It was straight out of your favorite spy novel. The US and Israel felt threatened by Iran's totalitarian-esque government and its budding nuclear program. If this initiative wasn't stopped, there was no telling how far the growing conflict could escalate. So militaries from the two countries reportedly turned to one of the most novel weapons of the 21st century: malware. The result was Stuxnet, a powerful computer worm designed to sabotage uranium enrichment operations.

 When Stuxnet was found infecting hundreds of thousands of computers worldwide, it was only a matter of time until researchers unraveled its complex code to determine its true intent. Today, analysts are up against a similar challenge. But they're finding considerably less success taking apart the Stuxnet cousin known as Gauss. A novel scheme encrypting one of its main engines has so far defied attempts to crack it, generating intrigue and raising speculation that it may deliver a warhead that's more destructive than anything the world has seen before. 

Gauss generated headlines almost immediately after its discovery was documented last year by researchers from Russia-based antivirus provider Kaspersky Lab. State-of-the-art coding techniques that surreptitiously extracted sensitive data from thousands of Middle Eastern computers were worthy of a James Bond or Mission Impossible movie. Adding to the intrigue, code signatures showed Gauss was spawned from the same developers responsible for Stuxnet, the powerful computer worm reportedly unleashed by the US and Israeli governments to disrupt Iran's nuclear program. Gauss also had links to the highly advanced Flame and Duqu espionage trojans. 

Gauss contains module names paying homage to the German mathematicians and scientists Johann Carl Friedrich Gauss, Kurt Friedrich Gödel, and Joseph-Louis Lagrange. Its noteworthy features only start there. Gauss has the ability to steal funds and monitor data from clients of several Lebanese banks, making it the first publicly known nation-state sponsored banking trojan. It's also programmed to collect a dizzying array of information about the computers it infects—including its network connections, processes and folders, BIOS, CMOS, RAM, and both local and removable drives.

 But the most intriguing characteristic of Gauss is an encrypted payload that has so far remained undeciphered, despite the best efforts of cryptographers who have already tried millions of possible keys. Tucked deep inside the Gödel module, the secret warhead is loaded onto USB sticks and removable drives when they're connected to Gauss-infected machines. When the drives are plugged into an uninfected computer later, the mysterious code is executed—but only if it encounters the specific machine or machines targeted by the Gauss developers. On every other computer, the module remains cloaked in an impenetrable envelope that prevents researchers and would-be copycats from reverse engineering the code. The extreme stealth has stoked speculation that the payload may contain a potent exploit that could rival the Stuxnet attack that was bent on destroying uranium centrifuges inside Iran's high-security Natanz enrichment facility. Certainly not your everyday malware. 

"Considering the link with Flame and Stuxnet, the payload of Gauss must be of similar magnitude," Costin Raiu, director of Kaspersky Lab's global research and analysis team, told Ars. "Given how careful the attackers were to make sure the Gauss payload doesn't fall into the 'wrong' hands, we can assume it is very special."

Built to last 

Gauss is by no means the first malware with a payload that was programmed to remain dormant unless it was installed on computers meeting a narrow set of criteria. Stuxnet also contained code instructing it to destroy uranium-enrichment centrifuges only when they were physically located at Natanz. Researchers have theorized that the trigger was implemented to reduce the chances of collateral damage that might result if Stuxnet took hold in other facilities. (The precaution proved wise, since Stuxnet infected more than 100,000 computers scattered all over the globe.) 

But as cryptographer Nate Lawson observed more than two years ago, the mechanism Stuxnet used to protect unintended targets from destruction was surprisingly crude for an otherwise advanced cyberweapon developed by countries with almost unlimited budgets. The coding techniques were largely limited to conditional "if/then" range checks that identified computers running German conglomerate Siemens's Simatic Step7 software inside Natanz. If an infected computer met the criteria, the sabotage payload was activated. If not, the exploit sat dormant.

 Noticeably absent from Stuxnet was any kind of mechanism preventing researchers, enemies, or potential copycat programmers from peering inside the malware to see what the highly selective payload did. That's precisely what security experts such as Ralph Langner did following the Stuxnet discovery. Within a few weeks, the world had its answer: Stuxnet was a powerful cyberweapon unleashed by a well-resourced government bent on sabotaging Iran's nuclear program. While the developers may have taken care to prevent the worm from attacking other countries, they did little to conceal the true aim and methods of their malware, which attacked programmable logic controllers at the heart of the enrichment process. 

"Encrypting your payload so that only the intended target can decrypt it hides both the identity of the victim and the worm's purpose," Lawson recently told Ars. "If Gauss came after Stuxnet, it's clear the authors disliked the publicity its PLC [programmable logic controller] payload received and made an effort to hide it properly the second time."

Read entire article HERE

Learn when new posts are made to this blog: Sign up for Email Alerts

New York Post - By Ellen Nakashima (http://www.nypost.com/) 

A new intelligence assessment has concluded that the United States is the target of a massive, sustained cyber-espionage campaign that is threatening the country’s economic competitiveness, according to individuals familiar with the report.

The National Intelligence Estimate identifies China as the country most aggressively seeking to penetrate the computer systems of American businesses and institutions to gain access to data that could be used for economic gain.

 The report, which represents the consensus view of the U.S. intelligence community, describes a wide range of sectors that have been the focus of hacking over the past five years, including energy, finance, information technology, aerospace and automotives, according to the individuals familiar with the report, who spoke on the condition of anonymity about the classified document. The assessment does not quantify the financial impact of the espionage, but outside experts have estimated it in the tens of billions of dollars.

Cyber-espionage, which was once viewed as a concern mainly by U.S. intelligence and the military, is increasingly seen as a direct threat to the nation’s economic interests.

In a sign of such concerns, the Obama administration is seeking ways to counter the online theft of trade secrets, according to officials. Analysts have said that the administration’s options include formal protests, the expulsion of diplomatic personnel, the imposition of travel and visa restrictions, and complaints to the World Trade Organization.

Cyber-espionage is “just so widespread that it’s known to be a national issue at this point,” said one administration official, who like other current and former officials interviewed spoke on the condition of anonymity to discuss internal deliberations.

The National Intelligence Estimate names three other countries — Russia, Israel and France — as having engaged in hacking for economic intelligence but makes clear that cyber-espionage by those countries pales in comparison with China’s effort.

China has staunchly rejected such allegations, saying the Beijing government neither condones nor carries out computer hacking.

Dating to at least the early 1980s, China has made the acquisition of Western technology — through means licit and illicit — a centerpiece of its economic development planning. The explosion in computer use has greatly aided that transfer of technology.

