Security

December 22, 2009 9:40 AM PST

Report: FBI investigating Citibank cyberattack

by Lance Whitney

Citigroup denies it, but its Citibank unit was reportedly robbed of tens of millions of dollars, the victim of a cyberattack by members of a Russian criminal gang, says Tuesday's Wall Street Journal (subscription required).

The attack was discovered this past summer, says the Journal, but investigators for the FBI and National Security Agency believe it could have happened months or a year prior. The two agencies have reportedly shared information with the Department of Homeland Security and Citigroup to defend against the attack. The investigation is supposedly ongoing, with no word on whether or not any of the stolen money has been found.

Investigators initially became suspicious after spotting traffic coming from IP addresses once used by the Russian Business Network, a Russian gang of cybercriminals who went off the radar back in 2007, notes the Journal. But reports have surfaced that members of the gang have since regrouped to launch a wave of new attacks.

One of the tools allegedly used by the hackers to break into Citibank was Black Energy, says the Journal, a $40 piece of software that launches Distributed Denial of Service (DDoS) attacks to prevent access to a specific Web site. Designed by a Russian hacker, Black Energy is commonly sold on certain Russian language forums. But Black Energy is now being sold as part of a $700 kit called the YES Exploit System. The kit includes other crimeware that steals bank account credentials, making it an especially dangerous threat to firms like Citibank.

But Citigroup denies that such an attack ever took place. In a prepared statement e-mailed to CNET, Citigroup said: "Allegations of a breach of Citi systems and associated losses are false. Denial-of-service attacks are directed against companies around the world. While there have been attempts to interfere with the availability of our systems, none of these have resulted in any breaches, compromise of customer information, or losses to Citi."

A company spokesperson further denied any involvement from the FBI. "We had no breach of the system and there were no losses, no customer losses, no bank losses," said Joe Petro, managing director of Citigroup's Security and Investigative services. "Any allegation that the FBI is working a case at Citigroup involving tens of millions of losses is just not true."

Phone calls to the FBI and NSA were not returned.

November 3, 2009 5:19 PM PST

Corporate bank accounts targeted in online fraud

by Elinor Mills

Criminals have tried to steal an estimated $100 million from corporate bank accounts using targeted malware and money mules, the FBI said on Tuesday.

"Within the last several months, the FBI has seen a significant increase in fraud involving the exploitation of valid online banking credentials belonging to small and medium businesses, municipal governments, and school districts," the agency said in a statement.

The FBI is seeing, on average, several new victim complaints and cases every week, according to a report prepared by the Internet Crime Complaint Center and linked to in the FBI release.

Brian Krebs reported on The Washington Post's Security Fix blog last week that the FBI puts losses from online fraud involving malware and money mules at around $40 million. Krebs is keeping a running list of businesses who have been victims of online theft and detailing the attacks.

Here is how the typical scam works. The criminals may find contact information and an organizational chart of a business online, as well as information about who handles the financial transactions for the company or agency. So-called "spear phishing" e-mails are sent to the employees who can initiate funds transfers, either wire transfers or transfers through the Automated Clearing House (ACH) system.

The e-mails contain either an infected file or a link to a Web site hosting malware. Once the file or link is opened, the malware containing a key logger is installed on the recipients' computer. The key logger harvests the user's corporate online banking user name and password and creates another account using that information or initiates a fund transfer masquerading as the authorized user.

The money is typically transferred into accounts opened by willing or unwitting people, known as "money mules," who then forward the deposits overseas. Usually, increments of less than $10,000 are transferred to avoid currency transaction reporting. The money mules are recruited through "work from home" ads or contacted after placing resumes on employment Web sites.

In several cases, banks did not have proper firewalls or antivirus software to protect against such attacks, the FBI said.

Current signature-based anti-virus programs are increasingly ineffective and companies should also consider using heuristic detection, application white listing that allows only known software and libraries to execute on a system, and reducing user privileges, the report advised.

