Energy firm cyber-defence is ‘too weak’, insurers say (BBC, 26 Feb 2014) – Power companies are being refused insurance cover for cyber-attacks because their defences are perceived as weak, the BBC has learned. Underwriters at Lloyd’s of London say they have seen a “huge increase” in demand for cover from energy firms. But surveyor assessments of the cyber-defences in place concluded that protections were inadequate. Energy industry veterans said they were “not surprised” the companies were being refused cover.

Provided by MIRLN.

Image courtesy of FreeDigitalPhotos.net/Stuart Miles.

Hulu hoops: standing & damages as threshold issues in privacy cases (Paul Hastings, Jan 2014) – Imagine you are in the mall, and you overhear an interaction between a clerk and another shopper. The clerk asks to see a driver’s license to verify their identity. The clerk then remarks, “Your age makes you eligible for our senior discount; you get 10% off on this order!” The shopper, aghast, threatens to sue the store. It’s seemingly an empty threat: you can’t sue without being hurt, right? According to a California magistrate judge, that’s not necessarily true, at least in the context of privacy lawsuits. And as the number of privacy suits continues to skyrocket, that means the cost of doing business is about to go up. That commonsense inkling that someone must be injured in some tangible way to pursue a lawsuit (at least, a lawsuit in federal court) is codified in Article III of the US Constitution, in a legal doctrine known as “standing.” To show standing, a plaintiff must allege an injury that is (1) “concrete and particularized” and “actual or imminent,” (2) traceable to an action by a defendant, and (3) able to be redressed by a decision of the court. This hurdle has been historically difficult to overcome in privacy suits, where the “injuries” are often nebulous concepts like a “violation of privacy” or “slowing down my computer with cookies.” See, e.g., In Re DoubleClick, Inc. Privacy Litigation, 154 F. Supp. 2d 497 (S.D.N.Y. 2001) (rejecting plaintiffs’ damages theories under the CFAA, holding that the cost of “remediate” cookies and the alleged decreased value of personal information fail to meet the CFAA damages requirement). But times, they are changing. The Ninth Circuit, a hotbed of innovation and the home jurisdiction for many of the tech companies being sued, has decided that in some cases, simply invoking the name of a federal statute and alleging its violation can provide standing.

Provided by MIRLN.

Image courtesy of FreeDigitalPhotos.net/Stuart Miles.

A new “target” on their backs: Target’s officers and directors face derivative action arising out of data breach (Global Regulatory Enforcement Law Blog, 30 Jan 2014) – In the wake of its massive data breach, Target now faces a shareholder derivative lawsuit, filed January 29, 2014. The suit alleges that Target’s board members and directors breached their fiduciary duties to the company by ignoring warning signs that such a breach could occur, and misleading affected consumers about the scope of the breach after it occurred. Target already faces dozens of consumer class actions filed by those affected by the breach, putative class actions filed by banks, federal and state law enforcement investigations, and congressional inquiries. This derivative action alleges that Target’s board members and directors failed to comply with internal processes related to data security and “participated in the maintenance of inadequate cyber-security controls.” In addition, the suit alleges that Target was likely not in compliance with the Payment Card Industry’s (PCI) Data Security Standards for handling payment card information. The complaint goes on to allege that Target is damaged by having to expend significant resources to: investigate the breach, notify affected customers, provide credit monitoring to affected customers, cooperate with federal and state law enforcement agency investigations, and defend the multitude of class actions. The derivative action also alleges that Target has suffered significant reputational damage that has directly impacted the retailer’s revenue.

Provided by MIRLN.

Image courtesy of FreeDigitalPhotos.net/Grant Cochran

FBI surveillance malware in bomb threat case tests constitutional limits (ArsTechnica, 6 Dec 2013) – The FBI has an elite hacker team that creates customized malware to identify or monitor high-value suspects who are adept at covering their tracks online, according to a published report. The growing sophistication of the spyware—which can report users’ geographic locations and remotely activate a computer’s camera without triggering the light that lets users know it’s recording—is pushing the boundaries of constitutional limits on searches and seizures, The Washington Post reported in an article published Friday. Critics compare it to a physical search that indiscriminately seizes the entire contents of a home, rather than just those items linked to a suspected crime. Former US officials said the FBI uses the technique sparingly, in part to prevent it from being widely known. The 2,000-word article recounts an FBI hunt for “Mo,” a man who made a series of threats by e-mail, video chat, and an Internet voice service to detonate bombs at universities, airports, and hotels across a wide swath of the US last year. After tracing phone numbers and checking IP addresses used to access accounts, investigators were no closer to knowing who the man was or even where in the world he was located. Then, officials tried something new. “The FBI’s elite hacker team designed a piece of malicious software that was to be delivered secretly when Mo signed onto his Yahoo e-mail account, from any computer anywhere in the world, according to the documents,” reporters Craig Timberg and Ellen Nakashima wrote. 
“The goal of the software was to gather a range of information—Web sites he had visited and indicators of the location of the computer—that would allow investigators to find Mo and tie him to the bomb threats.” “We have transitioned into a world where law enforcement is hacking into people’s computers, and we have never had public debate,” Christopher Soghoian, principal technologist for the American Civil Liberties Union, told The Washington Post, speaking of the case against Mo. “Judges are having to make up these powers as they go along.”