China’s intelligence services, as well as private companies, frequently seek to exploit Chinese citizens or people with family ties to China who can use their insider access to U.S. corporate networks to steal trade secrets using thumb drives or e-mail, according to a report by the Office of the National Counterintelligence Executive.

The National Intelligence Estimate comes at a time when the U.S. government is making a concerted effort to develop policies that address cyberthreats against the nation.

“We need the NIE on cyber for a systematic and comprehensive understanding of what the most dangerous technologies are, who are the most threatening actors and what are our greatest vulnerabilities,” said former deputy defense secretary William J. Lynn III, who requested the report in 2011 but has not seen or been briefed on the contents.

Get alerts when new articles are posted: Signup for Email Alerts

From: Reuters News Service

 Software makers Microsoft Corp and Symantec Corp said they disrupted a global cybercrime operation by shutting down servers that controlled hundreds of thousands of PCs without the knowledge of their users.

The move made it temporarily impossible for infected PCs around the world to search the web, though the companies offered free tools to clean machines through messages that were automatically pushed out to infected computers.

 Technicians working on behalf of both companies raided data centers in Weehawken, N.J., and Manassas, Va., accompanied by U.S. federal marshals, under an order issued by the U.S. District Court in Alexandria, Va.

 They seized control of one server at the New Jersey facility and persuaded the operators of the Virginia data center to take down a server at their parent company in the Netherlands, according to Richard Boscovich, assistant general counsel with Microsoft's Digital Crimes Unit.

 Boscovich told Reuters that he had "a high degree of confidence" that the operation had succeeded in bringing down the cyber crime operation, known as the Bamital botnet.

 "We think we got everything, but time will tell," he said.

 The servers that were pulled off line on Wednesday had been used to communicate with what Microsoft and Symantec estimate are between 300,000 and 1 million PCs currently infected with malicious software that enslaved them into the botnet.

HIJACKING SEARCHES 

The companies said that the Bamital operation hijacked search results and engaged in other schemes that the companies said fraudulently charge businesses for online advertisement clicks.

 Bamital's organizers also had the ability to take control of infected PCs, installing other types of computer viruses that could engage in identity theft, recruit PCs into networks that attack websites and conduct other types of computer crimes.

 Now that the servers have been shut down, users of infected PCs will be directed to a site informing them that their machines are infected with malicious software when they attempt to search the web.

Microsoft and Symantec are offering them free tools to fix their PCs and restore access to web searches via messages automatically pushed out to victims.

 The messages warn: "You have reached this website because your computer is very likely to be infected by malware that redirects the results of your search queries. You will receive this notification until you remove the malware from your computer."

 It was the sixth time that Microsoft has obtained a court order to disrupt a botnet since 2010. Previous operations have targeted bigger botnets, but this is the first where infected users have received warnings and free tools to clean up their machines.

 Microsoft runs a Digital Crimes Unit out of its Redmond, Washington, headquarters that is staffed by 11 attorneys, investigators and other staff who work to help law enforcement fight financial crimes and exploitation of children over the web.

 Symantec approached Microsoft about a year ago, asking the maker of Windows software to collaborate in trying to take down the Bamital operation. Last week they sought a court order to seize the Bamital servers.

 The two companies said they conservatively estimate that the Bamital botnet generated at least $1 million a year in profits for the organizers of the operation. They said they will learn more about the size of the operation after they analyze information from infected machines that check in to the domains once controlled by Bamital's servers.

 Their complaint identified 18 "John Doe" ringleaders, scattered from Russia and Romania to Britain, the United States and Australia, who registered websites and rented servers used in the operation under fictitious names. The complaint was filed last week with a federal court in Alexandria and unsealed on Wednesday.

 The complaint alleges that the ringleaders made money through a scheme known as "click fraud" in which criminals get cash from advertisers who pay websites commissions when their users click on ads.

Bamital redirected search results from Google, Yahoo and Microsoft's Bing search engines to sites with which the authors of the botnet have financial relationships, according to the complaint.

The complaint also charges that Bamital's operators profited by forcing infected computers to generate large quantities of automated ad clicks without the knowledge of PC users.

 Symantec researcher Vikram Thakur said Bamital is just one of several major botnets in a complex underground "click fraud ecosystem" that he believes generates at least tens of millions of dollars in revenue.

He said that researchers at will comb the data on the servers in order to better understand how the click fraud ecosystem works and potentially identify providers of fraudulent ads and traffic brokers.

 "This is just the tip of the iceberg in the world of click fraud," said Thakur.

 Boscovich said he believes the botnet originated in Russia or Ukraine because affiliated sites install a small text file known as a cookie that is written in Russian on infected computers.

The cookie file contains the Russian phrase "yatutuzebil," according to the court filing. That can loosely be translated as "I was here," he said.

Microsoft provided details on the takedown operation on its blog.

(Reporting By Jim Finkle; Editing by Claudia Parsons and Leslie Gevirtz)

 Original Reuters Article

Keep up with new posts on this blog: Sign up for Email alerts Here

Electronic devices such as computers, cellphones and digital cameras must be properly seized, processed and stored to preserve the integrity of the data and ensure its evidentiary value. A manual developed by the Electronic Crime Technology Center of Excellence (ECTCoE) can provide agencies with much-needed guidance on drafting policies and procedures for handling digital evidence.

As stated in the text, the purpose of the sample Policy and Procedure Manual is to give law enforcement agencies a collection of documents that can serve as a starting point for developing policies and procedures for the collection, handling and processing of digital evidence. Once final, the manual will be posted to the National Law Enforcement and Corrections Technology Center (NLECTC) System website, in a Microsoft Word format to facilitate editing as needed by individual agencies. The NLECTC System is a program of the Office Justice Programs’ National Institute of Justice.

“The document was written in response to the many requests we’ve seen on the various computer forensic email lists requesting copies of policy and procedure 
manuals by state and local officers and agents who have been tasked with developing such a document for their own agency,” explains Russell Yawn, ECTCoE deputy director.

In developing the manual, the ECTCoE was able to take advantage of in-house expertise along with information gathered from law enforcement agencies.

“The ECTCoE deals with the law enforcement community at large so we have contacts throughout the country and some internationally that we can rely on for input,” says ECTCoE Director Robert O’Leary. “We have a well-established network and relied on that network to provide us with examples that agencies were using at the state level, and combined it with the expertise in the ECTCoE. Every CoE staff member has criminal justice experience with digital evidence collection and examination, so we were able to leverage all those resources and put together this set of policies and procedures.”