Last week, the Federal Deposit Insurance Corp. (FDIC) issued a warning to banks and financial institutions about the increased use of money mules in unauthorized electronic funds transfers.

"Money mule activity is essentially electronic money laundering...," the FDIC statement said.

Criminals are shifting their focus to stealing online bank credentials from businesses instead of consumers because there is more money in the corporate bank accounts to plunder, according to Amit Klein, chief technical officer of browser security vendor Trusteer.

"Therefore, criminals can transfer larger sums of money, with a lower risk of raising red flags and being detected by a bank's anti-fraud systems which look for anomalous or unusually large withdrawals or wire transfers," he said in a statement. "Unfortunately, small-medium businesses do not have any better browser security mechanisms than consumers to protect their banking credentials from being stolen."

Originally posted at InSecurity Complex

October 7, 2009 4:07 PM PDT

Wife bans FBI head from online banking

by Elinor Mills

Robert Mueller (Credit: James Martin/CNET)

SAN FRANCISCO--No one is immune from cyberthreats, not even the head of the FBI.

FBI Director Robert Mueller was banned by his wife from doing online banking after he nearly fell for a phishing scam, he said on Wednesday during a talk at the Commonwealth Club of California.

He received an e-mail purporting to be from his bank that looked "perfectly legitimate" and which prompted him to verify some information. He started to follow the instructions but then realized that that "might not be such a good idea," he said.

"Just a few clicks away from falling into a classic Internet phishing scam," Mueller "barely caught himself in time" and admitted he "definitely should have known better."

He said he changed his passwords and tried to pass the incident off to his wife as a "teachable moment," but she was having none of it and told him, "It is our money. No more Internet banking for you!"

(He would have benefited from reading Larry Magid's tips for avoiding phishing scams.)

Earlier on Wednesday, the FBI in Los Angeles announced indictments of 100 people in the U.S. and Egypt, and the arrest of 33 people in California, Nevada, and North Carolina as part of "Operation Phish Phry"--the largest cybercrime investigation to date in the U.S.

Egyptian hackers are accused of targeting two U.S. financial institutions in phishing attacks and using the stolen bank account information to get unauthorized access to the accounts, coordinating with associates in the U.S. to transfer the money out of the accounts, the FBI alleges.

The U.S. defendants allegedly recruited "runners" to set up bank accounts where the funds from the compromised accounts could be transferred and withdrawn. There were hundreds or thousands of bank customer victims, the FBI estimated.

"It's the largest international phishing case ever conducted," Mueller said.

Many of the scams come from people in Eastern Europe, he said. To support investigations in Romania, the FBI has agents embedded in the police agencies there and managed to arrest more than 100 people in that country and in the U.S. in the last year, he said.

During a question-and-answer session, Mueller was asked how vulnerable the U.S. is to attacks on its critical infrastructure. The U.S. is "well ahead of just about any country (in) walling off access to outsiders to our most sensitive" systems, he said. Officials have seen instances of cyberattacks by terrorists, but "they have not yet been of the magnitude that would cause us substantial concern," Mueller said.

Meanwhile, terrorists are using things like Google Earth as tools in their mission, he said.

One audience member submitted a comment card saying that the fear of the FBI reading citizen e-mail was greater than the fear of teenage hackers. The FBI does not intercept communications without a court order of some kind, Mueller said. "I would worry about that teenage hacker more than you should worry about us," he added.

"I'm comfortable with the stances we've taken," on balancing civil liberties and national security, he said, adding that he supports the Patriot Act because it "broke down the walls between the intelligence community and law enforcement." He warned people against revealing too much of their lives online, on sites like Facebook.

The personal moments shared with friends as a youth may later "come back to haunt you" during a job search, he said, despite the use of passwords and the supposed anonymity of screen names. "To the extent that you are going to rely on that forever, it's very, very weak security," Mueller said.

