Tuesday, July 02, 2013

My students have been following this one, since they do use encryption. It's legal logic, which is far removed from logical logic. “Your Honor, the defendant claims he does not know the password to this file. We would like you to require him to reveal the password he does not know so that there is no chance he could forget the password at some future date and claim he doesn't know the password. And while we're at it, could you hold him in contempt for claiming he has a Fifth Amendment right?”
New Argument in Forced-Decryption Case: Defendant’s Memory Is Ticking Clock
Federal prosecutors are urging a federal judge to demand a Wisconsin man immediately decrypt several hard drives they believe contain child pornography.
The authorities have been litigating the constitutionality of the decryption issue for months, and want the suspect, Jeffrey Feldman, to decrypt the drives before he forgets the passwords. Federal prosecutors say Feldman can, even after decrypting, continue litigating his claim that the Fifth Amendment protects him from having to unlock at least seven hard drives in the case.
“As more time passes, it is increasingly possible that Feldman could forget his passwords, and currently-encrypted evidence may be lost as a result,” federal prosecutor Karine Moreno-Taxman wrote in a brief filing (.pdf) Friday. “The Court can reduce this risk by requiring Feldman to provide the Court with the decrypted contents of his hard drives now, ex parte and under seal, so that they can be securely retained pending the adjudication of the Fifth-Amendment question.”
The suspect’s attorney, Robin Shellow, scoffed at the government’s proposal, saying it was a backdoor attempt to get his client thrown in jail immediately. That’s because, she said, Feldman is not going to decrypt his drives, no matter what, meaning the government’s offer essentially hastens a potential contempt-of-court charge.
… The Supreme Court has never decided the issue of whether decryption orders, which are rare, breach the Fifth Amendment right against compelled self-incrimination. The issue is likely to become a more commonplace legal flap as the public slowly embraces a technology that comes standard today on most computer operating systems.

(Related) In case you thought encryption was only used by criminals...
I love it when states publicly post the data breach notifications they receive, but California’s Attorney General Kamala Harris just raised the bar for other states by actually analyzing and reporting on the breaches involving California residents. From her press release:
Attorney General Kamala D. Harris today released the first report detailing the 131 data breaches reported to her office in 2012, showing that 2.5 million Californians had personal information put at risk through an electronic data breach.
The report found that 1.4 million Californians would have been protected if companies had encrypted data when moving or sending the data out of the company’s network.
… While not required by law, Attorney General Harris is issuing this report that analyzes the data breach notices reported in 2012, provides information to the public about those breaches, and makes recommendations to companies, law enforcement agencies, and the legislature about how data security could be improved. Those recommendations include practices that would decrease the number of data breaches, make it easier for consumers to recover from the loss or theft of their personal information, and call for law enforcement agencies to more aggressively target breaches involving unencrypted personal information.
First, companies should encrypt digital personal information when moving or sending it out of their secure network. In 2012, encryption would have prevented reporting companies and agencies from putting over 1.4 million Californians at risk. The Attorney General’s Office will make it an enforcement priority to investigate breaches involving unencrypted personal information.
In addition, companies should review and tighten their security controls on personal information, including training employees and contractors.
Companies should make the breach notices they send easier to read. The report found that the average reading level of the notices submitted in 2012 was 14th grade, much higher than the average U.S. reading level of 8th grade. Recipients need to be able to understand the notices so that they can take appropriate action to protect their information.
Finally, the report recommends that legislators consider expanding the law to require notification of breaches involving passwords. Attorney General Harris is supporting legislation, SB 46 by Senator Ellen Corbett, which would require notification of a breach involving a user name or email address, in combination with a password or security question and answer that would permit access to an online account.
Additional key findings of the report include:
  • The average (mean) breach incident involved the information of 22,500 individuals. The median breach size was 2,500 affected individuals, with five breaches of 100,000 or more individuals’ personal information.
  • More than 1.4 million Californians would not have been put at risk, and 28 percent of the data breaches would not have required notification, if the data had been encrypted.
  • The retail industry reported the most data breaches in 2012: 34 (26 percent of the total reported breaches), followed by finance and insurance with 30 (23 percent).
  • More than half of the breaches (56 percent) involved Social Security numbers, which pose the greatest risk of the most serious types of identity theft.
  • More than half of the breaches (55 percent) were the result of intentional intrusions by outsiders or by unauthorized insiders. The other 45 percent were largely the result of failures to adopt or carry out appropriate security measures.
… A complete copy of the data breach report and a list of all 131 breaches are attached to the online version of this release at http://oag.ca.gov.

Does no one ever look at the design decisions entry level programmers make? Where is management?
Jenny Anchondo reports from Indianapolis:
A security breach with a local health insurance company has been exposing members’ home addresses, cell phone numbers, prescriptions and extensive medical information in an online portal.
The company had no clue about the issue, until Fox 59 notified them. So how many people might have been impacted?
Fox 59 is taking action, to find out and make sure it never happens again.
“I was just in shock when I saw it for the first time,” said a man who we’ll refer to as “Steve”.
We agreed to keep the identities of the customers who we interviewed private.
He said he couldn’t believe how easy it was to log onto his Advantage Health Solutions account and see other users’ private information.
Steve showed us how it works.
“I clicked on the little people icon and got a screen that allowed me to put in a name or a date of birth and it brought up anyone with that name or date of birth and I could click on it and look at their records. I was astounded,” Steve said.
Read more on Fox59.
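The failure Steve describes is a missing authorization check, not a missing login: the portal authenticated him and then let him query the whole member table and open any hit. As an added illustration (not code from the Advantage Health Solutions portal or from Fox59; every name, identifier and record below is constructed), here is a search handler with that defect beside a hardened one that filters results by what the calling account is entitled to see (its own record plus any covered dependents), with the same check on the detail lookup so enumerating ids fails too:

```python
# Added example, not code from the Advantage Health Solutions portal or from
# Fox59. It models the defect the story describes (an authenticated member can
# search and open any other member's record) beside a hardened handler that
# enforces object-level authorization. Every name, id and record is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Member:
    member_id: str
    name: str
    dob: str                 # ISO date, constructed
    address: str
    prescriptions: tuple


@dataclass(frozen=True)
class Session:
    """What the portal knows after login: who is calling, and which other
    records (e.g. covered dependents) this account may view."""
    member_id: str
    dependents: frozenset = frozenset()


# Constructed stand-in for the portal's member table.
MEMBERS = (
    Member("M-1001", "Pat Example", "1970-01-01", "1 Main St", ("lisinopril",)),
    Member("M-1002", "Sam Sample", "1970-01-01", "2 Oak Ave", ("metformin",)),
    Member("M-1003", "Pat Example", "1985-06-15", "3 Elm Rd", ()),
)


def _matches(m, name, dob):
    """Search predicate: a record matches if the supplied name OR date of
    birth equals the record's, as the story's 'name or a date of birth' box did."""
    return (name is not None and m.name == name) or (dob is not None and m.dob == dob)


def _allowed_ids(session):
    """The set of member_ids this session is entitled to read."""
    return {session.member_id} | set(session.dependents)


def search_vulnerable(session, name=None, dob=None):
    """The reported behaviour. Login is required (a Session exists) but the
    query runs against the whole table and nothing ties the hits to the caller."""
    return [m for m in MEMBERS if _matches(m, name, dob)]


def search_hardened(session, name=None, dob=None):
    """Same search, but filtered server-side by what the caller may see.
    The authorization check is part of the query, so there is no code path
    that returns another member's row and relies on the UI to hide it."""
    allowed = _allowed_ids(session)
    return [m for m in MEMBERS if m.member_id in allowed and _matches(m, name, dob)]


def get_record(session, member_id):
    """Detail endpoint with the same check, so guessing or enumerating an id
    (the 'click on it and look at their records' step) fails too. Unauthorized
    and nonexistent ids both return None, which gives the caller no oracle for
    which ids exist."""
    if member_id not in _allowed_ids(session):
        return None
    return next((m for m in MEMBERS if m.member_id == member_id), None)


if __name__ == "__main__":
    steve = Session("M-1001")
    leak = search_vulnerable(steve, dob="1970-01-01")
    print("vulnerable:", [m.member_id for m in leak])    # includes M-1002, a stranger
    safe = search_hardened(steve, dob="1970-01-01")
    print("hardened:  ", [m.member_id for m in safe])    # only M-1001
    print("detail M-1002:", get_record(steve, "M-1002"))  # None
```

The point of putting the entitlement set into the query itself, rather than checking after the fact or hiding rows in the page template, is that a reviewer can see from the handler alone that no row leaves the server unless the session is entitled to it; that is the design decision the commentary above is asking about.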

The first of 161 similar stories to come?
Spiegel Online – “NSA Snoops on 500 Million German Data Connections”
By Laura Poitras, Marcel Rosenbach and Holger Stark: “America’s National Security Agency (NSA) is apparently spying on Germany more than previously believed. Secret documents from the US intelligence service, which have been viewed by SPIEGEL journalists, reveal that the NSA systematically monitors and stores a large share of the country’s telephone and Internet connection data. Internal NSA statistics indicate that the agency stores data from around half a billion communications connections in Germany each month. This data includes telephone calls, emails, mobile-phone text messages and chat transcripts. The metadata — or information about which call or data connections were made and when — is then stored at the NSA’s headquarters in Fort Meade, near Washington, DC. The documents show for the first time the scope of American surveillance in Germany. Previously, it had only been clear that Germany had been one of the major targets of NSA spying. A map published by the Guardian shows that Germany is on a par with targets such as China, Iraq and Saudi Arabia in terms of the intensity of electronic snooping. For weeks now, new details have emerged from documents collected by whistleblower Edward Snowden about the NSA’s Prism and Britain’s Tempora digital spying programs.”

(Related) God help you, if you didn't contribute to your local Democratic candidate's election campaign?
I missed this one last week:
Judicial Watch announced today that it has obtained records from the Consumer Financial Protection Bureau (CFPB) revealing that the agency has spent millions of dollars for the warrantless collection and analysis of Americans’ financial transactions. The documents also reveal that CFPB contractors may be required to share the information with “additional government entities.”
The records were obtained pursuant to a Freedom of Information Act (FOIA) request filed on April 24, 2013, following the April 23 Senate Banking Committee testimony of CFPB Director Richard Cordray. The documents uncovered by Judicial Watch include:
  • Overlapping contracts with multiple credit reporting agencies and accounting firms to gather, store, and share credit card data, as shown in the task list of a contract with Argus Information & Advisory Services LLC worth $2.9 million:
    • Deloitte Consulting: solicitation issue date 11/30/2011, award effective date 05/29/2012;
    • Argus: solicitation issue date 02/14/2012, award effective date 03/15/2012;
    • Experian: solicitation issue date 07/03/2012, award effective date 09/24/2012
  • A provision stipulating that “The contractor recognizes that, in performing this requirement, the Contractor may obtain access to non-public, confidential information, Personally Identifiable Information (PII), or proprietary information.”
  • A stipulation that “The Contractor may be required to share credit card data collected from the Banks with additional government entities as directed by the Contracting Officer’s Representative (COR).”
The full extent of the CFPB personal financial data collection program is revealed in a document obtained by Judicial Watch entitled “INDEFINITE-DELIVERY INDEFINITE-QUANTITY (IDIQ) STATEMENT OF WORK.” Issued by CFPB Contracting Officer Xiaoling Ang on July 3, 2012, the IDIQ document’s stated objective: “The CFPB seeks to acquire and maintain a nationally representative panel of credit information on consumers for use in a wide range of policy research projects… The panel shall be a random sample of consumer credit files obtained from a national database of credit files.”
Read more on Judicial Watch.

For my Computer Security students (and your Computer Security manager)
Pair of PC viruses help each other survive
Two computer viruses that collaborate are proving hard to clean from infected PCs, Microsoft research suggests.
The pair of viruses foil removal by regularly downloading updated versions of their malware partner.
The novel versions are usually unknown to anti-virus programs, which lets the malicious programs persist.
Once present on a PC, the viruses let thieves take over a machine so it can be mined for saleable data or used to send spam or to attack other machines.
The close relationship between the two viruses was revealed in a blogpost by Microsoft malware researcher Hyun Choi.