
Telecom Granted Spying Immunity by Senate

The Senate approved a bill today that will finally provide some guidance on procedures for government eavesdropping under what the Bush Administration has dubbed its “terrorist surveillance program.” The bill provides that any future surveillance be approved by the non-public United States Foreign Intelligence Surveillance Court.

Of particular note in the bill is the fact that telecom companies were granted immunity for providing assistance to the Bush Administration so long as they can show that they were given assurances from the Administration that the eavesdropping was legal.

Opinions were mixed about this immunity. Senator Patrick Leahy noted that the bill “does not provide accountability for the six years of illegal, warrantless wiretapping initiated and approved by this administration.” Others note that telecommunication firms were placed in difficult positions; either obey the administration or suffer the political consequences. Of course, AT&T and Verizon Communications, among others, have very large legal departments that could easily have vetted the issue by asking for clarification from the federal courts in a protected, non-public manner. The fact that these firms turned a blind eye to their customers’ civil rights is problematic.

If blanket immunity is not appropriate, what is? Appreciating the unique circumstances, perhaps Congress could have split the baby, capping economic damages, but allowing lawsuits to continue. There is little question that civil liberties were violated in this case. Granting a total pass on liability for telecommunications companies that turned a blind eye to these issues was not the best policy choice.


FBI Pushes for ISP Data Retention

The FBI is renewing its push for legislation that would mandate that ISPs keep records of their users’ activities for longer periods of time. Records retained would be available for review by police in cases where a search of such records is warranted. The FBI’s proposed retention period is two years. Types of data retained could be as minimal as the IP addresses assigned to each customer or as detailed as web sites visited, instant messaging logs, and more. The devil is in the details, of course, and both the retention period and the types of data requiring retention would likely be modified if any serious legislation began to move forward.

The question: is this good policy? The Justice Department has its points. More comprehensive records would allow a case to be built more quickly against a potential terrorist or other online criminal. It’s hard to argue that a greater pool of data would not be effective in deterring crime.

On the other hand, the privacy problems are enormous. The vast majority of ISP customers will never need to be investigated by law enforcement for any reason. Regardless, these customers’ actions would be retained by ISPs for quite some time.

ISPs, already inundated with spam, additional resource loads, and a host of other problems, would also bear a much greater burden. While hardware for data storage is less and less expensive by the day, it is nonetheless an additional cost. The increased administrative burden related to management of the data is also a strain that few ISPs will welcome.

While the FBI may get its way in part, privacy interests and the preferences of ISPs will likely lead to less than the FBI is seeking.


Open Source Fears Fuel Microsoft Pirating Policy

Microsoft is reassessing security systems that disable pirated programs on users’ computers in favor of the approach employed by “trialware” and “shareware”: constant nagging.

While the current version of Microsoft’s Genuine Advantage tool will disable pirated software, the newer version being released with Vista’s first Service Pack will instead display warnings, constant reminder bubbles, and similar “nags” to a user, but will not disable the software.

Microsoft says it wants to create “opportunity” for customers to “get legal” with the new policy, even offering very substantial price cuts on Vista Home Premium to users of pirated software. While that is likely some part of the story, the very apparent “unspoken” reason is Microsoft’s fear that its current policy drives customers to competitors, such as Apple and open source alternatives like Ubuntu.

Microsoft understands that much of its success depends on Windows® being the de facto OS in the marketplace, even when it is illegally employed by users. The more Windows® users there are, the more likely it is that third party software will be developed with Windows® as the standard operating system. The more third party software is available for Windows®, the more likely a user will purchase Microsoft’s OS.

Given its change in direction, Microsoft seems to have now correctly determined that being a standard in an industry has greater value than a few million additional paid licenses. Settling for being a standard is better than having nothing if users, even the illegal ones, move to competing operating systems.


Hackers Target US Networks

About 140 foreign intelligence organizations are trying to hack into the computer networks of the U.S. government and U.S. companies, a top counterintelligence official has reported. The official, Joel Brenner, warned that hackers could create chaos by manipulating information in the electronic systems that the government, military and private industry rely on.

The number of hackers worldwide has been growing at an alarming rate. Even more alarming is the continued ineffectiveness of United States security policy. While governments such as France and others are taking positive steps to improve their security, the U.S. has inefficient laws that take a “reactive” stance.

Particularly given the United States’ status as a primary hacking target, U.S. law and policy must be more “proactive” in finding such organizations. More particularly, the U.S. must understand that cutting off the funding sources for these groups would provide a good start.

Bottom Line: The United States must understand that the next September 11th type of attack will be electronically based. Setting standards of security for networks and critical computer systems is not a convenience, but a necessity.