"I do not have a Facebook profile," he later added.

Young hackers also shouldn't expect to parlay their computer skills into a legitimate career if they get arrested for breaking into systems and serve time, he warned.

"You hack, you get caught," he said. "You are going to jail... You are not going to get a good job afterward. You are going to be identified as a person who has broken the law."

Asked what keeps him awake at night, Mueller responded: "The threat of a weapon of mass destruction in the hands of a terrorist... One person with access to a biological or chemical agent can cause massive harm."

Related podcast: Symantec Internet safety adviser Marian Merritt discusses how to avoid being a phishing victim.

FBI Director Robert Mueller talks about how the agency fights cybercrime.

(Credit: James Martin/CNET News)
Originally posted at InSecurity Complex

July 10, 2009 3:16 PM PDT

Prosecutor: Cloud computing is security's frontier

by Elinor Mills

FORT BAKER, Calif.--As data moves to the cloud, attackers and thieves will follow, a federal prosecutor said on Friday.

Matthew Parrella, assistant U.S. attorney

(Credit: Elinor Mills/CNET News)

The days of tracking down software counterfeiters in other countries who are selling pirated CDs are numbered as companies increasingly distribute software and store data online via hosted computing services, Matthew Parrella, an assistant U.S. attorney based in San Jose, Calif., said at Symantec's Norton Cyber Crime Day.

"That model of importation of software is becoming obsolete because we're seeing on the horizon cloud computing where so many of these operations are pushed from a user's PC or a user's computer onto Google Docs or Salesforce.com," he said.

Looking ahead five years, "I'm thinking the attack is going to be on cloud computing centers," said Parrella, chief of the computer hacking and intellectual property unit at the U.S. Attorney's Office.

The immediate threat will be attacks to steal data from the servers they are stored on, either remotely or by an insider or someone who gains access to the data center, he said. Later on it's likely any stolen data could be pirated, he said.

Parrella spends a lot of time prosecuting counterfeit software cases, as well as trade secret theft, he said.

His office also has been tracking a botnet for a long time that has grown to include 100,000 or so compromised computers.

"We don't know what it does," he said. "That's the type of threat we're looking to prosecute...malware that may lead to distributed denial of service attacks."

Parrella declined to comment on the most recent DDoS attacks that have targeted Web sites in the U.S. and South Korea since the July 4 weekend.

FBI agent Donna Peterson said her office had seen a "tremendous uptick in large-scale, fairly devastating data breaches," with the biggest heist being close to $10 million stolen in 24 hours.

Cyberthieves "are getting more organized and their technical sophistication is better," she said. "They do what they need to get the job done...if they can use a 5-year-old exploit in conjunction with an exploit that they paid a programmer in another country $60,000 to (write), they will do it."

Cybercriminals can spend anywhere from two to six weeks working to own a corporate target's computer system so completely that "you won't even know that they're there," she said.

Businesses have opened on a Monday morning only to discover that so much money has been stolen since employees went home on Friday that they are no longer solvent and there is no record on their systems of the activity, Peterson said.

Also on the cybercrime panel was San Jose Police Sergeant Edward Schroder, who talked about how he spends his time investigating fraud related to sites like eBay and Craigslist, Nigerian or lottery scams, and money mule or work-from-home scams.

Schroder also said he gets a fair share of cases involving phishing attempts and e-mail extortion cases in which someone's life is threatened if they don't pay the hired killer money.

May 21, 2009 7:55 PM PDT

Mystery virus strikes FBI, U.S. Marshals

by Steven Musil

The FBI and the U.S. Marshals Service were forced to shut down parts of their computer networks after a mystery virus struck the law-enforcement agencies Thursday, according to an Associated Press report.

A spokesperson for the U.S. Marshals Service confirmed that it had disconnected from Justice Department computers as a precaution after being hit with the virus, while an FBI spokesperson would only say that it was experiencing similar issues, according to the report.