Some of the agencies that provided assistance include the Southern Oregon High Tech Crimes Task Force, the New York Police Department, Orlando Police Department, Austin Police Department, Dallas Police Department and Charleston Police Department. The ECTCoE also looked at sample policies from the U.S. Department of Defense.

“We were able to get a great deal of information from a number of agencies and contacts, and look at the policies that had been implemented and ensure that we did not overlook any topics or points of interest that other agencies may have found important,” O’Leary says.

The manual should also help agencies performing the Commission on Accreditation for Law Enforcement Agencies (CALEA) accreditation process regarding digital evidence procedures. The purpose of CALEA accreditation programs is to improve the delivery of public safety services, primarily by maintaining a body of standards and establishing and administering an accreditation process.

“Another thing we tried to keep in mind was the CALEA standards,” O’Leary says. “We wanted to ensure that these procedures would lend themselves to compatibility, and we were able to rely on some of our contacts that perform CALEA reviews.”

The manual has sections covering case assignment and prioritization; equipment testing, validation and updates; evidence and property handling; search and seizure; storage of evidence and retention policy; reports; materials and supplies; computer forensic lab access; Manual Outlines Policies and Procedures for Digital Evidence2 release of information to the media; quality assurance policy and process; and sample forms (e.g., computer lab request for service, evidence inventory and details, and evidence access and tracking).

“Some forms we developed, others are based on forms received from other agencies. We simply wanted to give agencies a format they could work with as a guide,” O’Leary says.

For more information, contact NLECTC at (800) 248-2742. For information on NIJ’s electronic crime technology portfolio, contact Program Manager Martin Novak at martin.novak@usdoj.gov or (202) 616-0630

Visit NLECTC's Interactive TechBeat.

Learn about new posts to this blog: Sign up for Email Alerts

Disclosure requirements for expert witnesses and written reports under

Federal Rule of Civil Procedure Rule 26.

 No part of this recording should be considered legal advice.

 Expert Witness Testimony Video

To be notified when new posts are made to this blog - Signup for Email Alerts

Reuters: 10/1/2012

Cyber Command intelligence chief says attacks accelerating

* Plans under way to promote Cyber Command to top-level unit

 * China accused of seeking to "exfiltrate" Pentagon secrets

 By Jim Wolf 

WASHINGTON, Sept 27 (Reuters) - The U.S. Cyber Command's top intelligence officer accused China on Thursday of persistent efforts to pierce Pentagon computer networks and said a proposal was moving forward to boost the cyber command in the U.S. military hierarchy.

"Their level of effort against the Department of Defense is constant" while alleged Chinese attempts to steal corporate trade secrets has been growing, Rear Admiral Samuel Cox, the command's director of intelligence, told Reuters after remarks to a forum on the history of cyber threats.

 The Office of the National Counterintelligence Executive, a U.S. intelligence arm, said in a landmark report a year ago that "Chinese actors are the world's most persistent perpetrators of economic espionage."

 "It's continuing apace," Cox said. "In fact, I'd say it's still accelerating." He accused China of trying to "exfiltrate" Pentagon secrets, jargon for sneaking them out.

 Asked whether any classified U.S. networks had been successfully penetrated - something not publicly known to have occurred - Cox replied: "I can't really get into that."

 A spokesman for the Chinese embassy did not immediately respond to a request for comment. In the past Chinese officials have denied such accusations.

 Cyber Command is responsible for defending Defense Department networks as well as mounting any U.S. offensive operations in cyberspace. It was created about two years ago as a unit of the U.S. Strategic Command, the outfit responsible for U.S. nuclear and space operations.

 Cox said a proposal was moving forward to elevate the cyberwarfare unit to the status of a full unified combatant command. This would put it on the same footing as its parent Strategic Command and the Defense Department's eight other top-level military units.

 The matter was headed to the secretary of defense and the president for a decision that possibly would come by the end of the year, he said.

 Cox spoke after telling a conference hosted by the Atlantic Council think tank that the overall sophistication and danger of cyber threats is increasing at "an accelerating rate, not a linear rate."

 "So the potential for these things to do destructive damage is very high," he said.

 The United States is among the few countries reliably reported to have mounted a destructive keyboard-launched attack - against Iran's disputed nuclear centrifuges using malicious code known as Stuxnet that surfaced in 2010.

 Army General Keith Alexander, who simultaneously heads Cyber Command and the National Security Agency, told a forum in July that unspecified foreign countries, hackers and criminal gangs contributed to a 17-fold jump in cyber attacks on U.S. infrastructure from 2009 to 2011.

 Promoting Cyber Command in the military hierarchy would simplify its operations in cyberspace and boost its ability to work directly with U.S. government agencies, allies and coalition partners.

Article Source

These days, even entry-level cellphones come standard with a decent digital camera and basic Internet access. That makes it easy to update your Facebook status or share pictures and video with family and friends in a matter of seconds. 

But that convenience can lead to trouble, too -- particularly among teenagers and young adults who don't consider the consequences of their actions beforehand. 

It's something that Chuck Hagen, a longtime Tippecanoe County deputy prosecutor, witnesses often. 

"The younger crowd uses technology to its fullest extent, including the criminal aspect," he said. "... Everything is so easily recorded, so easily transferred, so easy to use. 

"When I was in high school, it would take half an hour to load a photo. Now they just snap pictures of everything and share, at little cost." 

Take, for example, the two former Faith Christian School students, ages 13 and 14, who admitted sexually assaulting a 13-year-old girl last April in a wooded area near school property. Both were sentenced to an Indiana Department of Correction facility for youth. 

According to court records, prior to the sexual assault, the 14-year-old took a photo of the victim topless, and without her knowledge, in December 2011. He then shared the digital image with other juveniles and used it to blackmail the girl for four months. 

The same boy also recorded the April sexual assault, which lasted 45 minutes, and later watched it with other juveniles. 

Technology did not prompt the crimes, but it played a key role in the blackmail and subsequent police investigation and prosecution. 

The boy's behavior and actions fall under what the U.S. Department of Justice calls cybercrime, described as using a computer as a target, a weapon or an accessory. 

According to the National Crime Prevention Council, it's just as important for parents, schools and caregivers to teach children about "cyberethics" as it is to protect them from Internet-related crimes. 

"While youth who commit cybercrimes may realize that their actions are wrong, they may not know that their Internet behaviors are illegal," an article on the organization's website states.

 Where all can see

With his office computer, Hagen recently shared how he can easily pull up Facebook pages for juvenile defendants he has prosecuted. Often the photos he uncovers can be used in court as evidence.

