Monday, May 09, 2016
No one ever suspects the Swiss of having international hit squads.
SwissInfo.ch reports on what is potentially a very serious breach that could put lives at risk:
The bad news on Wednesday that hackers had targeted the Swiss defence ministry in January became worse news on Sunday, when the weekly newspaper NZZ am Sonntag reported that the identities of members of a secret Swiss army unit may have been revealed.
Whereas Defense Minister Guy Parmelin had spoken on May 4 of spying that took place during the annual meeting of the World Economic Forum in Davos, the NZZ am Sonntag reported that Russian IT specialists had gained access to personal data of members of a special unit known as AAD 10, which carries out risky operations in foreign countries.
According to a press statement released by the Defence Ministry on Wednesday, the government works closely with defense contractor RUAG, whose IT system was the target of the attacks.
Read more on SwissInfo.ch.
People seem to tell these sites more than they tell their doctor or their bank. Anything for sex, I guess.
Joseph Cox reports:
A hacker claims to be selling tens of millions of user accounts for adult dating site Fling.com on the dark web, including information on sexual desires, preferences, and other personal details.
“Find sex by contacting fellow Fling members and get laid tonight,” the site reads. “Check out millions of fun photos and watch webcams that allow you to party with members live on the best adult personals.” Users can send private messages to each other, upload pictures and more.
The data is being sold on the Real Deal market, a dark web site specialising in the peddling of stolen data and computer exploits, by a hacker who goes by the name Peace.
Read more on Motherboard.
Note that Fling has reportedly confirmed the authenticity of the data, but claims it is from a breach in 2011. Did they detect the breach in 2011, and did they ever notify anyone about it? Anyone know?
The article explores security risks beyond the “script kiddie” level.
Jane Brown of Lane Powell PC writes that hackers have upped the ante from the “good old days:”
…. A case with espionage, extortion and pseudonyms is a sign of things to come.
Wire Swiss GmbH (Wire Swiss) is currently seeking a declaratory judgment and alleges civil extortion against its competitor, Quiet Riddle Ventures dba Open Whisper Systems, and Moxie Marlinspike. The litigants develop end-to-end encrypted messaging software. Wire Swiss claims the defendants threatened to accuse Wire Swiss of infringing on copyrighted software code and publicize “vulnerabilities” in the security of Wire Swiss’ encryption software. Wire Swiss’ payment of a $2 million licensing fee would prevent the threatened action. Wire Swiss claims that the specter of publication of security vulnerabilities in its encryption software could cause catastrophic damage to its reputation. Wire Swiss further claims that the defendants’ threat coincided with the announcement that their Signal software had been incorporated into the WhatsApp messaging application. If true, the plaintiff’s allegations are a prime example of how data saboteurs profit from their hacks. This case may also be fodder for legislation to create a safe harbor for security self-evaluation.
Read more on JD Supra.
The real “Why” might be interesting… Is it really so they look “anti-surveillance?”
Twitter Bars Intelligence Agencies From Using Analytics Service
Twitter Inc. cut off U.S. intelligence agencies from access to a service that sifts through the entire output of its social-media postings, the latest example of tension between Silicon Valley and the federal government over terrorism and privacy.
The move, which hasn’t been publicly announced, was confirmed by a senior U.S. intelligence official and other people familiar with the matter. The service—which sends out alerts of unfolding terror attacks, political unrest and other potentially important events—isn’t directly provided by Twitter, but instead by Dataminr Inc., a private company that mines public Twitter feeds for clients.
Twitter owns about a 5% stake in Dataminr, the only company it authorizes both to access its entire real-time stream of public tweets and sell it to clients.
… The senior intelligence official said Twitter appeared to be worried about the “optics” of seeming too close to American intelligence services.
Twitter said it has a long-standing policy barring third parties, including Dataminr, from selling its data to a government agency for surveillance purposes. The company wouldn’t comment on how Dataminr—a close business partner—was able to provide its service to the government for two years, or why that arrangement came to an end.