"We too are evaluating a network issue on our external, unclassified network that's affecting several government agencies," FBI spokesman Mike Kortan told the AP.

The virus' type and origin are unknown, but spokespeople for both agencies said agencies' access to the Internet and e-mail was shut down while the issue was evaluated.

Government regulations require agencies to report any security issues to US-Computer Emergency Readiness Team (US-CERT), but a call to CERT late Thursday for comment was not immediately returned.

May 15, 2009 5:52 PM PDT

DMCA conviction for seller of bogus Microsoft product keys

by Greg Sandoval

Federal authorities accused Adonis Gladney of selling counterfeit Microsoft product keys, and on Thursday he was convicted of violating the Digital Millennium Copyright Act.

Gladney, 24, is believed to be the first person convicted for DMCA violations dealing with the circumvention of security protections on software, according to Assistant U.S. Attorney Craig Missakian. Typically, product keys are used to activate software and are printed on Certificate of Authenticity labels that accompany legitimate products.

Missakian, who prosecuted the case in Los Angeles along with Assistant U.S. Attorney Wendy Wu, said the conviction is a sign that administrators at the U.S. Justice Department plan to take these kinds of DMCA violations "more seriously."

"The defendant couldn't have executed his scheme without counterfeit access keys," Missakian said. "(The keys) allowed purchasers to load software on multiple computers."

Among those who unwittingly purchased phony keys from Gladney is the United States Marine Corps. Gladney's attorney, Frank Sanes Jr., declined to comment.

Convicted of one count of violating the DMCA and three counts of mail fraud, Gladney could face several years in prison, Missakian said, adding that Gladney's prison term will likely be based on the amount of monetary damage he caused.

"At this point we're still counting," Missakian said.

Gladney, who resides in Los Angeles, would advertise software licenses in large volume on his Web sites, abovegroundsolutions.com or agsolutionsspc.com. Customers paid their money and received licenses, which prosecutors say Gladney claimed legally covered between 25 and 750 users. Gladney would then ship them a CD loaded with software that authorities say was not designated as a retail product for sale to the general public, such as software that typically comes bundled in PCs.

"The licenses were essentially thin air," Missakian said.

The FBI, which spearheaded the investigation on behalf of the Electronic Crimes Task Force, a group that includes several law enforcement agencies, said that Gladney would obtain key codes and then tweak them so he could use them over and over.

"By repeatedly using and distributing the same key codes on multiple products," an FBI agent wrote in court documents, "Gladney is circumventing one of Microsoft's primary security features for legitimate product activation in violation of (trafficking in unauthorized access devices)."

According to the FBI, Gladney managed to turn his illegal enterprise into a cash cow while he was barely 20. Gladney told agents he had earned more than $3 million. Following his arrest, officials seized $74,038 and two custom-built Lamborghinis.

May 7, 2009 4:00 AM PDT

Q&A: FBI agent looks back on time posing as a cybercriminal

by Elinor Mills

In September 2008 police began arresting alleged members of Dark Market, an underground Internet forum for buying and selling credit card data used for identity fraud. The sting wouldn't have been possible without the work of FBI agent J. Keith Mularski who spent two years infiltrating the group.

FBI Special Agent J. Keith Mularski spent two years posing as a cybercriminal as part of an undercover sting operation.

(Credit: U.S. Federal Bureau of Investigation)

Mularski became hacker "Master Splynter," a play on the name of the Teenage Mutant Ninja Turtle character called "Master Splinter," a rat who lives in New York City's sewers. He was so successful in his online disguise that he ended up running the server that hosted the Dark Market forum from his offices at the National Cyber Forensics Training Alliance in Pittsburgh.

Mularski, a supervisory special agent with the FBI's Cyber Initiative & Resource Fusion Unit, spoke about the Dark Market sting during a session at the RSA security conference last month. CNET News caught up with him this week on the telephone to find out what it was like hanging out with cybercriminals.