Hagen displayed the Facebook page of a Lafayette, Ind., boy whose cover photo is of him pointing a black handgun directly at the camera. 

"Not only did he put that out there where I could see it, but he's sharing that with the world," Hagen said.

 The most common photos that Hagen has found are of minors consuming alcohol or using drugs. It provides compelling evidence in court when minors insist they've been well-behaved.

 "I can look up almost any kid on Facebook and see all the pictures they uploaded from their smartphone," he said. "Part of the problem is when you have parents who want their kids to be happy at any cost. They want to keep up with the other kids, so they get them fancy cellphones.

 "What I definitely don't see are pictures of kids studying. And they don't realize that once it's out there, it's not going to go away easily."

 As the lead crime scene investigator for the Lafayette Police Department, Detective Paul Huff has received specialized training on evidence recovery from computers and cellphones.

 He's been able to recover everything from hidden child pornography to Internet searches from a cellphone Internet browser. Suspects wrongly assumed that such information had been deleted.

 "Every time people get online, they leave some type of artifact," Huff said. "We basically see it all here."

 Some smartphones, such as iPhones, essentially track every keystroke that a person makes, from chat logs to text messages, Huff said.

 "Just four years ago, it was extremely difficult to get something that was deleted from a cellphone," he said. "Now it's much less difficult, though time consuming."

 Huff also warns that just because something is deleted on the user's end, it can be saved by another party -- for instance, if speaking to someone via video chat.

 So what can parents do? Hagen's best advice is to stay vigilant, even if children protest to phone or computer checks.

 "You may know your kid well, but you will never know all of your kid's friends," he said. "All this technology does make it easy to see what they're up to. ... It's a way to connect with your kids, too, by having them show you how something works."

Millions of people depend on the Internet every day and cyber criminals are counting on that,
according to a Kansas State Univ. cybersecurity expert.

"Hackers are performing cyber espionage by gathering information on companies, seeking out national secrets or starting cyber warfare by disabling critical infrastructure," says Xinming "Simon" Ou, associate professor of computing and information sciences.

To help counter the threat, the National Science Foundation has awarded $2.3 million to Kansas State University's department of computing and information sciences to provide scholarships to qualified students interested in becoming cybersecurity and information assurance professionals. A team of computing and information sciences faculty, including Ou, Gurdip Singh, Eugene Vasserman, John Hatcliff and Scott DeLoach, lead the scholarship program.

According to Ou, many systems society uses every day — such as smartphones, online companies, media communications, transportation, electricity and hospital systems — are highly dependent on a very fragile cyber infrastructure that, if hacked into, could be disastrous and shake people's sense of security like a cyber version of Pearl Harbor or 9/11.

"The nation is in dire need of people who are capable of handling the cybersecurity challenges we face," Ou says. "We are lagging behind in the number of experts we have versus the threats we see."

About 6 million attempts are made each day to hack into the U.S. Department of Defense's computers, Ou says. While safeguarding national secrets is a priority, experts also realize that disrupting physical infrastructure is a real possibility.

"It has been shown that by hacking into the computer systems controlling a power generator's turbine, it can set the turbine into high speed until self-destruction," Ou says. "And our power grid in the U.S. is pretty much accessible from anywhere in the world thanks to the Internet."

A newly developed course by the computing and information sciences department, Cyber Defense Basics, uses a contained off-the-grid cybersecurity lab for mock exercises. The lab allows instructors to test students' abilities to defend against cyber attacks without infecting systems outside the lab. It teaches students the basics of cyber defense and how to counterattack.

"The public may not be very aware of how vulnerable we are these days, but the government is," says Gurdip Singh, head of the department of computing and information sciences at Kansas State Univ. "There have been successful incidents where attackers from another part of the world were able to penetrate U.S. financial and government computer systems. That's why training the next generation to counter these attacks is so important. This scholarship program will be a wonderful opportunity for students interested in the field."

Scholarship applicants must be U.S. citizens and will be subjected to background checks. The scholarship package includes a $20,000-$30,000 stipend plus tuition and fees, as well as money for materials and professional development such as attending cybersecurity conferences and trainings. Scholarship recipients are obligated to serve a government agency in a cybersecurity and information assurance position for the equivalent number of years they received the scholarship.

"Cybersecurity is not a pure technical problem; it needs the whole society’s attention and effort to address," Ou says.

The first scholarships will be awarded sometime in 2013.

Source: Kansas State Univ. 

Source: The Associated Press, Richard Lardner

A customer in Shenzhen, China, took a new laptop out of its box and booted it up for the first time. But as the screen lit up, the computer began taking on a life of its own. The machine, triggered by a virus hidden in its hard drive, began searching across the Internet for another computer.

 The laptop, supposedly in pristine, super-fast, direct-from-the-factory condition, had instantly become part of an illegal, global network capable of attacking websites, looting bank accounts and stealing personal data.

For years, online investigators have warned consumers about the dangers of opening or downloading emailed files from unknown or suspicious sources. Now, they say malicious software and computer code could be lurking on computers before the bubble wrap even comes off.

 The shopper in this case was part of a team of Microsoft researchers in China investigating the sale of counterfeit software. They received a sudden introduction to malware called Nitol. The incident was revealed in court documents unsealed in a federal court in Virginia. The records describe a new front in a legal campaign against cybercrime being waged by the maker of the Windows operating system, which is the biggest target for viruses.

 The documents are part of a computer fraud lawsuit filed by Microsoft against a web domain registered to a Chinese businessman named Peng Yong. The company says the domain is a major hub for illicit Internet activity, home base for Nitol and more than 500 other types of malware, which makes it the largest single repository of infected software that Microsoft officials have encountered.

 Peng, the owner of an Internet services firm, said he was not aware of the Microsoft suit. He denied the allegations and said his company does not tolerate improper conduct on the domain, 3322.org. Three other unidentified individuals accused by Microsoft of establishing and operating the Nitol network are also named in the suit.

 What emerges most vividly from the court records and interviews with Microsoft officials is a disturbing picture of how vulnerable Internet users have become, in part because of weaknesses in computer supply chains. To increase their profit margins, less reputable computer manufacturers and retailers may use counterfeit copies of popular software products to build machines more cheaply. Plugging the holes is nearly impossible, especially in less regulated markets such as China, and that leaves openings for cybercriminals.

 "They're really changing the ways they try to attack you," said Richard Boscovich, a former federal prosecutor and a senior attorney in Microsoft's digital crimes unit.

 Distance doesn't equal safety. Nitol, for example, is an aggressive virus found on computers in China, the United States, Russia, Australia and Germany. Microsoft has even identified servers in the Cayman Islands controlling Nitol-infected machines. All these compromised computers become part of a botnet, or collection of compromised computers; it's one of the most invasive and persistent forms of cybercrime.

