My students have been following this one, since they do use encryption.
It's legal logic which is far removed from logical logic. “Your
Honor, the defendant claims he does not know the password to this
file. We would like you to require him to reveal the password he
does not know so that there is no chance he could forget the password
at some future date and claim he doesn't know the password. And
while we're at it, could you hold him in contempt for claiming he has
a Fifth Amendment right?”
New Argument in Forced-Decryption Case: Defendant’s Memory Is Ticking Clock
Federal prosecutors are urging a
federal judge to demand a Wisconsin man immediately decrypt several
hard drives they believe contain child pornography.
The authorities have been litigating
the constitutionality of the decryption issue for months, and want
the suspect, Jeffrey Feldman, to decrypt the drives before he forgets
the passwords. Federal prosecutors say Feldman can, even after
decrypting, continue litigating his claim that the Fifth Amendment
protects him from having to unlock at least seven hard drives in the
case.
“As more time passes, it is
increasingly possible that Feldman could forget his passwords, and
currently-encrypted evidence may be lost as a result,” federal
prosecutor Karine Moreno-Taxman wrote in a brief
filing (.pdf) Friday. “The Court can reduce this risk by
requiring Feldman to provide the Court with the decrypted contents of
his hard drives now, ex parte and under seal, so that they
can be securely retained pending the adjudication of the
Fifth-Amendment question.”
The suspect’s attorney, Robin
Shellow, scoffed at the government’s proposal, saying it was a
backdoor attempt to get his client thrown in jail immediately.
That’s because, she said, Feldman is not going to decrypt his
drives, no matter what, meaning the government’s offer essentially
hastens a potential contempt-of-court charge.
… The Supreme Court has never
decided the issue of whether decryption orders, which are rare,
breach the Fifth Amendment right against compelled
self-incrimination. The issue is likely to become a more commonplace
legal flap as the public slowly embraces a technology
that comes standard today on most computer operating systems.
(Related) In case you thought
encryption was only used by criminal...
I love it when states publicly post the
data breach notifications they receive, but California’s Attorney
General Kamala Harris just raised the bar for other states by
actually analyzing and reporting on the breaches involving California
residents. From her press release:
Attorney General
Kamala D. Harris today released the first report detailing the 131
data breaches reported to her office in 2012, showing that 2.5
million Californians had personal information put at risk through an
electronic data breach.
The
report found that 1.4 million Californians would have been protected
if companies had encrypted data when moving or sending the data out
of the company’s network.
… While not
required by law, Attorney General Harris is issuing this report that
analyses the data breach notices reported in 2012, provides
information to the public about those breaches, and makes
recommendations to companies, law enforcement agencies, and the
legislature about how data security could be improved. Those
recommendations include practices that would decrease the number of
data breaches, make it easier for consumers to recover from the loss
or theft of their personal information, and call for law enforcement
agencies to more aggressively target breaches involving unencrypted
personal information.
First, companies
should encrypt digital personal information when moving or sending it
out of their secure network. In 2012, encryption would have
prevented reporting companies and agencies from putting over 1.4
million Californians at risk. The Attorney General’s
Office will make it an enforcement priority to investigate breaches
involving unencrypted personal information.
In addition,
companies should review and tighten their security controls on
personal information, including training employees and contractors.
Companies should
make the breach notices they send easier to read. The
report found that the average reading level of the notices submitted
in 2012 was 14th grade, much higher than the average U.S. reading
level of 8th grade. Recipients need to be able to
understand the notices so that they can take appropriate action to
protect their information.
Finally, the
report recommends that legislators consider expanding the law to
require notification of breaches involving passwords. Attorney
General Harris is supporting legislation, SB 46 by Senator Ellen
Corbett, which would require notification of a breach involving a
user name or email address, in combination with a password or
security question and answer that would permit access to an online
account.
Additional key
findings of the report include:
- The average (mean) breach incident involved the information of 22,500 individuals. The median breach size was 2,500 affected individuals, with five breaches of 100,000 or more individuals’ personal information.
- More than 1.4 million Californians would not have been put at risk, and 28 percent of the data breaches would not have required notification, if the data had been encrypted.
- The retail industry reported the most data breaches in 2012: 34 (26 percent of the total reported breaches), followed by finance and insurance with 30 (23 percent).
- More than half of the breaches (56 percent) involved Social Security numbers, which pose the greatest risk of the most serious types of identity theft.
- More than half of the breaches (55 percent) were the result of intentional intrusions by outsiders or by unauthorized insiders. The other 45 percent were largely the result of failures to adopt or carry out appropriate security measures.
… A complete
copy of the data breach report and a list of all 131 breaches are
attached to the online version of this release at http://oag.ca.gov.
Does no one ever look at the design decisions entry level programmers make? Where is management?
Jenny Anchondo reports from
Indianapolis:
A security breach
with a local health insurance company has been exposing members’
home addresses, cell phone numbers, prescriptions and extensive
medical information in an online portal.
The
company had no clue about the issue, until Fox 59 notified
them. So how many people might have been impacted?
Fox 59 is taking
action, to find out and make sure it never happens again.
“I was just in
shock when I saw it for the first time,” said a man who we’ll
refer to as “Steve”.
We agreed to keep
the identities of the customers who we interviewed private.
He said he
couldn’t believe how easy it was to log onto his Advantage
Health Solutions account and see other users’ private
information.
Steve showed us
how it works.
“I clicked on
the little people icon and got a screen that allowed
me to put in a name or a date of birth and it brought up anyone with
that name or date of birth and I could click on it and look at their
records. I was astounded,” Steve said.
Read more on Fox59.
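The design flaw Steve describes is a search endpoint that never asks whose records the logged-in member is entitled to see. The following is an added illustration, not the portal’s code: a constructed member table with a hypothetical search function in its flawed form, the same search scoped to the authenticated member (own record plus dependents on the same policy), and a count of out-of-scope matches that a defender could log as a detection signal.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class MemberRecord:
    member_id: str
    name: str
    dob: str            # ISO date as text, for the constructed sample
    subscriber_id: str  # policyholder whose plan this record belongs to
    prescriptions: tuple

# Constructed sample data: two households on the same plan portal.
RECORDS = (
    MemberRecord("M-100", "Alex Kim", "1975-08-12", "M-100", ("lisinopril",)),
    MemberRecord("M-101", "Jordan Kim", "1990-03-05", "M-100", ()),
    MemberRecord("M-200", "Dana Rivera", "1990-03-05", "M-200", ("metformin",)),
    MemberRecord("M-201", "Sam Rivera", "2008-11-30", "M-200", ("albuterol",)),
)

def matches(record, name=None, dob=None):
    """User-supplied search terms; either field alone is enough to match."""
    return bool((name and record.name == name) or (dob and record.dob == dob))

def lookup_unscoped(name=None, dob=None):
    """The flawed design: the search runs over every member in the table,
    so any logged-in user can pull any other member's record."""
    return [r for r in RECORDS if matches(r, name, dob)]

def authorized_scope(requester_id):
    """Member ids the requester may see: their own plus dependents on
    the same policy. Unknown requesters get an empty scope."""
    me = next((r for r in RECORDS if r.member_id == requester_id), None)
    if me is None:
        return set()
    return {r.member_id for r in RECORDS if r.subscriber_id == me.subscriber_id}

def lookup_scoped(requester_id, name=None, dob=None):
    """Hardened form: restrict by the authenticated identity first, then
    apply the search terms, so the result set can never leave the scope."""
    allowed = authorized_scope(requester_id)
    return [r for r in RECORDS if r.member_id in allowed and matches(r, name, dob)]

def denied_matches(requester_id, name=None, dob=None):
    """Detection signal: how many out-of-scope records the same search
    would have exposed. A non-zero count per request is worth logging."""
    allowed = authorized_scope(requester_id)
    return sum(1 for r in lookup_unscoped(name, dob) if r.member_id not in allowed)
```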
The first of 161 similar stories to come?
Spiegel Online – “NSA Snoops on 500 Million German Data Connections”
By Laura Poitras, Marcel
Rosenbach and Holger Stark: “America’s National Security
Agency (NSA) is apparently spying on Germany more than previously
believed. Secret documents from the US intelligence service, which
have been viewed by SPIEGEL journalists, reveal that the NSA
systematically monitors and stores a large share of the country’s
telephone and Internet connection data. Internal NSA statistics
indicate that the agency stores data from around half a billion
communications connections in Germany each month. This data includes
telephone calls, emails, mobile-phone text messages and chat
transcripts. The metadata
— or information about which call or data connections were made and
when — is then stored at the NSA’s headquarters in Fort Meade,
near Washington, DC. The documents show for the first time the scope
of American surveillance in Germany. Previously, it had only been
clear that Germany had been one of the major targets of NSA spying.
A map
published by the Guardian
shows that Germany is on a par with targets such as China, Iraq and
Saudi Arabia in terms of the intensity of electronic snooping.
For weeks now, new details have emerged from documents collected by
whistleblower Edward Snowden about the NSA’s Prism and Britain’s
Tempora digital spying programs.”
(Related)
God help you if you didn't contribute to your local Democratic candidate's election campaign?
I missed this one last week:
Judicial
Watch announced today that it has obtained
records from the Consumer Financial Protection Bureau (CFPB)
revealing that the agency has spent millions of dollars for the
warrantless collection and analysis of Americans’ financial
transactions. The documents also reveal that CFPB contractors may be
required to share the information with “additional
government entities.”
The records were
obtained pursuant to a Freedom of Information Act (FOIA) request
filed on April 24, 2013, following the April 23 Senate Banking
Committee testimony of CFPB Director Richard Cordray. The documents
uncovered by Judicial Watch include:
- Overlapping contracts with multiple credit reporting agencies and accounting firms to gather, store, and share credit card data as shown in the task list of a contract with Argus Information & Advisory Services LLC worth $2.9 million
- Deloitte Consulting: solicitation issue date 11/30/2011, award effective date 05/29/2012;
- Deloitte Consulting: solicitation issue date 11/30/2011, award effective date 05/29/2012;
- Argus: solicitation issue date 02/14/2012, award effective date 03/15/2012;
- Experian: solicitation issue date 07/03/2012, award effective date 09/24/2012
- An “indefinite delivery, indefinite quantity” contract with Experian worth up to $8,426,650 to track daily consumer habits of select individuals without their awareness or consent
- $4,951,333 for software and instruction paid to Deloitte Consulting LLP
- A provision stipulating that “The contractor recognizes that, in performing this requirement, the Contractor may obtain access to non-public, confidential information, Personally Identifiable Information (PII), or proprietary information.”
- A stipulation that “The Contractor may be required to share credit card data collected from the Banks with additional government entities as directed by the Contracting Officer’s Representative (COR).”
The full extent of
the CFPB personal financial data collection program is revealed in a
document obtained by Judicial Watch entitled “INDEFINITE-DELIVERY
INDEFINITE-QUANTITY (IDIQ) STATEMENT OF WORK.” Issued by CFPB
Contracting Officer Xiaoling Ang on July 3, 2012, the IDIQ document’s
stated objective: “The CFPB seeks to acquire and maintain a
nationally representative panel of credit information on consumers
for use in a wide range of policy research projects… The panel
shall be a random sample of consumer credit files obtained from a
national database of credit files.”
Read more on Judicial
Watch.
For my Computer Security students (and your Computer Security manager)
Pair of PC viruses help each other survive
Two computer viruses that collaborate are proving hard to clean from infected PCs, Microsoft research suggests.
The pair of viruses foil removal by
regularly downloading updated versions of their malware partner.
The novel versions are usually unknown to anti-virus programs, which lets the malicious programs persist.
Once present on a PC, the viruses let
thieves take over a machine so it can be mined for saleable data or
used to send spam or to attack other machines.
The close relationship between the two viruses was revealed in a blogpost by Microsoft malware researcher Hyun Choi.