Law enforcement needs to protect citizens and their data

Over the past several years, the law enforcement community has grown increasingly concerned about the conduct of digital investigations as technology providers enhance the security protections of their offerings—what some of my former colleagues refer to as “going dark.”

Data once readily accessible to law enforcement is now encrypted, protecting consumers’ data from hackers and criminals. However, these efforts have also had what Android’s security chief called the “unintended side effect” of also making this data inaccessible to law enforcement. Consequently, many in the law enforcement community want the ability to compel providers to allow them to bypass these protections, often citing physical and national security concerns.

I know first-hand the challenges facing law enforcement, but these concerns must be addressed in a broader security context, one that takes into consideration the privacy and security needs of industry and our citizens in addition to those raised by law enforcement.

Perhaps the best example of the law enforcement community’s preferred solution is Australia’s recently passed Assistance and Access Bill, an overly broad law that allows Australian authorities to compel service providers, such as Google and Facebook, to re-engineer their products and bypass encryption protections so that law enforcement can access customer data.

While the bill includes limited restrictions on law enforcement requests, the vague definitions and concentrated authorities give the Australian government sweeping powers that ultimately undermine the security and privacy of the very citizens they aim to protect. Major tech companies, such as Apple and Facebook, agree and have been working to resist the Australian legislation and a similar bill in the UK.


Newly created encryption backdoors and work-arounds will become targets for criminals, hackers, and hostile nation states, offering new opportunities for data compromise and attack through the tools themselves and through the flawed code that inevitably accompanies some of them. These weaknesses undermine providers’ efforts to secure their customers’ data, creating new and powerful vulnerabilities even as companies struggle to address existing ones.

And these vulnerabilities would not only impact private citizens, but governments as well, including services and devices used by the law enforcement and national security communities. This comes amidst government efforts to significantly increase corporate responsibility for the security of customer data through laws such as the EU’s General Data Protection Regulation. Who will consumers, or the government, blame when a government-mandated backdoor is used by hackers to compromise user data? Who will be responsible for the damage?

Companies have a fiduciary responsibility to protect their customers’ data, which not only includes personally identifiable information (PII), but their intellectual property, financial data, and national security secrets.

Worse, the vulnerabilities created under laws such as the Assistance and Access Bill would be subject almost exclusively to the decisions of law enforcement authorities, leaving companies unable to make their own decisions about the security of their products. How can we expect a company to protect customer data when their most fundamental security decisions are out of their hands?


Thus far law enforcement has chosen to downplay, if not ignore, these concerns—focusing singularly on getting the information they need. This is understandable—a law enforcement officer should use every power available to them to solve a case, just as I did when I served as a State Trooper and as an FBI Special Agent, including when I served as Executive Assistant Director (EAD) overseeing the San Bernardino terror attack case during my final months in 2015.

Decisions regarding these types of sweeping powers should not and cannot be left solely to law enforcement. It is up to the private sector, and our government, to weigh competing security and privacy interests. Our government cannot sacrifice the ability of companies and citizens to properly secure their data and systems in the name of often vague physical and national security concerns, especially when there are other ways to remedy the concerns of law enforcement.

That said, these security responsibilities cut both ways. Recent data breaches demonstrate that many companies have a long way to go to adequately protect their customers’ data. Companies cannot reasonably cry foul over the negative security impacts of proposed law enforcement data access while continuing to neglect and undermine the security of their own users’ data.

Providers and the law enforcement community should be held to robust security standards that ensure the security of our citizens and their data—we need legal restrictions on how government accesses private data and on how private companies collect and use the same data.

There may not be an easy answer to the “going dark” issue, but it is time for all of us, in government and the private sector, to understand that enhanced data security through properly implemented encryption and data use policies is in everyone’s best interest.

The “extraordinary” access sought by law enforcement cannot exist in a vacuum—it will have far-reaching and significant impacts well beyond the narrow confines of a single investigation. It is time for a serious conversation between law enforcement and the private sector to recognize that their security interests are two sides of the same coin.


Home alarm tech backdoored security cameras to spy on customers having sex


A home security technician has admitted he repeatedly broke into cameras he installed and viewed customers engaging in sex and other intimate acts.

Telesforo Aviles, a 35-year-old former employee of home and small office security company ADT, said that over a five-year period, he accessed the cameras of roughly 200 customer accounts on more than 9,600 occasions—all without the permission or knowledge of customers. He said he took note of homes with women he found attractive and then viewed their cameras for sexual gratification. He said he watched nude women and couples as they had sex.

Aviles made the admissions Thursday in US District Court for the Northern District of Texas, where he pleaded guilty to one count of computer fraud and one count of invasive visual recording. He faces a maximum of five years in prison.

Aviles told prosecutors that he routinely added his email address to the list of users authorized to access customers’ ADT Pulse accounts, which allow customers to remotely connect to the ADT home security system so they can turn on or off lights, arm or disarm alarms, and view feeds from security cameras. In some cases, he told customers that he had to add himself temporarily so he could test the system. Other times, he added himself without their knowledge.

More legal fallout

An ADT spokesman said the company brought the illegal conduct to the attention of prosecutors last April after learning Aviles gained unauthorized access to the accounts of 220 customers in the Dallas area. The security company then contacted each customer “to help make this right.” The company has already resolved disputes with some of the customers. ADT published this statement last April and has continued to update it.

“We are grateful to the Dallas FBI and the US Attorney’s Office for holding Telesforo Aviles responsible for a federal crime,” the company wrote in an update posted on Friday.

In the aftermath of the breach discovery, ADT has been hit by at least two proposed class-action lawsuits, one on behalf of ADT customers and the other on behalf of minors and others living inside the homes. A plaintiff in one of the suits was allegedly a teenager at the time that the breach occurred. ADT informed her family that the technician spied on her home almost 100 times, according to the lawsuit.

The suits alleged that ADT marketed its camera systems as a way for parents to use smartphones to check in on kids and pets. ADT, the plaintiffs said, failed to implement safeguards—such as two-factor authentication or text alerts when new parties are granted access to an account—that could have alerted customers to the invasion. The breach was discovered when a customer noticed an unauthorized email among the addresses that had permission to access the security system.


Chrome and Edge want to help with that password problem of yours


If you’re like lots of people, someone has probably nagged you to use a password manager and you still haven’t heeded the advice. Now, Chrome and Edge are coming to the rescue with beefed-up password management built directly into the browsers.

Microsoft on Thursday announced a new password generator for the recently released Edge 88. People can use the generator when signing up for a new account or when changing an existing password. The generator provides a drop-down in the password field. Clicking on the candidate selects it as a password and saves it to a password manager built into the browser. People can then have the password pushed to their other devices using the Edge password sync feature.

As I’ve explained for years, the things that make passwords memorable and easy to use are the same things that make them easy for others to guess. Password generators are among the safest sources of strong passwords. Rather than having to think up a password that’s truly unique and hard to guess, users can instead have a generator do it properly.

“Microsoft Edge offers a built-in strong password generator that you can use when signing up for a new account or when changing an existing password,” members of Microsoft’s Edge team wrote. “Just look for the browser-suggested password drop down in the password field and when selected, it will automatically save to the browser and sync across devices for easy future use.”

Edge 88 is also rolling out a feature called the “password monitor.” As the name suggests, it monitors saved passwords to make sure none of them are included in lists compiled from website compromises or phishing attacks. When turned on, the password monitor will alert users when a password matches lists published online.

Checking passwords in a secure way is a difficult task. The browser needs to be able to check a password against a large, always-changing list without sending sensitive information to Microsoft or information that could be sniffed by someone monitoring the connection between the user and Microsoft.

In an accompanying post also published Thursday, Microsoft explained how that’s done:

Homomorphic encryption is a relatively new cryptographic primitive that allows computing on encrypted data without decrypting the data first. For example, suppose we are given two ciphertexts, one encrypting 5 and the other encrypting 7. Normally, it does not make sense to “add” these ciphertexts together. However, if these ciphertexts are encrypted using homomorphic encryption, then there is a public operation that “adds” these ciphertexts and returns an encryption of 12, the sum of 5 and 7.

First, the client communicates with the server to obtain a hash H of the credential, where H denotes a hash function that only the server knows. This is possible using a cryptographic primitive known as an Oblivious Pseudo-Random Function (OPRF). Since only the server knows the hash function H, the client is prevented from performing an efficient dictionary attack on the server, a type of brute force attack that uses a large combination of possibilities to determine a password. The client then uses homomorphic encryption to encrypt H(k) and send the resulting ciphertext Enc(H(k)) to the server. The server then evaluates a matching function on the encrypted credential, obtaining a result (True or False) encrypted under the same client key. The matching function operation looks like this: computeMatch(Enc(k), D). The server forwards the encrypted result to the client, who decrypts it and obtains the result.

In the above framework, the main challenge is to minimize the complexity of the computeMatch function to obtain good performance when this function is evaluated on encrypted data. We utilized many optimizations to achieve performance that scales to users’ needs.
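The first step of the protocol quoted above, the OPRF, is the part that keeps the server from ever learning the user's credential while still letting it apply a hash function H that only it knows. The following is an added illustration written for this article, not Microsoft's code: it uses a deliberately tiny Diffie-Hellman-style group (the Mersenne prime 2^127 - 1 rather than the elliptic-curve group a real deployment would use), a constructed server key, and plain SHA-256 as the hash-to-group map; the homomorphic-encryption matching step that follows the OPRF in Edge is not implemented here.

```python
import hashlib
import secrets
from math import gcd

# Toy group Z_p^* with p = 2^127 - 1 (assumption for illustration only;
# far too small for real use, and a production OPRF would use an
# elliptic-curve group with prime order).
P = (1 << 127) - 1
ORDER = P - 1  # order of the multiplicative group Z_p^*


def hash_to_group(credential: str) -> int:
    """Map a credential string into Z_p^* (values 2..p-1) via SHA-256."""
    digest = hashlib.sha256(credential.encode()).digest()
    return int.from_bytes(digest, "big") % (P - 2) + 2


def client_blind(credential: str):
    """Client, step 1: hide H(k) under a fresh random exponent r.
    The blinded value is uniformly random, so the server learns nothing
    about k from it, and a new r is drawn on every query."""
    while True:
        r = secrets.randbelow(ORDER - 1) + 1
        if gcd(r, ORDER) == 1:  # r must be invertible modulo the group order
            break
    return pow(hash_to_group(credential), r, P), r


def server_evaluate(blinded: int, server_key: int) -> int:
    """Server: raise the blinded element to its secret key s.
    The server never sees H(k) or k, only a random-looking group element."""
    return pow(blinded, server_key, P)


def client_unblind(evaluated: int, r: int) -> int:
    """Client, step 2: strip r to recover H(k)^s, the OPRF output.
    (H(k)^(r*s))^(r^-1) == H(k)^s because exponents reduce mod ORDER."""
    return pow(evaluated, pow(r, -1, ORDER), P)


def oprf(credential: str, server_key: int) -> int:
    """Run the full two-message exchange and return the client's output."""
    blinded, r = client_blind(credential)
    return client_unblind(server_evaluate(blinded, server_key), r)


def reference_prf(credential: str, server_key: int) -> int:
    """Direct H(k)^s, computable only by someone who knows BOTH k and s.
    Used here solely to check that the blinded exchange yields the same value."""
    return pow(hash_to_group(credential), server_key, P)


if __name__ == "__main__":
    sk = secrets.randbelow(ORDER - 1) + 1  # constructed server key
    print(oprf("correct horse battery staple", sk) ==
          reference_prf("correct horse battery staple", sk))  # True
```

Because the client cannot compute H(k)^s for any k without a round trip to the server, it cannot run an offline dictionary attack against the server's list, which is the property the quoted text attributes to the OPRF.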

Not to be outdone, members of the Google Chrome team this week unveiled password protections of their own. Chief among them is a fuller-featured password manager that’s built into the browser.

“Chrome can already prompt you to update your saved passwords when you log in to websites,” Chrome team members wrote. “However, you may want to update multiple usernames and passwords easily, in one convenient place. That’s why starting in Chrome 88, you can manage all of your passwords even faster and easier in Chrome Settings on desktop and iOS (Chrome’s Android app will be getting this feature soon, too).”

Chrome 88 is also making it easier to check if any saved passwords have wound up on password dumps. While password auditing came to Chrome last year, the feature can now be accessed using a security check similar to the one shown below:

Image: Google

Many people are more comfortable using a dedicated password manager because they offer more capabilities than those baked into their browser. Most dedicated managers, for instance, make it easy to use dice words in a secure way. With the line between browsers and password managers beginning to blur, it’s likely only a matter of time until browsers offer more advanced management capabilities.


Phishing scam had all the bells and whistles—except for one


Image: The query window for username and password on a webpage can be seen on the monitor of a laptop.

Criminals behind a recent phishing scam had assembled all the important pieces. Malware that bypassed antivirus—check. An email template that got around Microsoft Office 365 Advanced Threat Protection—check. A supply of email accounts with strong reputations from which to send scam mails—check.

It was a recipe that allowed the scammers to steal more than 1,000 corporate employee credentials. There was just one problem: the scammers stashed their hard-won passwords on public servers where anyone—including search engines—could (and did) index them.

“Interestingly, due to a simple mistake in their attack chain, the attackers behind the phishing campaign exposed the credentials they had stolen to the public Internet, across dozens of drop-zone servers used by the attackers,” researchers from security firm Check Point wrote in a post published Thursday. “With a simple Google search, anyone could have found the password to one of the compromised, stolen email addresses: a gift to every opportunistic attacker.”

Check Point researchers found the haul as they investigated a phishing campaign that began in August. The scam arrived in emails that purported to come from Xerox or Xeros. The emails were sent by addresses that, prior to being hijacked, had high reputational scores that bypass many antispam and antiphishing defenses. Attached to the messages was a malicious HTML file that didn’t trigger any of the 60 most-used antimalware engines.

The email looked like this:

Image: Check Point

Once clicked, the HTML file displayed a document that looked like this:

Image: Check Point

When recipients were fooled and logged into a fake account, the scammers stored the credentials on dozens of WordPress websites that had been compromised and turned into so-called drop-zones. The arrangement made sense since the compromised sites were likely to have a higher reputational score than would be the case for sites owned by the attackers.

The attackers, however, failed to designate the sites as off-limits to Google and other search engines. As a result, Web searches were able to locate the data and lead security researchers to the cache of compromised credentials.

“We found that once the users’ information was sent to the drop-zone servers, the data was saved in a publicly visible file that was indexable by Google,” Thursday’s post from Check Point read. “This allowed anyone access to the stolen email address credentials with a simple Google search.”

Based on the analysis of roughly 500 of the compromised credentials, Check Point was able to compile the following breakdown of the industries targeted.

Simple Web searches show that some of the data stashed on the drop-zone servers remained searchable at the time this post was going live. Most of these passwords followed the same format, making it possible that the credentials didn’t belong to real-world accounts. Check Point’s discovery, however, is a reminder that, like so many other things on the Internet, stolen passwords are ripe for the picking.