 Nitol appears poised to strike. Infection rates have peaked, according to Patrick Stratton, a senior manager in Microsoft's digital crimes unit who filed a document in the court case explaining Nitol and its connection to the 3322.org domain.

For Microsoft, pursuing cybercriminals is a smart business. Its Windows operating system runs most of the computers connected to the Internet. Victims of malware are likely to believe their problems stem from Windows instead of a virus they are unaware of, and that damages the company's brand and reputation.

 But more than Microsoft's image is stake when counterfeit products are tainted by malware that spreads so rapidly, Boscovich said. "It's more than simply a traditional intellectual property issue," Boscovich said. "It's now become a security issue."

 The investigation by Microsoft's digital crimes unit began in August 2011 as a study into the sale and distribution of counterfeit versions of Windows. Microsoft employees in China bought 20 new computers from retailers and took them back to a home with an Internet connection.

 They found forged versions of Windows on all the machines and malware already installed on four. The one with Nitol, however, was the most alarming because the malware was active.

 "As soon as we powered on this particular computer, of its own accord without any instruction from us, it began reaching out across the Internet, attempting to contact a computer unfamiliar to us," Stratton said in the document filed with the court.

 The laptop was made by Hedy, a computer manufacturer in Guangzhou, China, according to the court records. The company, reached by phone, declined to answer questions.

 Stratton and his colleagues also found Nitol to be highly contagious. They inserted a thumb drive into the computer and the virus immediately copied itself onto it. When the drive was inserted into a separate machine, Nitol quickly copied itself on to it.

 Microsoft examined thousands of samples of Nitol, which has several variants, and all of them connected to command-and-control servers associated with the 3322.org domain, according to the court records.

 "In short, 3322.org is a major hub of illegal Internet activity, used by criminals every minute of every day to pump malware and instructions to the computers of innocent people worldwide," Microsoft said in its lawsuit.

 Peng, the registered owner of 3322.org, said he has "zero tolerance" for the misuse of domain names and works with Chinese law enforcement whenever there are complaints. Still, he said, his huge customer base makes policing difficult.

 "Our policy unequivocally opposes the use of any of our domain names for malicious purposes," Peng said in a private chat via Sina Weibo, a service like Twitter that's very popular in China. "We currently have 2.85 million domain names and cannot exclude that individual users might be using domain names for malicious purposes."

 Peng is the founder and chief executive of Bitcomm, a company he and his wife own. They founded an earlier company, which started 3322.org in 2001. Bitcomm took over the domain in 2007.

 Past warnings by other online security firms have been ignored by Peng, according to Boscovich. 3322.org accounted for more than 17 percent of the world's malicious web transactions in 2009, according to Zscaler, a computer security firm in San Jose, Calif. In 2008, Russian security company Kaspersky Lab reported that 40 percent of all malware programs, at one point or another, connected to 3322.org.

U.S. District Judge Gerald Bruce Lee, who is presiding in the case, granted a request from Microsoft to begin steering Internet traffic from 3322.org that has been infected by Nitol and other malwares to a special site called a sinkhole. From there, Microsoft can alert affected computer users to update their anti-virus protection and remove Nitol from their machines.

 Since Lee issued the order, more than 37 million malware connections have been blocked from 3322.org, according to Microsoft.

 Associated Press researcher Fu Ting in Shanghai contributed to this report.

National Institute of Justice (NIJ)
 

Computers are used for committing crime, and, thanks to the burgeoning science of digital evidence forensics, law enforcement now uses computers to fight crime.

Digital evidence is information stored or transmitted in binary form that may be relied on in court. It can be found on a computer hard drive, a mobile phone, a personal digital assistant (PDA), a CD, and a flash card in a digital camera, among other places.[1] Digital evidence is commonly associated with electronic crime, or e-crime, such as child pornography or credit card fraud. However, digital evidence is now used to prosecute all types of crimes, not just e-crime. For example, suspects' e-mail or mobile phone files might contain critical evidence regarding their intent, their whereabouts at the time of a crime and their relationship with other suspects. In 2005, for example, a floppy disk led investigators to the BTK serial killer who had eluded police capture since 1974 and claimed the lives of at least 10 victims.

In an effort to fight e-crime and to collect relevant digital evidence for all crimes, law enforcement
agencies are incorporating the collection and analysis of digital evidence, also known as computer forensics, into their infrastructure. Law enforcement agencies are challenged by the need to train officers to collect digital evidence and keep up with rapidly evolving technologies such as computer operating systems.

NIJ's Electronic Crime Program, which includes the Electronic Crime Center of Excellence, supports the development of tools to assist state and local law enforcement in combating e-crime and collect digital evidence. The program has five main focus areas:

Mobile and Cellular Device Forensics Tools

Digital Evidence Investigative Tools

Digital Evidence Analysis Tools

Digital Forensic Training

Digital Forensics Standards and Capacity Building

More detailed information is available at: The National Institute of Justice:

Digital Evidence Investigative Tools

Digital evidence investigative tools are needed to efficiently and effectively collect digital evidence from crime scenes.

On this page, find:

The critical role of first responders in collecting digital evidence

Why traditional forensics techniques are less effective with digital evidence

Types of images captured by digital evidence investigative tools

Digital evidence investigative tools supported by NIJ

The Critical Role of First Responders in Collecting Digital Evidence

As technology advances, so have the knowledge and duties required of law enforcement officers at a crime scene. The scope of evidence to be searched for and collected at a crime scene now includes digital evidence such as cell phones and computer networking devices. Some of these devices might be hidden in ceilings or other locations that are not immediately evident. At the same time, forensics experts face an ever-expanding backlog of digital evidence due to the increased use of computers. Training and preparing first responders to perform preliminary investigations could help reduce the digital evidence backlog and help law enforcement make significant headway into solving a range of crimes, including:

Computer threats

Missing person cases

Fraud cases

Theft

NIJ supports the development of tools that allow law enforcement officers who are not computer experts to conduct basic analysis of digital evidence at crime scenes. Onsite analysis by first responders would speed up initial investigative tasks, reducing the workload of digital forensics experts and allowing them to focus on more in-depth digital evidence analysis.

Why Traditional Forensics Techniques Are Less Effective With Digital Evidence

In the early days of digital evidence collection and analysis, law enforcement officers would confiscate a computer, and then create an exact duplicate of the original evidentiary media — called an image — onto another device. Analysis of the device's image would then be conducted in a controlled setting.

