A Citizen Lab report released Thursday revealed that 33 countries are likely using FinFisher, a prominent spyware program. Many of these countries—including Ethiopia, Bangladesh, and Egypt—have suspect human rights standards.

FinFisher enables an organization or government to capture the keystrokes of a computer, as well as use the device’s microphone and camera to surreptitiously eavesdrop on a target. This type of surveillance tool was once only used by advanced governments, but is now available to anyone willing to invest in the service. In the U.S., journalists and dissidents are especially targeted.

Hackings in the past two years have informed researchers about the mechanics of spyware companies. FinFisher was hacked last year, revealing confidential company logistics, and its competitor Hacking Team was hacked this past year, exposing vital emails and files. Errors in spyware servers help Citizen Lab researchers figure out which governments are using the services of companies like FinFisher or Hacking Team.

Spyware servers used by governments often infect and control target computers with malware disguised behind proxies. Researchers found that 135 servers matched the “technical fingerprint” of shady spyware after scanning the Internet, yet they were always directed to a decoy page after typing the server’s Internet address into a Web browser. The decoy pages were most often www.google.com or www.yahoo.com.

However, the decoy sites showed search results localized to the server's actual location, not to the location of the researchers who loaded the page. One proxy server appeared to be in the United States, yet returned an IP address from Indonesia, indicating that the country's government may be using FinFisher's services.

Article via The Washington Post, 16 October 2015

Photo: Patrons use computers in an internet cafe via World Bank Photo Collection [Creative Commons Attribution-NonCommercial-NoDerivs]

Lawyers, like everyone else, have been quick to adopt smartphones for business use. Having a little internet-connected computer in your pocket makes it easy for lawyers to reach and respond to clients and keep up with industry news. Law firms have become dependent on this technology, and as a result smartphones have become a ubiquitous device. Since the reign of the BlackBerry, lawyers have regularly been handed smartphones for company use.

But what is happening to these phones once the firms are done with them? More specifically, what is happening to all the client data that is collected on these phones while they were in use? Large firms usually have an enterprise solution for handling old smartphones. But it is less likely that the same is the case with smaller firms.

A recent study by the Blancco Technology Group revealed that data is sometimes left behind on second-hand devices. They found that one-third of discarded smartphones had residual data left on them. Of the mobile devices with residual data, over half of it was left there after an attempted deletion. This means that even those who tried to protect their data by deleting it were unsuccessful and did not realize it.

For lawyers, this type of liability makes the stakes much higher. Leaving confidential client information on a discarded device can be extremely detrimental. This means that law firms, large and small, will need to take extra steps to make sure that their mobile devices are wiped clean. This includes not just smartphones, but also tablets and hard drives.

Lawyers will need to upgrade their tech savvy to make sure that their data and their clients stay safe.

Article via Above The Law, 8 October 2015

Photo: The iPhone 4 via Jorge Quinteros [Creative Commons Attribution-NonCommercial-NoDerivs]

Edward Snowden fled the US in 2013 after leaking classified documents to reporters. These documents revealed domestic surveillance by the NSA on United States citizens and ignited outrage and debate about security and surveillance. To escape arrest, Snowden left the country and resides in Russia, where he has been since 2013. Now he wants to come back home.

In an interview that aired Monday with the BBC, Snowden says that he has offered to go to jail in exchange for coming home, but has not received a response from the government. He stated, “I’ve volunteered to go to prison with the government many times”. He continues saying that “what I won’t do is I won’t serve as a deterrent to people trying to do the right thing in difficult situations.” This echoes a sentiment that he expressed in a Wired interview in 2014 where he said that he wouldn’t mind going to jail as long as his sentence “serves the right purpose.”

Snowden has been charged with three felonies under the Espionage Act that carry a sentence of over 30 years. His lawyers have objected to Snowden returning to the US because they believe that a trial on charges under the Espionage Act would not be fair. “The Espionage Act finds anyone guilty who provides any information to the public, regardless of whether it is right or wrong,” Snowden told the BBC. “You aren’t even allowed to explain to a jury what your motivations were for revealing this information. It is simply a question of, ‘Did you reveal information?’ If yes, you go to prison for the rest of your life.”

There continues to be debate as to whether Snowden is a patriot or a traitor. Those who see his actions as an act of patriotism have called for President Obama to grant Snowden a full pardon. But when Secretary of State John Kerry visited Moscow in 2013, he called Snowden a traitor and a coward. Former Attorney General Eric Holder has indicated that a plea deal could be possible that meets the requests of both the government and Snowden.

In the meantime, Snowden continues to use his status to speak out about issues of security and surveillance.