Wal-Mart Begins Selling DRM-Free Music

As CyberLawg previously discussed, the dominant iTunes is beginning to see substantial competition, buoyed by Apple’s restrictive digital rights management (DRM) on its downloads.

The newest competitor is Wal-Mart, which has the power to redefine a market based on its massive retailing power. The retail giant has announced that it will begin selling DRM-free music online for much less than that offered by iTunes. While iTunes sells its DRM-free music for $1.29, Wal-Mart’s current pricing has DRM-free music at only 94 cents, even less than the price charged by iTunes for DRM-protected music.

Bottom Line: While Wal-Mart’s entry is likely “promotionally priced” and the library is more limited than other services, it is increasingly apparent that DRM-protected music will likely not win out in the marketplace unless it is priced LESS than similarly available DRM-free music. Whether iTunes and the major labels will react to this shift in the marketplace is less a question of “if” and more a question of “when.” Consumers have made it clear that DRM is not palatable to their needs, and certainly not when it is sold at a premium price.


Spam, Trojans, Law and Terrorism

A new study suggests that certain phishing and spamming operations are filtering their proceeds directly into terrorist cells that plan to attack the United Kingdom and United States.

The men behind the operation in the study used stolen credit cards, obtained via phishing schemes, to purchase necessary materials. The men then used the stolen credit cards to launder money through online gambling sites, including AbsolutePoker.com, BetFair.com, BetonBet.com, Canbet.com, Eurobet.com, NoblePoker.com, ParadisePoker.com and others.

Investigators estimated that the practices led to as much as $3.5 million in fraudulent charges on credit cards obtained through phishing schemes. Other funds were obtained through the distribution of Trojan horses, which are typically sent via spam e-mail and allow the schemers to take control of end-users’ computers.

While this is concerning enough, one investigator is quoted in the story as stating:

There is no law enforcement agency in the world that, if this wasn't a terrorism financing case, would follow up on this. They just don't have the resources.

This story brings salience to the largely misguided cybercrime policy in the United States.

First, despite there being numerous private parties capable of tracking and analyzing the patterns of such criminals, the policy of the United States has largely destroyed the incentive for private parties to pursue these networks. Proposals for "bounties" paid by government to private investigators have been rejected, and stronger state laws providing statutory damages and incentives for "private attorneys general" have been gutted by inferior laws such as CAN-SPAM. This despite the fact that law enforcement knows that it simply cannot investigate every cyber crime matter alone, as the quoted investigator admits.

Second, the United States' recent decision to effectively ban online gambling for American citizens, in violation of WTO rules, has meant that these online gambling sites have been forced into the proverbial shadows. In addition to rejecting the very large pool of income that would come from regulating and taxing these sites, the U.S. policy means that gambling sites become much more palatable to terrorism because the transactions are unregulated and the sites already actively seek to avoid the auspices of law enforcement.

Bottom Line: While cyber criminals are taking advantage of unregulated technology and underfunded authorities, the United States is letting simple and effective procedures for combating these schemes lie untapped. One can only hope that regulators recognize the easily implemented opportunities to combat such schemes before another major terrorist attack, funded via similar means, strikes the United States or United Kingdom.


China Military Rising in Cyberspace

Yet another example of the United States’ weakness in protecting its citizens from cybercrime and cyberwarfare is the Defense Department’s recent report on China’s growing ability to challenge the United States in "electromagnetic dominance" in conflicts.

China has (correctly) identified the power of viruses, denial of service (DoS) attacks and network security as critical in wars or conflicts. The Chinese army has established information warfare units to develop viruses to attack enemy computer systems and networks, and has also developed electronic countermeasures and defenses against electronic attack, including infrared decoys, angle reflectors and false-target generators.

China’s current development has been attributed to a mix of criminals, hackers and "nation-state" forces. The report also notes that China and most other U.S. networks were constantly attempting to access US networks for trade and defense secrets.

Bottom Line: The United States has been lax on cyber-security for too long. The inefficient and ineffective regulations have mostly affected businesses and consumers to this point, but it is apparent that national security risks should become more salient to lawmakers and the military when considering cybersecurity policy.


Internet Spyware Prevention Act of 2007

The House of Representatives recently passed the Internet Spyware (I-SPY) Prevention Act of 2007. The bill amends the federal criminal code to prohibit intentionally accessing a protected computer without authorization, or exceeding authorized access, by causing a computer program or code to be copied onto the protected computer, and intentionally using that program or code: (1) in furtherance of another federal criminal offense; (2) to obtain or transmit personal information (including a first or last name, physical address, Social Security number or other government-issued identification number, a bank or credit card number, or an associated password or access code) with intent to defraud or injure a person or cause damage to a protected computer; or (3) to impair the security protection of that computer.