Q: You were central to the Dark Market sting. Tell me what happened and what role you played.
Mularski: We kicked off an undercover operation to try to penetrate these underground crime groups that are running these forums on the Internet. We developed the persona of a spammer/hacker and I assumed that role. Our intention was to try to penetrate the groups and dismantle them like we would with organized crime. In this case we were very successful in getting to the upper echelons of the Dark Market group and we were actually able to run the server and host all the communications that were going on there to make our cases against the criminals. Worldwide we had 60 arrests. It was a two-year operation and we had arrests in the U.K., Germany, Turkey, and here in the U.S.

What measures did you take to try to prove you were legitimate?
I acquired the reputation of one of the world's top 5 spammers. The Spamhaus Project, which tracks spammers, made a listing for me as being a top spammer and that gave me credibility so that I didn't necessarily have to do any criminal activity. I could talk the talk. If someone wanted me to mail (send spam) for them I would (get out of it by giving them the excuse) that they were too small of a fish. If they were a big fish I'd just say I didn't have any openings or time to work with them.

What sorts of crimes were they doing on Dark Market?
They were doing all sorts of identity theft. They were hacking into companies and stealing credit card numbers and selling them. They were selling counterfeit drivers' licenses and other photo documentation, as well as manufacturing fake credit cards. They were selling harvested bank accounts and brokerage accounts and selling different types of malware or spyware programs or Trojan horses that you could infect peoples' computers with. The whole gamut of the cyber underground was available there. If you needed it you could get it there on the site.

How did being undercover interfere with your life? What extremes did you have to go to to keep up the facade?
I would have to be online all the time, basically, in case someone needed to get ahold of me. If I was at home I would always have a computer on, even while watching TV. If I went on vacation I took the computer with me to make sure I was able to log in. I would tell the (Dark Market) guys I was traveling to go surfing or something like that and I would tell them I'll be online at these times if you need to get me. I had a cell phone connected to a Gmail account and I would tell them if they had to get ahold of me to send an e-mail and it would ping me. It was like that for two solid years almost every day. My wife wasn't too happy about it (chuckling).

No doubt! Was there ever a moment when you thought the jig was up and that they were on to you?
There were a couple of those. We had a problem with our backstopping right at the beginning of the operation when I took over the server. One of our rivals had hacked into the Dark Market server and was looking at who was logging in. He traced the IP address doing a "who is" (lookup) and the phone number connected to our covert IP address, which was supposed to be unlisted but instead it showed the address here at the National Cyber Forensics Training Alliance. By doing some research they determined that the IP address came from this building and they thought it came from me. I had to go on the offensive and say that it wasn't me and that it was already in the server. Eventually they believed me. There were a lot of wars between rival groups at the time. A lot of people were accusing each other of being "feds" and "cops" and I was able to use that to my advantage to create a smoke screen and create doubt.

How were you able to become administrator of the Dark Market server?
I had good relations with the administrator whose alias was "Jilsi." He wasn't a very technical guy and was having problems running the site because it was getting attacked by a rival group. So I told him about my background as a spammer and told him how good I was at setting up sites. I did some demonstrations and set up some test sites to show him I had the skills. Then there was just a lot of talk and rapport building. One night when Dark Market was getting attacked by a rival group I said I was ready and that I could secure the server for him and he said "let's move." That gave me full access to everyone using it and what they were doing.

Any anecdotes to tell about your dealings with these people?
It was like a soap opera. There was constant drama going on. A lot of people were accusing one another of being cops. It was funny being part of the discussion as people were talking about whether so and so was a cop or a fed and I was sitting there knowing full well that the person wasn't. There were a lot of egos, and a lot of funny stories where guys would brag about their close brushes with the law and how close they got to being arrested. You get 20-year-old guys, 30-year-old guys who are single and making a lot of money, so you hear a lot of stories of partying and things like that.

