Category Archives: Security
You think you understand how the Patriot Act allows the government to spy on its citizens. Sen. Ron Wyden says it’s worse than you know.
Congress is set to reauthorize three controversial provisions of the surveillance law as early as Thursday. Wyden (D-Oregon) says that whatever powers those provisions grant the government on their face, the government applies a far broader legal interpretation — an interpretation that the government has conveniently classified, so it cannot be publicly assessed or challenged. One prominent Patriot-watcher asserts that the secret interpretation empowers the government to deploy “dragnets” for massive amounts of information on private citizens; the government portrays its data-collection efforts much differently.
“We’re getting to a gap between what the public thinks the law says and what the American government secretly thinks the law says,” Wyden told Danger Room in an interview in his Senate office. “When you’ve got that kind of a gap, you’re going to have a problem on your hands.”
What exactly does Wyden mean by that? As a member of the intelligence committee, he laments that he can’t precisely explain without disclosing classified information. But one component of the Patriot Act in particular gives him immense pause: the so-called “business-records provision,” which empowers the FBI to get businesses, medical offices, banks and other organizations to turn over any “tangible things” it deems relevant to a security investigation.
“It is fair to say that the business-records provision is a part of the Patriot Act that I am extremely interested in reforming,” Wyden says. “I know a fair amount about how it’s interpreted, and I am going to keep pushing, as I have, to get more information about how the Patriot Act is being interpreted declassified. I think the public has a right to public debate about it.”
That’s why Wyden and his colleague Sen. Mark Udall offered an amendment on Tuesday to the Patriot Act reauthorization.
The amendment, first reported by Marcy Wheeler, blasts the administration for “secretly reinterpret[ing] public laws and statutes.” It would compel the Attorney General to “publicly disclose the United States Government’s official interpretation of the USA Patriot Act.” And, intriguingly, it refers to “intelligence-collection authorities” embedded in the Patriot Act that the administration briefed the Senate about in February.
Wyden says he “can’t answer” any specific questions about how the government thinks it can use the Patriot Act. That would risk revealing classified information — something Wyden considers an abuse of government secrecy. He believes the techniques themselves should stay secret, but the legal rationale for their use under the Patriot Act ought to be disclosed.
“I draw a sharp line between the secret interpretation of the law, which I believe is a growing problem, and protecting operations and methods in the intelligence area, which have to be protected,” he says.
Surveillance under the business-records provisions has recently spiked. The Justice Department’s official disclosure on its use of the Patriot Act, delivered to Congress in April, reported that the government asked the Foreign Intelligence Surveillance Court for approval to collect business records 96 times in 2010 — up from just 21 requests the year before. The court didn’t reject a single request. But it “modified” those requests 43 times, indicating to some Patriot-watchers that a broadening of the provision is underway.
Story Continues -> There’s a Secret Patriot Act, Senator Says
Watch out for these cyberattacks that can turn smartphones into texting botnets, shut off electricity, jam GPS signals and more
Computerworld - Hackers never sleep, it seems. Just when you think you’ve battened down the hatches and fully protected yourself or your business from electronic security risks, along comes a new exploit to keep you up at night. It might be an SMS text message with a malevolent payload or a stalker who dogs your every step online. Or maybe it’s an emerging technology like in-car Wi-Fi that suddenly creates a whole new attack vector.
Whether you’re an IT manager protecting employees and corporate systems or you’re simply trying to keep your own personal data safe, these threats — some rapidly growing, others still emerging — pose a potential risk. Fortunately, there are some security procedures and tools available to help you win the fight against the bad guys.
1. Text-message malware
While smartphone viruses are still fairly rare, text-messaging attacks are becoming more common, according to Rodney Joffe, senior vice president and senior technologist at mobile messaging company Neustar and director of the Conficker Working Group coalition of security researchers. PCs are now fairly well protected, he says, so some hackers have moved on to mobile devices. Their incentive is mostly financial; text messaging provides a way for them to break in and make money.
Khoi Nguyen, group product manager for mobile security at Symantec, confirmed that text-message attacks aimed at smartphone operating systems are becoming more common as people rely more on mobile devices. It’s not just consumers who are at risk from these attacks, he adds. Any employee who falls for a text-message ruse using a company smartphone can jeopardize the business’s network and data, and perhaps cause a compliance violation.
