﻿<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<rss version="2.0" xmlns:media="http://search.yahoo.com/mrss/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:s="http://www.zdnet.com/search" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd">
  <channel>
    <link>http://www.zdnet.com/</link>
    <title>ZDNet | Zero Day Blog RSS</title>
    <description>Latest blogs in Zero Day</description>
    <language>en</language>
    <copyright>ZDNet</copyright>
    <managingEditor>customerservice@zdnet.com (ZDNet Customer Services)</managingEditor>
    <webMaster>uk-engineering@cbsinteractive.com (ZDNet Webmaster)</webMaster>
    <pubDate>Thu, 20 Jun 2013 01:34:14 -0700</pubDate>
    <lastBuildDate>Thu, 20 Jun 2013 01:34:14 -0700</lastBuildDate>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <ttl>2</ttl>
    <image>
      <url>http://i.zdnet.com/images/spry/zdnet_300x300.jpg</url>
      <link>http://www.zdnet.com/</link>
      <title>ZDNet | Zero Day Blog RSS</title>
      <width>143</width>
      <height>39</height>
    </image>
    <s:counts>
      <start>0</start>
      <return>20</return>
      <found>3038</found>
    </s:counts>
    <item>
      <guid isPermaLink="false">7000016956</guid>
      <link><![CDATA[http://www.zdnet.com/microsoft-unleashes-bug-bounty-program-for-betas-too-7000016956/]]></link>
      <title><![CDATA[Microsoft unleashes bug bounty program — for betas, too]]></title>
      <description><![CDATA[The software giant's bug bounty program will aim to fix security flaws, bugs, and vulnerabilities even before products are released. ]]></description>
      <pubDate><![CDATA[Thu, 20 Jun 2013 00:00:00 +0000]]></pubDate>
      <media:credit role="author"><![CDATA[Zack Whittaker]]></media:credit>
      <s:doctype><![CDATA[Text]]></s:doctype>
      <category domain="http://www.zdnet.com/topic-microsoft/">Microsoft</category>
      <media:text type="html"><![CDATA[<figure><img title="ie-malware-610x377" alt="ie-malware-610x377" src="http://cdn-static.zdnet.com/i/r/story/70/00/016956/ie-malware-610x377-610x377.png?hash=AJZ5MTLmAQ&upscale=1" height="377" width="610"><figcaption>IE9 under a zero-day attack before a Patch Tuesday in February. Microsoft wants to reward those who discover serious security flaws even before its software is released. (Image: <a href="https://community.rapid7.com/community/metasploit/blog/2012/09/17/lets-start-the-week-with-a-new-internet-explorer-0-day-in-metasploit">Rapid7</a>)</figcaption></figure>
<p>Microsoft on Wednesday announced it will launch a "bug bounty" program, designed to stamp out security vulnerabilities&nbsp;in its software before and after its products are launched.</p>
<p>The software giant has previously offered as much as $250,000 for security vulnerabilities disclosed&nbsp;<a href="http://www.computerworld.com/s/article/9218845/Microsoft_kicks_off_250_000_security_contest">as part of its BlueHat prize</a>&nbsp;during contests, but the company had yet to offer a long-term, ongoing bug bounty program to encourage researchers to find flaws in its products.</p>
<p>"This is the smartest thing we can do," Katie Moussouris, senior security strategist lead at Microsoft Security Response Center (MSRC), told ZDNet on the phone. "We evaluated what researchers were doing, and we noticed the reporting trend was changing. A few years ago, most researchers were going to Microsoft directly. We want to bring that back."</p>
<p>But the twist in the tale is that these bug bounty programs will specifically include the company's pre-release software, such as Internet Explorer 11 preview, which will be included with Windows 8.1 ("Blue") <a href="http://www.zdnet.com/microsoft-confirms-blue-to-be-free-for-existing-windows-8-users-7000015358/">on June 26</a>, helping Microsoft stamp out bugs before its products are released into the wider population.</p>
<p>There's a method to this apparent madness. According to the company, most IE 10 security bugs were disclosed after the browser was pushed out into the wild because only then could the researcher receive a financial bounty for their discoveries through a third-party broker.&nbsp;</p>
<p>"Most [third-party] brokers don't offer beta bounties. When brokers offered money, researchers reported them, so during the betas there was no incentive to report them. Microsoft wants to fill that gap," Moussouris said.&nbsp;</p>
<p>Microsoft's projection for IE 11, with this beta bug bounty, is that more disclosures will occur sooner rather than later, while the product is still in a smaller pool of developers and beta testers.</p>
<p>The company is splitting its security strengthening efforts across three programs:</p>
<p>The first is a "mitigation bypass bounty," which will pay out up to $100,000 per bypass to security researchers who find truly novel exploitation techniques that bypass the platform-level security layer. As Moussouris described it, it's like finding "holes in the shield," which helps Microsoft build better protection against entire classes of attack.</p>
<p>Dubbed the BlueHat Bonus for Defense, the second program gives researchers the opportunity to receive an extra $50,000 if they submit a defensive idea, in the form of a technical whitepaper, that can help block the attack they have just discovered.</p>
<p>IE 11 will remain an integral part of Windows 8.1 while at the same time being a continued target for hackers and malware writers. So, with the third program, Microsoft is offering up to $11,000 per critical-severity vulnerability to researchers.&nbsp;</p>
<p>For the IE 11 preview, the payout structure works like this:</p>
<figure><img title="bug-bounty-ie11" alt="bug-bounty-ie11" src="http://cdn-static.zdnet.com/i/r/story/70/00/016956/bug-bounty-ie11-620x257.png?hash=BQNmMTDmAw&upscale=1" height="257" width="620"><figcaption>(Image: Microsoft)</figcaption></figure>
<p>All three of these programs start on June 26 and continue on an ongoing basis, with the exception of the IE 11 preview bug bounty, which ends a month later on July 26.</p>
<p>Moussouris said the first two programs will help protect Microsoft's desktop platforms. As for the company's cloud and Web-based technologies, such as Azure, Office 365, and the Xbox Live platform, she said: "But we'll see where the programs take us."</p>
<p>For Microsoft, getting security vulnerabilities squashed earlier rather than later is its primary motivation. And asked about researchers at rival companies, such as Google, discovering bugs and flaws in its software, Microsoft doesn't mind paying out. "As long as it's OK with your employer, any researcher can participate."</p>
<p>And, learning from PayPal's recent bluff by refusing <a href="http://nakedsecurity.sophos.com/2013/05/29/paypal-refuses-to-pay-bug-finding-teen/">to pay out to a bug-finding teenager</a> because he fell under the age requirement, Microsoft has opened up the doors to those 14 years of age or older, realizing that younger developers should still be able to participate.</p>
<p>"If you are at least 14 years old, but are considered a minor in your place of residence, you need to ask your parent's or legal guardian’s permission prior to participating in this program," the bug bounty program guidelines state.</p>
<p>On one hand, Microsoft is building a more constructive relationship with security researchers. But at the same time, the company could be seen as employing a "keep your enemies closer" approach. And if the end result is that 90 percent of the world's users have more secure software and platforms, it's a win-win for all involved.</p>]]></media:text>
    </item>
    <item>
      <guid isPermaLink="false">7000017002</guid>
      <link><![CDATA[http://www.zdnet.com/oracle-releases-latest-round-of-java-security-patches-7000017002/]]></link>
      <title><![CDATA[Oracle releases latest round of Java security patches]]></title>
      <description><![CDATA[Oracle has released critical patch updates containing 40 security fixes across Java SE products. ]]></description>
      <pubDate><![CDATA[Wed, 19 Jun 2013 15:27:05 +0000]]></pubDate>
      <media:credit role="author"><![CDATA[Charlie Osborne]]></media:credit>
      <s:doctype><![CDATA[Text]]></s:doctype>
      <category domain="http://www.zdnet.com/topic-security/">Security</category>
      <media:text type="html"><![CDATA[<figure><img title="oracle-open-world-14610x407-610x407" alt="oracle-open-world-14610x407-610x407" src="http://cdn-static.zdnet.com/i/r/story/70/00/017002/oracle-open-world-14610x407-610x407-610x407.jpg?hash=AJEvZTLkAT&upscale=1" height="407" width="610"><figcaption>James Martin/CNET</figcaption></figure>
<p>Oracle has released fixes for multiple products, many of which are aimed at preventing remote exploitation without authentication.</p>
<p>On Tuesday, the technology giant and Java software maker released its <a href="http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html">June 2013 Critical Patch Update</a> for Java SE. The latest patch update includes 40 security fixes, 37 of which are aimed at stopping attackers from exploiting the software remotely without the need for a username or password.</p>
<p>The majority of the security fixes, 34 in total, only affect client deployments. Under Oracle's <a href="http://www.oracle.com/technetwork/topics/security/cvssscoringsystem-091884.html">CVSS rating system</a>, some flaws rate as "critical," attaining the highest rating of 10.</p>
<p>In addition, four vulnerabilities are able to affect both client and server deployments, with the most severe flaw reaching a CVSS base score of 7.5.</p>
<p>One security vulnerability fixed in the latest round of updates affects the Java installer, but can only be exploited locally.</p>
<p>The final fix affects the Javadoc tool and any documents created by Oracle's software. In Javadoc versions 1.5 or later, a vulnerability in Javadoc-generated HTML files hosted on a web server allows hackers to inject malicious frames into a vulnerable web page, which in turn means that visitors may be redirected to other sites through their browsers.</p>
<p>The security patch offered removes this issue, and <a href="http://www.kb.cert.org/vuls/id/225657">an additional tool</a>&nbsp;— the "Java API Documentation Updater Tool" —&nbsp;will fix previously created&nbsp;and therefore vulnerable HTML files.</p>
<p>Affected past versions of Java SE components include the Java Development Kit and Java Runtime Environment 5.0, 6 and 7. JDK/JRE 7 update 21 and earlier, JDK/JRE 6 update 45 and JDK/JRE 5.0 update 45 and earlier are all vulnerable. In addition, patches are included for JavaFX 2.2.21 and earlier.</p>
<p>Due to the "critical" nature of some security flaws, Oracle recommends applying these patches "as soon as possible" through the usual update channels, either the Java Autoupdate tool or by visiting Java's website.</p>
<p>In April, Oracle released <a href="http://www.zdnet.com/oracle-to-release-128-security-patches-hundreds-of-products-affected-7000014082/">128 fixes for security vulnerabilities</a> which affected hundreds of products. Software that was vulnerable to security exploits included Oracle Fusion Middleware, Oracle HTTP Server, JRockit, WebCenter and WebLogic. The security fixes protected against threats including remote exploitation and access without authentication.</p>
<p>Dates scheduled for the next round of patch updates are 15 October 2013 and 14 January next year.</p>]]></media:text>
    </item>
    <item>
      <guid isPermaLink="false">7000016948</guid>
      <link><![CDATA[http://www.zdnet.com/blackberry-issues-critical-security-warning-for-z10-phones-7000016948/]]></link>
      <title><![CDATA[BlackBerry issues 'critical' security warning for Z10 phones]]></title>
      <description><![CDATA[The first flagship BlackBerry 10 phone contains a "critical" bug that could allow hackers to crack open the device and pilfer files and data.]]></description>
      <pubDate><![CDATA[Tue, 18 Jun 2013 20:39:05 +0000]]></pubDate>
      <media:credit role="author"><![CDATA[Zack Whittaker]]></media:credit>
      <s:doctype><![CDATA[Text]]></s:doctype>
      <category domain="http://www.zdnet.com/topic-blackberry/">BlackBerry</category>
      <media:text type="html"><![CDATA[<figure><img title="bb-z10-back-620x371" alt="bb-z10-back-620x371" src="http://cdn-static.zdnet.com/i/r/story/70/00/016948/bb-z10-back-620x371-620x371.jpg?hash=LGSwBJDjMw&upscale=1" height="371" width="620"><figcaption>(Image: BlackBerry/RIM)</figcaption></figure>
<p>BlackBerry has issued a security advisory notice to those who have bought its flagship Z10 touchscreen smartphone&nbsp;— the first BlackBerry 10 device to launch following the company's bid for revival, back in February.</p>
<p>The advisory,&nbsp;which was issued earlier this month, notes a bug that relates to BlackBerry Protect, its security and backup utility, rather than the phone's operating system itself.&nbsp;</p>
<p>According to the advisory, an escalation of privilege vulnerability exists in the software of some Z10 phones that could allow a malicious app to "take advantage" of weak permissions in the in-built security software. This could allow a hacker to gain access to the device's password, and intercept and prevent the device from being wiped.</p>
<p>The "critical" factor is that an attacker could dupe the device's user into installing an app which resets the device password through BlackBerry Protect. Though the device may be in the user's hands, the device's data is under the control of the hacker.</p>
<p>BlackBerry 10 version 10.0.10.261 and earlier devices are affected by the critical bug, except version 10.0.9.2743. BlackBerry 7 and earlier users are not affected, and neither are those who <a href="http://www.zdnet.com/blackberry-10-1-update-rolling-out-to-z10-owners-7000015350/">upgraded to BlackBerry 10.1 in recent weeks</a>.</p>
<p>BlackBerry said in the advisory that the bug is "not currently being actively exploited," but BlackBerry Z10 owners and&nbsp;IT administrators who deploy BlackBerry Z10 smartphones in an enterprise should update their devices as soon as possible.</p>
<p>Enterprise users can also set their BlackBerry Enterprise Server policies to mitigate any unauthorized access.&nbsp;</p>]]></media:text>
    </item>
    <item>
      <guid isPermaLink="false">7000016864</guid>
      <link><![CDATA[http://www.zdnet.com/nsa-can-allegedly-listen-to-phone-calls-without-warrants-report-7000016864/]]></link>
      <title><![CDATA[Congressman denies report claiming NSA can listen to calls without warrants]]></title>
      <description><![CDATA[CORRECTED: The politician who allegedly said the U.S. National Security Agency can listen to phone calls of both U.S. residents and foreign nationals without a court order debunks the original report.]]></description>
      <pubDate><![CDATA[Sun, 16 Jun 2013 07:19:05 +0000]]></pubDate>
      <media:credit role="author"><![CDATA[Zack Whittaker]]></media:credit>
      <s:doctype><![CDATA[Text]]></s:doctype>
      <category domain="http://www.zdnet.com/topic-government-us/">Government US</category>
      <category domain="http://www.zdnet.com/topic-privacy/">Privacy</category>
      <media:text type="html"><![CDATA[<figure><img title="nsa" alt="nsa" src="http://cdn-static.zdnet.com/i/r/story/70/00/016864/nsa-620x317.png?hash=LzMyMzEyZz&upscale=1" height="317" width="620"><figcaption>The National Security Agency's headquarters in Ft. Meade, Md., in an undated file photo. (Image: NSA)</figcaption></figure>
<p><strong>Update at 2:50 a.m. ET on June 17: </strong>This ZDNet article has been amended several times following Rep. Nadler's latest comments. We've left the amended article (after the update below) intact for transparency, but corrected the headline.</p>
<p><strong>Update at 10:20 p.m. ET on June 16:&nbsp;</strong>The U.S. Director of National Intelligence James Clapper released a statement, debunking the claims. "The statement that a single analyst can eavesdrop on domestic communications without proper legal authorization is incorrect and was not briefed to Congress," <a href="http://www.dni.gov/index.php/newsroom/press-releases/191-press-releases-2013/880-odni-statement-on-the-limits-of-surveillance-activities">the statement read</a>.</p>
<p><strong>Update at 11:55 p.m. ET on June 15:&nbsp;</strong>There appears to be some conflicting reports over the exact wording of Nadler's remarks. There is also a video on C-SPAN (the exchange begins&nbsp;<a href="http://www.c-spanvideo.org/program/FBIOver">around the 46:00 mark</a>) but it remains unclear if this is the exchange CNET first referenced. CNET specifically said, at the time of writing, that Nadler was told "during a secret briefing to members of Congress" this week.&nbsp;We've updated the story in a couple of places, and amended the headline, but much of the article remains the same.&nbsp;</p>
<p>Analysts at the U.S. National Security Agency not only sift through the metadata associated with your calls — they also have the ability to&nbsp;listen in on conversations in real time, according to a report.</p>
<p>The news, which was first reported by <a href="http://news.cnet.com/8301-13578_3-57589495-38/nsa-admits-listening-to-u.s-phone-calls-without-warrants/">sister site CNET's Declan McCullagh</a>, cited Rep. Jerrold Nadler (D-NY) who was told during a briefing to members of Congress that phone calls could be listened to "simply based on an analyst deciding that."</p>
<p>It comes <a href="http://abcnews.go.com/blogs/politics/2013/06/obama-nobody-is-listening-to-your-phone-calls/">just over a week</a> after U.S. President Barack Obama stated: "Nobody is listening to your phone calls."</p>
<p>Nadler was also allegedly told that the NSA does not seek legal authorization from a court to allow its analysts and staff to listen in on calls, even U.S. domestic calls. And, because the same laws that apply to phone calls also include emails, instant messages, and text messages, it is possible that contents of Internet communications could also be accessed under the same premise.</p>
<p>Senate Intelligence committee chairperson Sen. Dianne Feinstein (D-CA) confirmed on Thursday, according to the report, that a court order is not necessary for the NSA to search its call data database that it collects under secret orders from major U.S. telecom firms.</p>
<p>Feinstein <a href="http://www.nytimes.com/2013/06/13/us/nsa-chief-says-phone-record-logs-halted-terror-threats.html?hp&amp;_r=0">also said</a>: "To look at or use the content of a call, a court warrant must be obtained," indicating that though a court order is required, the NSA does in fact collect the audio contents of calls.</p>
<p><a href="http://www.guardian.co.uk/world/2013/jun/09/edward-snowden-nsa-whistleblower-surveillance">Claims made in a video</a>&nbsp;by Edward Snowden, the whistleblower who leaked documents to The Guardian newspaper in London, that he could "wiretap anyone from you or your accountant to a federal judge to even the president" may prove accurate.</p>
<p>It also comes a month after former FBI counter-terrorism agent Tim Clemente&nbsp;<a href="http://transcripts.cnn.com/TRANSCRIPTS/1305/01/ebo.01.html">disclosed to CNN</a>&nbsp;that under certain investigations relating to the protection of national security, his former employer could access call records and contents of those calls.</p>
<p>"All of that stuff is being captured as we speak whether we know it or like it or not," he claimed.</p>
<p>The NSA has faced extreme criticism and controversy over the past two weeks following leaks to U.S. and U.K. newspapers claiming that the intelligence agency had "direct access" to seven named companies, including Apple, Facebook, Google, and Microsoft.</p>
<p>These claims were <a href="http://www.zdnet.com/the-real-story-in-the-nsa-scandal-is-the-collapse-of-journalism-7000016570/">retracted by The Guardian and The Washington Post</a>&nbsp;after the companies one after the other strenuously denied&nbsp;that the NSA could tap into their servers.</p>
<p>CNET notes that, though this whole NSA scandal began with <a href="http://www.zdnet.com/verizon-records-vacuumed-up-by-nsa-under-top-secret-patriot-act-order-7000016441/">the leaking of a Foreign Intelligence Surveillance Court (FISC) order</a>, authorized under its namesake law which forced Verizon to hand over all tangible things to the agency, this latest twist in the ongoing surveillance saga does not relate to that order.</p>]]></media:text>
    </item>
    <item>
      <guid isPermaLink="false">7000016836</guid>
      <link><![CDATA[http://www.zdnet.com/ad-exec-online-ad-industry-complicit-in-nsa-prism-datamining-7000016836/]]></link>
      <title><![CDATA[Ad exec: Online ad industry complicit in NSA PRISM datamining]]></title>
      <description><![CDATA[A leading figure in digital advertising says the ad industry is complicit in the NSA mass-data spying program, PRISM.]]></description>
      <pubDate><![CDATA[Fri, 14 Jun 2013 20:07:04 +0000]]></pubDate>
      <media:credit role="author"><![CDATA[Violet Blue]]></media:credit>
      <s:doctype><![CDATA[Text]]></s:doctype>
      <category domain="http://www.zdnet.com/topic-apple/">Apple</category>
      <category domain="http://www.zdnet.com/topic-google/">Google</category>
      <category domain="http://www.zdnet.com/topic-government-us/">Government US</category>
      <category domain="http://www.zdnet.com/topic-privacy/">Privacy</category>
<media:text type="html"><![CDATA[<p>A high-profile, 20-year digital advertising industry executive says digital ad strategies that collect user data in the name of serving targeted ads to consumers are responsible for public acceptance of surveillance and data-gathering programs —&nbsp;specifically NSA's PRISM.</p>
<p><a href="http://www.digitalnetagency.com/">Digital Net Agency</a> Chief Strategy Officer Skip Graham believes the advertising industry is complicit in helping pave the way for programs like PRISM by "softening" consumer viewpoints on privacy issues —&nbsp;effectively making the public feel complacent about handing over personal information online.</p>
<figure class="alignRight"><img title="Eff_spying_eagle" alt="Eff_spying_eagle" src="http://cdn-static.zdnet.com/i/r/story/70/00/016836/effspyingeagle-200x200.jpg?hash=BQL4Mwt2MG&upscale=1" height="200" width="200"></figure>
<p>"How our industry works has absolutely no correlation to the efforts of the government. Or does it? How much of the data the NSA is using is data we convinced people it was safe to have stored? I’m afraid it’s going to turn out to be most of it," Graham told ZDNet via email this week.</p>
<p>Last Sunday, after the Edward Snowden video went live, Graham took to a large, private industry email list to call out the online advertising industry as complicit in the NSA scandal by making the public collection and use of personal information seem harmless, permissible, inevitable, and sometimes even desired.</p>
<p>It's no secret that the advertising and marketing industries are the masters of propaganda (and they know it, too). Graham lambasted his advertising industry peers, warning they were all culpable:</p>
<blockquote>
<p>I don't believe it would have been possible for the NSA and the American government to so blithely act as if their current actions were not a violation of our constitutional rights without literally years of prior effort by some of the best minds marketing has to offer to convince the public that this was the reality of how data is gathered and can be maintained.</p>
<p>We went first and told the public not to worry, to have faith and to trust. We crafted the arguments, molded the opinions, and quieted the skeptics.</p>
</blockquote>
<h3>Free email —&nbsp;in exchange for targeted advertising</h3>
<p>The ad industry, Graham maintains, both increased the public's bounds of acceptance over time and fattened up company-sourced data profiles obtained by the NSA.</p>
<p>When asked specifically how the collection of personal and private information has seeped quietly into public tolerance, Graham explained that the evolution of successful client service in digital advertising relied on keyword matching to find out an individual's likes, interests and dislikes.</p>
<p>Things went to the next level, he said:</p>
<blockquote>
<p>(...) with the advent of the Gmail free email service. Free accounts were given to anyone who requested one in exchange for Google being allowed to monitor the content of your correspondences in order to then place relevant advertising into the mail interface.</p>
<p>Reaction initially from the public was extremely negative over the disclosure. I was one of those people who personally supported Google's activities and I did so based on a simple premise: it's a free service and you don't have to use it.</p>
<p>In addition to that, I perceived that Google's business model was predicated on consumers being comfortable with the way Google uses the data. This was a strong incentive for appropriate self-regulation by the company.</p>
<p>However, the idea of someone "going through your mail" was about as un-American as you can get.</p>
</blockquote>
<p>Graham explained that the challenge then became to guide consumers through overcoming their hesitations about having their private mail and messages read by companies such as Google; to make them feel safe. "For people to become truly comfortable with it," he said, "there was going to need to be a way to educate them on the way the data was actually gathered and reviewed."</p>
<p>A newer example of the quest to fatten up user data profiles with keyword targeting —&nbsp;blurring the lines of both consent and anonymization via the implied situational consent of the user's presence —&nbsp;can be seen in the new #hashtag implementation at Facebook.</p>
<h3>Advertising as less intrusive surveillance</h3>
<p>On Wednesday, Facebook announced it would add #hashtag functionality, similar to Twitter's use of the term-search mechanism.</p>
<p>But the reasoning behind the new feature is far more than enhancing polite conversation. In <a href="http://www.buzzfeed.com/mattlynley/facebook-hashtags-have-more-to-do-with-ad-targeting-than-twi">Facebook Hashtags Have More To Do With Ad Targeting Than Twitter</a>, Buzzfeed's Matt Lynley explained, "On the surface, hashtags will help Facebook users engage in 'public conversations' ... More importantly, hashtags are a less intrusive way for advertisers to use Facebook’s platform."</p>
<p>Less intrusive data collection, indeed. As this relates to the NSA's PRISM program and data collection —&nbsp;"lawful interception" —&nbsp;from companies like Google and Facebook, Graham told ZDNet,</p>
<blockquote>
<p>I think it is also very important to understand how this IS a violation of everyone's constitutional rights.</p>
<p>The only maintained defense that these activities are not an unlawful search and seizure and a violation of privacy of every citizen of the United States is that the "data" is not being actively reviewed and therefore no one's ‘privacy’ being violated. Also that it is being gathered through a lawful process in using the courts.</p>
</blockquote>
<p>Except, he said, "The problem is that the courts and the process are secret. And that means it is being done outside of the democratic process. Something this important should be reviewed by the citizens and decided by law and open judicial review. As of now it is being decided by bureaucrats using executive policy as a guide. That has to stop."</p>
<p>In what Steve Hall (Adrants) <a href="http://www.adrants.com/2013/06/ad-exec-says-ad-industry-complicit-in.php">described</a> as a "crisis of consciousness" moment, Graham told colleagues across the spectrum of advertising that they all should have known better, saying,</p>
<blockquote>
<p>For years we as digital marketers have created systems that gathered vast personal data while telling consumers that they should have no fear of such activities. We told them that despite the fact that we were in essence watching everything that they did and making calculated choices to manipulate their decisions based on that knowledge, that this was ultimately a benefit to them and that they were still remaining anonymous and therefore their privacy was not at risk.</p>
<p>And we said this even though the slightest application of historical perspective would have clearly shown the slippery slope to its inevitable complete loss.</p>
</blockquote>
<p>Graham still believes that his industry has made the Internet a better place for everyone, but that buttering up the public to the trade-offs of using Internet services puts the industry dangerously close to the NSA's activities.</p>
<p>Mr. Graham told ZDNet,</p>
<blockquote>
<p>I and most of the people involved in my industry have believed that our process of monitoring, anonymizing, archiving and Robo-reviewing people's activities has produced a better overall experience for the consumer and the marketer. I still believe that today.</p>
<p>But throughout that process, we've had to continually defend what we were doing against concerns about privacy from organizations that are set to defend against any perceived infringement on it.</p>
<p>And my current assertion is that our continued efforts to explain how this process of data gathering and storage can be achieved without violating privacy has had the unintended effect of creating an environment where the public has been repeatedly assured by resources outside of the government that the gathering of data on personal actions and activities can be done while still maintaining a person's privacy.</p>
<p>We convinced the public it was safe, and that self-regulation and not legislation was the answer. The NSA and the current administration are making the same argument now.</p>
</blockquote>
<p>When asked if the advertising and marketing industry could make a course correction, Skip Graham was optimistic, but did not mince words. He said,</p>
<blockquote>
<p>I think first the industry will have to accept the fact that a strong distinction is to be made between what we do and what the government is attempting to do.</p>
<p>That's a distinction that most in my space will not want to make because they don’t want to draw a correlation between the two at all in the first place. We have spent years trying to get the public to accept that we mean them no harm and that in fact our activities create a benefit.</p>
<p>The last thing anyone wants to do is find ourselves directly associated with what is quite conceivably the greatest threat to our freedoms to occur in my lifetime.</p>
<p>I think it is the responsibility for industries and organizations that gather data on individuals to make a clear distinction between what we do and what the government is doing. And that's what I'm doing now.</p>
</blockquote>
<p>The dark shadow of modern tech is its data-grabbing arms race: so-called "people finder" data registries, the advertising and marketing industry, spammers, corporations (such as Google and Facebook) and the U.S. government, all comprising a frenzy to collect as much private and personal information on as many people as possible —&nbsp;up to, and sometimes exceeding, the limit of the law.</p>
<p>While it's a nice idea to tell people they can't complain about anything they get for free, and that consumers can simply choose not to use email, Facebook, or internet search if they don't like agreeing to have their information monitored, stored and potentially used against them...</p>
<p>That argument is rendered null by both the everyday realities of life and the NSA's secret courts; there is no plainer way to illustrate that even the hippest, wisest, most cautious consumers truly have no idea what they are consenting to when using Apple, Skype, Facebook or Google.</p>
<p>And there are more than enough players that will take advantage of it all.</p>
<p><em>Image: <a href="https://www.eff.org/">EFF</a> via <a href="http://commons.wikimedia.org/wiki/File:Eff_spying_eagle.jpg">Wikicommons</a>.</em></p>]]></media:text>
    </item>
    <item>
      <guid isPermaLink="false">7000016794</guid>
      <link><![CDATA[http://www.zdnet.com/eu-assessing-u-s-relationship-amid-prism-spying-claims-7000016794/]]></link>
      <title><![CDATA[EU 'assessing U.S. relationship' amid PRISM spying claims]]></title>
      <description><![CDATA[In a letter obtained by ZDNet, the EU justice chief hints at consequences to come for the U.S. government if European citizens were targeted by the NSA's PRISM program.]]></description>
      <pubDate><![CDATA[Thu, 13 Jun 2013 21:27:05 +0000]]></pubDate>
      <media:credit role="author"><![CDATA[Zack Whittaker]]></media:credit>
      <s:doctype><![CDATA[Text]]></s:doctype>
      <category domain="http://www.zdnet.com/topic-eu/">EU</category>
      <media:text type="html"><![CDATA[<figure><img title="nsa" alt="nsa" src="http://cdn-static.zdnet.com/i/r/story/70/00/016794/nsa-v1-620x317.png?hash=L2SxA2WzZm&upscale=1" height="317" width="620"><figcaption>The U.S. National Security Agency, which has been at the center of a privacy storm, after details of its PRISM program leaked. The EU is examining its relationship with its partner across the pond. (Image: NSA)</figcaption></figure>
<p>The EU's justice chief has warned of the "grave adverse consequences" for the rights of EU citizens in light of the PRISM leak,&nbsp;which&nbsp;revealed the mass surveillance by the U.S. National Security Agency.</p>
<p>Several EU member state governments have also been dragged into the claims that they tapped into the PRISM program in order to spy on their own citizens, including <a href="http://www.zdnet.com/u-k-government-complicit-in-nsas-prism-spy-program-7000016544/">the U.K. government</a>&nbsp;and <a href="http://translate.google.nl/translate?hl=nl&amp;sl=nl&amp;tl=en&amp;u=http%3A%2F%2Fwww.nrc.nl%2Fnieuws%2F2013%2F06%2F11%2Faivd-heeft-ook-toegang-tot-informatie-uit-prism%2F">the Dutch government</a>.</p>
<p>ZDNet has obtained a copy of a letter sent by EU Justice Commissioner Viviane Reding to U.S. Attorney General Eric Holder from a European source, who declined to be named.&nbsp;</p>
<p>Reding's letter, dated June 10, which contains some sternly worded language, states that she has "serious concerns" about the reports that U.S. authorities are accessing EU citizens' data through U.S. companies.</p>
<p>"The respect for fundamental rights and the rule of law are the foundations of the EU-US&nbsp;relationship. This common understanding has been, and must remain, the basis of cooperation&nbsp;between us in the area of Justice," she said.</p>
<p>Citing an earlier meeting between U.S. and EU diplomats in June 2012, Reding and Holder discussed the "scope of U.S. legislation," including the Foreign Intelligence Surveillance Act (FISA) and the Patriot Act.</p>
<p>"It can lead to European companies being required to transfer data to the US in breach of EU and national law," Reding said. She warned that the two governments have existing "formal channels," such as mutual legal assistance (MLA), which allows one government to ask another for formal help while outside their jurisdiction.&nbsp;</p>
<p>In 2011, ZDNet covered the scope of FISA, which was amended by the Patriot Act in 2011 and which could be <a href="http://www.zdnet.com/blog/igeneration/eu-demands-answers-over-microsofts-patriot-act-admission/11290">invoked on a U.S.-based company to bypass the MLA treaties</a> between the U.S. and EU member states to acquire data on citizens under the radar.</p>
<p>Reding <a href="http://news.bbc.co.uk/democracylive/hi/europe/newsid_9695000/9695923.stm">said in reply to questions</a> by Dutch member of the European Parliament (MEP) Sophie in 't Veld in 2012 that there was not enough clarity in the existing 1995 Data Protection Directive to determine whether or not this could happen.</p>
<p>She confirmed it would be <a href="http://www.zdnet.com/yes-u-s-authorities-can-spy-on-eu-cloud-data-heres-how-7000010653/">up to the International Court of Justice in The Hague</a> to rule on the transatlantic legal dispute.</p>
<p>Further into the letter, Reding explained that the MLA treaties exist for a reason and should not be bypassed by other legislation.</p>
<p>"I must underline&nbsp;that these formal channels should be used to the greatest possible extent, while direct access of&nbsp;U.S. law enforcement authorities to the data of EU citizens on servers of US companies should&nbsp;be excluded unless in clearly defined, exceptional and judicially reviewable situations."</p>
<p>EU sources in Brussels with their ears to the ground, in&nbsp;speaking to ZDNet under the condition of anonymity,&nbsp;warned that the tension in the European Parliament is rising amid these U.S. spying revelations, which were <a href="http://www.zdnet.com/fbi-nsa-said-to-be-secretly-mining-data-from-nine-u-s-tech-giants-7000016499/">first outed by The Guardian last week</a>. Some fear that this could lead to a proposal that could suspend data-sharing agreements with the U.S. until this matter is resolved at a diplomatic level.</p>
<p>These concerns could see MEPs vote on the suspension of the&nbsp;U.S.-EU Safe Harbor agreement, which allows data to flow between the two continents under the premise that receiving U.S. companies will treat the European data as if it was still within the EU.</p>
<p>In Reding's letter, she confirmed that the Safe Harbor scheme is currently under review in the EU legislative process.</p>
<p>A European Commission spokesperson confirmed that&nbsp;current agreements will need to be reviewed and most likely aligned with the new data protection rules, once they are brought into force.</p>
<p>The spokesperson did not comment on if the Commission knew about PRISM before it was revealed last week.</p>
<p>In following up, it's not clear if individual companies, such as the seven technology giants named in the PRISM scandal, would have their Safe Harbor status revoked or if the entire agreement could be suspended. Either way, the political and economic ramifications could be massive.&nbsp;</p>
<p>Should this "worst case scenario" happen (it would not be an overnight thing and MEPs would be under pressure from their EU member states to avoid such sanctions), it would likely have a far greater effect on Europeans than it would on the United States.&nbsp;</p>
<p>"Cutting off the nose to spite the face," springs to mind.</p>
<p>And, considering&nbsp;<a href="http://www.zdnet.com/blog/london/eu-u-s-passenger-data-deal-a-severe-blow-to-civil-liberties/4177">the U.S. Passenger Name Records (PNR) system</a>&nbsp;(which allows the U.S. government to screen European passengers before they enter the U.S.) relies on data sharing between the two continents,&nbsp;theoretically should these agreements be suspended, it could leave Europeans&nbsp;temporarily&nbsp;unable to fly into the U.S.&nbsp;</p>
<p>Reding concluded her letter:</p>
<blockquote>
<p>As you know, the&nbsp;European Commission is accountable before the European Parliament, which is likely to&nbsp;assess the overall trans-Atlantic relationship also in the light of your responses.</p>
</blockquote>
<p>The fact of the matter is that the European Commission can't do much about PRISM except enact legislation that counters the effects of transatlantic spying.</p>
<p>And, even if the Commission — not just EU member states&nbsp;—&nbsp;knew about it before that infamous PowerPoint deck was leaked, the EU doesn't have an intelligence agency, per se. Its member states do, and some may share snippets of intelligence with their European member state counterparts, and some with the Commission, but it's not mandatory or even expected.</p>
<p>Holder and Reding will meet in Dublin on Friday to discuss the matter, as part of a scheduled gathering of politicians.</p>]]></media:text>
    </item>
    <item>
      <guid isPermaLink="false">7000016762</guid>
      <link><![CDATA[http://www.zdnet.com/microsoft-misses-google-found-flaw-in-patch-tuesday-updates-7000016762/]]></link>
      <title><![CDATA[Microsoft misses Google-found flaw in Patch Tuesday updates]]></title>
      <description><![CDATA[Despite rolling out five security updates, Microsoft missed out a patch for a zero-day flaw in Windows. And it just so happened it was discovered by its main rival in the business space.]]></description>
      <pubDate><![CDATA[Thu, 13 Jun 2013 19:05:05 +0000]]></pubDate>
      <media:credit role="author"><![CDATA[Zack Whittaker]]></media:credit>
      <s:doctype><![CDATA[Text]]></s:doctype>
      <category domain="http://www.zdnet.com/topic-microsoft/">Microsoft</category>
      <media:text type="html"><![CDATA[<figure><img title="surface" alt="surface" src="http://cdn-static.zdnet.com/i/r/story/70/00/016762/surface-620x442.jpg?hash=LwL0LGSwBJ&upscale=1" height="442" width="620"><figcaption>(Image: CNET)</figcaption></figure>
<p><a href="http://www.zdnet.com/patch-tuesday-23-vulnerabilities-fixed-ie-windows-office-7000016698/">This month's Patch Tuesday</a> saw five updates in total —&nbsp;one rated "critical" and four "important." But a key Windows&nbsp;vulnerability discovered weeks ago by a Google engineer still hasn't been patched.</p>
<p>Google information security engineer Tavis Ormandy discovered a bug in Windows 2000, Windows XP, and above, including Windows Server 2003 and 2008, that affects the user privileges of the logged-on user.</p>
<p>He made the zero-day flaw public, citing Microsoft as being "often very difficult to work with," and "treat[ing] vulnerability researchers with great hostility."</p>
<p>The software giant said it was not aware of any attacks and had not issued an advisory confirming the flaw.</p>
<p>It's not the first time Ormandy has published his discoveries on disclosure lists following the sluggish reactions by some companies. The rinse-repeat situation happened in mid-2010 on&nbsp;<a href="http://www.zdnet.com/blog/security/googler-releases-windows-zero-day-exploit-microsoft-unimpressed/6659">a zero-day vulnerability with Windows Help &amp; Support</a>, and in the same year disclosed a flaw in Java, which Sun&nbsp;<a href="http://www.zdnet.com/blog/security/sun-java-flaw-exposes-windows-users-to-dangerous-web-attacks/6082">failed to patch given adequate time</a>.</p>
<p>Microsoft on Thursday confirmed the Google-discovered bug was not included in June's Patch Tuesday.</p>
<p>Microsoft Trustworthy Computing group manager Dustin Childs said in an emailed statement to ZDNet, "Microsoft&nbsp;carefully investigates&nbsp;newly discovered vulnerabilities&nbsp;and rigorously tests security updates&nbsp;on&nbsp;the affected operating systems and applications, and delivers solutions once they are ready."</p>
<p>Clear as mud, then.</p>]]></media:text>
    </item>
    <item>
      <guid isPermaLink="false">7000016788</guid>
      <link><![CDATA[http://www.zdnet.com/eight-members-of-international-cybercrime-ring-charged-7000016788/]]></link>
      <title><![CDATA[Eight members of international cybercrime ring charged]]></title>
      <description><![CDATA[After allegedly trying to steal $15 million from U.S. banking customers, U.S. feds haven't taken the conspiracy lightly. ]]></description>
      <pubDate><![CDATA[Thu, 13 Jun 2013 17:17:05 +0000]]></pubDate>
      <media:credit role="author"><![CDATA[Charlie Osborne]]></media:credit>
      <s:doctype><![CDATA[Text]]></s:doctype>
      <category domain="http://www.zdnet.com/topic-government-us/">Government US</category>
      <media:text type="html"><![CDATA[<figure><img title="glowing-keyboard-hacker-security" alt="glowing-keyboard-hacker-security" src="http://cdn-static.zdnet.com/i/r/story/70/00/016788/glowing-keyboard-hacker-security-v1-620x465.jpg?hash=BQx2LGNjLm&upscale=1" height="465" width="620"></figure>
<p>Members of a group that conspired to use stolen banking information to run money laundering and identity theft schemes have been charged by a U.S. federal agency.</p>
<p>New Jersey U.S. Attorney Paul J. Fishman announced that eight alleged members of an international cybercrime ring are being charged after conspiring to "use information hacked from customer accounts held at more than a dozen banks, brokerage firms, payroll processing companies and government agencies" in order to steal at least $15 million from U.S. customers.</p>
<p>The eight defendants are being charged together in a criminal complaint with conspiracy to commit wire fraud, conspiracy to commit money laundering and conspiracy to commit identity theft.</p>
<p>The alleged controller of the cybercrime ring was Oleksiy Sharapka, 33, of Kiev, Ukraine. With the help of Leonid Yanovitsky, 38, also of Kiev, and Oleg Pidtergerya, 49, of Brooklyn, N.Y., Robert Dubuc, 40, of Malden, Mass., and Andrey Yarmolitskiy, 41, of Atlanta, the defendants allegedly managed cybercriminals in their respective cities to pull off fraudulent activities.</p>
<p>In addition, Brooklyn-based&nbsp;Ilya Ostapyuk, 31, is being charged with allegedly facilitating the transfer of money gained by criminal acts.</p>
<p>Pidtergerya, Ostapyuk and Dubuc were arrested at their homes by federal agents, and Yarmolitskiy was later apprehended at John F. Kennedy International Airport. Taylor and Gundersen are being pursued, while Sharapka and Yanovitsky are still at large.</p>
<p>The conspiring hackers allegedly gained access to over a dozen financial institution computer systems, including Citibank, JP Morgan Chase Bank, PayPal, the U.S. Department of Defense, Defense Finance and Accounting Service, Veracity Payment Solutions and Aon Hewitt.</p>
<p>Once inside the networks, federal agents say that the defendants and conspirators diverted money from accounts of the companies’ customers to bank accounts and pre-paid debit cards controlled by the cybercrime ring. Individuals were then employed to withdraw the funds through ATMs and purchases across the United States.</p>
<p>In addition, the defendants allegedly stole U.S. identities to facilitate the scheme, as well as try to claim refunds through fraudulent tax return submissions to the IRS.</p>
<p>Federal prosecutors claim that attempts were made to defraud both businesses and individuals of over $15 million.</p>
<p>"According to the complaint unsealed today, cybercriminals penetrated some of our most trusted financial institutions as part of a global scheme that stole money and identities from people in the United States,” said U.S. Attorney Fishman. "Today’s charges and arrests take out key members of the organization, including leaders of crews in three states that used those stolen identities to "cash out" hacked accounts in a series of internationally coordinated modern-day bank robberies. We will continue to pursue our investigation into this scheme and our fight against the rising threat of criminals for whom computers are the weapon of choice."</p>
<p>If convicted, each defendant faces a maximum of 20 years behind bars on the conspiracy to commit wire fraud count, 20 years in prison on the conspiracy to commit money laundering count and 15 years in prison on the conspiracy to commit identity theft count. In addition, a maximum penalty of $250,000 can be set resulting from corporate losses, and a $500,000 fine based on the money laundering conspiracy count.</p>
<p>Over the past three fiscal years, the Justice Department has filed nearly 10,000 financial fraud cases against nearly 15,000 defendants.</p>]]></media:text>
    </item>
    <item>
      <guid isPermaLink="false">7000016657</guid>
      <link><![CDATA[http://www.zdnet.com/pentagon-bids-for-23-billion-to-combat-cyberthreats-7000016657/]]></link>
      <title><![CDATA[Pentagon bids for $23 billion to combat cyberthreats]]></title>
      <description><![CDATA[The Pentagon has called for $23 billion to be spent through fiscal 2018 to combat global cybercrime. ]]></description>
      <pubDate><![CDATA[Tue, 11 Jun 2013 16:40:05 +0000]]></pubDate>
      <media:credit role="author"><![CDATA[Charlie Osborne]]></media:credit>
      <s:doctype><![CDATA[Text]]></s:doctype>
      <category domain="http://www.zdnet.com/topic-government-us/">Government US</category>
      <media:text type="html"><![CDATA[<figure><img title="obama-cybersecurity-620x349" alt="obama-cybersecurity-620x349" src="http://cdn-static.zdnet.com/i/r/story/70/00/016657/obama-cybersecurity-620x349-620x349.jpg?hash=ZGVlMwtlAG&upscale=1" height="349" width="620"><figcaption>Credit: CBS News</figcaption></figure>
<p>Budget proposals suggest that the Pentagon is serious about shoring up digital defenses and combating the growing problem of cybercrime.</p>
<p>In a five-year “cyber-expense” budget <a href="http://www.bloomberg.com/news/print/2013-06-10/pentagon-five-year-cybersecurity-plan-seeks-23-billion.html">obtained by Bloomberg</a>, the U.S. Defense Department suggests spending up to $23 billion until fiscal year 2018.</p>
<p>The document outlines plans to spend $4.72 billion in fiscal 2015, $4.61 billion in 2016 and $4.45 billion the next year, before rising to $4.53 billion in 2018. In addition, the Pentagon will request $9.3 billion through 2018 for the development of systems aimed at blocking hacking attempts and preventing the theft of information on governmental computers —&nbsp;with both offensive and defensive aspects.</p>
<p>2015's suggested spending is an increase of 18 percent from this fiscal year, in which $3.94 billion has been budgeted.</p>
<p>Harry Raduege, chairman of Deloitte LLP’s Center for Cyber Innovation, said in a statement that the budget outline shows "increased investment will be made in protecting critical infrastructures," and cyber capabilities "for use against our adversaries and enhancing overall security of DoD networks and systems."</p>
<p>In March, intelligence chiefs said that cybercrime is "<a href="http://www.zdnet.com/is-cybercrime-more-of-a-threat-than-terrorism-7000012526/">more of a threat than terrorism</a>." At a committee hearing, Director of National Intelligence James Clapper said that in some cases, "the world is applying digital technologies faster than our ability to understand the security implications and mitigate potential risks."</p>
<p>According to leaked documents revealed this week, the U.S. government has drawn up a secret list of targets it can attack either preemptively or offensively in a secret order which allows national security teams to target overseas bodies in the case of attack. The "<a href="http://www.zdnet.com/obamas-secret-order-lists-overseas-targets-for-cyberattacks-7000016557/">Presidential Policy Directive 20</a>" describes how the U.S. government can go on the offensive "with little or no warning," and with "potential effects ranging from subtle to severely damaging."</p>]]></media:text>
    </item>
    <item>
      <guid isPermaLink="false">7000016591</guid>
      <link><![CDATA[http://www.zdnet.com/obama-defends-nsa-surveillance-nobody-is-listening-to-your-phonecalls-7000016591/]]></link>
      <title><![CDATA[Obama defends NSA surveillance: 'Nobody is listening to your phonecalls']]></title>
      <description><![CDATA[President Obama has called NSA surveillance a "modest encroachment" on privacy. ]]></description>
      <pubDate><![CDATA[Mon, 10 Jun 2013 15:18:05 +0000]]></pubDate>
      <media:credit role="author"><![CDATA[Charlie Osborne]]></media:credit>
      <s:doctype><![CDATA[Text]]></s:doctype>
      <category domain="http://www.zdnet.com/topic-government-us/">Government US</category>
      <category domain="http://www.zdnet.com/topic-privacy/">Privacy</category>
      <media:text type="html"><![CDATA[<figure><img title="obama-620x370" alt="obama-620x370" src="http://cdn-static.zdnet.com/i/r/story/70/00/016591/obama-620x370-620x370.jpg?hash=LmuyAwExZG&upscale=1" height="370" width="620"><figcaption>Credit: White House</figcaption></figure>
<p>President Barack Obama has defended the National Security Agency's surveillance programs, branding them a "modest encroachment" on privacy for the good of national defense.</p>
<p>On Friday, the U.S. president told reporters in Silicon Valley that the program, supervised by federal judges and authorized by Congress, is not about "listening to your telephone calls." Although the NSA can keep tabs on Americans' phone and Internet records, Obama said the correct "balance" has been kept between Big Brother-like spying and maintaining national security.</p>
<p>The president, now in his second term, said that he was skeptical about the programs when elected in 2008, but has come to the conclusion that such "modest encroachments on privacy" were worth it as a society, commenting:</p>
<blockquote>
<p>"You can't have 100 percent security and also then have 100 percent privacy and zero inconvenience. We're going to have to make some choices as a society. There are trade-offs involved."</p>
</blockquote>
<p>Unnamed <a href="http://www.reuters.com/article/2013/06/08/us-usa-security-records-idUSBRE9560VA20130608">U.S. officials told <em>Reuters</em></a> that law enforcement agencies, including the FBI and DOJ, are likely to open a criminal investigation into the leaking of documents to both <em>The Guardian</em> and <em>Washington Post</em>.</p>
<p>The NSA's whistleblower <a href="http://www.zdnet.com/guardian-reveals-identity-of-nsa-whistleblower-7000016588/">has been revealed as Edward Snowden</a>, a 29-year-old former technical assistant for the CIA. Currently residing in Hong Kong to try and combat the U.S.'s expected reprisal for leaking information, Snowden said that despite having to leave a good job, home and family, he has "no regrets" and has "done nothing wrong."</p>
<p>"I understand that I will be made to suffer for my actions. I will be satisfied if the federation of secret law, unequal pardon and irresistible executive powers that rule the world that I love are revealed even for an instant," Snowden <a href="http://www.zdnet.com/guardian-reveals-identity-of-nsa-whistleblower-7000016588/">told <em>The Guardian</em></a>.</p>
<p>Last week, leaked secret court orders showed that the NSA was mining the phone records of millions of Verizon customers. Obama's comments now come after the<em>&nbsp;Post</em> and<em>&nbsp;Guardian</em> revealed details of the NSA's extensive surveillance, including programs <a href="http://www.zdnet.com/prism-heres-how-the-nsa-wiretapped-the-internet-7000016565/">Prism</a> and <a href="http://www.zdnet.com/boundless-informant-us-gov-collects-100b-surveillance-records-a-month-7000016571/">Boundless Informant</a>&nbsp;— the agency's means of data mining and cataloguing information.</p>
<p>The U.S. government is said to have collected almost three billion pieces of intelligence from U.S. computer networks in the 30-day period <a href="http://www.zdnet.com/boundless-informant-us-gov-collects-100b-surveillance-records-a-month-7000016571/">ending in March this year</a>, as well as indexing almost 100 billion pieces worldwide.</p>
<p>A number of firms including Google, Apple, Yahoo and Facebook were named in the reports as having granted "intelligence services direct access to the companies' servers." A number of companies <a href="http://www.zdnet.com/mark-zuckerberg-addresses-outrageous-press-reports-about-prism-7000016564/">have denied</a> giving agencies "direct access," and the original <em>Post</em> story <a href="http://www.zdnet.com/the-real-story-in-the-nsa-scandal-is-the-collapse-of-journalism-7000016570/">has been altered</a>, potentially due to misinterpretation of leaked documents.</p>
<p>U.S. Director of National Intelligence James Clapper has said that the surveillance system is "important and entirely legal," and the behaviour of media outlets <a href="http://www.zdnet.com/us-govt-defends-nsa-surveillance-slams-reprehensible-journalists-7000016529/">disclosing details of the program</a> was "reprehensible."</p>]]></media:text>
    </item>
    <item>
      <guid isPermaLink="false">7000016588</guid>
      <link><![CDATA[http://www.zdnet.com/guardian-reveals-identity-of-nsa-whistleblower-7000016588/]]></link>
      <title><![CDATA[Guardian reveals identity of NSA whistleblower]]></title>
      <description><![CDATA[Meet Edward Snowden, NSA whistleblower and former technical assistant for the CIA.]]></description>
      <pubDate><![CDATA[Mon, 10 Jun 2013 14:39:05 +0000]]></pubDate>
      <media:credit role="author"><![CDATA[Charlie Osborne]]></media:credit>
      <s:doctype><![CDATA[Text]]></s:doctype>
      <category domain="http://www.zdnet.com/topic-privacy/">Privacy</category>
      <category domain="http://www.zdnet.com/topic-security/">Security</category>
      <media:text type="html"><![CDATA[<figure><img title="screengrab" alt="screengrab" src="http://cdn-static.zdnet.com/i/r/story/70/00/016588/screengrab-610x375.jpg?hash=ZQqvAGSwZQ&upscale=1" height="375" width="610"><figcaption>Credit: Screenshot via The Guardian</figcaption></figure>
<p>Edward Snowden says he has done "nothing wrong" in blowing the whistle on the <a href="http://www.zdnet.com/boundless-informant-us-gov-collects-100b-surveillance-records-a-month-7000016571/">NSA's surveillance program</a>.</p>
<p>The 29-year-old's identity has been revealed by <a href="http://www.guardian.co.uk/world/2013/jun/09/edward-snowden-nsa-whistleblower-surveillance">U.K.-based newspaper <em>The Guardian</em></a> in the form of an interview that took place in Hong Kong. The publication says that the whistleblower's identity was revealed on request. Snowden commented:</p>
<blockquote>
<p>"I have no intention of hiding who I am because I know I have done nothing wrong. I understand that I will be made to suffer for my actions. I will be satisfied if the federation of secret law, unequal pardon and irresistible executive powers that rule the world that I love are revealed even for an instant."</p>
</blockquote>
<p>The former technical assistant for the CIA has worked at the National Security Agency for the past four years as a contractor employee, working with firms including Booz Allen and Dell.</p>
<p>Snowden is responsible for leaking documents to the publication which revealed the details of the agency's <a href="http://www.zdnet.com/prism-heres-how-the-nsa-wiretapped-the-internet-7000016565/">surveillance program Prism</a>. A report from <em>The Washington Post</em> said that Prism granted "intelligence services direct access to the companies' servers," and tech giants including Facebook, Apple and Google were labeled as part of the scheme.</p>
<p>The companies in question <a href="http://www.zdnet.com/mark-zuckerberg-addresses-outrageous-press-reports-about-prism-7000016564/">denied these claims</a>,&nbsp;some proclaiming that they had never heard of Prism, as well as stating that no "direct access" is given to governmental bodies. As a result, the Post <a href="http://www.zdnet.com/the-real-story-in-the-nsa-scandal-is-the-collapse-of-journalism-7000016570/">quietly altered</a> its original story. A government official said that the confusion stemmed from a misread PowerPoint presentation which was leaked to the publication.</p>
<p>Snowden said he wanted the focus to be on "what the U.S. government is doing," rather than his personal plight and the likely consequences for his actions, believing that the government will seek to "demonize" him.</p>
<p>"I really want the focus to be on these documents and the debate which I hope this will trigger among citizens around the globe about what kind of world we want to live in," Snowden said. "My sole motive is to inform the public as to that which is done in their name and that which is done against them."</p>
<p>The 29-year-old was originally brought up in North Carolina, and later moved to Maryland where he attended a community college. In 2003, Snowden enlisted in the U.S. Army to join the Special Forces, but was later discharged after breaking both legs in a training accident. Snowden then secured a job with the NSA as a security guard before moving to the CIA to work on IT security. While stationed in Geneva, the whistleblower quickly became disillusioned with how the U.S. government operated.</p>
<p>"Much of what I saw in Geneva really disillusioned me about how my government functions and what its impact is in the world," he says. "I realised that I was part of something that was doing far more harm than good."</p>
<p>After dashed hopes that the election of President Obama would rein in surveillance policies, Snowden grew increasingly uncomfortable as he learned over the next three years how "all-consuming the NSA's surveillance activities were," and decided to take action.</p>
<p>Snowden made preparations to go public several weeks ago. After telling a supervisor he needed several weeks away for treatment for epilepsy, he boarded a flight to Hong Kong and has remained there ever since because "they have a spirited commitment to free speech and the right of political dissent." In other words, it may be one of the few countries available that will allow him to fight the next move of the U.S. government.</p>
<p>In going public, the whistleblower said he has sacrificed a very "comfortable" life, a salary of roughly $200,000, his girlfriend, and his home in Hawaii. So why do it? The whistleblower says it is a matter of principle:</p>
<blockquote>
<p>"The government has granted itself power it is not entitled to. There is no public oversight. The result is people like myself have the latitude to go further than they are allowed to. I carefully evaluated every single document I disclosed to ensure that each was legitimately in the public interest. There are all sorts of documents that would have made a big impact that I didn't turn over, because harming people isn't my goal. Transparency is.</p>
<p>I feel satisfied that this was all worth it. I have no regrets."</p>
</blockquote>]]></media:text>
    </item>
    <item>
      <guid isPermaLink="false">7000016571</guid>
      <link><![CDATA[http://www.zdnet.com/boundless-informant-us-gov-collects-100b-surveillance-records-a-month-7000016571/]]></link>
      <title><![CDATA[Boundless Informant: US gov't collects 100 billion surveillance records a month]]></title>
      <description><![CDATA[Meet the U.S. National Security Agency's global intelligence tracking tool, "Boundless Informant," the latest secretive system leaked by a London newspaper.]]></description>
      <pubDate><![CDATA[Sun, 09 Jun 2013 05:21:04 +0000]]></pubDate>
      <media:credit role="author"><![CDATA[Charlie Osborne]]></media:credit>
      <s:doctype><![CDATA[Text]]></s:doctype>
      <category domain="http://www.zdnet.com/topic-privacy/">Privacy</category>
      <category domain="http://www.zdnet.com/topic-security/">Security</category>
      <media:text type="html"><![CDATA[<figure><img title="Screen Shot 2013-06-08 at 21.58.44" alt="Screen Shot 2013-06-08 at 21.58.44" src="http://cdn-static.zdnet.com/i/r/story/70/00/016571/screen-shot-2013-06-08-at-21-58-44-620x398.png?hash=MJAvZwxjMw&upscale=1" height="398" width="620"><figcaption>(Image: Screenshot via The Guardian)</figcaption></figure>
<p>The stream of leaks revealing the U.S. National Security Agency's (NSA) secrets carries on with the public outing of a powerful intelligence tracking tool.</p>
<p>On the back of key talks between Chinese president Xi Jinping and U.S. President Obama on issues of <a href="http://www.zdnet.com/us-to-freeze-assets-of-hackers-throw-them-out-of-the-country-7000016531/">surveillance and cybercrime</a>, the U.S. government's week has just gotten a lot worse. In a fresh wave of documents <a href="http://www.guardian.co.uk/world/2013/jun/08/nsa-boundless-informant-global-datamining">obtained by <em>The Guardian</em></a>, the details of the NSA's data mining tool "Boundless Informant" are laid out for the world to see.</p>
<p>The first story, which brought U.S. intelligence capabilities and surveillance to the media's attention, concerned claims that the NSA had received a court order allowing it to collect the telephone records of U.S.-based Verizon customers.</p>
<p>The order was issued by the Foreign Intelligence Surveillance Court (FISC), a secretive establishment which was created under the Foreign Intelligence Surveillance Act (FISA) 1978 and amended by the Patriot Act in 2001. The court order forced Verizon to hand over communications metadata on an "<a href="http://www.zdnet.com/verizon-records-vacuumed-up-by-nsa-under-top-secret-patriot-act-order-7000016441/">ongoing, daily basis</a>" to the agency until July 19 this year, when the order expires.</p>
<p>After the court order came to light, details of the NSA's internal computer system, dubbed PRISM, were leaked by <em>The Washington Post</em>. The report alleged that Prism had been used to <a href="http://www.zdnet.com/fbi-nsa-said-to-be-secretly-mining-data-from-nine-u-s-tech-giants-7000016499/">collect communications data</a> from around the globe since 2007 under the NSA's Signals Intelligence Directorate, with "the assistance of communications providers in the U.S."</p>
<p>Seven firms allegedly involved in the program were named as Microsoft, Yahoo, Google, Facebook, AOL, Skype, YouTube, Apple, and PalTalk. One by one, the companies all denied knowledge of the system, and the <em>Post</em>&nbsp;<a href="http://www.zdnet.com/the-real-story-in-the-nsa-scandal-is-the-collapse-of-journalism-7000016570/">quietly altered the report</a>, which originally stated the tech giants "knowingly participated" in the scheme.</p>
<p>In response, U.S. Director of National Intelligence James Clapper <a href="http://www.zdnet.com/us-govt-defends-nsa-surveillance-slams-reprehensible-journalists-7000016529/">issued a statement</a> stating the system is "important and entirely legal," and the behaviour of media outlets disclosing details of the program was "reprehensible."</p>
<p>The intelligence chief released a <a href="http://www.dni.gov/files/documents/Facts%20on%20the%20Collection%20of%20Intelligence%20Pursuant%20to%20Section%20702.pdf">PRISM factsheet</a> (.PDF) on Saturday which claims that under Section 702 of FISA: "the United States government does not unilaterally obtain information from the servers of U.S. electronic communication service providers." In addition, data is only obtained following FISA court approval and with the knowledge of service providers.</p>
<p>In short:</p>
<blockquote>
<p>"Section 702 facilitates the targeted acquisition of foreign intelligence information concerning foreign targets located outside the United States under court oversight. Service providers supply information to the Government when they are lawfully required to do so. The Government cannot target anyone under the court-approved procedures for Section 702 collection unless there is an appropriate, and documented, foreign intelligence purpose for the acquisition."</p>
</blockquote>
<p>PRISM's existence has been recently confirmed by President Obama in a speech on Friday. Whereas the internal computer system collects data, Boundless Informant focuses on organizing and indexing metadata. In other words, the tool categorizes communications records rather than the content of a message itself, such as a text message or phone call.</p>
<p>A leaked&nbsp;<a href="https://s3.amazonaws.com/s3.documentcloud.org/documents/710558/doc01187620130608104422.pdf">fact sheet</a> (.PDF) explains that almost three billion pieces of intelligence were collected from U.S. computer networks in the 30-day period ending March this year, and that almost 100 billion pieces were indexed worldwide. Countries are ranked based on how much information has been taken from mobile and online networks, and color-coded depending on how extensively the NSA is spying on a country.</p>
<figure><img title="boundless-heatmap-large-001" alt="boundless-heatmap-large-001" src="http://cdn-static.zdnet.com/i/r/story/70/00/016571/boundless-heatmap-large-001-620x288.jpg?hash=LwLjLzAyAw&upscale=1" height="288" width="620"><figcaption>Image credit: Screenshot ZDNet/ The Guardian</figcaption></figure>
<p>Users of the tool are able to select a country on Boundless Informant's "heat map" to view details including the metadata volume and different kinds of NSA information collection.</p>
<p>Iran is top of the surveillance list with over 14 billion data reports categorized by the tracking tool in March, with Pakistan coming in close second at 13.5 billion reports.&nbsp;Jordan, Egypt and India are also top contributors.</p>
<p>Levels of country-specific surveillance are color-coded depending on severity: green for the least, moving through the spectrum to red for a country under heavy surveillance.</p>
<p>Example use cases include "How many records (and what type) are collected against a particular country?" and "Are there any visible trends for the collection?"</p>
<p>The other <a href="https://s3.amazonaws.com/s3.documentcloud.org/documents/710559/doc01187820130608104742.pdf">leaked document</a> (.PDF) says the tool is designed to give NSA officials answers to questions including what coverage the agency has on specific countries, how data collection compares in different regions, and how many records are being produced.</p>
<p>Both documents were protectively marked as "top secret" and "NOFORN," barring non-U.S. citizens from viewing them.</p>
<p>According to the documents, Boundless Informant is hosted on corporate servers and leverages free and open-source (FOSS) technology. Raw data is analyzed and processed in the cloud. The level of data categorized can also be broken down to determine which intercepts originate from the U.S., and this detail includes IP addresses —&nbsp;which can be traced back to determine a user's country of origin, state and city.</p>
<p>In <a href="http://www.forbes.com/sites/andygreenberg/2012/03/20/nsa-chief-denies-wireds-domestic-spying-story-fourteen-times-in-congressional-hearing/">a March hearing last year</a>, NSA director-general Keith Alexander repeatedly denied that the U.S. government spies on its citizens. When asked by Rep. Hank Johnson (R-GA) if the NSA has the technological capacity to identify citizens based upon the content of their emails, Alexander commented:</p>
<blockquote>
<p>"No no, we don't have the technical insights in the United States. In other words, you have to have something to intercept or some way of doing that either by going to a service provider with a warrant or you have to be collecting in that area. We’re not authorized to that nor do we have the equipment in the United States to collect that kind of information."</p>
</blockquote>
<iframe width='620' height='349' src='http://www.youtube.com/embed/oYNXVgYhPOc' frameborder='0' allowfullscreen></iframe>
<p>The exposure of the NSA's internal Boundless tracking tool —&nbsp;which is likely only used by the intelligence agency —&nbsp;and Alexander's previous comments appear to be in complete contradiction. The NSA has maintained its position and denies spying on U.S. citizens, with a spokesperson for the agency telling <em>The Guardian</em>:</p>
<blockquote>
<p>"NSA has consistently reported — including to Congress —&nbsp;that we do not have the ability to determine with certainty the identity or location of all communicants within a given communication. That remains the case. The continued publication of these allegations about highly classified issues, and other information taken out of context, makes it impossible to conduct a reasonable discussion on the merits of these programs."</p>
</blockquote>]]></media:text>
    </item>
    <item>
      <guid isPermaLink="false">7000016566</guid>
      <link><![CDATA[http://www.zdnet.com/ask-a-hacker-top-four-anti-surveillance-apps-7000016566/]]></link>
      <title><![CDATA[Ask a hacker: Top four anti-surveillance apps]]></title>
      <description><![CDATA[After a week of leaks of NSA citizen surveillance and Internet company denials, Violet Blue reports which mobile apps are best for privacy.]]></description>
      <pubDate><![CDATA[Sat, 08 Jun 2013 09:00:05 +0000]]></pubDate>
      <media:credit role="author"><![CDATA[Violet Blue]]></media:credit>
      <s:doctype><![CDATA[Text]]></s:doctype>
      <category domain="http://www.zdnet.com/topic-apple/">Apple</category>
      <category domain="http://www.zdnet.com/topic-apps/">Apps</category>
      <category domain="http://www.zdnet.com/topic-google/">Google</category>
      <category domain="http://www.zdnet.com/topic-government-us/">Government US</category>
      <category domain="http://www.zdnet.com/topic-mobile-os/">Mobile OS</category>
      <category domain="http://www.zdnet.com/topic-security/">Security</category>
      <media:text type="html"><![CDATA[<p>Did they or didn't they? That's the question at the end of this week's ground-shaking news that two highly classified programs reveal <a href="https://www.eff.org/deeplinks/2013/06/confirmed-nsa-spying-millions-americans">the U.S. government has been spying on its citizens</a> behind closed doors for years, made public in leaks as reported by Guardian U.K.</p>
<p>One NSA program brought to light this week <a href="http://www.zdnet.com/verizon-records-vacuumed-up-by-nsa-under-top-secret-patriot-act-order-7000016441/">harvests phone records via Verizon</a>. The second program is called Prism, in which <a href="http://www.zdnet.com/fbi-nsa-said-to-be-secretly-mining-data-from-nine-u-s-tech-giants-7000016499/">the NSA data-mines user information directly from nine Internet giants</a>, including Apple, Facebook, Google, Microsoft and Skype.</p>
<p>No one has contested the Verizon data/surveillance exchange deal. President Obama today confirmed the existence of both NSA programs and acknowledged Prism; tech companies <a href="http://www.zdnet.com/google-ceo-page-u-s-govt-doesnt-have-direct-access-to-our-servers-7000016559/">Google</a> and <a href="http://www.zdnet.com/mark-zuckerberg-addresses-outrageous-press-reports-about-prism-7000016564/">Facebook</a> issued carefully worded statements, with each company saying it had never heard of Prism.</p>
<p>If the NSA is getting their intel without our knowledge or consent straight from the tap, there's nothing we can do to protect ourselves. Except maybe yell at them really loud. Just like in a classic scary movie, the calls are actually coming from inside the house.</p>
<p>Add to this the element of outside information seekers: data dealers who work to make a buck by scraping sites, exploiting security holes, or making direct data sales with the very same companies alleged to be part of Prism. Now we can extend the horror film analogy, where we find out (always too late!) that the serial killer is also the babysitter.</p>
<p>Even against the odds, I felt that at the very least we can make someone's job a little bit harder.</p>
<p>Hence the title of this post. I asked not just one, but several hackers who work professionally in high-level security environments what the best anti-surveillance, pro-privacy phone apps are. What is on their phones? What should be on mine?</p>
<p>After they finished laughing at my question (especially in light of the Prism revelations), I got solid answers. You can tell me what I left out in the comments, but I only wanted to post apps that were tested and in use by people whose jobs (or more) depend on personal communication security.</p>
<p>Keep in mind that the sudden activation of encryption tools can draw attention to you, when before there might have been none.</p>
<p>However, now might be a good time to take advantage of the fact that in the middle of this news storm, suddenly lots of people are going to be trying out anti-surveillance software.</p>
<p><strong>Most recommended</strong>: Text Secure and Red Phone by <a href="https://whispersystems.org/">Whisper Systems</a> (Android only; iOS in development).</p>
<p>Both apps are free and open source, "enabling anyone to verify its security by auditing the code."</p>
<h3><strong>1. <a href="https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms">Text Secure</a> (play.google.com)</strong></h3>
<blockquote>
<figure class="alignRight"><img title="text secure nsa" alt="text secure nsa" src="http://cdn-static.zdnet.com/i/r/story/70/00/016566/text-secure-nsa-v1-124x124.png?hash=BGMxAGx1Lz&upscale=1" height="124" width="124"></figure>
<p>TextSecure encrypts your text messages over the air and on your phone. It's almost identical to the normal text messaging application, and is just as easy to use.&nbsp;</p>
<p>TextSecure provides a secure and private replacement for the default text messaging app. All messages are encrypted locally, so if your phone is lost or stolen, your messages will be safe.</p>
<p>Messages to other TextSecure users are encrypted over the air, protecting your communication in transit. TextSecure is the only Android private SMS/MMS messenger replacement that uses open source peer-reviewed cryptographic protocols to keep your messages safe.</p>
<p>Rather than simply pretending to hide your texts by putting them in another place, TextSecure uses cryptography to ensure that they remain truly secure.</p>
</blockquote>
<h3><strong>2. <a href="https://play.google.com/store/apps/details?id=org.thoughtcrime.redphone">Red Phone</a> (play.google.com)</strong></h3>
<blockquote>
<figure class="alignRight"><img title="red phone" alt="red phone" src="http://cdn-static.zdnet.com/i/r/story/70/00/016566/red-phone-v2-124x124.png?hash=LzAzZwqzZT&upscale=1" height="124" width="124"></figure>
<p>RedPhone provides end-to-end encryption for your calls, securing your conversations so that nobody can listen in.</p>
<p>RedPhone uses your normal phone number to make and receive calls, so you don't need yet another identifier. Use the default system dialer and contacts apps to make calls as you normally would.</p>
<p>RedPhone will give you the opportunity to upgrade to encrypted calls whenever the person you're calling also has RedPhone installed.</p>
<p>RedPhone calls are encrypted end-to-end, but function just like you're used to. Uses wifi or data, not your plan's voice minutes.</p>
</blockquote>
<p><strong>Second place must-haves</strong>: Tor apps <a href="https://itunes.apple.com/us/app/onion-browser/id519296448?mt=8">Onion Browser</a> (Apple iOS) and <a href="https://play.google.com/store/apps/details?id=org.torproject.android&amp;hl=en">Orbot</a> (Android), or running your own VPN.</p>
<p>Both Onion Browser and Orbot make use of the Tor Project, but they each function slightly differently (with privacy protection limitations falling on the Apple side of the tree due to the closed nature of iOS).</p>
<h3><strong>3. <a href="https://itunes.apple.com/us/app/onion-browser/id519296448?mt=8">Onion Browser</a> (Apple iTunes)</strong></h3>
<blockquote>
<figure class="alignRight"><img title="onion" alt="onion" src="http://cdn-static.zdnet.com/i/r/story/70/00/016566/onion-v1-160x156.jpg?hash=BJMyAmEwZJ&upscale=1" height="156" width="160"></figure>
<p>Onion Browser is a minimal web browser that encrypts and tunnels web traffic through the Tor onion router network and provides other tools to help browse the internet while maintaining privacy.</p>
<p>Websites do not see your real IP address. Your connection is encrypted before it leaves your device, providing protection against snooping by ISPs or people who share a WiFi connection with you.</p>
<p>Tunnel bypasses restrictive firewalls: you can access the entire Internet from behind ISPs or corporate connections, or when inside countries that practice online censorship. Access websites on the "dark net" of anonymous .onion web sites, only accessible in the Tor network.</p>
<p>User-Agent spoofing: hides the fact that you are using an iPhone/iPad from websites you visit. Ability to block third party cookies or all cookies. Can change IP address and clear cookies/history/cache in one button.</p>
<p>CHINA/IRAN NOTE: Due to online censorship techniques using deep-packet inspection (DPI), this app does NOT currently function in China or Iran.</p>
</blockquote>
<h3><strong>4. <a href="https://play.google.com/store/apps/details?id=org.torproject.android&amp;hl=en">Orbot</a> (play.google.com)</strong></h3>
<blockquote>
<figure class="alignRight"><img title="orbot" alt="orbot" src="http://cdn-static.zdnet.com/i/r/story/70/00/016566/orbot-v1-159x240.jpg?hash=ZmZ4MwAvAG&upscale=1" height="240" width="159"></figure>
<p>Orbot is a "proxy app that empowers other apps to use the internet more securely. It uses Tor to encrypt Internet traffic and hide it by basically bouncing through a series of computers around the world; it is the official version of the Tor onion routing service for Android.</p>
<p>(...) instead of connecting you directly like VPNs and proxies. This process takes a little longer, but the strongest privacy and identity protection available is worth the wait.</p>
<p>Use with <a href="https://goo.gl/s3mLa">Orweb</a>, the most anonymous way to access any website, even if it’s normally blocked, monitored, or on the hidden web. Use <a href="https://goo.gl/O3FfS">Gibberbot</a> with Orbot to chat confidentially with anyone, anywhere for free.</p>
<p>Orbot can be configured to transparently proxy all of your Internet traffic through Tor. You can also choose which specific apps you want to use through Tor.</p>
<p>Any installed app can use Tor if it has a proxy feature, using the settings <a href="https://goo.gl/2OA1y">found here</a>. Check out our fun, <a href="https://guardianproject.info/howto/browsefreely">interactive walkthrough</a>.</p>
</blockquote>
<p>The thing to know about Tor-based projects is that they will slow down your response times, and for many —&nbsp;privacy or not —&nbsp;this is a dealbreaker.</p>
<p>To Tor or not to Tor, everyone agreed that running a VPN (Virtual Private Network) of some kind is a smart thing to do. <a href="http://lifehacker.com/5940565/why-you-should-start-using-a-vpn-and-how-to-choose-the-best-one-for-your-needs">Read Why You Should Start Using a VPN (and How to Choose the Best One for Your Needs)</a>.</p>
<p>Yes, there is so much more you can do.</p>
<p>A good place to start is The Electronic Frontier Foundation (EFF) <a href="https://ssd.eff.org/">Surveillance Self-Defense Guide</a>. If you're low on time to read it all, skip to <a href="https://ssd.eff.org/your-computer/protect">What Can I Do To Protect Myself?</a></p>
<p>The EFF now has a two-click form — <a href="https://action.eff.org/o/9042/p/dia/action3/common/public/?action_KEY=9260">Massive Spying Program Exposed</a>&nbsp;— where visitors can instantly send emails to their representatives calling for a full Congressional investigation saying, "It's time for a full accounting of America's secret spying programs—and an end to unconstitutional surveillance."</p>
<p><em><strong>Update Saturday, June 8, 2:34am PST to include footnote</strong></em>: <em>These apps are good to protect you from many types of invasive attacks, but they won't protect against skilled attackers (such as powerful, unethical governments with unrestrained technical access). It's important to know that mobile devices - in this instance mobile phones, specifically - are generally weak platforms. If you're a person who's at risk, don't bet your life on any app - or any phone.</em></p>
    </item>
    <item>
      <guid isPermaLink="false">7000016534</guid>
      <link><![CDATA[http://www.zdnet.com/patch-tuesday-microsoft-to-fix-one-critical-internet-explorer-flaw-7000016534/]]></link>
      <title><![CDATA[Patch Tuesday: Microsoft to fix one critical Internet Explorer flaw]]></title>
      <description><![CDATA[In June's upcoming Patch Tuesday, the software giant has only one "critical" flaw up its sleeve, with the remaining four rated "important."]]></description>
      <pubDate><![CDATA[Fri, 07 Jun 2013 19:27:05 +0000]]></pubDate>
      <media:credit role="author"><![CDATA[Zack Whittaker]]></media:credit>
      <s:doctype><![CDATA[Text]]></s:doctype>
      <category domain="http://www.zdnet.com/topic-browser/">Browser</category>
      <category domain="http://www.zdnet.com/topic-windows/">Windows</category>
      <category domain="http://www.zdnet.com/topic-windows-8/">Windows 8</category>
      <media:text type="html"><![CDATA[<figure><img title="metro3" alt="metro3" src="http://cdn-static.zdnet.com/i/r/story/70/00/016534/metro3-620x322.png?hash=ZzIxZTIzAG&upscale=1" height="322" width="620"><figcaption>(Image: ZDNet, via CNET)</figcaption></figure>
<p>It looks like June will be a relatively quiet month for security patches, with Microsoft set to dish out just one fix for a "critical" flaw in Internet Explorer.&nbsp;</p>
<p>The software giant said in its&nbsp;<a href="http://technet.microsoft.com/en-us/security/bulletin/ms13-jun">latest advance security bulletin</a>&nbsp;that it has five security vulnerability bulletins, including an Internet Explorer zero-day flaw that&nbsp;is currently being exploited in the wild by hackers and malware writers.</p>
<p>All versions of Internet Explorer 6 and above, including IE10 on Windows 7 and Windows 8 devices&nbsp;— which include Surface and Surface RT tablets&nbsp;— and Windows Server products, will require patching as soon as possible.&nbsp;</p>
<p>The zero-day flaw in Internet Explorer allows a remote code execution attack, in which a hacker can exploit the flaw to install malicious software on an affected computer.</p>
<p>As with all advance notifications, Microsoft doesn't want to tip off the hackers with exactly what the flaw is, but more details will be released next week after the patches are released.</p>
<p>It comes at a delicate time for Microsoft, which in recent weeks was embroiled in a public security spat with Google. A security expert working at the search giant, instead of reporting a flaw directly to Microsoft, published the vulnerability <a href="http://seclists.org/fulldisclosure/2013/May/91">on a public disclosure list</a>.</p>
<p>It's not clear if the patch for this privilege escalation flaw will make it into the June round-up of security updates.</p>
<p>The other four bulletins are rated "important," and affect Windows and Office. In all, the 23 individual flaws range from information disclosure and elevation of user privileges to denial of service attacks and remote code execution, which can allow malware onto an affected device.</p>
<p>In a rare update, Microsoft will update its Office for Mac 2011 software&nbsp;— the version of the productivity suite for Apple OS X-based machines&nbsp;— with an "important" rated update. The bulletin will also include a patch for Office 2003 (Service Pack 3) for Windows machines.</p>
<p>Microsoft will release its latest round of security updates and patches on June 7, and those will be available on all the usual update channels.</p>]]></media:text>
    </item>
    <item>
      <guid isPermaLink="false">7000016531</guid>
      <link><![CDATA[http://www.zdnet.com/us-to-freeze-assets-of-hackers-throw-them-out-of-the-country-7000016531/]]></link>
      <title><![CDATA[US to freeze assets of hackers, throw them out of the country]]></title>
      <description><![CDATA[Involved in cybercrime? Don't count on a visa to protect you. ]]></description>
      <pubDate><![CDATA[Fri, 07 Jun 2013 17:26:05 +0000]]></pubDate>
      <media:credit role="author"><![CDATA[Charlie Osborne]]></media:credit>
      <s:doctype><![CDATA[Text]]></s:doctype>
      <category domain="http://www.zdnet.com/topic-government-us/">Government US</category>
      <media:text type="html"><![CDATA[<figure><img title="china bill hacker revoke visa frozen financial bank assets united states" alt="china bill hacker revoke visa frozen financial bank assets united states" src="http://cdn-static.zdnet.com/i/r/story/70/00/016531/digitalpadlock-v1-620x350-620x350-620x350-620x350.jpg?hash=LwqvZQqzLG&upscale=1" height="350" width="620"></figure>
<p>Lawmakers in the U.S. have proposed legislation which will deny hackers entry to the United States and freeze the assets of foreign nationals.</p>
<p>The Cyber Economic Espionage Accountability Act was <a href="http://www.hsgac.senate.gov/subcommittees/fco/media/ranking-member-johnson-joins-bipartisan-effort-to-punish-nation-state-cyber-hackers">revealed on Thursday</a>, and allows U.S. authorities to "punish criminals backed by China, Russia or other foreign governments for cyberspying and theft."</p>
<p>Reps. Mike Rogers, Tim Ryan and Sen. Ron Johnson, bipartisan members of the House and Senate, say that the bill will send a clear message to nations endorsing cybercriminals, and that "this behavior will no longer be tolerated."</p>
<p>"Theft of U.S. intellectual property is costing our economy an estimated $300 billion a year. It costs American jobs, innovation, and threatens national security," said Senator Ron Johnson. "It's time there are repercussions for these brazen acts taken by foreign actors. This bill is a simple, common-sense measure. It directs the Administration to develop a list of cyber spies, make that list public, and enforce penalties for those bad actors."</p>
<p>Rogers mentions China by name, saying that there are currently "no real consequences" for the theft of American intellectual property.</p>
<p>The act calls for the U.S. Department of Justice (DOJ) to prosecute more foreign nationals who are involved in the theft of intellectual property and economic warfare. In addition, the bill would deny hackers the right to apply for visas to enter the United States. If they are currently within the country, those involved in cybercrime take the risk of having visas revoked and financial assets frozen.</p>
<p>Xi Jinping, the newly-installed Chinese president, will be visiting the U.S. this weekend to hold talks with U.S. President Obama over a range of issues including trade relations, the situation in North Korea and the rising threat of cybercrime. Talks will be held in California.</p>]]></media:text>
    </item>
    <item>
      <guid isPermaLink="false">7000016489</guid>
      <link><![CDATA[http://www.zdnet.com/nsa-top-secret-spying-order-affects-millions-of-americans-faq-7000016489/]]></link>
      <title><![CDATA[NSA 'top secret' spying order affects millions of Americans: FAQ]]></title>
      <description><![CDATA[The U.S. government is vacuuming up millions of Verizon customer records on a daily basis, according to a leaked "top secret" court order. Here's everything you need to know.]]></description>
      <pubDate><![CDATA[Fri, 07 Jun 2013 00:25:05 +0000]]></pubDate>
      <media:credit role="author"><![CDATA[Zack Whittaker]]></media:credit>
      <s:doctype><![CDATA[Text]]></s:doctype>
      <category domain="http://www.zdnet.com/topic-government-us/">Government US</category>
      <category domain="http://www.zdnet.com/topic-security/">Security</category>
      <media:text type="html"><![CDATA[<figure><img title="nsa" alt="nsa" src="http://cdn-static.zdnet.com/i/r/story/70/00/016489/nsa-620x317.png?hash=AmIvAwIyBQ&upscale=1" height="317" width="620"><figcaption>The National Security Agency's headquarters in Ft. Meade, Md., in an undated file photo. (Image: NSA)</figcaption></figure>
<p><em>The Guardian</em> newspaper revealed exclusively on Wednesday that the U.S. National Security Agency (NSA) has been, and still is, <a href="http://www.guardian.co.uk/world/2013/jun/06/nsa-phone-records-verizon-court-order">vacuuming up millions of Verizon customer details</a>, including information on phone calls both within the U.S. and between the U.S. and other countries.</p>
<p>Under the order, Verizon is ordered on an "ongoing, daily basis" to hand the NSA information on all of the call data in its systems.</p>
<p>On Thursday, ZDNet obtained a copy of a note sent by Verizon chief counsel Randy Milch to employees. In the note, he did not confirm or deny the story, but in describing it as an "alleged" court order, he stressed that the text "forbids Verizon from revealing the order’s existence."</p>
<p>"If Verizon were to receive such an order, we would be required to comply," just as any other company would be forced to.</p>
<p>Milch added that the company "continually takes steps to safeguard its customers' privacy," but warned that the "law authorizes the federal courts to order a company to provide information in certain circumstances."</p>
<p>A Verizon spokesperson declined to comment when ZDNet contacted the company by phone on Thursday.</p>
<p>This is a developing story, and will be updated with notes below, when appropriate.</p>
<h3>What is the deal here? Is the U.S. government spying on U.S. residents?</h3>
<p>A "top secret" order by a U.S. secret court — known as <a href="https://www.eff.org/issues/foia/07403TFH">the Foreign Intelligence Surveillance Court</a> (FISC), which was set up in the <a href="https://ssd.eff.org/foreign/fisa">Foreign Intelligence Surveillance Act</a> (FISA) in 1978 following the Watergate scandal — forced Verizon to send the U.S. National Security Agency the records relating to tens of millions, if not all, of its customers' phone calls and text messages.</p>
<p>FISA has been amended numerous times since then, including by the <a href="https://www.eff.org/issues/patriot-act">Patriot Act in 2001</a>, following the September 11 terrorist attacks in New York City, and in 2008 by the FISA Amendments Act, following revelations of the NSA's warrantless wiretapping program.</p>
<p>This order, <a href="http://www.guardian.co.uk/world/interactive/2013/jun/06/verizon-telephone-data-court-order">published by <em>The Guardian</em></a>, applies to all calls carried by Verizon between the U.S. and abroad, or within the U.S., including local calls. Only calls that both originate and terminate outside the U.S. are excluded from the order.</p>
<p>There is no doubt that this is a massive domestic spying campaign by the U.S. government — it's clear from the document — through its intelligence services. But unlike previous cases <a href="https://www.eff.org/cases/jewel">involving the NSA and AT&amp;T</a>, this time around it has been authorized by the aforementioned secret court.</p>
<h3>Why has this order been issued?</h3>
<p>That isn't clear. The FISC order itself does not state why. For good reason: If the document is leaked, at least it doesn't dish out any more secret intelligence than is necessary.</p>
<p>The White House said, via a Reuters wire, that the "ability to gather information has been [a] critical tool in preventing terrorist threats." Officials also said there is a "need to balance security with civil liberties."</p>
<p>There may be something going on that we don't know about. An imminent terrorist threat, potentially something on a scale that requires everyone's civil liberties to be halted or diminished to save lives? It's speculative. That said, the U.K. government is actively trying to write this kind of surveillance into law, since it does not currently possess Patriot Act-like powers (see below).</p>
<h3>What does the order actually say?</h3>
<p>It says a number of things, most of which are described in this FAQ. Verizon is forced to hand over, "on an ongoing daily basis", an electronic copy of "tangible things." This is a provision given to the FISC under <a href="http://w2.eff.org/patriot/sunset/215.php">Section 215</a> of the Patriot Act, otherwise known as <a href="http://www.law.cornell.edu/uscode/text/50/1861">50 U.S.C. § 1861</a>, which is commonly known as the "business records" section.</p>
<p>Verizon is also gagged from disclosing "to any other person that the FBI or NSA has sought or obtained tangible things" under the order. The order only permits Verizon to seek legal advice or assistance "with respect to the production of [tangible] things."</p>
<p>This is why Verizon is neither confirming nor denying the order, and is not commenting on the record. It simply isn't allowed to.</p>
<p>The cellular giant is not allowed to appeal. Such appeals are rare, anyway. The first appeal was in 2002, more than two decades after the introduction of the FISC.</p>
<h3>What is Section 215 of the Patriot Act?</h3>
<p>Section 215 of the Patriot Act relates to "business records." It also removes the normal requirement to meet the legal standard of what is known as "probable cause," according to the American Civil Liberties Union (ACLU) <a href="http://www.acluutah.org/Businessfacts.pdf">in a fact sheet [PDF]</a>.</p>
<p>Section 215 supersedes any legally binding privacy guarantees between businesses and their clients or customers, such as a privacy policy or a contract. If a company is served with a court order under Section 215, it is not allowed to contest the order, or even disclose the order to a lawyer — unless legal counsel is used to help hand over the "things" that the U.S. government wants.</p>
<p>Such things are anything "tangible." This includes business, financial, and even medical records, as well as papers, documents, and books — or anything you can physically hold.</p>
<p>But "tangible" is a broad term that has been interpreted by the U.S. government, which now allows it to include company databases, computers, hard drives, and, in some cases, cloud-stored files.</p>
<h3>How long has this been going on for? Is the Verizon order indicative of an ongoing practice?</h3>
<p>According <a href="http://www.montereyherald.com/state/ci_23402457/intel-chair-says-nsa-court-order-is-renewal">to the Associated Press</a>, Senate Intelligence Committee chairperson Senator Dianne Feinstein (D-CA) said the "top secret" court order for the telephone records of millions of Verizon's U.S. customers is a three-month renewal of an "ongoing practice."</p>
<h3>What can be collected under the order?</h3>
<p>Communications data, dubbed "metadata," can be collected under the order. The actual contents of the calls are not available to the U.S. government — that would require a different warrant that enables wiretapping. That uses a different section of the law.</p>
<p>The sort of <a href="http://www.zdnet.com/verizon-records-vacuumed-up-by-nsa-under-top-secret-patriot-act-order-7000016441/">data collected includes "call data,"</a> such as the caller's and the recipient's phone number. Also recorded is routing data, such as the IMEI, which uniquely identifies the handset, and the IMSI, which identifies the subscriber's SIM on the cellular network. The time, date, and duration of the call are also recorded.</p>
<p>It's also possible for the NSA to collect location data of Verizon customers, following a 2005 court ruling that determined that cell site location is also considered "metadata."</p>
<p>This effectively means that U.S. citizens and residents, and not only foreign nationals, are being swept up in widespread, court-authorized domestic surveillance.</p>
<h3>Is this order in breach of Fourth Amendment rights to "unreasonable" searches?</h3>
<p>This one is tricky. Arguably, yes, but also perhaps not. The Fourth Amendment protects U.S. residents from the U.S. government — not private companies — conducting "unreasonable" searches.</p>
<p>However, the FISC has ruled before that similar <a href="http://www.wired.com/dangerroom/2012/07/surveillance-spirit-law/">NSA surveillance violated the Fourth Amendment</a>. According to Senator Ron Wyden (D-OR), the court ruled that the intelligence it collected was <a href="http://www.wired.com/dangerroom/2012/07/surveillance-spirit-law/2012-07-20-ola-ltr-to-senator-wyden-ref-declassification-request/">"unreasonable" under the law</a>.</p>
<p>Despite being held in secret, the FISC is accountable, albeit to a small number of select politicians on the Senate Intelligence Committee. Few records are made public, and those that exist are treated with the highest security classification possible.</p>
<h3>Can the U.S. government use the order to listen in on calls, or read my text messages?</h3>
<p>Communications data <a href="http://www.zdnet.com/u-k-spy-agencies-plan-to-install-web-snooping-black-boxes-7000010833/">does not include the contents of communications</a>, such as the body of an email, the text of a message, or a recording of a phone conversation; it covers the details about what was sent and received, by whom, and when.</p>
<p>Names, addresses, and financial data are also not collected. With inter-agency cooperation, it would not be difficult for the NSA or the FBI to work out who is who.</p>
<h3>Are consumers affected, or businesses, or both?</h3>
<p>A person familiar with the matter, who declined to be named, told ZDNet on Thursday that business and enterprise customers are the most affected. Consumers are also affected, because the division of Verizon, known as Verizon Business Network Services, serves residential and business customers, as well as local, state, and federal government entities.</p>
<h3>What can the NSA do with this collected "metadata"?</h3>
<p>The U.S. government doesn't believe metadata, the collected information, is private or sensitive in nature. The U.K. government has used an analogy in which the contents of a communication are the "letter," while the metadata is the "envelope."</p>
<p>The NSA could do almost anything it likes with the data it receives. It can work out who you're contacting, when you're likely to contact them, links with other people, and a "social networking analysis" that determines who may know other people via a mutual friend. The government agency can also determine where you've been.</p>
<p>Above all else, it can be used to spot what the NSA would consider "suspicious" activity. Considering it's already used the law to scrap the legal standard of what is considered "probable cause," it could probably widen the scope of what it would consider "suspicious" in the first place.</p>
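<p>To make the preceding paragraphs concrete, here is an added worked example, not from the original article and not code from any agency or carrier. It takes a handful of constructed call-detail records carrying only the fields the order describes (caller and recipient number, IMEI, IMSI, trunk, timestamp, duration, and the cell site serving the caller) and shows that, without a single word of call content, they yield a subscriber's contacts, the people reachable through those contacts, a calling routine, a probable home and work location, and the handset and SIM behind the number. Every number, identifier and cell-site label is made up.</p>

```python
"""Added example: what call metadata alone reveals.

Constructed CDRs (not real data) with only the fields the order covers:
caller, callee, IMEI, IMSI, trunk, start time, duration and the cell
site serving the caller. No call content is present anywhere."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: caller,callee,imei,imsi,trunk,start,duration_s,caller_cell_site
SAMPLE_CDRS = """\
2125550101,2125550202,356938035643809,310004123456789,TRK-A,2013-06-03T08:05:00,120,NYC-014
2125550101,2125550303,356938035643809,310004123456789,TRK-A,2013-06-03T08:40:00,45,NYC-014
2125550202,2125550303,490154203237518,310004987654321,TRK-B,2013-06-03T12:10:00,300,NYC-027
2125550101,2125550202,356938035643809,310004123456789,TRK-A,2013-06-04T08:02:00,90,NYC-014
2125550303,2125550404,353918051234567,310004555555555,TRK-C,2013-06-04T19:30:00,600,NYC-031
2125550101,2125550202,356938035643809,310004123456789,TRK-A,2013-06-05T08:07:00,60,NYC-014
2125550101,2125550505,356938035643809,310004123456789,TRK-A,2013-06-05T23:15:00,30,NYC-088
2125550404,2125550101,353918051234567,310004555555555,TRK-C,2013-06-06T23:50:00,200,NYC-052
2125550202,2125550606,490154203237518,310004987654321,TRK-B,2013-06-05T13:00:00,180,NYC-027
2125550101,2125550303,356938035643809,310004123456789,TRK-A,2013-06-06T22:40:00,75,NYC-088
"""


def parse_cdrs(text):
    """Parse comma-separated CDR lines into dicts with typed fields."""
    records = []
    for line in text.strip().splitlines():
        caller, callee, imei, imsi, trunk, start, dur, cell = line.split(",")
        records.append({"caller": caller, "callee": callee, "imei": imei,
                        "imsi": imsi, "trunk": trunk,
                        "start": datetime.fromisoformat(start),
                        "duration": int(dur), "cell": cell})
    return records


def contact_graph(records):
    """Undirected who-called-whom graph: number -> set of numbers."""
    graph = defaultdict(set)
    for r in records:
        graph[r["caller"]].add(r["callee"])
        graph[r["callee"]].add(r["caller"])
    return graph


def mutual_contacts(graph, a, b):
    """Numbers that both a and b have spoken to (the 'mutual friend')."""
    return graph[a] & graph[b]


def two_hop_contacts(graph, seed):
    """Numbers reachable only via one of seed's direct contacts."""
    reached = set()
    for direct in graph[seed]:
        reached |= graph[direct]
    return reached - graph[seed] - {seed}


def contact_routine(records, a, b):
    """Hour of day at which a most often calls b, or None if never."""
    hours = Counter(r["start"].hour for r in records
                    if r["caller"] == a and r["callee"] == b)
    return hours.most_common(1)[0][0] if hours else None


def frequent_cell(records, number, hour_range):
    """Most common serving cell for calls that number originates inside
    hour_range=(start, end); a range such as (22, 6) wraps past midnight."""
    start, end = hour_range

    def in_range(h):
        return start <= h < end if start < end else (h >= start or h < end)

    cells = Counter(r["cell"] for r in records
                    if r["caller"] == number and in_range(r["start"].hour))
    return cells.most_common(1)[0][0] if cells else None


def devices_for_number(records, number):
    """(IMEI, IMSI) pairs seen originating calls from number: ties the
    phone number to a physical handset and to a SIM."""
    return {(r["imei"], r["imsi"]) for r in records if r["caller"] == number}


if __name__ == "__main__":
    recs = parse_cdrs(SAMPLE_CDRS)
    g = contact_graph(recs)
    target = "2125550101"
    print("direct contacts:", sorted(g[target]))
    print("mutual with 2125550202:", mutual_contacts(g, target, "2125550202"))
    print("two hops out:", two_hop_contacts(g, target))
    print("usual hour calling 2125550202:", contact_routine(recs, target, "2125550202"))
    print("likely home cell (22:00-06:00):", frequent_cell(recs, target, (22, 6)))
    print("likely work cell (07:00-19:00):", frequent_cell(recs, target, (7, 19)))
    print("handset/SIM:", devices_for_number(recs, target))
```

<p>The point of the example is that none of the functions looks at content, because there is none to look at: the graph operations are the "social networking analysis" the paragraph above describes, and the night-time versus daytime cell-site split is how a location history turns into a home and a workplace.</p>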
<h3>A specific Verizon division is named in the order. What is Verizon Business Network Services?</h3>
<p>When Verizon acquired MCI Network Services in May 2007, the company was spun into the telecoms giant's business unit. It was renamed Verizon Business Network Services. It provides local and long-distance voice and messaging services, as well as Internet and data access.</p>
<p>For business clients, Verizon offers virtual private network (VPN) services and firewall technology. <a href="http://investing.businessweek.com/research/stocks/private/snapshot.asp?privcapid=4259068">According to Bloomberg</a>, the division also provides "network infrastructure, including network design, implementation, and customer management solutions; and data, dial, asynchronous transfer mode, digital subscriber line, and dedicated and bundled services, as well as security products."</p>
<h3>If Verizon has been slapped with a "top secret" order, have others also?</h3>
<p>AT&amp;T, Sprint, and T-Mobile may have been hit with the same order, or one with almost exactly the same wording. It's possible and likely, but we cannot confirm that. It's safer to assume that if the U.S. government has forced Verizon to hand over the data of more than 98 million wireless customers and around 21 million residential and commercial lines — if not more — then other cellular firms may have been, as well.</p>
<h3>What does "top secret" actually mean?</h3>
<p>The document markings at the top of the document say: "TOP SECRET//SI//NOFORN," which likely means very little to the vast majority of readers.</p>
<p>Breaking this down: the document requires the highest level of security clearance in the U.S., and in fellow allied countries, such as the U.K.</p>
<p>"SI" (Special Intelligence) is a sensitive compartmented information control marking for communications intelligence, such as intercepted calls.</p>
<p>"NOFORN" means "not releasable to foreign nationals": the document may not be shown to non-U.S. persons, even those in allied nations with which the U.S. government shares intelligence.</p>
<p>For this reason, <em>The Guardian</em>, based in London, U.K., may evade U.S. sanctions or prosecution as a result. It's certainly safer for a U.K.-based publication than a U.S.-based one.</p>
<h3>Isn't this "communications data" collection similar to what the U.K. government is currently trying to push into law?</h3>
<p>Very much so. The U.K. government is struggling to get this to the debate stage, let alone into law and given Royal Assent, due to <a href="http://www.zdnet.com/u-k-web-email-snooping-draft-law-dead-at-least-for-now-7000008616/">opposition in the Cabinet of the Conservative-led coalition government</a>.</p>
<p>The government wants its intelligence agencies to be able to tap into, in near-real time, the communications data of any given person in the U.K. at any time. This involves forcing the Internet providers in the country to <a href="http://www.zdnet.com/u-k-spy-agencies-plan-to-install-web-snooping-black-boxes-7000010833/">install "black boxes"</a> to enable the server-side data collection.</p>]]></media:text>
    </item>
    <item>
      <guid isPermaLink="false">7000016460</guid>
      <link><![CDATA[http://www.zdnet.com/microsoft-fbi-crack-cybercrime-ring-7000016460/]]></link>
      <title><![CDATA[Microsoft, FBI crack cybercrime ring]]></title>
      <description><![CDATA[The Redmond giant says it has successfully disrupted a harmful network of botnets. ]]></description>
      <pubDate><![CDATA[Thu, 06 Jun 2013 14:03:04 +0000]]></pubDate>
      <media:credit role="author"><![CDATA[Charlie Osborne]]></media:credit>
      <s:doctype><![CDATA[Text]]></s:doctype>
      <category domain="http://www.zdnet.com/topic-security/">Security</category>
      <media:text type="html"><![CDATA[<figure class="alignRight"><img title="hacker-code-v2-200x155-200x155" alt="hacker-code-v2-200x155-200x155" src="http://cdn-static.zdnet.com/i/r/story/70/00/016460/hacker-code-v2-200x155-200x155-200x155.jpg?hash=ZQSwZmDkAG&upscale=1" height="155" width="200"></figure>
<p>Microsoft, the FBI and members of the financial services industry say they have disrupted a cybercrime network that is responsible for over half a billion dollars in fraud.</p>
<p>Microsoft announced today that, in cooperation with the U.S. financial services industry and leaders including the Financial Services Information Sharing and Analysis Center (FS-ISAC), NACHA -- The Electronic Payments Association, and the American Bankers Association (ABA), it has disrupted a network accounting for over a thousand botnets.</p>
<p>In conjunction with other technology firms and the Federal Bureau of Investigation (FBI), the Redmond giant says the investigative team was able to discover and take down a botnet system which is responsible for stealing people's online banking information and personal identities.</p>
<p>Botnets are compromised computer networks which, once infected with malicious software, can be controlled by cybercriminals and used to complete tasks including data theft and the disruption of online services.</p>
<p>An investigation began in 2012 into malware dubbed Citadel. Citadel, based on the Zeus source code, is designed to steal personal information including banking details, and can install further malicious code, such as ransomware, on a compromised computer. Able to record keystrokes, Citadel's keylogging lets hackers gain access to online accounts or steal personal identities.</p>
<p>Microsoft found that Citadel is responsible for losses of more than half a billion dollars to individuals and businesses worldwide. Upwards of five million computers have been affected, with some of the highest numbers of infections appearing in the U.S., Europe, Hong Kong, Singapore, India, and Australia.</p>
<p>Citadel is believed to be present in over 90 countries.</p>
<p>"The harm done by Citadel shows the threat that botnets, malicious software, and piracy pose to individuals and businesses around the world," said Brad Smith, Microsoft general counsel and executive vice president, Legal and Corporate Affairs. "Today's coordinated action between the private sector and law enforcement demonstrates the power of combined legal and technical expertise and we're going to continue to work together to help put these cybercriminals out of business."</p>
<p>The tech giant has filed a civil suit against cybercriminals operating the botnet scheme, and has also received the approval of the U.S. District Court for the Western District of North Carolina to cut off communication between 1,462 Citadel botnets and infected computers under their control.</p>
<p>"Financial crimes used to happen through stickups, but today criminals use mouse clicks," said Greg Garcia, a consultant and former Department of Homeland Security cyber official. "This action aims to stop the ongoing harm of these Citadel botnets against people and businesses worldwide, and you can be assured that we will continue to partner with the public and private sectors to help financial institutions protect our customers from threats like this."</p>
<p>Due to the size of the cybercrime ring, Redmond does not expect to fully eliminate all of the botnets using Citadel, but hopes that operations will now be severely disrupted.</p>]]></media:text>
    </item>
    <item>
      <guid isPermaLink="false">7000016441</guid>
      <link><![CDATA[http://www.zdnet.com/verizon-records-vacuumed-up-by-nsa-under-top-secret-patriot-act-order-7000016441/]]></link>
      <title><![CDATA[Verizon records vacuumed up by NSA under 'top secret' Patriot Act order]]></title>
      <description><![CDATA[The U.S. government has collected millions of Verizon customers' details, including phone call and location-based data, under a top secret order that was leaked to a London newspaper.]]></description>
      <pubDate><![CDATA[Thu, 06 Jun 2013 09:01:05 +0000]]></pubDate>
      <media:credit role="author"><![CDATA[Zack Whittaker]]></media:credit>
      <s:doctype><![CDATA[Text]]></s:doctype>
      <category domain="http://www.zdnet.com/topic-government-us/">Government US</category>
      <category domain="http://www.zdnet.com/topic-privacy/">Privacy</category>
      <category domain="http://www.zdnet.com/topic-verizon/">Verizon</category>
      <media:text type="html"><![CDATA[<figure><img title="136942466282447" alt="136942466282447" src="http://cdn-static.zdnet.com/i/r/story/70/00/016441/136942466282447-620x378.png?hash=BGRmLJV2AT&upscale=1" height="378" width="620"><figcaption>(Image: Screenshot by ZDNet via The Guardian)</figcaption></figure>
<p>A "top secret" order issued by a little-known U.S. court isn't so secret anymore, after <em>The Guardian</em> published it on Wednesday evening.</p>
<p>The London, U.K.-based newspaper revealed exclusively that the U.S. National Security Agency (NSA) has been, and still is, <a href="http://www.guardian.co.uk/world/2013/jun/06/nsa-phone-records-verizon-court-order">vacuuming up millions of Verizon customer details</a>, including information on phone calls both within the U.S. and between the U.S. and other countries.</p>
<p>Under the order, Verizon is ordered on an "ongoing, daily basis" to hand the NSA the information on all of the call data in its systems.</p>
<p>As of the company's <a href="http://www.zdnet.com/verizon-9-8-million-activations-during-q4-7000009582/">2012 fiscal fourth quarter</a>, Verizon had 115.78 million cellular subscribers. That is a good chunk of Verizon's customers, but the figure covers wireless only and so understates the total number of customers affected by this court order.</p>
<p>The document states that the Foreign Intelligence Surveillance Court (FISC), established under the Foreign Intelligence Surveillance Act (FISA), granted the order to the U.S. Federal Bureau of Investigation (FBI) on April 25. The order expires on July 19 — around six weeks from now.</p>
<p>The three-month order gives the U.S. government a continuous supply of data for the whole period.</p>
<p>The data being collected on Verizon customers — including cellular and landline customers — comprises all call details or "metadata" relating to calls carried by Verizon between the U.S. and abroad, or within the U.S., including local calls. The publication reported that, under a 2005 ruling, cell site location data also falls within this scope.</p>
<p>Location data of Verizon customers, therefore, is in the NSA's hands.</p>
<p>This includes routing data, such as the originating and recipient phone numbers; the IMEI, which uniquely identifies the handset; the IMSI, which identifies the subscriber's SIM on the cellular network; trunk identifiers; calling card numbers; and the time, date, and duration of the call.</p>
<p>Verizon customers that are outside of the U.S. and making calls to non-U.S. residents are exempt from the secretive court order. Names, addresses, and financial data are also not collected. That said, it's not exactly difficult for the NSA, in conjunction with the FBI, to work out who someone is from that very specific data.</p>
<p>This comes only a month after former FBI counter-terrorism agent Tim Clemente told CNN that the U.S. government <a href="http://transcripts.cnn.com/TRANSCRIPTS/1305/01/ebo.01.html">can acquire personal and sensitive data</a>, and that it is "captured as we speak, whether we know it or like it or not."</p>
<p>It's not clear whether other cell networks, such as AT&amp;T, T-Mobile, and Sprint, have been targeted with similar or identical orders. Key "gagging order" provisions mean that a recipient of such a FISC order, including any of the aforementioned carriers, is not allowed to disclose it to anyone.</p>
<p>It recalls similar orders under the Bush administration, in which the NSA wiretapped U.S. citizens without warrants in a mass domestic surveillance program. An AT&amp;T whistleblower disclosed that the carrier was "complicit" in the U.S. government's monitoring of phone calls, Web activity — including history and email details — and text messaging data of U.S. residents.</p>
<p>The wiretapping stopped in January 2007. In 2008, the FISA Amendments Act was introduced.</p>
<p>For the first time during Obama's presidency, a document proves that millions of U.S. citizens and residents are under surveillance by the government, whether or not they are suspected of committing a crime.</p>
<p>The interesting factor here is that FISA authorizes such widespread snooping on the grounds that U.S. citizens could be communicating with foreign citizens. But the key word here is "residents," not "citizens": FISA also authorizes widespread snooping on "persons" within the U.S., as long as they are legally allowed to be there.</p>
<p>It was, after all, designed and brought into law in 1978, at the height of the Cold War, when spying was widespread across the U.S., Europe, and Russia.</p>
<p>But questions remain over why. Nobody seems to know exactly why Verizon was targeted with a "top secret" court order.</p>
<p>Under Section 215 of the Patriot Act, first brought out in October 2001, just a month after the devastating terrorist attack in New York City, "business records" can be acquired by the U.S. intelligence agencies — such as the NSA and the FBI — in vast swathes with a single warrant.</p>
<p>It also allows any "tangible thing" to be acquired by the government, such as books, receipts, and even privately held computer databases, such as in this case.</p>
<p>Last year, Senator Ron Wyden (D-OR) and Senator Mark Udall (D-CO) revealed, while still bound by U.S. secrecy laws: "We're getting to a gap between what the public thinks the law says and what the American government secretly thinks the law says."</p>
<p>They specifically warned about the "business provisions" in the Patriot Act that allow the U.S. government to acquire vast amounts of data with a single warrant, including medical records, so long as it pertains to an intelligence investigation.</p>
<p>The U.S. Justice Department's secret interpretation of the "business records" provision led the two senators to speak out, albeit within the bounds of U.S. secrecy laws, and disclose that such a "secret interpretation" existed.</p>
<p>Section 215 has already been used to obtain driving license, credit card, car, and apartment rental records. Such records are <a href="http://www.justice.gov/nsd/opa/pr/testimony/2011/nsd-testimony-110309.html">not within the parameters of the Fourth Amendment</a>, which protects residents from "unreasonable" searches, because arguably they are not considered a "search."</p>
<p>The Patriot Act provision also means that such an order must be approved by the secret FISC, which can grant it so long as the data sought is relevant to a terrorism investigation. The threshold for opening such an investigation is low, however.</p>
<p>Basically, Verizon couldn't do anything about this even if it wanted to. It's not allowed to disclose anything about this order, and naturally declined to comment to <em>The Guardian</em>.</p>]]></media:text>
    </item>
    <item>
      <guid isPermaLink="false">7000016139</guid>
      <link><![CDATA[http://www.zdnet.com/symantec-report-mistakes-cause-most-security-breaches-not-hackers-7000016139/]]></link>
      <title><![CDATA[Symantec report: Mistakes cause most security breaches -- not hackers]]></title>
      <description><![CDATA[Before heaping all of the blame on cyber criminal methods, perhaps we should all step back and take some responsibility for security failures too.]]></description>
      <pubDate><![CDATA[Wed, 05 Jun 2013 19:00:00 +0000]]></pubDate>
      <media:credit role="author"><![CDATA[Rachel King]]></media:credit>
      <s:doctype><![CDATA[Text]]></s:doctype>
      <category domain="http://www.zdnet.com/topic-big-data/">Big Data</category>
      <category domain="http://www.zdnet.com/topic-data-management/">Data Management</category>
      <category domain="http://www.zdnet.com/topic-legal/">Legal</category>
      <category domain="http://www.zdnet.com/topic-enterprise-2-0/">Enterprise 2.0</category>
      <media:text type="html"><![CDATA[<figure><img title="password-security" alt="password-security" src="http://cdn-static.zdnet.com/i/r/library/uk-carousel/password-security-620x202.jpg?hash=MTMzAwD5AQ&upscale=1" height="202" width="620"></figure>
<p>When it comes to pointing fingers at who is to blame for major security breaches, maybe we should look back at ourselves first.</p>
<p>That's because according to <strong>Symantec</strong>'s eighth annual <em>Cost of a Data Breach</em> report, mistakes made by employees lead to nearly two-thirds of data breaches.</p>
<p>The security giant argued in the report that while analysis and criticism about recent data breaches often focus on the methods of malicious attackers, critics often overlook (much to our detriment) the human factor.</p>
<p>Obviously, such mistakes —&nbsp;and the repetitiveness and negligence associated with them —&nbsp;are very expensive.</p>
<p>According to the study, the average number of breached records per organization was 23,647 with an average cost range of $130 to $136 per record.</p>
<p>Those costs were found to be much higher in Germany and the United States, where the averages jumped to $188 and $199, respectively.</p>
<p>Some other important lessons to learn from the report:</p>
<ul>
<li>Brazilian companies were most likely to experience breaches caused by human errors, while Indian businesses were more likely to see breaches caused by system glitches.</li>
<li>German companies were more likely to experience problems due to malicious attacks, followed by Australia and Japan.</li>
<li>France and Australia had the highest rate of customer turnover following a data breach, while Brazil and India seem to have the most forgiving clients.</li>
<li>American companies said the greatest increase in data breach costs stemmed from a third-party error or even quick notification to data breach victims, regulators, and other stakeholders. U.K. companies pointed towards lost and stolen devices as the biggest culprits.</li>
<li>But U.S. and U.K. companies saw the greatest reduction in costs when they had strong response plans in place.</li>
<li>Furthermore, American and French businesses also saw reduced costs when they enlisted consultants for data breach remediation.</li>
</ul>
<p>For reference, Symantec commissioned the Ponemon Institute to conduct the study over the course of 2012.</p>
<p>The independent research firm surveyed more than 1,400 people at 277 global organizations across the following nine countries: the United States, the United Kingdom, Germany, France, Australia, India, Italy, Japan, and Brazil.</p>]]></media:text>
    </item>
    <item>
      <guid isPermaLink="false">7000016405</guid>
      <link><![CDATA[http://www.zdnet.com/bskyb-shares-threat-data-with-competition-after-falling-foul-of-the-sea-7000016405/]]></link>
      <title><![CDATA[BSkyB shares threat data with competition after falling foul of the SEA]]></title>
      <description><![CDATA[After being targeted by the Syrian Electronic Army, BSkyB has begun working with other firms to try and improve cybersecurity defenses. ]]></description>
      <pubDate><![CDATA[Wed, 05 Jun 2013 17:37:05 +0000]]></pubDate>
      <media:credit role="author"><![CDATA[Charlie Osborne]]></media:credit>
      <s:doctype><![CDATA[Text]]></s:doctype>
      <category domain="http://www.zdnet.com/topic-enterprise-2-0/">Enterprise 2.0</category>
      <media:text type="html"><![CDATA[<p>BSkyB's head of cybersecurity believes enterprises must work together when facing cybercriminals. To this end, the firm is now sharing information with its rivals.</p>
<p>The Internet service provider and broadcasting firm fell foul of the Syrian Electronic Army (SEA) last week. Sky News apps were compromised and the control of Sky's help team Twitter account was also temporarily stolen before the situation was resolved.</p>
<p>BSkyB is simply the latest in a long line of enterprise businesses, rights groups and media outlets which have been targeted by the SEA. This year, news outlets <em>The Guardian</em> and <em>Associated Press</em> <a href="http://www.zdnet.com/guardian-twitter-accounts-compromised-sea-takes-credit-7000014650/">have been targeted</a>, and the grassroots Syrian hackers have also previously taken umbrage with <em>CBS</em>, <em>The Onion</em> and <em>Reuters</em>.</p>
<p>A member of the SEA's "Special Operations Division" has said that the group "generally targets the most malicious media, especially those who refuse to cover both sides of the war," <a href="http://www.vice.com/en_ca/read/speaking-with-the-sea-about-hacking-the-onions-twitter-account">according to Vice</a>.</p>
<p>Not only have SEA attacks resulted in financial market spikes due to false tweets sent by media outlets, but confusion reigned when an AP tweet declared President Obama had been attacked. The SEA has pledged to target more enterprise firms in the future, despite <a href="http://www.salon.com/2013/05/31/syria_takes_down_syrian_electronic_army_partner/">web hosts severing ties</a> with the pro-Syria collective.</p>
<p>As such threats are unlikely to cease any time soon, the head of cybersecurity at BSkyB, Phillip Davies, believes it is high time firms took matters into their own hands. As <a href="http://www.computerworlduk.com/news/security/3450790/we-are-sharing-info-with-competitors-combat-cyber-threats-says-bskyb/">reported by ComputerWorld</a>, Davies wants to see corporations working together to combat both hacktivist and state-sponsored attacks which can result in service outages, data and IP theft, as well as the battering of a company's reputation.</p>
<p>In relation to the BSkyB cyberattack, Davies said that, "Our biggest problem was in communication, and actually getting hold of [those targeted]. They weren&rsquo;t corporate Twitter accounts, they were individual Twitter accounts, and our biggest problem was getting hold of the people concerned and communicating in a safe and quick way."</p>
<p>BSkyB found that organized cybercriminals, insiders, hacktivists and cybercriminals with a nation-state origin are the top security threats to its business. In light of this, the company is working with other firms to try and both understand and respond to the issue. The cybersecurity chief commented:</p>
<blockquote>
<p>"We are collaborating with others to understand what the hacktivism threats might look like, because that is a growing area. There is often a discussion that hacktivism doesn't necessarily equal an advanced persistent threat, but actually those lines are often blurred. It is about understanding the whole environment, and understanding what threats might be coming our way."</p>
</blockquote>
<p>Although difficult to sell to the board at times, the Internet service provider and broadcasting firm is working with peers and competitors; sharing information and modifying its own security infrastructure based on the collaborative effort. As competitors including ITN are "likely to be hit with the same risks that we are," cross-industry work is important if companies as a whole are going to be able to fend off future cyberattacks.</p>
<p>"We want to take that information away and look at what we have got from the police, security services and so on and pull all of that information together," Davies told the publication. "That is where we are working towards at the moment -- we want to be able to better predict the threats that we face looking beyond our network."</p>
<p>In May, former senior officials in the Obama Administration recommended that businesses be spared from prosecution and be given the permission required to 'hack back' <a href="http://www.zdnet.com/us-urged-to-permit-self-defense-retaliation-on-hackers-7000015731/">at attacking forces</a>. Dennis Blair and Jon Huntsman Jr., leaders of the private Commission on the Theft of American Intellectual Property, said that if less forceful measures to stop cyberattacks and the theft of intellectual property fail, then companies should be able to protect their systems on their own terms.</p>]]></media:text>
    </item>
  </channel>
</rss>