Article via TechCrunch, 6 October 2015

Photo: snowden via duluoz cats [Creative Commons Attribution-NonCommercial-NoDerivs]

The international firm Shook, Hardy & Bacon has started using its new security certification to woo potential clients. The certification, ISO 27001, took two years and multiple consultants and analysts to obtain, but Shook’s CIO, John Anderson, thinks the work was worth it. He started the certification process based on the opinions of Shook’s information governance committee, which wished to have “a methodology and a framework that ensures [they’re] using best practices for information security” and “third-party verification that proved [their] commitment to information security to external parties”, according to Anderson. Now the hard work is paying off. Anderson states that the certification is a “differentiator” and a “competitive advantage” for the firm.

In a recent poll of 1,322 CEOs, 61% listed cyberattacks as a key concern. With the average data breach costing approximately $3.8 million, it’s no wonder that organizations are asking firms how they implement cybersecurity. Some, according to John Murphy, Shook’s chair, even specifically ask whether the law firm holds the ISO 27001 certification. Their clients’ questions are unsurprising, considering that the firm regularly handles highly confidential and regulated information, sometimes for organizations within the pharmaceutical industry.

Just having the ISO 27001 security certification isn’t necessarily enough, though. Steve Wilson, an analyst at Constellation Research, explains that the certification is simply a “management process standard–it doesn’t tell you what to do exactly in security; it tells you how to go about managing the security function.” Shook’s executives point out, though, that the certification does require the firm to routinely evaluate and update its security standards, and if nothing else demonstrates its commitment to keeping clients’ data secure. In addition to the spending required to obtain the certification, the firm also has funds dedicated to the other aspects of its security strategy. “We wanted to make sure we had the processes in place so [clients] had confidence that we were doing the best we could,” Murphy explains.

Article via CIO, August 28, 2015

Photo: Security via Robert Wallace [Creative Commons Attribution-NonCommercial-NoDerivs]

Recent hacks have especially targeted three main sectors: healthcare, education, and government. This has compromised the security of healthcare provider Excellus BlueCross BlueShield, the Cal State University System, and the U.S. Department of Energy.

It was discovered last week that over 10 million people are at risk due to an Excellus computer system hack that had been underway since December of 2013. It doesn’t appear that the hackers stole or used any important personal information, though they were able to access and view customer names, birth dates, social security numbers, and financial claims. The attack was one of the 20 worst breaches in healthcare of all time. The hack also parallels recent incidents at Anthem, the Office of Personnel Management, Sony and Ashley Madison. In all cases, the attackers posed as employees, using stolen credentials to gain access to corporate networks.

Roughly 80,000 students from the Cal State University System had personal information exposed after enrolling in a class on sexual harassment. Their names, numbers, emails, gender, race, and relationship status had been provided to a contractor as part of the sexual harassment program. The contractor, “We End Violence”, was hacked, as reported in the Los Angeles Times earlier this month.

The U.S. Department of Energy’s computer systems were attacked 159 times between 2010 and 2014. Officials declined to comment, however, on the nature of what was accessed by hackers or whether any foreign governments were responsible.

Article via ECT News Network, September 16, 2015

Photo: Longmont Power and Communications-3 via You Belong in Longmont [Creative Commons Attribution-NonCommercial-NoDerivs]

Innovation has allowed cars to be outfitted with rear-view cameras, internet connectivity, computerized maintenance systems, and other technological components that can greatly benefit drivers. Unfortunately, new technology sometimes leads to new problems. The instant a car connects to a network, it is opened up to cyberattacks, which could eventually lead to hackers controlling the car remotely. This could potentially create a multitude of problems, which has prompted Intel to create the Automotive Security Review Board. The goal of the ASRB is to diminish the risk that cyberattacks present to vehicles. Chris Young, the Senior Vice President and General Manager of Intel Security, states that “with the help of the ASRB, Intel can establish security best practices and encourage that cyber-security is an essential ingredient in the design of every connected car.”

The board seeks to use ongoing security tests and audits to determine how best to advise automobile manufacturers. This, in turn, will keep cars and their drivers safer. Considering that some companies are already recalling cars due to security breaches, the ASRB and its findings will be useful to automotive companies. Intel will provide its advanced development platforms to assist with the board’s security research and has already published an initial version of its automotive cybersecurity best practices, which will be updated as the ASRB continues its research. A key component of Intel’s advice is that vehicle security needs to be monitored and updated even after the sale of the car is finalized. As Intel stated in its report on best practices, “Threat analysis and risk assessment continues throughout the life of the car as old vulnerabilities are patched and new ones come to light, so the risk of attack can even increase with time.” As new threats emerge, especially in automotive applications, manufacturers will need the cybersecurity research that organizations like the Automotive Security Review Board are conducting.

Article via CNET, September 14, 2015

Photo: Urban Congestion via Doug [Creative Commons Attribution-NonCommercial-NoDerivs]