Provided by MIRLN.

Image courtesy of FreeDigitalPhotos.net/renjith krishnan.

New documents show how the NSA infers relationships based on mobile location data (Washington Post, 10 Dec 2013) – Everyone who carries a cellphone generates a trail of electronic breadcrumbs that records everywhere they go. Those breadcrumbs reveal a wealth of information about who we are, where we live, who our friends are and much more. And as we reported last week, the National Security Agency is collecting location information in bulk — 5 billion records per day worldwide — and using sophisticated algorithms to assist with U.S. intelligence-gathering operations. How do they do it? And what can they learn from location data? The latest documents show the extent of the location-tracking program we first reported last week. Read on to learn more about what the documents show. The NSA doesn’t just have the technical capabilities to collect location-based data in bulk. A 24-page NSA white paper shows that the agency has a powerful suite of algorithms, or data sorting tools, that allow it to learn a great deal about how people live their lives. Those tools allow the agency to perform analytics on a global scale, examining data collected about potentially everyone’s movements in order to flag new surveillance targets. For example, one NSA program, code-named Fast Follower, was developed to allow the NSA to identify who might have been assigned to tail American case officers at stations overseas. By correlating an officer’s cellphone signals to those of foreign nationals in the same city, the NSA is able to figure out whether anyone is moving in tandem with the U.S. officer.

Provided by MIRLN.

Image courtesy of FreeDigitalPhotos.net/Arvind Balaraman.

How one small American VPN company is trying to stand up for privacy (ArsTechnica, 27 Oct 2013) – In recent months, I’ve started to take my own digital security much more seriously. I encrypt my e-mail when possible, I’ve moved away from Gmail, and I’ve become much more vigilant about using a VPN nearly all the time. Just as cryptographers and security researchers are auditing tools like TrueCrypt, I’ve started to kick the tires of the products that I rely upon on a daily basis. When I lived in Germany between 2010 and 2012, my wife and I paid $40 a year for a commercial VPN so we could continue to watch Hulu. But upon our return stateside, I kept paying for it anyway, for privacy-minded reasons. There are lots of VPNs out there, but the one I use is Private Internet Access (PIA). Why PIA? No particular reason, really. I don’t remember exactly how I came to choose it, but I remember seeing it in a roundup of VPNs listed on TorrentFreak. I now use PIA nearly every day, almost all the time, and that got me wondering: how does the company respond to real-world legal requests? Has it ever been compelled to hand over user data? Were those users ever notified? Unfortunately, Private Internet Access’ website doesn’t really make clear who is behind its site. The site’s footer points to London Trust Media, which also provides nothing more than an e-mail address. A little searching led me to find, and then get in touch with, the CEO of London Trust Media, Andrew Lee, one of the firm’s two owners. Lee has a background in the world of Bitcoin (he was one of the original founders of Mt. Gox), but he has had an interest in online privacy for years. PIA has been around since August 2009. Today, it has around 100,000 users. One of PIA’s biggest selling points (like other VPN providers) is that it does not log anything, and thus has little data to actually hand over to law enforcement. “We’ve never been asked for keys, nor [have we] handed over user data,” Lee told Ars.
“What happens is that if anybody asks us for information, first and foremost, we confirm that they are a legit agency or government body that has any jurisdiction to even attempt to ask for that data. Then we go through and see that that complies with the letter and the spirit of the law. We don’t have any logs whatsoever. We don’t log metadata [or] session data either. We will comply with anything, but we can’t comply because we do not provide any logs. We don’t log, period.” Of course, one of the biggest problems is that there’s essentially no way for me to verify PIA’s (or anyone else’s) practices. Lots of VPN firms claim not to log, and I’d like to believe them, but there’s really no way for me to know for sure that Lee can’t see that I’m loading Ars about 100 times a day. Lee also told me that his firm has spoken with the Electronic Frontier Foundation (EFF) and other related groups to try to come up with a third-party audit system that would attempt to alleviate this exact problem. That way, ordinary consumers like me would at least have a little bit more of a reason to trust that no logs are being kept. “You have to trust the VPN; they have access to your data,” Dan Auerbach of the EFF told Ars. “Even if they’re really good, the government can come in and say we have a warrant… You have to take it on faith that there will be no CALEA-type orders, [where] the government will come in and say you have to come in and do logging. This is the reason that Tor was developed, was that people realized that we want some sort of anonymity service that doesn’t require you to trust just one party. That’s the basic problem with VPNs.” * * *

[Vince Polley: This continues, with interesting discussion about legal issues, including possible use of a “warrant canary”. For many of the reasons stated in this story, I’ve decided to cancel my VPN account with GetCloak.com; it comes down to my inability to trust any third-party service provider that might log, or steal, my traffic. I’d suggested to GetCloak that they make public security promises that might be enforceable by the FTC, but even those might not be sufficient to enable me to use my financial log-in credentials over their network. So, I’m back to using AT&T, via my iPhone tethering, to secure my sensitive traffic, notwithstanding NSA interception. Better the NSA than somebody I don’t know and really cannot trust.]

Provided by MIRLN.

Image courtesy of FreeDigitalPhotos.net/ddpavumba.