“This is a similar type of attack as [is used on] a computer — an SMS or MMS message that includes an attachment, disguised as a funny or sexy picture, which asks the user to open it,” Nguyen explains. “Once they download the picture, it will install malware on the device. Once loaded, it would acquire access privileges, and it spreads through contacts on the phone, [who] would then get a message from that user.”
In this way, says Joffe, hackers create botnets for sending text-message spam with links to a product the hacker is selling, usually charging you per message. In some cases, he adds, the malware even starts buying ring tones that are charged on your wireless bill, lining the pocketbook of the hacker selling the ring tones.
Another ruse, says Nguyen, is a text-message link to download an app that supposedly allows free Internet access but is actually a Trojan that sends hundreds of thousands of SMS messages (usually at “premium SMS” rates of $2 each) from the phone.
Article continues -> Six Rising Threats from cybercriminals
The US government worries that terrorists could take down the country’s electrical grid just by hitting a small node in the system. But a new study reveals the grid is too unreliable for that kind of attack.
Last year, network theorists published some papers suggesting that terrorists could take down the entire US electrical grid by attacking a small, remote power station. But new research shows that network theory models, which are great for analyzing many complex systems, don’t work for patchwork systems like the US electrical grid. Basically, the grid was set up so haphazardly that you’d have to take out a major node before you’d affect the entire thing. (Want to see a map of the US electrical grid? Check out this one on NPR.)
Science Daily sums up:
[The] electric grid is probably more secure than many people realize — because it is so unpredictable. This, of course, makes it hard to improve its reliability (in another line of research, Hines has explored why the rate of blackouts in the United States hasn’t improved in decades), but the up-side of this fact is that it would be hard for a terrorist to bring large parts of the grid down by attacking just one small part.
The researchers based their conclusions on real-world data from the power grid in the eastern U.S.
Read the full scientific paper via Chaos: An Interdisciplinary Journal of Nonlinear Science (via Science Daily)
By Annalee Newitz
By Tim Stevens
We think you’re going to be hearing a lot about this one over the next few days… or weeks. A team of researchers at the University of Washington and the University of California San Diego have determined that, with physical access to your car’s ECU, a hacker could “adversarially control a wide range of automotive functions and completely ignore driver input — including disabling the brakes, selectively braking individual wheels on demand, stopping the engine, and so on.” For example, the team was able to connect a computer to a car’s OBD-II port, access that computer wirelessly, and then disable the brakes in the first car while driving down the road in a separate vehicle. The conclusion is that these in-car systems have few if any safeguards in place and, with physical access, nearly anything is possible. The solution, of course, is to prevent physical access. So, if you see a hacker hanging around in your car looking all shady, or a laptop computer sitting in the footwell that totally wasn’t there before, well, you know who to call.
In mid-April, a coalition of privacy groups filed a brief in federal district court in Colorado, defending Yahoo against attempts by the federal government to obtain the contents of Yahoo Mail messages without first obtaining a warrant. One month earlier, the Justice Department filed a 17-page brief arguing that Yahoo Mail messages do not fall under current statutory protection because, once opened, those messages are not considered to be in “electronic storage.”
The privacy coalition—which included Google—came to Yahoo’s defense, arguing that users with e-mail stored in the cloud have a reasonable expectation of privacy in the contents of that e-mail, and should thus be protected from warrantless searches by the government. (Hopefully the irony of Google opposing robust searches is not lost on Google’s attorneys.)
Unfortunately, the protections afforded by the warrant requirement have not yet been fully extended to the digital “cloud.” This handy metaphor for the ethereal Internet as a storage and access hub is coming to have other implications: can we really conceal our data inside this cloud, shielding it from government intrusion?
In fact, there is not even any guarantee that e-mails stored locally on a personal home computer will be afforded such protection. But as this novel question has remained unanswered by the sloth-like pace of legal innovation, a dozen more questions have cropped up. Meanwhile, the technological innovators are demanding faster answers.
