other. And terrorist activity detection focuses on either individual incidents, which does not take into account the dynamic interactions among them; or network analysis, which gives a general idea about networks but sets aside functional roles of individuals and their interactions.

    "Predicting terrorist events is a dream, but protecting some area by using patterns is a reality. If you know the patterns, you can reduce the risks. It’s not about predicting, it’s about understanding," said Tutun.

    Tutun believes that policymakers can use these approaches for time-sensitive understanding and detection of terrorist activity, which can enable precautions against future attacks.

    "When you solve the problem in Baghdad, you solve the problem in Iraq. When you solve the problem in Iraq, you solve the problem in the Middle East. When you solve the problem in the Middle East, you solve the problem in the world," said Tutun. "Because when we look at Iraq, these patterns are happening in the USA, too."

    The paper, "New framework that uses patterns and relations to understand terrorist behaviors," was published in Expert Systems with Applications.

  • 30 Dec 2016 12:07 PM | Anonymous member (Administrator)

    The following release provided to ISPLA is a rather long news clip on bank fraud schemes.  Interesting to see where future problems may arise regarding Automated Clearing House (ACH) procedures.

    American Banker: Faster ACH Payments Strain Bank Anti-Fraud Systems

    By Penny Crosman - December 29, 2016

    Faster ACH payments are taxing banks' ability to check for fraud and criminals are taking notice.

    As of September 2016, credit-based ACH payments are now being settled within the same day. These are transactions where one person or entity is pushing money from their bank account to another person or organization, using the automated clearinghouse. Examples include direct deposit, payroll, person-to-person and vendor payments.

    Where before banks had two to five days to analyze suspicious transactions, now in some cases they have only two hours. Banks haven't quite caught up with the shorter time frame for checking red flags, some say, and fraudsters have jumped on this opportunity.

    "Recently we've seen more evidence of incidences of ACH fraud than we have in the past," said Andrew Davies, a vice president at Fiserv who helps financial institutions worldwide spot potentially illegal transactions.

    Davies has seen recent cases of malicious software tampering with ACH files to perpetrate fraud. For instance, hackers are manipulating payroll files and adding themselves as fake employees to collect money. Some of the cases have been in the U.S. 

    Some banks' systems don't sufficiently scrutinize ACH files

    "A lot of their fraud filters will not necessarily have the wherewithal to break out all the transactions, look at history of the accounts on the incoming and outgoing side, look at the batches within the file, and then look at the behavior associated with the overall file from an ACH perspective," Davies said.
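The file-level review Davies describes, and the fake-employee tampering mentioned above, as an added example that is not code from the article or any vendor named in it. It breaks a payroll batch into entries, compares each payee with prior runs, and then checks the batch and file as a whole; field offsets follow the 94-character NACHA entry detail record (type 6) as the author understands it (verify against your operator's specification), and the history, routing number and batch are constructed.

```python
"""Batch-level checks for a same-day payroll ACH file (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    tran_code: str      # 22 = checking credit, 32 = savings credit
    routing: str        # 8-digit RDFI id plus check digit
    account: str
    amount_cents: int
    employee_id: str    # Individual Identification Number field
    name: str
    trace: str


def parse_entry(line: str) -> Entry:
    """Parse one type-6 entry detail record (fixed width, 94 characters)."""
    if len(line) != 94 or line[0] != "6":
        raise ValueError("not an entry detail record")
    return Entry(
        tran_code=line[1:3],
        routing=line[3:12],
        account=line[12:29].strip(),
        amount_cents=int(line[29:39]),
        employee_id=line[39:54].strip(),
        name=line[54:76].strip(),
        trace=line[79:94],
    )


def make_entry(tran, routing, account, cents, emp_id, name, trace) -> str:
    """Build a constructed type-6 record so the sample below is self-contained."""
    rec = (f"6{tran}{routing}{account:<17}{cents:010d}{emp_id:<15}"
           f"{name:<22}  0{trace}")  # 2 discretionary chars, addenda indicator 0
    assert len(rec) == 94, len(rec)
    return rec


# Constructed baseline from prior payroll runs: employee id -> (account, cents).
HISTORY = {
    "E1001": ("000123456789", 312500),
    "E1002": ("000987654321", 287000),
    "E1003": ("000555666777", 401250),
}
HIST_TOTAL = sum(c for _, c in HISTORY.values())

RTN = "123456780"  # constructed receiving bank routing number
# Constructed batch: the three real employees plus two injected "employees"
# that both pay into one account the company has never paid before.
SAMPLE_BATCH = [
    make_entry("22", RTN, "000123456789", 312500, "E1001", "JANE DOE", "123456780000001"),
    make_entry("22", RTN, "000987654321", 287000, "E1002", "JOHN ROE", "123456780000002"),
    make_entry("22", RTN, "000555666777", 401250, "E1003", "MARY MAJOR", "123456780000003"),
    make_entry("22", RTN, "000111222333", 95000, "E9998", "PAT SMITH", "123456780000004"),
    make_entry("22", RTN, "000111222333", 95000, "E9999", "SAM SMITH", "123456780000005"),
]


def check_batch(lines, history=HISTORY, hist_total=HIST_TOTAL,
                amount_tolerance=0.5, total_tolerance=0.10):
    """Return (code, reference, detail) findings for a payroll batch."""
    entries = [parse_entry(ln) for ln in lines if ln.startswith("6")]
    findings = []
    payees_per_account = {}
    for e in entries:
        payees_per_account.setdefault((e.routing, e.account), set()).add(e.employee_id)
        if e.employee_id not in history:
            findings.append(("NEW_PAYEE", e.trace,
                             f"{e.employee_id} has never appeared in payroll"))
            continue
        hist_account, hist_cents = history[e.employee_id]
        if e.account != hist_account:
            findings.append(("ACCOUNT_CHANGED", e.trace,
                             f"{e.employee_id} now pays to {e.account}"))
        if abs(e.amount_cents - hist_cents) > amount_tolerance * hist_cents:
            findings.append(("AMOUNT_DEVIATION", e.trace,
                             f"{e.amount_cents} vs usual {hist_cents}"))
    # Batch-level: one account collecting for several employee ids.
    for (routing, account), emps in payees_per_account.items():
        if len(emps) > 1:
            findings.append(("SHARED_ACCOUNT", account,
                             f"{len(emps)} employee ids pay into one account"))
    # File-level: entry count and total against history.
    if len(entries) > len(history):
        findings.append(("ENTRY_COUNT_UP", "batch",
                         f"{len(entries)} entries vs {len(history)} usual"))
    total = sum(e.amount_cents for e in entries)
    if total > hist_total * (1 + total_tolerance):
        findings.append(("BATCH_TOTAL_UP", "batch",
                         f"{total} cents vs usual {hist_total}"))
    return findings


if __name__ == "__main__":
    for code, ref, detail in check_batch(SAMPLE_BATCH):
        print(f"{code:16} {ref:16} {detail}")
```

Run against a clean copy of the previous run the checker returns nothing; the two injected payees surface as new payees sharing one account, with the batch count and total both above baseline.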

    Money lost this way will be difficult to recover

    "Anytime you push money out, it's really hard to pull it back," said Ruston Miles, founder and chief innovation officer of Bluefin Payment Systems, a payment processor. For instance, "if it's a payroll file, the money has been pushed out, and you can't go out to the customer and pull it back."

    A lot of fraud monitoring is still done manually, Miles said.

    "Most banks have electronic fraud detection systems that catch transactions that don't look right and put them in an exception bin, and these banks employ floors of people who inspect the flagged transactions," Miles said. "With same-day, all that time gets crunched down, so you either have to add more people or you have to open the floodgates on your fraud detection systems or you've got to get more picky about fraud detection."

    Along with faster settlement, the increasing interconnectedness of international payment systems taxes fraud investigators' skills and resources. The fact that dozens of countries are increasing the speed of payment transactions brings an increased level of risk.

    "If you're settling transactions between financial institutions more frequently or in shorter time frames, and you have too many false positives or you have a limited amount of resources to remediate unusual activity, the funds … may well have moved on to South Korea in a relatively short time frame, and you're still sitting on an alert you haven't had a chance to look at," Davies said.

    "I wouldn't say banks are scrambling but there's increased focus and understanding of the elevated risks associated with those transactions," Davies said.

    In a way, this problem isn't new. There have long been different speeds for ACH payments. Also, in some cases you can pay to expedite ACH or bill payments.

    "Many financial institutions have found that if criminals can pay a fee for expedited processing, they don't mind paying the fee, and you see a shift in many cases to these quicker mechanisms," said David Pollino, deputy chief security officer for Bank of the West.

    He points out that there's an upside: Now banks have a way to risk-stack their products, knowing that the faster services are inherently more attractive to criminals.

    Jane Larrimer, executive vice president of ACH network administration at Nacha, said she is not aware of increased fraud over the network. (Nacha refers to itself as "The Electronic Payments Association"; it was formerly the National Automated Clearing House Association.)

    "We have not heard that at all," she said. "It's been amazingly quiet." Bank members worked to make sure they had robust risk and fraud systems during the 16-month lead-up to the faster credit payments.

    "They did that work and they were ready to go on phase 1," Larrimer said.

    Banks aren't required to report ACH-related fraud to Nacha. "But if there was some upswing, we do hear things," Larrimer said.

    Pollino is also unworried about the threat of fraudsters breaking in and changing ACH files, because doing so takes a lot of work. Phishing attacks are still the biggest fraud concern at Bank of the West.

    "Why hack into a system, understand a complex financial package, figure out where that file is and then change the file if you can just email the person and ask them for the money?" he said.

    Next Challenge: Same-Day ACH Debits

    Same-day ACH debit payments, which go into effect Sept. 15, 2017, will be even trickier for fraud prevention teams.

    ACH debit transactions typically take two to three days to clear and settle, noted Steve Mott, principal of BetterBuyDesign, an advisory firm in Stamford, Conn. And banks' fraud systems take full advantage of that window.

    "Some would say it's a lazy way, because it takes advantage of the time to say, 'OK, I don't have to check this stuff until I come in on Monday morning,' " Mott said.

    The banks' fraud systems, controls and secondary and tertiary checks all assume the bank has plenty of time to perform those checks. Those will need to be updated.

    "What's happened historically is that none of the financial institutions have wanted to change much in the way they did faster and more secure stuff through the pipes until they absolutely have to," Mott said.

    Power of the Bank Account Number

    In a faster-ACH-payments world, the bank account number becomes more powerful because it can be turned into cash more quickly.

    To date, bank account numbers have been worth less than credit card numbers in the black market because they've been harder to use.

    With same-day settlement, fraudsters will be able to use bank account numbers to make real-time purchases, such as software, movie and song downloads, and receive the items before a bank can stop them.

    "If fraud starts really going there and merchants start losing, merchants will either have to add anti-fraud detection systems themselves or they may turn away from ACH payments for any real-time or near-real-time transfers, because they can't be assured of the funds," Miles said. 

    Americans are fairly casual about writing and sending checks, which have our full account number printed at the bottom, to anyone because of the built-in protections of time, Miles said. I recently sent a year-end tip by check to the person who delivers my newspaper. This is someone I've never met, who lives in a town I've never been to, and for all I know she could be a petty criminal. Now she has my checking account number and my bank name and routing number, as well as my address and signature.

    "Now we're taking out that time buffer, making this twice a day, same day, meaning that it's more convenient and easier for fraudsters to capitalize on the account numbers."

    But account numbers printed on checks are unlikely to be a large-scale problem, Miles pointed out.

    "Hackers want to automate these attacks; they don't want to dig through the trash all over the country to steal a million check numbers," he said. "They want to open their laptop and see that 10,000 bank account numbers were found over the past week, through automated attack tools. So that's the big threat."

    Miles suggested the banking industry needs to develop security standards like PCI. "The best way to fix the problem is to not have the fraudsters get their hands on the bank account numbers in the first place, and that comes through data security and not through authentication," Miles said. For instance, the PCI data security standard requires that payment card data be encrypted at all times; this same rule could help protect bank account data. Tokenization of account numbers could also help, he said.

    Continual Improvement

    As ACH payments continue to get faster, along with FedWire, Chips, and other types of payments, banks are going to have to step up their fraud analytics and security efforts accordingly. Those processes will need to be continually improved, too, Pollino said.

    "As soon as you're happy with your controls, the criminals will get happy with them as well because they'll figure out a way around them," he said.

    Nacha members have been upgrading their risk processes and procedures, Larrimer said. "Same-day is the tipping point," Larrimer said. "We're the first movement in faster payments. So they're starting here and I don't think this is the end of it."

    She also noted that faster payments can lower transaction risk, especially credit and operations risk.

    "And the faster you can settle things on the system, that lessens the systemic risk," she said.

    One thing banks need to do is understand how the criminal rings that target them work, Pollino suggested.

    "Are they looking for the small, quick score or are they looking for the larger, long-term payoff?" he said. "Criminals looking for the quick, small score might be drawn toward this type of product." The bank's fraud analytics and fraud detection strategies need to be tuned to that.

    Third-party data sets become increasingly useful to help vet the parties to a transaction, Pollino said. Names, phone numbers, email addresses and account numbers can all be checked against databases run by Early Warning Services, LexisNexis, Experian and others. 

    "It's becoming more and more important to understand where this money is going, who's at the other end of the transaction," Pollino said. "Does your customer know who's at the other end of the transaction? What personal information is included in a transaction?"


    Bruce Hulme, CFE, BAI

    ISPLA Director of Government Affairs

    ISPLA: Keeping Investigative & Security Professionals Informed of Emerging Issues

  • 17 Nov 2016 10:56 AM | Anonymous member (Administrator)

    Prioritizing Internet of Things (IoT) Security

    While the benefits of IoT are undeniable, the reality is that security is not keeping up with the pace of innovation. As we increasingly integrate network connections into our nation’s critical infrastructure, important processes that once were performed manually (and thus enjoyed a measure of immunity against malicious cyber activity) are now vulnerable to cyber threats. Our increasing national dependence on network-connected technologies has grown faster than the means to secure it.

    The IoT ecosystem introduces risks that include malicious actors manipulating the flow of information to and from network-connected devices or tampering with devices themselves, which can lead to the theft of sensitive data and loss of consumer privacy, interruption of business operations, slowdown of internet functionality through large-scale distributed denial-of-service attacks, and potential disruptions to critical infrastructure.

    Last year, in a cyber attack that temporarily disabled the power grid in parts of Ukraine, the world saw the critical consequences that can result from failures in connected systems. Because our nation is now dependent on properly functioning networks to drive so many life-sustaining activities, IoT security is now a matter of homeland security.

    Overview of Strategic Principles

    Many of the vulnerabilities in IoT could be mitigated through recognized security best practices, but too many products today do not incorporate even basic security measures. There are many contributing factors to this security shortfall. One is that it can be unclear who is responsible for security decisions in a world in which one company may design a device, another supplies component software, another operates the network in which the device is embedded, and another deploys the device. This challenge is magnified by a lack of comprehensive, widely-adopted international norms and standards for IoT security. Other contributing factors include a lack of incentives for developers to adequately secure products, since they do not necessarily bear the costs of failing to do so, and uneven awareness of how to evaluate the security features of competing options.

    Below is a link to a 17-page November 15, 2016 report by the U.S. Department of Homeland Security entitled "Strategic Principles for Securing the Internet of Things (IoT)." It sets forth ways to organize strategies to address IoT security challenges.


  • 02 Mar 2016 10:54 AM | Anonymous member (Administrator)

    The item below was furnished to ISPLA from a regulatory agency having jurisdiction over the financial services industry. It outlines various pretexts used against banks and others to obtain personally identifiable information (PII) of their customers. - Bruce Hulme, ISPLA Director of Government Affairs

    American Banker: To Case the Joint, Press 1: Crooks Refocus on Bank Call Centers - By Penny Crosman - March 1, 2016

    The often-overlooked call center is getting more attention, as banks realize that stronger security on online and mobile channels has driven cybercriminals to focus their energies on conning phone reps.

    They're tricking these eager-to-please call center agents into coughing up customer information or letting them reset passwords on other people's accounts.

    "Fraudsters will always use the weakest plank in the door," said Gary McAlum, chief security officer at USAA. "If you're using strong authentication security but someone can call into a call center and social-engineer through the call center representative to reset their account, then that's the weak point in the network. It has to be an end-to-end holistic approach."

    This problem made news when Apple Pay came out in September 2014. There was an immediate rash of call center fraud, as cybercriminals realized they could set up accounts using stolen credit card data. The problem has steadily grown since then.

    Last year, one in every 2,900 calls coming into large banks' call centers was fraudulent, according to Pindrop Security. This year, the number is closer to one in every 2,000 calls. Among regional banks, it's more like one in 700. Pindrop's software analyzes incoming calls for signs of fraud and scores them for risk. For instance, if a call is coming from Nigeria and the same caller number has called the contact center for different accounts, it will probably end up with a high risk score. (Pindrop was one of American Banker's Tech Companies to Watch in 2013 and it recently received $75 million from Google Capital. Its customers include eight of the top 15 U.S. banks.) The company will release this year's fraud report in April but gave American Banker a few numbers in advance.
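The kind of call risk scoring described above, as an added example that is neither Pindrop's product nor anything from the article. It scores a constructed call log on the signals the paragraph names (one caller number working several accounts in a short window, a call from a country the account has never been contacted from) plus a sensitive request from a number the account has never used; the weights, window, account profiles and phone numbers are assumptions.

```python
"""Risk-score inbound call-centre calls from a constructed call log (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed account profiles: caller numbers (ANIs) and countries seen on
# genuine prior calls for each account.
KNOWN = {
    "ACC-1": {"anis": {"+14045550101"}, "countries": {"US"}},
    "ACC-2": {"anis": {"+14045550102"}, "countries": {"US"}},
    "ACC-3": {"anis": {"+14045550103"}, "countries": {"US"}},
}

# Constructed call log: ACC-1's own customer calls first, then a single ANI
# from Nigeria (the article's example) works three different accounts.
CALLS = [
    {"id": 1, "ts": "2016-02-10T09:00:00", "ani": "+14045550101",
     "account": "ACC-1", "country": "US", "request": "balance"},
    {"id": 2, "ts": "2016-02-10T10:05:00", "ani": "+2348000000000",
     "account": "ACC-1", "country": "NG", "request": "balance"},
    {"id": 3, "ts": "2016-02-10T10:40:00", "ani": "+2348000000000",
     "account": "ACC-2", "country": "NG", "request": "password_reset"},
    {"id": 4, "ts": "2016-02-10T11:15:00", "ani": "+2348000000000",
     "account": "ACC-3", "country": "NG", "request": "wire"},
]

HIGH_RISK_REQUESTS = {"password_reset", "wire"}


def score_calls(calls, known=KNOWN, window=timedelta(hours=24)):
    """Return {call id: (score 0-100, [reasons])} for every call in the log."""
    by_ani = defaultdict(list)
    for c in calls:
        by_ani[c["ani"]].append(c)
    results = {}
    for c in calls:
        t = datetime.fromisoformat(c["ts"])
        score, reasons = 0, []
        # Signal 1: distinct accounts this ANI touched inside the window.
        accounts = {o["account"] for o in by_ani[c["ani"]]
                    if abs(datetime.fromisoformat(o["ts"]) - t) <= window}
        if len(accounts) >= 3:
            score += 50
            reasons.append(f"ANI touched {len(accounts)} accounts within {window}")
        elif len(accounts) == 2:
            score += 25
            reasons.append("ANI touched 2 accounts within window")
        profile = known.get(c["account"], {"anis": set(), "countries": set()})
        # Signal 2: originating country never seen for this account.
        if c["country"] not in profile["countries"]:
            score += 20
            reasons.append(f"country {c['country']} new for {c['account']}")
        # Signal 3: sensitive request from an ANI the account has never used.
        if c["ani"] not in profile["anis"]:
            score += 10
            reasons.append("ANI unknown for account")
            if c["request"] in HIGH_RISK_REQUESTS:
                score += 20
                reasons.append(f"{c['request']} requested from unknown ANI")
        results[c["id"]] = (min(score, 100), reasons)
    return results


def step_up_required(results, threshold=50):
    """Call ids the agent should not serve without stronger authentication."""
    return sorted(cid for cid, (score, _) in results.items() if score >= threshold)


if __name__ == "__main__":
    scored = score_calls(CALLS)
    for cid, (score, reasons) in scored.items():
        print(cid, score, "; ".join(reasons))
    print("step-up:", step_up_required(scored))
```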

    The average fraud exposure caused by these hackers — that is, the average amount they could potentially steal after successfully logging in by gaming the call center — was $7.6 million per bank in a 2014-15 study. More recently, in a study that covered the 12 months through February, it was $11 million per bank, according to Pindrop.

    So the attackers have been able to expand the pools of money that they can reach by over 45%.

    "When we're working with customers, we're finding about 30% to 80% of all fraud has a phone component," said Vijay Balasubramaniyan, Pindrop's CEO and chief technology officer.

    Bankers are generally tight-lipped about sharing what technology they're using to better secure their call centers.

    "The more information you provide to the fraudsters, the better [equipped] they are to perpetrate their fraud," said Brett Beranek, director of product strategy for voice biometrics at Nuance Communications. His company's technology analyzes incoming calls for fraud, detecting mismatches between the caller and previous recordings tied to the same account. It can also spot people calling about multiple accounts and fraudsters whose voices are on a blacklist. "The more information is disseminated, the less effective fraud groups can be at stopping the fraudsters."

    Canada's Tangerine Bank recently invested in secure chat software to allow call center agents to have encrypted, archived chat sessions with authenticated customers, according to the bank's chief information officer, Charaka Kithulegoda.

    Patience and PII

    One reason call centers are facing a rise in fraud attempts is the prevalence of personally identifiable information, McAlum observed.

    Fraudsters painstakingly gather information about account holders on the Web and use it to manipulate customer service agents who are trained to be helpful, not to block crime. The fraudster might say, "I don't remember my own password, let me call you right back." Then he'll go out to social media sites and figure it out. 

    "One call center agent completely buckled and started reading out every single account transaction on [a customer's] account for the last month," Balasubramaniyan said. "Though [the fraudster] didn't manage to get a wire at that point, now that he had all his transactions, he called back in, and when the next call center agent said, 'How do I trust you?' he started rattling off these transactions. The call center agent said, 'OK, it must be you,' and let him through."

    Balasubramaniyan's all-time favorite call was from a fraudster who, when asked, "What's your mother's maiden name?" replied, "My dad married thrice, so can I take three guesses?"

    "It doesn't even make sense — so what, your dad married thrice?" Balasubramaniyan said.

    The call center agent allowed him to take three guesses, the last of which was "Smith," which is one of the most popular names in the world and happened to be right. After that call, he wired $97,000 out of the bank. 

    Beranek said by closely monitoring what goes on in the call centers, banks can learn how fraudsters operate.

    "Often a fraudster will call in several times and progressively increase the complexity of their calls," he said. "So for call No. 1, they would ask for a benign piece of information that would be very easy to socially engineer the contact center agent to provide. By call five or seven, they have amassed enough information that they could completely take over the account, go online and perform a wire transfer."

    Fraudsters often need several attempts to break into accounts, because the information they gather about account holders on the Web is sometimes correct and sometimes not.

    IVR Reconnaissance

    In addition to live agents being fooled by fraudsters, there's an uptick in the gaming of automated interactive voice response systems, or IVRs. Cybercriminals can robo-call IVRs continuously to guess a PIN. (If it's four digits, there are 10,000 possible combinations.)

    In 2014, only 47% of calls to banks went through IVR systems. This year, more than 60% of calls will, according to Pindrop, as banks are cutting back on live agent calls. (It behooves Pindrop to point all this out, as it's getting ready to release an IVR security system that will act similarly to its call center software.)

    There isn't always fraud happening within the IVR itself, Balasubramaniyan said. "What the IVR is great in is reconnaissance, which is finding out about an account without talking to a call center agent," he said. It's also good for trying different combinations of account numbers, PINs and card verification values (those three-digit codes on the backs of payment cards) without coming up on any radar.

    "If you're able to detect that activity, you can forewarn banks on average 30 days before account takeover even starts happening," Balasubramaniyan said. "It's almost like 'Minority Report,' " the science fiction movie about a clairvoyant police force.
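    The scoring described above (a high-risk origin, one caller number reaching several accounts, repeated PIN failures at the IVR, and a number calling back about the same account), run over a constructed call log as an added example; this is not Pindrop's, Nuance's or any bank's software, and the country list, weights, thresholds and log records are all assumptions.

```python
"""Scoring call-center and IVR call records for the fraud signals the article describes.

Added example, not Pindrop's, Nuance's or any bank's software. Country list,
weights, thresholds and the call log below are all constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Assumption: a bank-maintained list of high-risk calling geographies.
HIGH_RISK_COUNTRIES = {"NG"}

# Hypothetical weights; a real deployment would tune them against labelled fraud cases.
WEIGHTS = {
    "high_risk_geo": 40,             # call originates from a high-risk geography
    "ani_multi_account": 35,         # one calling number has reached several accounts
    "ivr_pin_guessing": 50,          # repeated PIN failures at the IVR (brute-force probing)
    "repeat_caller_escalation": 25,  # same number calling back about one account
}
ALERT_THRESHOLD = 50
PIN_FAIL_LIMIT = 5                       # failures inside PIN_FAIL_WINDOW that trigger the signal
PIN_FAIL_WINDOW = timedelta(hours=1)
ESCALATION_CALLS = 3                     # agent calls inside ESCALATION_WINDOW that trigger it
ESCALATION_WINDOW = timedelta(days=14)


@dataclass
class Call:
    ts: datetime
    ani: str                        # calling number (automatic number identification)
    account: str
    channel: str                    # "ivr" or "agent"
    country: str                    # ISO country code of the call origin
    pin_ok: Optional[bool] = None   # IVR PIN outcome; None for agent calls


Scored = Tuple[Call, int, List[str]]


def score_calls(calls: List[Call]) -> List[Scored]:
    """Score every call in time order; each score only uses calls seen so far."""
    accounts_by_ani = defaultdict(set)   # ani -> accounts it has called about
    ivr_failures = defaultdict(list)     # account -> timestamps of IVR PIN failures
    agent_history = defaultdict(list)    # (ani, account) -> timestamps of agent calls
    results: List[Scored] = []
    for c in sorted(calls, key=lambda x: x.ts):
        signals: List[str] = []
        accounts_by_ani[c.ani].add(c.account)
        if c.country in HIGH_RISK_COUNTRIES:
            signals.append("high_risk_geo")
        if len(accounts_by_ani[c.ani]) > 1:
            signals.append("ani_multi_account")
        if c.channel == "ivr" and c.pin_ok is False:
            fails = ivr_failures[c.account]
            fails.append(c.ts)
            fails[:] = [t for t in fails if c.ts - t <= PIN_FAIL_WINDOW]  # keep the window only
            if len(fails) >= PIN_FAIL_LIMIT:
                signals.append("ivr_pin_guessing")
        if c.channel == "agent":
            hist = agent_history[(c.ani, c.account)]
            hist.append(c.ts)
            hist[:] = [t for t in hist if c.ts - t <= ESCALATION_WINDOW]
            if len(hist) >= ESCALATION_CALLS:
                signals.append("repeat_caller_escalation")
        results.append((c, sum(WEIGHTS[s] for s in signals), signals))
    return results


def alerts(results: List[Scored], threshold: int = ALERT_THRESHOLD) -> List[Scored]:
    """Calls whose score reaches the alert threshold."""
    return [r for r in results if r[1] >= threshold]


def accounts_to_watch(results: List[Scored]) -> List[str]:
    """Accounts with any signal at all: the early-warning list, below the alert bar."""
    return sorted({c.account for c, _, sig in results if sig})


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed call log (not real data).
SAMPLE_CALLS = [
    Call(_t("2016-02-01T09:00:00"), "+15550100", "ACC-1001", "agent", "US"),
    # six IVR PIN failures against one account in ten minutes from one number
    *[Call(_t(f"2016-02-01T10:{m:02d}:00"), "+15550199", "ACC-2002", "ivr", "US", pin_ok=False)
      for m in range(0, 12, 2)],
    # the same number then calls an agent about a different account, from a high-risk geography
    Call(_t("2016-02-01T11:00:00"), "+15550199", "ACC-3003", "agent", "NG"),
    # a number calling agents three times in a week about a single account
    Call(_t("2016-02-02T08:00:00"), "+15550177", "ACC-4004", "agent", "US"),
    Call(_t("2016-02-05T08:00:00"), "+15550177", "ACC-4004", "agent", "US"),
    Call(_t("2016-02-09T08:00:00"), "+15550177", "ACC-4004", "agent", "US"),
]


if __name__ == "__main__":
    scored = score_calls(SAMPLE_CALLS)
    for call, score, sig in alerts(scored):
        print(f"ALERT {score:3d} {call.ts:%Y-%m-%d %H:%M} {call.ani} {call.account} {sig}")
    print("watch list:", accounts_to_watch(scored))
```

    The watch list is the early-warning output the quote above refers to: ACC-4004 never reaches the alert bar, but its repeat caller is surfaced before any takeover attempt.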

    In addition to security software, of course, part of the answer is to make call center agents more aware of social engineering and help them look for signs of foul play. One of our cybersecurity predictions for 2016 was that banks and other companies would address the problem of fraudsters being able to reset passwords so easily.

    The hard part is taking a tougher stance on such helpful call center duties, without turning away legitimate customers.


  • 07 Jan 2016 12:07 PM | Anonymous member (Administrator)

    The item on encryption below may be of interest to our European INTELLENET members. It concerns a Dutch government document on encryption and is quite informative on the subject of "backdoor" access by government. However, it is quite lengthy. - Bruce Hulme, ISPLA Director of Government Affairs


    Full translation of Dutch Government document by Matthijs R. Koot Posted on 2016-01-05 2016-01-06  

    TL;DR: on January 4th 2016, the Dutch government stated that it will, at this time, not take restrictive legal measures considering the development, availability and use of encryption within the Netherlands. Some things to keep in mind:

    • they explicitly state ‘at this time’ — the possibility remains that their position changes in the future;
    • current Dutch law provides some forms of compelled decryption: first, two provisions in intelligence law regarding targeted hacking and targeted interception (note: the law does not forbid the use of this power against a target, but for obvious reasons — e.g. maintaining operational secrecy — it seems likely it will typically only be used against third parties, for instance a provider, a roommate, etc.), and second, one provision in the code of criminal procedure (criminal law) regarding access to a secured computer (the law forbids the use of this power against a suspect because of nemo tenetur, i.e., the right to not self-incriminate);
    • in July 2015, the Dutch government proposed compelled decryption for untargeted (bulk) interception in a draft intelligence bill (intelligence law). The draft bill is currently being revised and is expected to be submitted to the House of Representatives by the end of Q1/2016. AFAIK it is expected that the final bill, that will be debated in the House of Representatives, will still include the new decryption provision. The status of the bill can be viewed here;
    • in December 2015, the Dutch government stated they cancelled the decryption provision in the final version of a cybercrime bill (more) (part of criminal law). The stated reason for cancelling: incompatibility with nemo tenetur. Why they initially introduced it — notably following a rather critical study by professor Bert-Jaap Koops — yet now cancelled it, is not clear (to me).

    On January 4th 2016, the Dutch government released a statement on encryption. It is covered by El Reg. Here is a full, unofficial translation of that statement (~1600 words; hyperlinks were added by the above translator):

    Government position on encryption

    We hereby submit the government position on encryption. This fulfills promises made during the General Meeting of the Telecom Council of June 10th 2015 (Parliamentary Papers 2014-2015, 21501-33, nr. 552) and the General Meeting of the JHA Council of October 7th 2015.


    Encryption is increasingly easy to obtain and use, and increasingly common in regular data communication. The government, the private sector and citizens increasingly use encryption to protect the confidentiality and integrity of communication and stored data. That is important for public trust in digital products and services, and for the Dutch economy, in the light of the rapidly developing digital society. At the same time, encryption obstructs access to information necessary for prosecution services and intelligence & security services when malicious persons (such as criminals and terrorists) use it. The recent attacks in Paris, where the terrorists possibly used encrypted communications, lead to the justified question of what is needed to provide these services with proper insight into attack planning, and to maintain that insight.

    The duality described in the previous paragraph was also heard in the public debate in the past months about the dilemmas of the use of encryption. The House [of Representatives; i.e., the lower house] has also discussed this. During the General Meeting of the Telecom Council it was asked what the government intends to do regarding the promotion of strong encryption. Besides that, the House requested the government to establish a position on encryption.

    Next, the importance of encryption for the system and information security of the government and the private sector, and for the constitutional protection of privacy and confidential communication, will be discussed. The importance of prosecution of serious criminal offenses and the protection of national security will be laid down. Finally, after weighing of the interests, a conclusion is drawn.

    The Dutch situation cannot be discussed without taking into account the international context. Software for strong encryption is increasingly available world-wide, and is already integrated in products or services. Considering the broad availability and use of advanced encryption techniques, and the cross-border nature of data traffic, options to act at a national level are limited.

    Importance of encryption for the government, private sector and citizens

    Cryptography plays a key role in technical security in the digital domain. Many cyber security measures in organizations depend strongly on the use of encryption. Secure storage of passwords, the protection of laptops against loss or theft, and the secure storage of backups are more difficult without the use of encryption. The protection of data transferred via the internet, for instance during internet banking, is only possible through the use of encryption. Due to the connectedness of systems and the global branches and various paths that communication can travel, the risk of interception, breach, access or manipulation of information and communication is always present.

    The government increasingly communicates with citizens via digital means, and provides services where confidential data is exchanged, such as the use of DigiD [a national authentication system that Dutch citizens can use to log in to the IRS, the cadastre, their municipality, etc.] or declaring taxes. As stated in the coalition agreement of 2012, citizens and companies should be able to carry out their interactions with the government entirely digitally by 2017. The government has the responsibility to ensure that confidential data is protected against access by third parties: encryption is indispensable for this. The protection of communication within the government also depends on encryption, such as the security of the exchange of diplomatic messages, and military communication.

    For companies, encryption is essential to store and transfer business information securely. The ability to use encryption strengthens the international competitiveness of the Netherlands, and promotes an attractive climate for businesses and innovation, including startups, data centers and cloud computing. Trust in secure communication and storage of data is essential for the (future) growing potential of the Dutch economy, that mainly resides in the digital economy.

    Encryption supports the protection of privacy and the confidentiality of citizens’ communications, because it provides them with a means to protect the confidentiality and integrity of personal data and communications. This is also important for exercising the right to free speech. It enables citizens, but also persons who hold an important democratic profession, such as journalists, to communicate confidentially.

    Encryption thus enables everyone to ensure the confidentiality and integrity of communication, and defend against, for instance, espionage and cyber crime. Fundamental rights and freedoms, as well as security interests and economic interests, benefit from this.

    Encryption, prosecution services and intelligence & security services

    The investigatory powers and means available to the services must be equipped for the present and future digital reality. Effective, lawful access to data promotes the security of the digital and physical world. Encryption used by malicious persons hinders access to data by the prosecution services and intelligence & security services. The services experience these barriers for instance when they investigate the distribution and storage of child pornography, while supporting military missions abroad, while countering cyber attacks, and when they want to gain and maintain insight into terrorists who are planning attacks. Criminals, terrorists and opponents in armed conflicts are often aware that they can attract attention of the services, and also possess advanced encryption methods that are difficult to circumvent or break. The use of such methods requires little technical knowledge, because encryption is often an integral part of the internet services that they too can use. That complicates, delays, or makes it impossible to gain (timely) insight into communication for the purpose of protecting national security and the purpose of prosecuting criminal offenses. Furthermore, court hearings and the providing of evidence in court for a conviction can be severely hindered.

    The right to privacy and confidentiality of citizens’ communication

    As mentioned before, the use of encryption supports citizens in ensuring privacy and confidentiality of their communication. Said lawful access to data and communication by prosecution services and intelligence & security services constitutes a breach of the confidentiality of citizens’ communication.

    Confidentiality of communication involves the constitutional protection for privacy and the right to protection of correspondence [letters, snail mail], telephone communication and telegraph communication (hereafter: ‘confidentiality of communications’). These constitutional rights are laid down in, respectively, Article 10 and Article 13 of the Dutch constitution. Besides that, these fundamental rights are laid down in Article 8 ECHR and Article 7 and Article 8 of the Charter of Fundamental Rights of the EU (insofar EU law is affected).

    The protection of constitutional rights applies to the digital world. Said constitutional regulations and international regulations provide the framework to counter unlawful breaches. Said rights are not absolute, meaning that limitations can be established insofar they meet the requirements set by the Dutch constitution and the ECHR (and insofar European Union law is affected, the EU Charter). A limitation is permissible when it serves a legitimate purpose, is established by law, and the limitation is foreseeable and cognizable [=transparent]. Furthermore, the limitation must be necessary in a democratic society. Finally, the infringement must be proportional, which means that the government’s purpose of the infringement must be proportional in relation to the infringement on the right to privacy and/or the right to confidentiality of communications.

    These requirements provide the framework for weighing the interests involved in encryption, such as the right to privacy and the right to confidentiality of communications, public and national security, and the prevention of criminal offenses. This framework, insofar it involves the special powers of the intelligence & security services, is also laid down in the Intelligence & Security Act of 2002 (‘Wiv2002’, Article 18 and Article 31). The obligations [for third parties] to cooperate with decryption laid down in the Wiv2002 (Article 24, third paragraph, and Article 25, seventh paragraph) and in the Code of Criminal Procedure (‘WvSv’, Article 126m, sixth member) can be invoked if the related special powers are exercised after such weighing.

    Discussion and conclusion

    Nowadays it is increasingly less often possible to break encryption. Furthermore, it is increasingly less often possible to demand unencrypted data from service providers. Increasingly often, modern uses of encryption mean that data is processed by the service providers only in encrypted form. Considering the importance of investigation and prosecution, and the interests involved with national security, these developments necessitate the search for new solutions.

    Currently, there is no outlook on possibilities to, in a general sense, for instance via standards, weaken encryption products without compromising the security of digital systems that use encryption. For instance by introducing a technical doorway [=backdoor, exceptional access] in an encryption product that would enable prosecution services to access encrypted files, digital systems can become vulnerable to criminals, terrorists and foreign intelligence services. This would have undesirable consequences for the security of communicated and stored information, and the integrity of IT systems, which are increasingly important to the functioning of society.

    In carrying out their legal tasks, prosecution services and intelligence & security services are partially relying on cooperation from providers of IT products and services. Given this dependence, consultation is necessary with providers regarding effective data provisioning in case of the use of their services by malicious persons, while taking into account everyone’s role and responsibilities, as well as the legal frameworks.

    Given this discussion, we draw the following conclusion:

    The government has the duty to protect the security of the Netherlands and to prosecute criminal offenses. The government emphasizes the necessity of lawful access to data and communication. Furthermore, governments, companies and citizens benefit from maximum security of digital systems. The government endorses the importance of strong encryption for internet security, for supporting the protection of citizens’ privacy, for confidential communication by the government and companies, and for the Dutch economy.

    Therefore, the government believes that at this time it is not desirable to take restricting legal measures concerning the development, availability and use of encryption within the Netherlands. The Netherlands will propagate this conclusion, and the arguments that underlie it, internationally [recall: the Netherlands chairs the EU in the first half of 2016 and focuses on, among others, the digital domain]. Regarding the promotion of strong encryption, the Minister of Economic Affairs will follow up on the intent of the amendment (Parliamentary Papers 2015-2016, 34300 XIII, nr.10) on the budget of the Ministry of Economic Affairs [=grant EUR 500k to OpenSSL].

    (signed by the Minister of Security & Justice and the Minister of Economic Affairs)

    Further reading:

    • 2016-01-06: Wired is reporting on David Chaum’s plan to end the crypto war: PrivaTegrity, a backdoor scheme that requires cooperation between nine server administrators from nine countries. Chaum reportedly developed it “as a side project for the last two years along with a team of academic partners at Purdue, Radboud University in the Netherlands, Birmingham University and other schools”. Recall this sentence in the above translation of the Dutch gov’t statement on encryption: “Currently, there is no outlook on possibilities to, in a general sense, for instance via standards, weaken encryption products without compromising the security of digital systems that use encryption”. It is unclear (to me) whether the authors of the Dutch gov’t statement were aware of Chaum’s idea at the time they wrote that sentence. For details on Chaum et al.’s “cMix” scheme, see cMix: Anonymization by High-Performance Scalable Mixing (.pdf, 2016).

  • 25 Nov 2015 7:26 PM | Anonymous member (Administrator)

    Crowd Management Safety Guidelines for Retailers

    Crowd related injuries can occur during special sales and promotional events. In 2008, a worker died at the opening of a "Black Friday" sale on Long Island in New York.

    Under the Occupational Safety and Health Act of 1970, employers are responsible for providing their workers with safe and healthy workplaces. The Occupational Safety and Health Administration (OSHA) encourages employers to adopt effective safety and health management systems to identify and eliminate work-related hazards, including those caused by large crowds at retail sales events.

    OSHA has prepared these guidelines to help employers and store owners avoid injuries during the holiday shopping season, or other events where large crowds may gather. Crowd management planning should begin in advance of events that are likely to draw large crowds, and crowd management, pre-event setup, and emergency situation management should be part of event planning. OSHA recommends that employers planning a large shopping event adopt a plan that includes the following elements.

    In 2008, a 34-year-old retail worker was trampled to death when Black Friday shoppers in Long Island literally busted through the doors of a Walmart store to claim their holiday bargains. Since then, OSHA has issued "Crowd Management Safety Guidelines for Retailers."


    1. It’s wrong – perhaps illegal – to expect that shoppers will be able to control themselves enough to avoid destroying whatever stands between them and the best bargains.
    2. When counting your blessings this Thanksgiving, don’t forget to include the increased availability of online shopping, where the risk of getting trampled by Long Island shoppers at 5 a.m. is minimal.


    • Where large crowds are expected, hire additional staff as needed and have trained security or crowd management personnel or police officers on site.

    • Create a detailed staffing plan that designates a location for each worker. Based on the size of the crowd expected, determine the number of workers that are needed in various locations to ensure the safety of the event (e.g., near the door entrances and throughout the store).

    • Ensure that workers are properly trained to manage the event.

    • Contact local fire and police agencies to determine if the event site meets all public safety requirements, and ensure that all permits and licenses are obtained and that local emergency services, including the local police, fire department and hospital, are aware of the event.

    • Designate a worker to contact local emergency responders if necessary.

    • Designate a store manager to make key decisions as needed during the event.

    • Provide legible and visible signs that describe entrance and exit locations, store opening times, and other important information such as the location of major sale items and restrooms.

    • Prepare an emergency plan that addresses potential dangers facing workers, including overcrowding, crowd crushing, being struck by the crowd, violent acts and fire. Share the emergency plan with all local public safety agencies.

    • Train workers in crowd management procedures and the emergency plan. Provide them with an opportunity to practice the special event plan. Include local public safety agencies if appropriate.

    Pre-Event Setup:

    • Set up barricades or rope lines for crowd management well in advance of customers arriving at the store.

    • Make sure that barricades are set up so that the customers' line does not start right at the entrance to the store. This will allow for orderly crowd management entry and make it possible to divide crowds into small groups for the purpose of controlling entrance.

    • Ensure that barricade lines have an adequate number of breaks and turns at regular intervals to reduce the risk of customers pushing from the rear and possibly crushing others, including workers.

    • Designate workers to explain approach and entrance procedures to the arriving public, and direct them to lines or entrances.

    • Make sure that outside personnel have radios or some other way to communicate with personnel inside the store and emergency responders.

    • Consider using mechanisms such as numbered wristbands or tickets to provide the earlier arriving customers with first access to sale items.

    • Consider using an Internet lottery for "hot" items.

    • Locate sale items in different parts of the store to prevent overcrowding in one place.

    • Locate shopping carts and other potential obstacles or projectiles inside the store and away from the entrance, not in the parking lot.

    • If appropriate, provide public amenities including toilets, washbasins, water and shelter.

    • Communicate updated information to customers waiting in line. Have signs and distribute pamphlets showing the location of entrances and exits, store opening times and location of special sales items within the store.

    • Shortly before opening, remind waiting crowds of the entrance process (i.e., limiting entry to small groups, redemption of numbered tickets, etc.).

    During the Sales Event:

    • Provide a separate store entrance for staff. Provide door monitors there to prevent crowd entry.

    • Make sure that all employees and crowd control personnel are aware that the doors are about to open.

    • Staff entrances with uniformed guards, police or other authorized personnel.

    • Use a public address system or bullhorns to manage the entering crowd and to communicate information or problems.

    • Position security or crowd managers to the sides of the entering (or exiting) public, not in the center of their path.

    • Provide crowd and entry management measures at all entrances, including the ones not being used. If possible, use more than one entrance.

    • When the store reaches maximum occupancy, do not allow additional customers to enter until the occupancy level drops.

    • Provide a safe entrance for people with disabilities.

    Emergency Situations:

    • Do not restrict egress, and do not block or lock exit doors.

    • Know in advance who to call for emergency medical response.

    • Keep first-aid kits and Automated External Defibrillators (AEDs) available, and have personnel trained in using AEDs and CPR onsite.

    • Instruct employees, in the event of an emergency, to follow instructions from authorized first responders, regardless of company rules.

    This is one in a series of informational fact sheets highlighting OSHA programs, policies or standards. It does not impose any new compliance requirements. For a comprehensive list of compliance requirements of OSHA standards or regulations, refer to Title 29 of the Code of Federal Regulations.

    Have a Safe and Happy Thanksgiving Day too!

    Bruce H. Hulme, CFE, BAI - ISPLA Director of Government Affairs

  • 19 Oct 2015 5:41 PM | Anonymous member (Administrator)

    New York State Rifle & Pistol Ass’n, Inc., et al. v. Cuomo, et al.

    Connecticut Citizens’ Defense League, et al. v. Malloy, et al.

    14-36-cv (L); 14-319-cv

    Laws in New York and Connecticut prohibiting certain semiautomatic assault weapons and large-capacity ammunition magazines do not violate the Second Amendment, the U.S. Court of Appeals for the Second Circuit ruled. Upholding laws passed in the wake of the 2012 murder of 20 students and six adults at the Sandy Hook Elementary School in Newtown, Connecticut, the Second Circuit said the measures do not violate the Second Amendment's guarantee of "the right of the people to keep and bear arms."

    In the first case, the court upheld, with one exception, Western District Judge William Skretny's grant of summary judgment to New York. The circuit held only that one provision of New York's law regulating load limits on guns did not survive scrutiny.

    In the second case, the circuit upheld summary judgment for Connecticut granted by U.S. District Judge Alfred Covello of the District of Connecticut except on one provision: the state's prohibition of the non-automatic Remington 7615 "unconstitutionally infringes upon the Second Amendment right," Judge Jose Cabranes wrote for the court.

    Cabranes said the court was adopting a two-step analytical framework for challenges under the Second Amendment in light of the U.S. Supreme Court's decision in District of Columbia v. Heller, 554 U.S. 570 (2008) and the case law as it has developed since Heller.

    Heller struck down the District of Columbia's ban on handgun possession as it affirmed the individual right to possess and carry weapons in "common use" and "for lawful purposes like self-defense."


    Investigative and Security Professionals should consider reviewing the 57-page opinion of the U.S. Circuit Court for the Second Circuit with regard to appeals in New York and Connecticut. What follows is merely an ISPLA summary of just a few key points.

    Before the Second Circuit Court were two appeals challenging gun-control legislation enacted by the New York and Connecticut legislatures in the wake of the 2012 mass murders at Sandy Hook Elementary School in Newtown, Connecticut. The New York and Connecticut laws at issue prohibit the possession of certain semiautomatic “assault weapons” and large-capacity magazines. Following the entry of summary judgment in favor of defendants on the central claims in both the Western District of New York (William M. Skretny, Chief Judge) and the District of Connecticut (Alfred V. Covello, Judge), plaintiffs in both suits pressed two arguments on appeal. First, they challenged the constitutionality of the statutes under the Second Amendment; and second, they challenged certain provisions of the statutes as unconstitutionally vague. Defendants in the New York action also cross-appeal the District Court’s invalidation of New York’s separate seven-round load limit and voiding of two statutory provisions as facially unconstitutionally vague.


    To summarize, we hold as follows:

    (1) The core prohibitions by New York and Connecticut of assault weapons and large-capacity magazines do not violate the Second Amendment.

             (a) We assume that the majority of the prohibited conduct falls within the scope of Second Amendment protections. The statutes are appropriately evaluated under the constitutional standard of “intermediate scrutiny”—that is, whether they are “substantially related to the achievement of an important governmental interest.”

             (b) Because the prohibitions are substantially related to the important governmental interests of public safety and crime reduction, they pass constitutional muster.

    We therefore AFFIRM the relevant portions of the judgments of the Western District of New York and the District of Connecticut insofar as they upheld the constitutionality of state prohibitions on semiautomatic assault weapons and large-capacity magazines.

    (2) We hold that the specific prohibition on the non-semiautomatic Remington 7615 falls within the scope of Second Amendment protection and subsequently fails intermediate scrutiny.

    Accordingly, we REVERSE that limited portion of the judgment of the District of Connecticut. In doing so, we emphasize the limited nature of our holding with respect to the Remington 7615, in that it merely reflects the presumption required by the Supreme Court in District of Columbia v. Heller that the Second Amendment extends to all bearable arms, and that the State, by failing to present any argument at all regarding this weapon or others like it, has failed to rebut that presumption. We do not foreclose the possibility that States could in the future present evidence to support such a prohibition.

    (3) New York’s seven-round load limit does not survive intermediate scrutiny in the absence of requisite record evidence and a substantial relationship between the statutory provision and important state safety interests.

    We therefore AFFIRM the judgment of the Western District of New York insofar as it held this provision.

    The following concerns the Seven-Round Load Limit, a controversial measure that passed in New York during the "Dead of Night" within weeks after the shooting.

    "Though the key provisions of both statutes pass constitutional muster on this record, another aspect of New York’s SAFE Act does not: the seven-round load limit, which makes it 'unlawful for a person to knowingly possess an ammunition feeding device where such device contains more than seven rounds of ammunition.'

    "As noted above, the seven-round load limit was a second-best solution. New York determined that only magazines containing seven rounds or fewer can be safely possessed, but it also recognized that seven-round magazines are difficult to obtain commercially. Its compromise was to permit gun owners to use ten-round magazines if they were loaded with seven or fewer rounds. On the record before us, we cannot conclude that New York has presented sufficient evidence that a seven-round load limit would best protect public safety. Here we are considering not a capacity restriction, but rather a load limit. Nothing in the SAFE Act will outlaw or reduce the number of ten-round magazines in circulation. It will not decrease their availability or in any way frustrate the access of those who intend to use ten-round magazines.

    "To be sure, the mere possibility of criminal disregard of the laws does not foreclose an attempt by the state to enact firearm regulations. But on intermediate scrutiny review, the state cannot 'get away with shoddy data or reasoning.' To survive intermediate scrutiny, the defendants must show 'reasonable inferences based on substantial evidence' that the statutes are substantially related to the governmental interest. With respect to the load limit provision alone, New York has failed to do so."

    A link to the full opinion is at:

    Bruce Hulme, CFE, BAI

    ISPLA Director of Government Affairs

  • 15 Sep 2015 7:18 PM | Anonymous member (Administrator)

    UNLICENSED FLORIDA PI ARRESTED FOR COMPUTER CRIME: claims to be searching for transfer of funds from charitable organization to Jihadist groups

    Manhattan U.S. Attorney Announces Charges Against Florida "Private Investigator" For Attempting To Gain Unauthorized Access To The Computer Network Of A Global Charitable Organization

    Preet Bharara, the United States Attorney for the Southern District of New York and Robert J. Sica, the Special Agent in Charge of the New York Office of the United States Secret Service, announced on September 14 the filing of a criminal complaint against TIMOTHY SEDLAK for attempting to gain unauthorized access to the computer network of a global charitable organization based in New York, NY (the “Organization”).  Sedlak was arrested in Ocoee, Florida on the evening of September 11, 2015 and was presented September 14 in federal court before U.S. Magistrate Judge Gregory J. Kelly in Orlando, FL.

    Sedlak, 42, of Ocoee, Florida, was charged with one count of attempted unauthorized access to a computer, which carries a maximum sentence of five years.  The maximum potential sentence in this case is prescribed by Congress and is provided for informational purposes only. According to the complaint, an unidentified global charity headquartered in New York experienced some 390,000 attempts to gain unauthorized access to its computer network from June to July, 2015.

    The attempted intrusions, which disrupted employees' ability to access email and conduct business, were made by computers associated with two internet protocol addresses subscribed to by Sedlak at his home in Florida.

    On LinkedIn, Sedlak holds himself out as an investigator with Surveillance Associates, LLC, a Florida company registered in his name. However, the complaint indicates that he did not have a license to work as a private investigator in Florida.

    The Complaint filed in Manhattan federal court also revealed the following:

    Computers associated with two particular internet protocol addresses made nearly four hundred thousand attempts to gain unauthorized access to the Organization’s computer network.  As a result, numerous Organization employees experienced difficulty accessing their Organization email accounts, and were disrupted in their ability to conduct regular business functions.  Both of the IP Addresses were subscribed to Sedlak at his residence in Florida.

    In particular, between June 22, 2015 and July 8, 2015, from one of the IP Addresses, there were approximately 195,000 attempts to log into approximately twenty email accounts of the Organization.  Between July 8, 2015 and July 10, 2015, from the other IP Address, there were an additional approximately 195,000 attempts to log into approximately six email accounts of the Organization.  Sedlak had never been employed by the Organization, and was not authorized to access any email accounts of the Organization.

    On September 11, 2015, US Secret Service agents executed a search warrant at the Sedlak Residence, from which they seized, among other things, (i) approximately 30 computers connected to the same internal network, which enabled each computer to communicate with the others (the “Sedlak Computers”); (ii) notes pertaining to the Organization, an executive of the Organization (“Individual-1”) and an individual who has been publicly affiliated with the Organization (“Individual-2”), including e-mail addresses, registrant information for certain website domain names, and certain IP address information associated with the Organization, Individual-1 and/or Individual-2; and (iii) lists of e-mail addresses and e-mail servers, many of which included the word “jihad.”  The Sedlak Computers contained, among other things, a list of certain Organization employees’ email account usernames, and a “brute force” password-cracking tool.  Such a tool is designed to launch a relentless barrage of potential passwords at an email account in an attempt to guess the account’s password.

    That same date Secret Service agents interviewed Sedlak, who claimed to be using the computers to conduct “research” into charitable organizations in the course of his work as a private investigator.  He claimed to be trying to determine if the organizations were unintentionally financing jihadist groups by sending funds to charitable organizations in the Middle East, which are then seized by jihadist groups.  When questioned about notes pertaining to Individual-1 and Individual-2 found at the Sedlak residence, he claimed that he came across such information in his “research” into the financing of jihadist groups and that he hoped to sell the information he found.

    The investigation remains ongoing. This case is being handled by the Office’s Complex Frauds and Cybercrime Unit.  AUSA Kristy J. Greenberg is in charge of the prosecution. (U.S. v. Sedlak, U.S. District Court, SDNY - No. 15-mj-3265)
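    The pattern the complaint describes (hundreds of thousands of failed logins from a single source IP, spread across a couple of dozen accounts and sustained for days) is one an authentication-log review can surface long before employees notice lockouts. The following is an added example, not code from the post or the complaint: it parses constructed log lines in an assumed format and flags source IPs that combine a high failure volume with many distinct target accounts. The log format, the sample addresses and the thresholds are all assumptions.

```python
"""Flag source IPs showing the multi-account password-guessing pattern
described in the Sedlak complaint. Added example; log format is assumed."""
import re
from datetime import datetime, timedelta

# Assumed log line format (constructed for this example):
# 2015-06-22T09:00:00Z auth-fail user=user03@example.org src=198.51.100.7
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>auth-fail|auth-ok)\s+"
    r"user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def summarize_failures(lines):
    """Per source IP: failed attempts, distinct target accounts, first/last seen."""
    stats = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["result"] != "auth-fail":
            continue
        s = stats.setdefault(
            rec["src"],
            {"attempts": 0, "users": set(), "first": rec["ts"], "last": rec["ts"]},
        )
        s["attempts"] += 1
        s["users"].add(rec["user"])
        s["first"] = min(s["first"], rec["ts"])
        s["last"] = max(s["last"], rec["ts"])
    return stats


def flag_sources(stats, min_attempts=100, min_users=5):
    """Return sources with many failures across many accounts.

    Thresholds are assumptions chosen for this example; a real deployment
    tunes them to its own baseline of ordinary mistyped passwords.
    """
    flagged = {}
    for src, s in stats.items():
        if s["attempts"] >= min_attempts and len(s["users"]) >= min_users:
            hours = max((s["last"] - s["first"]).total_seconds() / 3600, 1 / 3600)
            flagged[src] = {
                "attempts": s["attempts"],
                "users": len(s["users"]),
                "per_hour": s["attempts"] / hours,
            }
    return flagged


def build_sample_log():
    """Constructed sample: one source cycling through 20 accounts for ~12 days,
    plus ordinary users who mistype a password once and then succeed."""
    lines = []
    start = datetime(2015, 6, 22, 9, 0, 0)
    users = [f"user{i:02d}@example.org" for i in range(20)]
    for i in range(600):
        ts = start + timedelta(minutes=30 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} auth-fail user={users[i % 20]} src=198.51.100.7")
    lines.append("2015-06-23T08:00:00Z auth-fail user=user03@example.org src=203.0.113.10")
    lines.append("2015-06-23T08:00:20Z auth-ok user=user03@example.org src=203.0.113.10")
    lines.append("2015-06-24T10:00:00Z auth-fail user=user07@example.org src=203.0.113.11")
    lines.append("this line is not an auth record and is ignored")
    return lines


if __name__ == "__main__":
    for src, info in flag_sources(summarize_failures(build_sample_log())).items():
        print(f"{src}: {info['attempts']} failures across {info['users']} accounts, "
              f"{info['per_hour']:.1f}/hour")
```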

    Bruce Hulme, ISPLA Director of Government Affairs

    Your Resource to the Profession, to Government, and to the Media

    Educate to Legislate:


  • 04 Sep 2015 2:32 PM | Anonymous member (Administrator)

    Department of Justice Policy Guidance: Use of Cell-Site Simulator Technology

    Cell-site simulator technology provides valuable assistance in support of important public safety objectives. Whether deployed as part of a fugitive apprehension effort, a complex narcotics investigation, or to locate or rescue a kidnapped child, cell-site simulators fulfill critical operational needs.

    As with any law enforcement capability, the Department must use cell-site simulators in a manner that is consistent with the requirements and protections of the Constitution, including the Fourth Amendment, and applicable statutory authorities, including the Pen Register Statute. Moreover, any information resulting from the use of cell-site simulators must be handled in a way that is consistent with the array of applicable statutes, regulations, and policies that guide law enforcement in how it may and may not collect, retain, and disclose data.

    As technology evolves, the Department must continue to assess its tools to ensure that practice and applicable policies reflect the Department’s law enforcement and national security missions, as well as the Department’s commitments to accord appropriate respect for individuals’ privacy and civil liberties. This policy provides additional guidance and establishes common principles for the use of cell-site simulators across the Department.[1] The Department’s individual law enforcement components may issue additional specific guidance consistent with this policy.

    This policy applies to the use of cell-site simulator technology inside the United States in furtherance of criminal investigations. When acting pursuant to the Foreign Intelligence Surveillance Act, Department of Justice components will make a probable-cause based showing and appropriate disclosures to the court in a manner that is consistent with the guidance set forth in this policy.


    Cell-site simulators, on occasion, have been the subject of misperception and confusion. To avoid any confusion here, this section provides information about the use of the equipment and defines the capabilities that are the subject of this policy.

    Basic Uses

    Law enforcement agents can use cell-site simulators to help locate cellular devices whose unique identifiers are already known to law enforcement, or to determine the unique identifiers of an unknown device by collecting limited signaling information from devices in the simulator user’s vicinity. This technology is one tool among many traditional law enforcement techniques, and is deployed only in the fraction of cases in which the capability is best suited to achieve specific public safety objectives.

    How They Function

    Cell-site simulators, as governed by this policy, function by transmitting as a cell tower. In response to the signals emitted by the simulator, cellular devices in the proximity of the device identify the simulator as the most attractive cell tower in the area and thus transmit signals to the simulator that identify the device in the same way that they would with a networked tower.

    A cell-site simulator receives and uses an industry standard unique identifying number assigned by a device manufacturer or cellular network provider. When used to locate a known cellular device, a cell-site simulator initially receives the unique identifying number from multiple devices in the vicinity of the simulator. Once the cell-site simulator identifies the specific cellular device for which it is looking, it will obtain the signaling information relating only to that particular phone. When used to identify an unknown device, the cell-site simulator obtains signaling information from non-target devices in the target’s vicinity for the limited purpose of distinguishing the target device.

    What They Do and Do Not Obtain

    By transmitting as a cell tower, cell-site simulators acquire the identifying information from cellular devices. This identifying information is limited, however. Cell-site simulators provide only the relative signal strength and general direction of a subject cellular telephone; they do not function as a GPS locator, as they do not obtain or download any location information from the device or its applications. Moreover, cell-site simulators used by the Department must be configured as pen registers, and may not be used to collect the contents of any communication, in accordance with 18 U.S.C. § 3127(3). This includes any data contained on the phone itself: the simulator does not remotely capture emails, texts, contact lists, images or any other data from the phone. In addition, Department cell-site simulators do not provide subscriber account information (for example, an account holder’s name, address, or telephone number).


    This policy guidance is intended only to improve the internal management of the Department of Justice. It is not intended to and does not create any right, benefit, trust, or responsibility, whether substantive or procedural, enforceable at law or equity by a party against the United States, its departments, agencies, instrumentalities, entities, officers, employees, or agents, or any person, nor does it create any right of review in an administrative, judicial, or any other proceeding.

    Cell-site simulators require training and practice to operate correctly. To that end, the following management controls and approval processes will help ensure that only knowledgeable and accountable personnel will use the technology.

    1. Department personnel must be trained and supervised appropriately. Cell-site simulators may be operated only by trained personnel who have been authorized by their agency to use the technology and whose training has been administered by a qualified agency component or expert.

    2. Within 30 days, agencies shall designate an executive-level point of contact at each division or district office responsible for the implementation of this policy, and for promoting compliance with its provisions, within his or her jurisdiction.

    3. Prior to deployment of the technology, use of a cell-site simulator by the agency must be approved by an appropriate individual who has attained the grade of a first-level supervisor. Any emergency use of a cell-site simulator must be approved by an appropriate second-level supervisor. Any use of a cell-site simulator on an aircraft must be approved either by the executive-level point of contact for the jurisdiction, as described in paragraph 2 of this section, or by a branch or unit chief at the agency’s headquarters.

    Each agency shall identify training protocols. These protocols must include training on privacy and civil liberties developed in consultation with the Department’s Chief Privacy and Civil Liberties Officer.


    The use of cell-site simulators is permitted only as authorized by law and policy. While the Department has, in the past, appropriately obtained authorization to use a cell-site simulator by seeking an order pursuant to the Pen Register Statute, as a matter of policy, law enforcement agencies must now obtain a search warrant supported by probable cause and issued pursuant to Rule 41 of the Federal Rules of Criminal Procedure (or the applicable state equivalent), except as provided below.

    As a practical matter, because prosecutors will need to seek authority pursuant to Rule 41 and the Pen Register Statute, prosecutors should, depending on the rules in their jurisdiction, either (1) obtain a warrant that contains all information required to be included in a pen register order pursuant to 18 U.S.C. § 3123 (or the state equivalent), or (2) seek a warrant and a pen register order concurrently. The search warrant affidavit also must reflect the information noted in the immediately following section of this policy (“Applications for Use of Cell-Site Simulators”).

    There are two circumstances in which this policy does not require a warrant prior to the use of a cell-site simulator.

    1. Exigent Circumstances under the Fourth Amendment

    Exigent circumstances can vitiate a Fourth Amendment warrant requirement, but cell-site simulators still require court approval in order to be lawfully deployed. An exigency that excuses the need to obtain a warrant may arise when the needs of law enforcement are so compelling that they render a warrantless search objectively reasonable. When an officer has the requisite probable cause, a variety of types of exigent circumstances may justify dispensing with a warrant. These include the need to protect human life or avert serious injury; the prevention of the imminent destruction of evidence; the hot pursuit of a fleeing felon; or the prevention of escape by a suspect or convicted fugitive from justice.

    In this circumstance, the use of a cell-site simulator still must comply with the Pen Register Statute, 18 U.S.C. § 3121, et seq., which ordinarily requires judicial authorization before use of the cell-site simulator, based on the government’s certification that the information sought is relevant to an ongoing criminal investigation. In addition, in the subset of exigent situations where circumstances necessitate emergency pen register authority pursuant to 18 U.S.C. § 3125 (or the state equivalent), the emergency must be among those listed in Section 3125: immediate danger of death or serious bodily injury to any person; conspiratorial activities characteristic of organized crime; an immediate threat to a national security interest; or an ongoing attack on a protected computer (as defined in 18 U.S.C. § 1030) that constitutes a crime punishable by a term of imprisonment greater than one year. In addition, the operator must obtain the requisite internal approval to use a pen register before using a cell-site simulator. In order to comply with the terms of this policy and with 18 U.S.C. § 3125,[3] the operator must contact the duty AUSA in the local U.S. Attorney’s Office, who will then call the DOJ Command Center to reach a supervisory attorney in the Electronic Surveillance Unit (ESU) of the Office of Enforcement Operations.[4] Assuming the parameters of the statute are met, the ESU attorney will contact a DAAG in the Criminal Division[5] and provide a short briefing. If the DAAG approves, the ESU attorney will relay the verbal authorization to the AUSA, who must also apply for a court order within 48 hours as required by 18 U.S.C. § 3125. Under the provisions of the Pen Register Statute, use under emergency pen-trap authority must end when the information sought is obtained, an application for an order is denied, or 48 hours has passed, whichever comes first.

    [3] Knowing use of a pen register under emergency authorization without applying for a court order within 48 hours is a criminal violation of the Pen Register Statute, pursuant to 18 U.S.C. § 3125(c).

    [4] In non-federal cases, the operator must contact the prosecutor and any other applicable points of contact for the state or local jurisdiction.

    [5] In requests for emergency pen authority, and for relief under the exceptional circumstances provision, the Criminal Division DAAG will consult as appropriate with a National Security Division DAAG on matters within the National Security Division’s purview.

    2. Exceptional Circumstances Where the Law Does Not Require a Warrant

    There may also be other circumstances in which, although exigent circumstances do not exist, the law does not require a search warrant and circumstances make obtaining a search warrant impracticable. In such cases, which we expect to be very limited, agents must first obtain approval from executive-level personnel at the agency’s headquarters and the relevant U.S. Attorney, and then from a Criminal Division DAAG. The Criminal Division shall keep track of the number of times the use of a cell-site simulator is approved under this subsection, as well as the circumstances underlying each such use.

    In this circumstance, the use of a cell-site simulator still must comply with the Pen Register Statute, 18 U.S.C. § 3121, et seq., which ordinarily requires judicial authorization before use of the cell-site simulator, based on the government’s certification that the information sought is relevant to an ongoing criminal investigation. In addition, if circumstances necessitate emergency pen register authority, compliance with the provisions outlined in 18 U.S.C. § 3125 is required (see provisions in section 1 directly above).


    When making any application to a court, the Department’s lawyers and law enforcement officers must, as always, disclose appropriately and accurately the underlying purpose and activities for which an order or authorization is sought. Law enforcement agents must consult with prosecutors[6] in advance of using a cell-site simulator, and applications for the use of a cell-site simulator must include sufficient information to ensure that the courts are aware that the technology may be used.[7]

    [6] While this provision typically will implicate notification to Assistant United States Attorneys, it also extends to state and local prosecutors, where such personnel are engaged in operations involving cell-site simulators.

    [7] Courts in certain jurisdictions may require additional technical information regarding the cell-site simulator’s operation (e.g., tradecraft, capabilities, limitations or specifications). Sample applications containing such technical information are available from the Computer Crime and Intellectual Property Section (CCIPS) of the Criminal Division. To ensure courts receive appropriate and accurate information regarding the technical information described above, prior to filing an application that deviates from the sample filings, agents or prosecutors must contact CCIPS, which will coordinate with appropriate Department components.

    1. Regardless of the legal authority relied upon, at the time of making an application for use of a cell-site simulator, the application or supporting affidavit should describe in general terms the technique to be employed. The description should indicate that investigators plan to send signals to the cellular phone that will cause it, and non-target phones on the same provider network in close physical proximity, to emit unique identifiers, which will be obtained by the technology, and that investigators will use the information collected to determine information pertaining to the physical location of the target cellular device or to determine the currently unknown identifiers of the target device. If investigators will use the equipment to determine unique identifiers at multiple locations and/or multiple times at the same location, the application should indicate this also.

    2. An application or supporting affidavit should inform the court that the target cellular device (e.g., cell phone) and other cellular devices in the area might experience a temporary disruption of service from the service provider. The application may also note, if accurate, that any potential service disruption to non-target devices would be temporary and all operations will be conducted to ensure the minimal amount of interference to non-target devices.

    3. An application for the use of a cell-site simulator should inform the court about how law enforcement intends to address deletion of data not associated with the target phone. The application should also indicate that law enforcement will make no affirmative investigative use of any non-target data absent further order of the court, except to identify and distinguish the target device from other devices.


    The Department is committed to ensuring that law enforcement practices concerning the collection or retention[8] of data are lawful, and appropriately respect the important privacy interests of individuals. As part of this commitment, the Department’s law enforcement agencies operate in accordance with rules, policies, and laws that control the collection, retention, dissemination, and disposition of records that contain personal identifying information. As with data collected in the course of any investigation, these authorities apply to information collected through the use of a cell-site simulator. Consistent with applicable existing laws and requirements, including any duty to preserve exculpatory evidence,[9] the Department’s use of cell-site simulators shall include the following practices:

    [8] In the context of this policy, the terms “collection” and “retention” are used to address only the unique technical process of identifying dialing, routing, addressing, or signaling information, as described by 18 U.S.C. § 3127(3), emitted by cellular devices. “Collection” means the process by which unique identifier signals are obtained; “retention” refers to the period during which the dialing, routing, addressing, or signaling information is utilized to locate or identify a target device, continuing until the point at which such information is deleted.

    [9] It is not likely, given the limited type of data cell-site simulators collect (as discussed above), that exculpatory evidence would be obtained by a cell-site simulator in the course of criminal law enforcement investigations. As in other circumstances, however, to the extent investigators know or have reason to believe that information is exculpatory or impeaching they have a duty to memorialize that information.

    1. When the equipment is used to locate a known cellular device, all data must be deleted as soon as that device is located, and no less than once daily.

    2. When the equipment is used to identify an unknown cellular device, all data must be deleted as soon as the target cellular device is identified, and in any event no less than once every 30 days.

    3. Prior to deploying equipment for another mission, the operator must verify that the equipment has been cleared of any previous operational data.

    Agencies shall implement an auditing program to ensure that the data is deleted in the manner described above.


    The Department often works closely with its State and Local law enforcement partners and provides technological assistance under a variety of circumstances. This policy applies to all instances in which Department components use cell-site simulators in support of other Federal agencies and/or State and Local law enforcement agencies.


    Accountability is an essential element in maintaining the integrity of our Federal law enforcement agencies. Each law enforcement agency shall provide this policy, and training as appropriate, to all relevant employees. Periodic review of this policy and training shall be the responsibility of each agency with respect to the way the equipment is being used (e.g., significant advances in technological capabilities, the kind of data collected, or the manner in which it is collected). We expect that agents will familiarize themselves with this policy and comply with all agency orders concerning the use of this technology.

    Each division or district office shall report to its agency headquarters annual records reflecting the total number of times a cell-site simulator is deployed in the jurisdiction; the number of deployments at the request of other agencies, including State or Local law enforcement; and the number of times the technology is deployed in emergency circumstances.

    Similarly, it is vital that all appropriate Department attorneys familiarize themselves with the contents of this policy, so that their court filings and disclosures are appropriate and consistent. Model materials will be provided to all United States Attorneys’ Offices and litigating components, each of which shall conduct training for their attorneys.

    * * *

    Cell-site simulator technology significantly enhances the Department’s efforts to achieve its public safety and law enforcement objectives. As with other capabilities, the Department must always use the technology in a manner that is consistent with the Constitution and all other legal authorities. This policy provides additional common principles designed to ensure that the Department continues to deploy cell-site simulators in an effective, appropriate, and consistent way.