Did you get a sense of what these carders are like as people; what their characters are like?
There are a lot of guys who I think their curiosity just got the best of them and it led them down a dark path. One of the guys, Max Butler, who ran our rival site called Carders Market and used the hacker name Iceman, was arrested in San Francisco. He was very intelligent. He could have been an excellent security expert. He could have given talks at RSA about vulnerabilities. A lot of these guys are just misguided. They get into a hotel and see that they have credit cards and one thing leads to another. I think that's how it all starts off and then they find they can make a lot of money and it becomes a business, a job. If you met them in person they were actually nice guys. I enjoyed a lot of my chat sessions when we were talking about other things, like traveling the world and things like that.

How old are they?
The average guy is in his mid-20s or so. We've seen guys in their 40s. Ages range from 17 to 40something, typically. A lot of the guys who we arrested were in their mid-30s.

How tied to organized crime are they?
One of the guys, "ChaO," kidnapped someone. He viewed himself as a traditional organized crime member. He was connected with organized crime groups in Turkey and they resorted to violence when they kidnapped someone who was talking too much about the operations. We're seeing more of that, especially in Romania. Also in Russia.

Did you hear from any of your former carder cohorts after the arrests?
I heard from sources that they couldn't believe I was an FBI agent. One of the guys whose house we raided wasn't at home and he sent me an expletive-filled message saying 'you're never going to catch me.' I told him he should give himself up rather than spend his life on the run and a week later he turned himself in.

This work sounds kind of dangerous. Did you ever feel you were in danger or are you worried now?
When you are an FBI agent there's always that threat of danger working crimes undercover. We never intended for my name to come out in this operation. But FBI agents' names are in affidavits. There was always that risk that my name could be exposed. It's always in the back of your mind but you try not to think about it.

What impact did the sting have?
It showed that we can get you no matter where you live. We were able to make internal relationships and work cases jointly with law enforcement in other countries. In the future there will be other joint cases in Europe and around the world. You don't necessarily have to be in the U.S. for us to bring you to justice. That is one of the most significant impacts it had. Another one is that it showed these guys that, yes, we do have a presence out there (on the Internet) and the U.S. is serious about targeting cybercrime. We are going to throw our resources at this problem.

How have things changed since you started the Dark Market operation in 2006?
With every operation the bad guys learn more of the undercover techniques that law enforcement is using. Everything that was successful for us in this operation would have to be tweaked because of that. The level of sophistication is so much higher. The days of a cyber investigation where you just track an IP address and that leads you to a hacker's house, those days are long gone. There are many different anonymization services the bad guys are using. The exploits and botnets they are using are so much more sophisticated than they were a couple of years ago. Just two years ago the majority of the botnets were IRC botnets, which are fairly simple. Now we're seeing botnets like the Storm worm that are very sophisticated and running peer-to-peer networks and that makes it harder for us to track down the command and control servers.

Have you been involved in any of the efforts to track down the people behind the Conficker worm?
I can't comment on that.

Anything else to add?
The message I'm trying to preach is that we have international cooperation and that other countries are starting to recognize this problem. Also, the attackers have changed with the emergence of organized crime into these cybercrimes. It's not just an 18-year-old pimply faced kid in his room committing these crimes. These are organized crime groups doing it. It's all about the money now and not just about how elite my hacking skills are to get into this Web site. Profit is driving these groups.

The stakes are higher now for everyone?
Definitely.

November 12, 2008 1:53 PM PST

Express Scripts clients threatened with extortion

by Robert Vamosi

One week after a breached corporate health care company refused to pay extortionists, the criminals now are seeking money from the corporate clients whose employee data might have been exposed.

St. Louis-based Express Scripts said on Tuesday that a limited number of its clients--which include government agencies, unions, and employers--have received letters threatening to expose the personal information of its members. The company said the letters sent to its clients were similar to the original extortion threat it received in October.