The Fourth Amendment and reasonable expectations of privacy
The Fourth Amendment to the US Constitution provides that the people shall “be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures…” The Fourth Amendment also provides a method by which an otherwise unreasonable search might be characterized as “reasonable” and, therefore, constitutionally valid: by aid of a warrant, issued “upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”
Requiring law enforcement to properly justify itself before conducting invasive searches offers an essential layer of constitutional privacy protection which, if breached, renders the improperly seized evidence inadmissible in court against the person whose privacy was violated. But a warrant is not always necessary to make a search reasonable. In some situations a search and seizure is reasonable without the need for a warrant, such as when items are in plain view, or when a person consents to being searched.
Over time, the courts have developed a standard for determining when a search requires a warrant and when it is reasonable on its own. This standard, which requires a warrant only if there exists a “reasonable expectation of privacy,” originated from a 1967 Supreme Court case involving the wiretapping of a phone booth. In that case, because the phone booth had a door which could be shut behind the user, he was deemed to have reasonably expected that nobody was listening in. The presence of a physical barrier also acted as a legal one.
The “reasonable expectation of privacy” test actually has two requirements. First, the person must have had a subjectively reasonable expectation that the item was private. Second, that item must also be something that society in general is willing to objectively recognize as reasonably private. In other words, it’s not enough that you think your fenced-in backyard is private if society as a whole would find it unreasonable to think so. Sunbathers beware.
Nuances in this standard have developed in the years since the phone booth case. One such nuance is the “third-party doctrine.” For example, the police do not need a warrant to obtain a list of the phone numbers you have dialed and when those calls were made, because, unlike the content of your calls, the transactional data is part of the business records of a third party—the service provider.
Similarly, receipts and checks exchanged with a bank or retailer are not considered to enjoy Fourth Amendment protection, because society is not prepared to reasonably expect privacy in those documents. This third-party doctrine has narrowed the situations in which a warrant is required to conduct a search.
Of course as the courts have narrowed these protections vis-à-vis the Constitution, Congress has passed legislation fortifying the constitutional protections and filling in the gaps created by new technologies. But there are two major problems with those fortifications. First, statutes can be overturned or repealed, whereas constitutional protections provide more permanent safeguards. Second, most of these laws are decades old and have hardly been updated to account for changing technologies.
Among these laws is the Stored Communications Act (SCA), which was passed in 1986. The SCA is at the heart of the dispute between Yahoo and the Justice Department, and the government’s position is that e-mails in the cloud that have already been opened are no longer in “electronic storage,” and thus fall outside the protection of the statute.
Updating these statutes is one short-term option. But, just as Google and the other groups defending Yahoo have argued, there is a basis for interpreting the “reasonable expectation of privacy” standard to cover these new cloud computing and storage uses, shielding at least parts of the cloud with the protection of the warrant requirement.
The differing evolutions of technology and law
The linchpin in extending Fourth Amendment protection to the cloud rests with the reasonableness of society’s expectations governing privacy in the cloud. But societal expectations change over time, especially as technology and our uses of that technology change.
With massive increases in bandwidth, wireless access, and mobile device use over the past decade, remote storage (and cloud computing generally) has changed the way in which the Internet is used. Rather than being a purely public medium, the Internet has become a means of private storage and mobile or remote access.
This is in stark contrast to ten or fifteen years ago, when data was often uploaded for the intended purpose of sharing it with a mass audience. Bandwidth and access limitations made it unfeasible for everyday Internet users to rely on the cloud to efficiently store and access their private files, and mobile devices were not yet powerful enough or pervasive enough for consumers to even need such “everywhere access.”
Unfortunately, the law generally does not evolve as quickly as technology. The 1967 phone booth case was the first time telephone conversations were recognized as constitutionally protected from unreasonable searches—nearly one hundred years after the telephone was invented. The Internet and cloud computing have taken a fraction of that time to reach wide market penetration, and show little sign of slowing down. But since Moore’s Law does not apply to legal innovation, the disparities between technology and the law are likely to become even greater.
Take, for example, the case City of Ontario v. Quon, currently pending before the US Supreme Court. Although the case is not precisely within the scope of what we often think of as “cloud computing” (online storage and manipulation of e-mails, photos, documents, and so on), it deals in a similar realm—the storage of text messages within the servers of a service provider. The city of Ontario, California, contracted with Arch Wireless to provide text messaging services for, among others, the city’s police department. Although the police department had no official policy regarding use of the pagers for personal versus work-related messaging, the unofficial policy was that if an officer went over the limit but paid the overcharge fee, their messages would not be audited.