… Analysis of Twitter and other social-media services has become increasingly important to intelligence and law-enforcement agencies tracking terror groups. Islamic State posts everything from battlefield positions [Drop bombs here! Bob] to propaganda and threats over Twitter.
… In a speech last September, David S. Cohen, a deputy director of the Central Intelligence Agency, discussed the importance of “open source” social-media data gathered by the CIA, saying Islamic State’s “tweets and other social-media messages publicizing their activities often produce information that, especially in the aggregate, provides real intelligence value.”
… Its product goes beyond what a typical Twitter user could find in the jumble of daily tweets, employing sophisticated algorithms and geolocation tools to unearth relevant patterns.
Dataminr has a separate, $255,000 contract to provide its breaking news-alert service to the Department of Homeland Security, which is still in force.
Too subtle? Would a third-party, “professional smartphone searcher” solve the problem?
The Post-Riley Search Warrant: Search Protocols and Particularity in Cell Phone Searches
by Sabrina I. Pacifici on May 8, 2016
The Post-Riley Search Warrant: Search Protocols and Particularity in Cell Phone Searches, Adam M. Gershowitz · Apr-19-2016 · 69 Vand. L. Rev. 585 (2016)
“Last year, in Riley v. California, the Supreme Court required police to procure a warrant before searching a cell phone. Unfortunately, the Court’s assumption that requiring search warrants would be “simple” and very protective of privacy was overly optimistic. This article reviews lower court decisions in the year since Riley and finds that the search warrant requirement is far less protective than expected. Rather than restricting search warrants to the narrow evidence being sought, some magistrates have issued expansive warrants authorizing a search of the entire contents of the phone with no restrictions whatsoever. Other courts have authorized searches of applications and data for which no probable cause existed. And even when district and appellate courts have found these overbroad search warrants to be defective, they have almost always turned to the good faith exception to save the searches and allow admission of the evidence. This Article calls on courts to take the Fourth Amendment’s particularity requirement seriously before issuing search warrants for cell phones. Just as magistrates cannot authorize police to search for a fifty-inch television in a microwave, nor should officers be permitted to rummage through all of the files on a cell phone when a narrower search will suffice. In order to effectuate the privacy guarantee in Riley, this Article proposes two approaches to narrow cell phone search warrants. First, I argue that judges should impose search protocols that specify in advance exactly how police should execute warrants and sift through electronic data. Second, this Article challenges the common assumption that all cell phone searches require full forensic analysis. In many cases involving street crimes, magistrates should initially restrict warrants to a manual search of the particular functions or applications for which there is probable cause. These two ex ante restrictions on cell phone searches will protect privacy and prevent overuse of the good faith exception, while still permitting police to examine all data they have probable cause to investigate.”
The Fourth Amendment in the Information Age
by Sabrina I. Pacifici on May 8, 2016
Robert S. Litt, The Fourth Amendment in the Information Age, 126 YALE L.J. F. 8 (2016), http://www.yalelawjournal.org/forum/fourth-amendment-information-age.
“To badly mangle Marx, a specter is haunting Fourth Amendment law—the specter of technological change. In a number of recent cases, in a number of different contexts, courts have questioned whether existing Fourth Amendment doctrine, developed in an analog age, is able to deal effectively with digital technologies. Justice Sotomayor, for example, wrote in her concurrence in United States v. Jones, a case involving a GPS tracking device placed on a car, that “the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties . . . is ill suited to the digital age.” And in Riley v. California, the Chief Justice more colorfully rejected the government’s argument that a search of a cell phone was equivalent to a search of a wallet: That is like saying a ride on horseback is materially indistinguishable from a flight to the moon. Both are ways of getting from point A to point B, but little else justifies lumping them together. Modern cell phones, as a category, implicate privacy concerns far beyond those implicated by the search of a cigarette pack, a wallet, or a purse. I intend to discuss the application of the Fourth Amendment in the information age, and I want to start with two important caveats…”