The company also said it was establishing a reward totaling $1 million to anyone providing information that results in the arrest and conviction of the criminals responsible.

"We are cooperating fully with the FBI to assist them in their investigation and doing what we can to protect our members," said George Paz, CEO and chairman of Express Scripts, in a statement on the company's site.

In a separate announcement, Express Scripts announced that Kroll, a New York-based risk-consulting firm, has been contracted to offer expert assistance to members who become victims of identity fraud as a result of this incident.

November 6, 2008 4:32 PM PST

Extortion used in Express Scripts database breach

by Robert Vamosi

The customer database of Express Scripts, a company used by employer health care services to provide prescription medicine by mail, has been breached. In a twist, the company said it learned of the breach in "a letter from an unknown person or persons trying to extort money from the company."

The company posted details on its Web site Thursday. The letter, received in October, threatened to reveal millions of customer records--including Social Security numbers, addresses, dates of birth, and in some cases, prescription information--on the Internet if the extortion demands were not paid. The company did not disclose what those demands were.

Graham Cluley, of security software maker Sophos, told CNET News that Express Scripts did things right. "It appears they have not paid up." He noted that's important with data theft because the criminals have the data in their possession and can keep going back to the company to get more and more money. Second, Express Scripts went to the FBI and decided to go public about the breach.

"We have identified where the data involved in this situation was stored in our systems and have instituted enhanced controls," Express Scripts said on its site.

Cluley said: "I think it's going to be old-fashioned police work that gets to the bottom of this." For example, it's possible the sender of the extortion request and the attacker used the same servers.

Usually extortion is used in connection with denial-of-service attacks, when the criminals have nothing of value except the sheer volume of data to spew at a targeted site. A letter is sent asking for money in exchange for ending that attack.

This, however, is an old-school data theft. The criminals presumably have millions of customer details that can be sold on the Internet. But Cluley notes that "people's identities sell for a relatively small amount, and if you go to an auction site on the Web and try to barter on that, you might not get that much as you might potentially get by embarrassing a company."

A few weeks ago, Sophos noted a similar data breach/extortion attempt at a North American Maserati dealership. Still, Cluley said he does not think this was the beginning of a trend.

Cluley said the thieves in this case might not be connected with the established "carder" world, where personal identities are bought and sold online. "Maybe this is an accidental data leakage, something they stumbled across, maybe they're not part of the criminal community, and they're just taking their chances."

Express Scripts said it will notify affected customers in compliance with state regulations.

Originally posted at Defense in Depth

November 5, 2008 11:46 AM PST

Campaign PCs of Obama, McCain cyberattacked

by Robert Vamosi

Last summer, Sen. Barack Obama's presidential-campaign computers came under cyberattack from an "unknown entity." His machines weren't alone; John McCain's computers were also attacked, according to a report appearing Wednesday on the site of Newsweek magazine.

The Obama attack was initially thought to be a piece of malware downloaded from a phishing site. Newsweek reports that "the next day, both the FBI and the Secret Service came to the campaign with an ominous warning: 'You have a problem way bigger than what you understand,' an agent told them. 'You have been compromised, and a serious amount of files have been loaded off your system.'"

The McCain campaign's computer system was also compromised over the summer. Newsweek confirmed with a top McCain official that the FBI had become involved. A federal investigation into both attacks is under way.

According to Newsweek Editor at Large Evan Thomas, the FBI and White House officials told the Obama campaign that a foreign entity or organization was likely responsible, not political opponents. Independently, Obama technical experts have speculated that the hackers were Russian or Chinese. The files accessed appear to be policy-related and thus potentially useful in future negotiations with a new presidential administration.

Earlier this year, during the primaries, an online prank had the Obama campaign site redirected to Sen. Hillary Clinton's campaign site.

The Newsweek report is part of a special edition that will be on newsstands November 6 through 16, and online November 5 through 7.

Originally posted at Defense in Depth