The department later decided it would audit some of these texts and found a significant number of sexually explicit personal messages. Several officers sued, claiming their Fourth Amendment rights were violated because the department, being an agent of the government, should have been required to obtain a warrant first. The district court and the Ninth Circuit Court of Appeals both agreed that the officers had a reasonable expectation of privacy in the content of their texts, and analogized the stored text messages to e-mail, among other things.
The Supreme Court just heard oral arguments in Quon on April 19th, and based on the Justices’ questions and demeanors, they did not seem overly sympathetic to the officers’ privacy concerns—at least not enough to extend Fourth Amendment protections to their stored text messages. In part this may be because the facts in this case were simply not compelling enough; society is likely not prepared to recognize that police officers should have an expectation of privacy in their city-issued (and taxpayer-funded) work pagers.
Though the future of Fourth Amendment protection in the cloud will probably not be foreclosed by this case, it may create a hurdle for privacy groups and entities such as Yahoo and Google who are looking for more favorable Fourth Amendment treatment by the Supreme Court. The Court’s decision in Quon should come out later this summer. Whatever the ultimate decision may be, these groups will undoubtedly be looking for any……
by Greg Sandoval
Visa, one of the world’s largest credit card companies, is taking aim at “scam” marketing practices that were quietly used by some of the Internet’s largest retailers in recent years.
Retailers will no longer be able to allow third parties to charge a customer’s card without the card owner re-entering credit card information, Visa said Tuesday. This is Visa’s response to one of the biggest scandals to rock online retailing in years.
Last year, the U.S. Senate Committee on Commerce, Science, and Transportation launched an investigation after learning that thousands of consumers had complained about receiving mysterious credit card charges.
The committee concluded that millions of consumers were misled into signing up for so-called loyalty programs with the help of companies such as Classmates.com, Continental Airlines, Priceline, Orbitz, Buy.com, and many others. Lawmakers said during hearings that these merchants had made an unholy but profitable alliance with one or more of three so-called post-transaction marketing firms: Webloyalty, Affinion, and Vertrue.
Under most of the agreements between the marketing firms and retailers, an advertising page is presented to shoppers while they complete a transaction at the retailer’s online store. Many shoppers say they entered their e-mail address and pushed a large “Yes” button on the ad because it appeared to be a $10 cash-back offer or coupon. Many of those who complained say they thought they were being rewarded by the retailer for making a purchase.
Buried in the fine print are the full terms of the deal. Customers are notified that by providing their e-mail address they are joining a membership program and agreeing to pay one of the marketing firms a monthly fee, typically between $10 and $20. Many people said they didn’t see this notice.
Visa’s new requirement is designed to send a “clear signal to cardholders that a second purchase is being initiated and protects them from questionable marketing practices,” the company said.
With the government leaning on them, many of the merchants involved have severed ties with the post-transaction marketers, which have also taken steps to alter their business practices. They haven’t gone far enough, however, critics have said.
By Joshuah Bearman
The plane slowed and leveled out about a mile aboveground. Up ahead, the Viennese castle glowed like a fairy tale palace. When the pilot gave the thumbs-up, Gerald Blanchard looked down, checked his parachute straps, and jumped into the darkness. He plummeted for a second, then pulled his cord, slowing to a nice descent toward the tiled roof. It was early June 1998, and the evening wind was warm. If it kept cooperating, Blanchard would touch down directly above the room that held the Koechert Diamond Pearl. He steered his parachute toward his target.
A couple of days earlier, Blanchard had appeared to be just another twentysomething on vacation with his wife and her wealthy father. The three of them were taking a six-month grand European tour: London, Rome, Barcelona, the French Riviera, Vienna. When they stopped at the Schloss Schönbrunn, the Austrian equivalent of Versailles, his father-in-law’s VIP status granted them a special preview peek at a highly prized piece from a private collection. And there it was: In a cavernous room, in an alarmed case, behind bulletproof glass, on a weight-sensitive pedestal — a delicate but dazzling 10-pointed star of diamonds fanned around one monstrous pearl. Five seconds after laying eyes on it, Blanchard knew he would try to take it.