However, some data cannot be recovered once the device is shut down, so law enforcement has moved away from "grab-and-go" tactics. The emphasis is now on capturing as much data as possible at crime scenes while devices are still running.

When dealing with digital evidence, first responders should still observe general forensic and procedural principles, including:

Evidence should not be changed while it is being collected, secured and transported.

Digital evidence should be examined only by those trained specifically for that purpose.

Everything done during the seizure, transportation and storage of digital evidence should be fully documented, preserved and available for review.

Types of Images Captured by Digital Evidence Investigative Tools

Digital evidence investigative tools capture two types of images:

Physical images: Images of passwords stored in memory, whole disk encryption keys, information stored by Windows and other user-related information that may not be stored once volatile memory is flushed upon reboot or shutdown. Physical images hold up better in court as evidence.

Logical images: Information that could be easily viewed by any user, including a list of running processes and programs, screen captures (to document open windows) and graphic files or documents that may be relevant to an open investigation.

Digital Evidence Investigative Tools Supported by NIJ

NIJ supports several digital evidence investigative tools that:

Prevent Data Loss When Seizing Electronic Devices of Interest

Identify Intrusion and Unauthorized Activities

Acquire Data From Networked Computers

Analyze Live Memory

Enhance "At-the-Scene" Digital Analysis Capabilities of First Responders

For more detailed information, visit the National Institute of Justice  

To receive updates on new blog posts, Sign up for Email Alerts

LIKE US ON FACEBOOK

Digital breadcrumbs left by the iMac and iPad computers were key in tracking them down

 By Martyn Williams

IDG News Service - The digital breadcrumbs left behind when people use Internet-connected gadgets are what led California investigators to recover iMacs, iPads and other items stolen from the home of the late Apple CEO Steve Jobs.

 Based on the police report, obtained by the IDG News Service, here's how they did it.

 The burglary took place while the Jobs family home, in a leafy and quiet area of Palo Alto, was being renovated and was unoccupied. Sometime between the construction crew leaving the site at 5:00 p.m. on Tuesday, July 17, and arriving just before 8:00 a.m. the next morning, someone entered the house and stole several personal effects and Apple gadgets.

 Within several days, the Palo Alto Police Department had enlisted the help of the Rapid Enforcement Allied Computer Team, a San Jose-based organization formed by local, state and federal law enforcement agencies that specializes in computer-related crimes. Local police wanted assistance tracking down the Apple computers and iPads that were reported stolen from the house.

 The REACT team reached out to Apple's own investigators, who had access to the company's computer systems, and supplied them with a list of serial numbers of stolen devices. Apple was quickly able to determine that one of the stolen iPads had connected with Apple's servers soon after the burglary.

 The iPad was trying to reinstall its operating system and was recorded connecting from an AT&T U-verse Internet IP address from 7:22 a.m. to 7:31 a.m. on July 18, the morning after the house was broken into and minutes before the returning construction workers would discover the break-in.

 Upon searching logs for the IP address, Apple investigators discovered a different iPad had connected from the same address at 8:10 a.m. on July 17, before the burglary took place, and again at 1:56 p.m. on July 20, after the break-in was reported to police. That iPad wasn't suspected stolen, but the iTunes account information gave investigators a lead.

 Tied with information from AT&T U-verse about the Internet connection, investigators were led to an address in Alameda, on the east side of San Francisco Bay. At that address Kariem McFarlin, the suspect in the case, was paying for AT&T Internet service, according to investigators.

 While police were building their case there was more activity on the stolen devices.

 Over a five day period, Apple investigators recorded activity on McFarlin's iTunes account linked to the iPad that originally connected to restore its operating system, a second iPad stolen from the Jobs' home and an iMac computer that was also missing, according to police. One of the iPads later connected from a Comcast Internet connection in Alameda using a different iTunes account.

 Investigators say they searched McFarlin's Facebook page and discovered their suspect and the owner of this new iTunes account were friends.

 Before investigators made their move there was one final check that had to be made.

 They traveled to the Alameda address where McFarlin lived and swept the immediate area for Wi-Fi signals.

 Police wanted to determine whether there was an open Wi-Fi network that perhaps was being used without the owners' permission. If the AT&T Internet address was tied to an unsecured connection, it could complicate the case because anyone could have used it. Finding only secured Wi-Fi signals, investigators could argue it was being used by the person paying the bill or those with permission.

On August 2 police entered McFarlin's apartment and discovered one of the stolen iMac computers on his kitchen table, according to the police report.

 The other iPads were recovered from people associated with McFarlin, the police say.

 To get rid of stolen jewelry, McFarlin told police, he had Googled selling jewelry and found a dealer in Pennsylvania. Police say they found email messages in McFarlin's phone indicating the sale and were able to recover the stolen jewelry by contacting the broker.

 In a subsequent interview with McFarlin, police say he admitted breaking into the home by climbing over the builders' scaffolding and finding a spare key for the house in the garage. He said he stole two iMacs, three iPads, three iPods, one Apple TV, a diamond necklace and earrings, and several other items.

 In explaining his actions, investigators say McFarlin said he had money problems and had taken to breaking into houses. He wrote a single page letter of apology admitting he had burglarized Steve Jobs' house and stolen property, but had done so because he was desperate.

 McFarlin is due in court on Monday.

 Martyn Williams covers mobile telecoms, Silicon Valley and general technology breaking news for The IDG News Service.

To learn when new posts are available on this blog: Register Your Email Address.

CONSENT TO SEARCH COMPUTER/ELECTRONIC EQUIPMENT

I, _____________________________, have been asked to give my consent to the search of my computer/electronic equipment. I have also been informed of my right to refuse to consent to such a search. 

I hereby authorize ________________________ and any other person(s) designated by [insert Agency/Department] to conduct at any time a complete search of:

¤ All computer/electronic equipment located at ___________________

_________________________. These persons are authorized by me to take from the above location: any computer hardware and storage media, including internal hard disk drive(s), floppy diskettes, compact disks, scanners, printers, other computer/electronic hardware or software and related manuals; any other electronic storage devices, including but not limited to, personal digital assistants, cellular telephones, and electronic pagers; and any other media or materials necessary to assist in accessing the stored electronic data.

¤ The following electronic devices:

[Description of computers, data storage devices, cellular telephone, or

other devices (makes, models, and serial numbers, if available)]

I certify that I own, possess, control, and/or have a right of access to these

devices and all information found in them. I understand that any contraband or evidence on these devices may be used against me in a court of law.