The Bill goes on to express the Sense of Congress that the Department of Justice should vigorously pursue claims against. Unfortunately, the bill also prohibits civil actions under state law.

Bottom Line: Congress is correct to continue addressing cybercrimes and cybertorts via legislation. The decision to prevent civil actions under state law, however, is misguided. Instead of allowing consumers to address their losses in a private fashion, victims of spyware must depend on already overburdened law enforcement authorities under this legislation.


Cyber Security Enhancement Act of 2007

A bill has been introduced in the United States Congress to shore up penalties and provide additional funding for fighting cyber crimes. The bill, HR 2290 in the 110th Congress, expands the scope of 18 USC 1030, entitled “fraud and related activity in connection with computers.” That section provides ramifications, both civil and criminal, for unauthorized computer access. The proposed bill would expand and redefine several portions of 1030 to allow for greater enforcement of cybercrimes.

First, 1030(a)(2) would prevent an unauthorized user from obtaining “(D) a unique electronic identification number, address or routing code, or access device (as defined in section 1029(e)(1)), from a protected computer.” This means that liability would attach if someone accessed your bank account details, social security number or similar electronic identification information via unauthorized access to a protected computer.

The bill also expands the use of the full interstate and foreign commerce power for criminal penalties. The current version of 1030 requires that the conduct involve an interstate or foreign communication, which typically requires communications traveling between different states or countries. The bill would amend this provision to require only that the communication “affect” interstate commerce. This expands the applicability of 1030 to communications occurring within the same state, for example.

The proposed legislation also requires that damages or fines shall be any benefits obtained as a result of the conduct. If a hacker stole $10,000 via a protected computer, that would be the amount of the fine, in addition to any jail time or other ramifications.

Furthermore, damage affecting ten or more protected computers during any 1-year period would now be actionable, in addition to the previous provisions, which required $5,000 or more in damage to one person in one year, or “clear and present dangers” such as threats to personal safety or public safety. This is a particularly good provision because it addresses some of the most prevalent cyber security problems such as phishing, spamming and spyware. Now, if as few as 10 computers are affected in interstate commerce, Section 1030 would be a tool against a wrongdoer.

The bill also expressly defines any activity under 1030 to be a “racketeering activity” under RICO, expands liability to conspirators, and expands the cyber extortion provisions of 1030. Finally, the bill provides $10,000,000 to the Director of the United States Secret Service, $10,000,000 to the Attorney General for the Criminal Division of the Department of Justice and $10,000,000 to the Director of the Federal Bureau of Investigation for purposes of stepping up enforcement of cybercrime.

Bottom Line: The proposed Cyber-Security Enhancement Act of 2007 is an excellent bill that would make simple changes to existing law but would allow for powerful new legal tools to combat cyber crime. While it is presently in the early stages of House consideration, Congress would be wise to give this bill the attention that it deserves as it moves through the chambers.


TSA Suit Reminder of Security Concerns

The union representing most of the nation’s airport safety screeners has filed a class action suit against the Transportation Security Administration for its negligence in allowing an external hard drive to be stolen from TSA Headquarters. The hard drive contained 100,000 records of past and current employees, including social security numbers, banking details and other sensitive data.

The suit seeks injunctive and monetary relief, including any financial losses from the breach and additional safeguards to protect against future privacy thefts.

The breach of security is especially troubling in this case because the agency robbed is the one primarily responsible for managing the safety of the oft-targeted air travel industry.

The suits were not unexpected. Such a high profile loss of data is often followed by a lawsuit. The Union’s lawsuit, however, is very appropriate in this matter. First, the Union’s demands are reasonable. The plaintiffs ask for injunctive relief, that is, relief that will improve the TSA’s future protection of data. The relief requested includes encryption of data and electronic monitoring of data. The plaintiffs also request monetary relief for any losses resulting from the breach. Second, the lawsuit is appropriate because it helps to bring attention to the need for greater security protections in organizations of any size, government or private.

Unfortunately, most organizations, big or small, would do well to reevaluate their data security policies. Many times, taking small steps to protect sensitive data can make a substantial difference, even in situations where sophisticated encryption and other technology is not used.

For example, setting your computer to require a password to access data after about 5-10 minutes of inactivity is an easy step to prevent prying eyes from taking “quick peeks” at your data. Don’t use the same password for all of your accounts, and be aware at all times of the roster of people that have access to your sensitive data.

Bottom Line: The TSA mishap could likely have been averted by following simple steps such as these. The union lawsuit brings salience to the value of data and the increasing need for all of us to make small changes in our daily behavior in the interest of greater protection of sensitive data.