The docent began to describe the history of the Koechert Diamond Pearl, better known as the Sisi Star — it was one of many similar pieces specially crafted for Empress Elisabeth to be worn in her magnificently long and lovely braids. Sisi, as she was affectionately known, was assassinated 100 years ago. Only two stars remain, and it has been 75 years since the public had a glimpse of…
Blanchard wasn’t listening. He was noting the motion sensors in the corner, the type of screws on the case, the large windows nearby. To hear Blanchard tell it, he has a savantlike ability to assess security flaws, like a criminal Rain Man who involuntarily sees risk probabilities at every turn. And the numbers came up good for the star. Blanchard knew he couldn’t fence the piece, which he did hear the guide say was worth $2 million. Still, he found the thing mesmerizing and the challenge irresistible.
He began to work immediately, videotaping every detail of the star’s chamber. (He even coyly shot the “No Cameras” sign near the jewel case.) He surreptitiously used a key to loosen the screws when the staff moved on to the next room, unlocked the windows, and determined that the motion sensors would allow him to move — albeit very slowly — inside the castle. He stopped at the souvenir shop and bought a replica of the Sisi Star to get a feel for its size. He also noted the armed guards stationed at every entrance and patrolling the halls.
But the roof was unguarded, and it so happened that one of the skills Blanchard had picked up in his already long criminal career was skydiving. He had also recently befriended a German pilot who was game for a mercenary sortie and would help Blanchard procure a parachute. Just one night after his visit to the star, Blanchard was making his descent to the roof.
Aerial approaches are a tricky business, though, and Blanchard almost overshot the castle, slowing himself just enough by skidding along a pitched gable. Sliding down the tiles, arms and legs flailing for a grip, Blanchard managed to save himself from falling four stories by grabbing a railing at the roof’s edge. For a moment, he lay motionless. Then he took a deep breath, unhooked the chute, retrieved a rope from his pack, wrapped it around a marble column, and lowered himself down the side of the building.
Carefully, Blanchard entered through the window he had unlocked the previous day. He knew there was a chance of encountering guards. But the Schloss Schönbrunn was a big place, with more than 1,000 rooms. He liked the odds. If he heard guards, he figured, he would disappear behind the massive curtains.
The nearby rooms were silent as Blanchard slowly approached the display and removed the already loosened screws, carefully using a butter knife to hold in place the two long rods that would trigger the alarm system. The real trick was ensuring that the spring-loaded mechanism the star was sitting on didn’t register that the weight above it had changed. Of course, he had that covered, too: He reached into his pocket and deftly replaced Elisabeth’s bejeweled hairpin with the gift-store fake.
Within minutes, the Sisi Star was in Blanchard’s pocket and he was rappelling down a back wall to the garden, taking the rope with him as he slipped from the grounds. When the star was dramatically unveiled to the public the next day, Blanchard returned to watch visitors gasp at the sheer beauty of a cheap replica. And when his parachute was later found in a trash bin, no one connected it to the star, because no one yet knew it was missing. It was two weeks before anyone realized that the jewelry had disappeared.
Later, the Sisi Star rode inside the respirator of some scuba gear back to his home base in Canada, where Blanchard would assemble what prosecutors later called, for lack of a better term, the Blanchard Criminal Organization. Drawing on his encyclopedic knowledge of surveillance and electronics, Blanchard became a criminal mastermind. The star was the heist that transformed him from a successful and experienced thief into a criminal virtuoso.
“Cunning, clever, conniving, and creative,” as one prosecutor would call him, Blanchard eluded the police for years. But eventually he made a mistake. And that mistake would take two officers from the modest police force of Winnipeg, Canada, on a wild ride of high tech capers across Africa, Canada, and Europe. Says Mitch McCormick, one of those Winnipeg investigators, “We had never seen anything like it.”
In Depth article Continues ->
by CBS Interactive staff
At a warehouse in New Jersey, 6,000 used copy machines sit ready to be sold. CBS News chief investigative correspondent Armen Keteyian reports that almost every one of them holds a secret.
Nearly every digital copier built since 2002 contains a hard drive, like the one in your personal computer, storing an image of every document copied, scanned, or e-mailed by the machine.
In the process, it’s turned an office staple into a digital time-bomb packed with highly personal or sensitive data.
Read more of “Digital Photocopiers Loaded With Secrets” at CBSNews.com, or follow the link to watch the video.