I relinquish any constitutional right to privacy in these electronic devices and any information stored on them. I authorize [insert Agency/Department] to make and keep a copy of any information stored on these devices. I understand that any copy made by [insert Agency/Department] will become the property

of [insert Agency/Department] and that I will have no privacy or possessory interest in the copy.

This written permission is given by me voluntarily. I have not been threatened, placed under duress, or promised anything in exchange for my consent. I have read this form; it has been read to me; and I understand it. I understand the _____________ language and have been able to communicate with the agents/officers.

I understand that I may withdraw my consent at any time. I may also ask for a receipt for all things turned over.

Signed: ________________ Signature of Witnesses:  _______________

Date and Time:__________ Date and Time:_______________

Consent Form: Search and Seizure of Computers

As published in:

Searching and Seizing Computers  and Obtaining Electronic Evidence in Criminal Investigations

Computer Crime and  Intellectual Property Section, Criminal Division

U.S. Dept . of Justice

By Ellen Messmer - Originally Published at: Digital Forensic News

It started out as an ordinary workday for Michelle Marsico, who runs a business based in Redondo Beach, Calif., handling escrow funds for clients in real estate. But when she went online to check the funds-transfer activity in her commercial bank account, she found to her horror that it had been cleaned out by cybercrooks to the tune of almost half a million dollars.

Two dozen fraudulent electronic-funds transfers had whisked about $450,000 out of her account to bank accounts elsewhere for roughly 20 recipients whose names and addresses she didn't recognize. "I was in shock for a few minutes," says Marsico, president of Village View Escrow. "I thought, there must be a mistake."

 It was all an online cyberheist against her and Professional Business Bank, where she had the Village View escrow account, and it turned her life upside down. The next shock was when she realized her bank, which called the FBI, wasn't going to be able to speedily recover the funds that had been sent to these 20 or so "money mules," the individuals recruited to help the organized cybercrime gang.

And since her bank wasn't going to quickly go after the money mules, Marsico decided to do it herself.

"I finally received a copy of the wire transfers, with the names and addresses of the recipients," she says. She frantically set out to find as many as she could through online searches.

 Strangely, one of the recipients had actually called the company, angrily demanding that it "stop harassing him."

 "They thought we were harassing him to send out the money after he had his bank call him about it. He thought the money legitimately came from us, and the criminals were trying to hurry him up," she says.

Some of the money mules that had been recruited to transfer stolen funds on to the crooks were indeed unaware they were part of a cybercrime, often having been recruited by means of fake job advertisements at online job sites like CareerBuilder.com. One older man in Hawaii thought the funds transfers were part of a textile-buying operation.

 But "some did know what it was," says Marsico.

 One man in New York that had received about $29,000 "was frank with me and said, 'I feel bad about it.' I said if you return the money, I'll let the Secret Service know that." She managed to get about a dozen of the recipients to cough up $72,000 of the stolen funds. But that left her out $373,000.

 That left Marsico and her bank to square off over how this had happened, whether someone had broken into a Village View Escrow computer or something else. The focus of the dispute came to center around the nature of the authentication and funds-transfer validation process.

Village View Escrow ended up suing Professional Business Bank. Basically, the company contended that the authentication and funds-transfer authorization and validation process was insufficient, and the bank should be held responsible for the loss that Village View suffered.

 Marsico does not represent herself as a security expert, but her painful experience has also been a learning experience. Basically, Professional Business Bank -- later acquired by Bank of Manhattan -- at the time claimed to use "two-factor authentication," says Marsico, but the process was only two people from the company who had to log in to release the wire transfer. "One of input, one to release," she says. "Only using a user name and password." The process was also supposed to entail the company getting an email or callback response, but "nothing was consistent. Sometimes it happened, sometimes it didn't."

 She switched to another bank where token-based variable passwords are part of the security in online banking.

 The lawsuit took two years to settle. Marsico was represented by Silicon Valley Law Group, whose lead attorney, Kim Dincel, had been a friend since she was 14. One filing from the suit almost mockingly recites the advertising Professional Business Bank used to attract clients:

 "Now you can do all your banking from home or office! ProBizBank offers NetTeller -- advanced and secure financial online banking services that's available 24 hours a day 7 days a week. All you need is a computer, a ProBizBank account and your personalized user ID and password. It's simple, safe and so convenient, you'll wonder how you lived without it."

 Law enforcement wasn't much help to Marsico.

 "Every department I talked with, it was out of their jurisdiction. The Secret Service agent -- he was very kind -- but he said you need to do what it takes to survive." Marsico had to go get a loan to cover the stolen funds and the situation also put her in jeopardy of losing the license she needed to operate her business.

But after a two-year fight, Professional Business Bank, which had by that time become part of Bank of Manhattan, finally agreed to pay Village View Escrow $600,000 in late June. The settlement basically covered Marsico's losses, plus interest and expenses.

 Julie Rogers, attorney at Silicon Valley Law Group, points out that businesses that end up in disputes with their banks over cybercrime-related theft actually find they have less legal protection than consumers. When in a dispute with their commercial customers, "banks typically deny liability," says Rogers, adding small to midsize businesses are often more on the defensive than larger corporations that may have more resources.

 Not only that, business owners will find themselves under investigation as law-enforcement authorities or others question whether the business actually committed the fraud. And in these circumstances, the person being investigated may also have to pay for this investigation under the law. In Marsico's case, competitors in her business even took advantage of the situation by sending out fliers alluding to her plight, trying to impact her reputation, Rogers adds.

As to where all those stolen funds from the money mules were being transferred, Rogers says it appeared they were destined for the Middle East and Russia.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.

by Mirko Zorz - Tuesday, 10 July 2012.

Published in Digital Forensic Investigation News 

Jess Garcia, founder of One eSecurity, is a senior security engineer and an active security researcher in areas of incident response, computer forensics and honeynets. In this interview he talks about mobile forensics, cyber crime scenes, how forensics experts testify in court, privacy concerns, and more. Garcia will be teaching at SANS Forensics Prague 2012.

 Let's say we're looking at a cyber-crime scene comprised of several still powered on computers as well as confiscated smartphones. When the forensic investigator arrives, what does his workflow look like?

 Mobile devices are typically the most volatile of all the evidence, because they are constantly exchanging data (via wifi, 3G, Bluetooth, calls/SMS, etc.). The typical first step is to isolate those devices using appropriate measures (such as Faraday bags), to prevent a potential remote wipe or alternative technique directed to alter or destroy evidence in the device.

 Certain precautionary measures should also be taken into account, like disabling access passwords or PINs in case the device is unlocked (for preventing re-locking), connecting it to a power source (to prevent battery exhaustion), etc. Similar steps should be taken with computers (in case they are connected to the network).

 After that, a traditional forensics process can be carried out: on-site triage and pre-analysis if required, forensic acquisition of memory, hard drives, evidence preservation, etc.

 Mobile devices can at times be acquired at the forensic lab, where you work in a more friendly environment with a better signal isolation. In that case, you need to make sure the device is kept connected to a power source at all times, since the signal isolation will quickly drain the batteries.

 What forensics tools do you prefer and why?

 I literally have hundreds of forensic tools in my "bag", both open source and commercial, Windows, Linux and Mac. Each case typically requires different tools and techniques, and sometimes a specific small utility can save you hours of work. It is important to be up to date with the latest versions, keep an eye on new tools and new features of your current tools.

 If I have to mention just one tool, I will mention the SANS SIFT, which is open source and freely downloadable from the SANS website, and which comes with a myriad of forensic tools ready to use in a forensically friendly environment.

 What advice would you give to a forensic investigator that needs to present his findings in front of a jury in court?

 Court is a weird, confusing and at times hostile environment for technical professionals. In our world things are binary, black or white. Law is all about interpretation.

 f you need to testify in court, just be objective, translate to normal words any non-technical person can understand your findings and conclusions, in a professional and scientific way.

There is an excellent book, A Guide to Forensic Testimony, which I love and I always recommend to my students. It is a must read if you are going to testify in court, as it will open your eyes to how things work. A perfect case can be a lost case if the expert witness is not able to properly translate the findings for the audience.

 How can a forensic investigator make sure he strikes a balance between his work and a users' right to privacy?

 In a corporate environment there should be policies that take care of this, defining what a forensic Investigator can or cannot do. However, in many cases they are actually not in place, and you will have to use your common sense. But beware: the boundaries and interpretation of law are not easy to understand for a forensic examiner, and our common sense is sometimes not valid.

I always recommend to check with a lawyer as required. My advice would be: "be conservative and ask for expert advice if in doubt."

 Said that, our forensic tools can also help, as they allow us to do "blind searches" over the evidence which, with the right keywords, might be enough evidence that something is fishy.

 What are the fundamental differences in investigating Windows, Linux and Mac OS X systems?

 The difference is that in the Windows environment almost every artifact is a proprietary format and requires a different tool and technique for analysis, while in the Linux and Mac OS X worlds (which are part of the same *NIX family) artifacts are typically text or pseudo-text (some plist files can be compressed, but they can easily be decompressed on the fly).

 This allows easily automating many of the tasks in Linux/Mac investigations, consequently speeding them. Also there are many more obscure artifacts in the Windows world that we tend to discover day by day, being the Registry a world on its own.

 When I teach the SANS FOR408 course, in which we cover many of those artifacts, the vast majority of the students are not familiar with most of these artifacts, including very experienced professionals.

 What does your SANS training course look like? What skills can attendees expect to acquire?

 Think of a SANS course like one of the most extreme learning experiences you've ever had. One of the old sayings that students repeat is: "It feels like drinking from a firehose!" A SANS course is much more than just teaching some material.

Every instructor makes an effort to share his own real world experience (which in my case is 15+ years in computer security and forensics), in an intense and passionate way. We cover lots and lots of content, in a VERY hands-on way, with demos, in-class discussions, experience sharing, real world examples, etc.

 We all love this field, students and instructors, and both enjoying and learning as much as possible is the final objective. Always with a focus on real world practical things, on things that you can put to use as soon as you go back to the office. 

Reprinted from DFI News;  DFI NEWS Website 

In its first ever transparency report, Twitter reported Monday that the United States leads the pack when it comes to government demands for user data, having filed 679 requests in the first half of the year.

Worldwide, Twitter said it has received more government demands for data in the first six months of this year than all of last year.

In Twitter’s transparency report, it said it has complied with 75 percent of user-data disclosure demands by producing “some or all information” requested by U.S. authorities. Globally, the average was 63 percent.

Data previous to 2012 was not available. Twitter said it notifies its users of government demands “unless prohibited by law.”

The closest country behind the United States was Japan, which lodged 98 requests with a 20 percent Twitter compliance rate. The United Kingdom and Canada came in with 11 requests, with an 18 percent compliance rate. All of the other countries in the 23-nation Twitter report registered with less than 10 government demands.

“We’ve received more government requests in the first half of 2012, as outlined in this initial dataset, than in the entirety of 2011,” Twitter said on its blog.

The disclosure follows Google’s lead — nearly two years ago, when the search giant turned heads by publishing a treasure trove of data surrounding government demands for user data, in addition to information on the number of takedown notices connected to copyright infringement.

“Wednesday marks Independence Day here in the United States. Beyond the fireworks and barbecue, July 4th serves as an important reminder of the need to hold governments accountable, especially on behalf of those who may not have a chance to do so themselves,” Twitter said.

The Twitter report came the same day a New York state judge ordered the San Francisco-based microblogging site to divulge the tweets and account information allegedly connected to an Occupy protester.

Twitter did not say whether, at least in the United States, the authorities presented probable-cause warrants for user data. Manhattan Criminal Court Judge Matthew A. Sciarrino Jr.’s ruling Monday did not require local prosecutors to have probable cause to get the tweets and accompanying account information of an Occupy protester.

The company, however, listed a few reasons why it does not acquiesce to all government-issued, user-data requests.

“We do not comply with requests that fail to identify a Twitter user account. We may seek to narrow requests that are overly broad. In other cases, users may have challenged the requests after we’ve notified them,” Twitter said. Most famously, Twitter successfully fought to allow individuals being investigated for their connections to WikiLeaks to challenge requests for their Twitter data.

In a separate reporting category, Twitter said it received 3,378 requests to remove copyrighted material from Twitter in the United States for the first half of the year. The Digital Millennium Copyright Act requires internet service providers to remove works, at the copyright holder’s request, to avoid legal liability.

Overall, Twitter said it removed 38 percent of the material specified in the takedown requests. Among other reasons, Twitter said it does not comply with all requests because sometimes they “fail to provide sufficient information” or were “misfiled.”

Twitter also reported that it did not comply with any of the handful of requests from France, Greece, Pakistan, Turkey and the United Kingdom to remove content that is illegal in those nations.

Twitter’s not the first to follow Google’s transparency lead – Dropbox, LinkedIn, SpiderOak and SonicNetbeat

Among those who ought to be next: Facebook, AT&T, Verizon, Sprint, Yahoo, Comcast, Time Warner Cable, and Microsoft.

To Learn When new posts Are added: Sign Up For eMail Alerts Here