Goodbye, Hello Barbie: Wireless toy dogged by POODLE SSL hole

Mattel’s Hello Barbie doll, the Wi-Fi-equipped playmate that talks to its owner and reports back on the conversations to mummy and daddy, has more security problems than first thought – this time on the software side.

Last week security researcher Matt Jakubowski found that it was relatively easy to purloin wireless network names, account IDs, and MP3 files from the toy. Now an examination by a different team has found that both the mobile app controlling the doll and the server-side systems used by the plastic playthings also have serious issues.

After unboxing, Hello Barbie is set up with a Wi-Fi connection that allows the owner’s questions to be sent to a remote server, analyzed, and an appropriate response sent back. The iOS and Android mobile app required to do this has some fairly basic errors, according to Bluebox Labs and Andrew Hay, director of research at OpenDNS.

The app uses client certificate authentication to talk to the main servers, and password-protects the certificate. But the password is hardcoded into the app’s executable and can be reverse-engineered, the researchers report, or the certificate obtained from the app after it has been decrypted.

The doll is also set up as a wireless access point with the name “Barbie” followed by four random alphanumeric characters. When the mobile app searches for an access point, it will connect to any network with the phrase Barbie in its name. This makes spoofing a connection easy and resulting traffic susceptible to surveillance.

On the server side, the team spotted that ToyTalk, Mattel’s tech partners on Hello Barbie, use SSLv3 for encryption – meaning it is susceptible to the POODLE attack first reported in October last year.
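As an added example (not code from Bluebox, ToyTalk or The Register), the check a defender applies to the point above: build a server-side TLS context that cannot fall back to SSLv3, and statically audit any context against that version floor. Only the Python standard library is used; the hypothetical `legacy_context()` reconstructs a permissive, 2015-style floor purely to exercise the audit and makes no live SSLv3 connection.

```python
import ssl

# Protocol floor every endpoint should enforce: TLS 1.2 or later. Everything
# below it (SSLv3 and early TLS) is what a POODLE-style downgrade relies on.
FLOOR = ssl.TLSVersion.TLSv1_2


def hardened_server_context() -> ssl.SSLContext:
    """Server-side context pinned to TLS 1.2+; SSLv3 is never negotiable."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = FLOOR
    return ctx


def legacy_context() -> ssl.SSLContext:
    """Hypothetical 2015-era configuration (constructed for this demo only):
    no version floor and the OP_NO_SSLv3 guard bit cleared."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.options &= ~ssl.OP_NO_SSLv3  # clearing the bit emits no warning
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Static audit of a context's protocol-version settings.

    Returns a list of findings; an empty list means the floor holds. Only the
    configuration is inspected: many OpenSSL builds ship without SSLv3 code,
    so a permissive configuration is still worth fixing even where a live
    SSLv3 handshake would already fail.
    """
    findings = []
    min_v = ctx.minimum_version  # TLSVersion; MINIMUM_SUPPORTED sorts below SSLv3
    sslv3_guarded = bool(ctx.options & ssl.OP_NO_SSLv3)
    if min_v <= ssl.TLSVersion.SSLv3 and not sslv3_guarded:
        findings.append("SSLv3 negotiable: POODLE padding-oracle exposure")
    if min_v < FLOOR:
        findings.append(f"protocol floor is {min_v.name}; require {FLOOR.name}+")
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_server_context()),
                       ("legacy", legacy_context())):
        print(label, audit_context(ctx) or ["ok"])
```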

None of these problems are unfixable, and the researchers are in contact with ToyTalk and are patching up the holes. But, given the somewhat sensitive nature of the doll in these days of worry over privacy, they should really have been fixed earlier.

“ToyTalk were great to work with,” Bluebox’s lead security analyst Andrew Blaich, told The Reg. “Within a day of us getting in touch they were patching their systems, which is almost unheard of for this kind of internet of things device, and they had already updated SSLv3 to bar POODLE attacks.”

So if you’re buying a Hello Barbie for your little snowflake this Christmas, there shouldn’t be too much to worry about – apart from the doll’s option to report back its conversations with children to their parents. That could cause a few problems, particularly if the little tyke asks why mummy shouts to Jesus when the postman comes around. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/04/wireless_barbie_slipshod_security/

VTech’s Android tablet for kids ‘hopelessly insecure’

Toymaker VTech – already under heavy fire for a massive security breach and insecure apps – faces fresh security criticism: researchers have discovered it was possible to easily lift data from its Innotab tablet.

Tests by UK security consultancy Pen Test Partners revealed that it was easy to harvest data left on any lost, stolen, or resold Innotab slabs. Passwords, PINs, email addresses, app data, and more are all potentially exposed because of a lack of security controls or built-in encryption.

VTech’s Innotab tablet is based on the RockChip CPU. Pen Test Partners previously discovered that the RockChip allows data to be read if the device is in a “bricked” or crashed state.

Most devices need a mode in order to recover from a bricked state, for example where an update went wrong. It should be possible to write firmware to a device in this Flash mode but not to read off data, which Pen Test Partners were able to lift using a USB cable and the application of a modest degree of technical know-how.

The Innotab tablet – which VTech markets for use by children – runs Android version 4.1.1.

Pen Test Partners further discovered that it was possible to dump the data partition. This dump could be mounted and read, again with a minimum of technical common sense.

“This bug has been known about for well over 2 years,” Ken Munro, a director at Pen Test Partners, explains in a blog post. “It’s a bit lame of VTech to continue shipping vulnerable tablets – tablets that expose children’s data.

“Most other Android tabs do offer encryption, even cheap ones,” Munro told El Reg.

In addition, the tablet enabled Android Debug Bridge, aka “developer mode,” by default. This security weakness allowed the Pen Test Partners team to easily gain root access to a vulnerable Innotab tablet.

Finally, Pen Test Partners found a microSD card on the motherboard, which was glued on but that took just seconds to pry off.

The easily removable memory card housed filesystem and user data. “Other than making for another easy route to extract sensitive data, that’s also asking for reliability trouble down the line,” Munro warned. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/04/vtech_android_tablet_insecure/

Smart telly, router, app makers have left a security hole open for – drum-roll – three years

A security hole that has been known and patched for the last three years remains open in over 6.1 million connected devices.

This according to Trend Micro, who says its researchers have discovered that a collection of remote code execution vulnerabilities in a software library used by mobile devices, smart TVs, and routers to stream media files has gone unpatched.

The buffer overflows lie in libupnp, the Portable SDK for UPnP. The library is commonly used by devices to stream media files over a network. First patched in 2012, the flaws potentially allow an attacker to take control of the targeted device.

“These vulnerabilities were actually fixed in December 2012, however, many apps still use the older, vulnerable version of the SDK,” wrote Trend Micro mobile analyst Veo Zhang.

“We found 547 apps that used older versions of libupnp, 326 of which are available on the Google Play store.”

Zhang notes that in order for the vulnerability to be exploited, the vulnerable library must be accessible remotely, and in some cases vendors can use mitigation techniques such as ASLR or DEP to prevent an exploit.

Still, Zhang estimates that at least 20 of the apps Trend found could be subjected to the exploits. As many as 6.1 million devices were vulnerable to apps such as Tencent QQMusic and LinPhone (both of which have since been patched).

The findings underscore what is likely to be a growing problem with IoT devices. As more devices are connected to networks and integrated with internet protocol, hardware and appliance manufacturers who have not traditionally had experience in application development will be tasked with creating and maintaining secure software stacks, leaving the possibility for widespread exposure of major security vulnerabilities. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/04/smart_stuff_security_hole_open_three_years/

McAfee Labs’ 2016-2020 Threat Predictions, Part 2

Previewing 2020 to inform long-term security strategies.

My last post previewed the threat trends and developments likely to shape the cybersecurity space in 2016. This post revisits the McAfee Labs Threat Predictions Report to preview the 2020 threat landscape and the likely cybersecurity industry responses to it.

The Intel Security report reflects the insights of 21 cybersecurity thought leaders within our McAfee Labs, Office of the CTO, Foundstone Professional Services, and Advanced Threat Research teams. The resulting look ahead attempts to predict how the types of threat actors will change, how attackers’ behaviors and targets will change, and how the industry will meet these challenges over the next five years.

If there’s one underlying message, it is that the future, more than ever, will require security technologies that enable rather than hinder the businesses they protect, and collaboration that helps those businesses better understand and preempt the threats confronting them over the long term.

Here are some key threat predictions from the report through 2020:

  • Below-the-OS attacks. Attackers could look for weaknesses in firmware and hardware as applications and operating systems are hardened against conventional attacks. The lure would be the broad control attackers can potentially gain through these attacks, as they can conceivably access any number of resources and commandeer administration and control capabilities.
  • Detection evasion. Attackers will attempt to avoid detection by targeting new attack surfaces, employing sophisticated attack methods, and actively evading security technology. Difficult-to-detect attack styles could include fileless threats, encrypted infiltrations, sandbox evasion malware, exploits of remote shell and remote control protocols, and the aforementioned below-the-OS attacks targeting and exploiting master boot records (MBR), BIOS, and firmware.
  • New devices, new attack surfaces. The ease and affordable cost of developing connected devices will fuel an explosion of new products. While there has not yet been a surge in IoT and wearable technology, by 2020 we may see installed bases of these systems reach substantial enough penetration levels that they will attract attackers. To ensure that security and privacy aren’t playing catchup to innovation, technology vendors and vertical-solution providers will work to establish user education and industry best practices, as well as build security controls into device architectures where appropriate.
  • Cyber espionage goes corporate. As is the case in so many other areas of crime-ware, the dark market for malware code and hacking services could enable cyber espionage malware used in public sector and corporate attacks to be used at scale for financial intelligence-gathering and the manipulation of markets in favor of attackers’ financial interests.
  • Security industry response. The security industry will develop more effective tools to detect and correct sophisticated attacks. Behavioral analytics could be developed to detect irregular user activities that might indicate compromised accounts. Shared threat intelligence is likely to deliver faster and better protection of systems. Automated detection and correction technology promises to protect enterprises from the most common attacks, freeing up IT security staff to focus on the most critical security incidents.

Anticipating and preempting adversary attacks requires that we match the intelligence exchange, cloud computing and delivery power, platform agility, and human resource assets that cyber criminals regularly leverage on the dark Web. To win the battles against future threats, organizations must see more, learn more, detect and respond faster, and fully utilize all the technical and human resources at their disposal.

Long viewed as a security liability, the cloud, together with on-premises defenses, will allow organizations to leverage the power and scale of shared threat intelligence, behavioral analytics, and machine-learning capabilities that would otherwise be beyond their reach.

In our next post, my colleague Michael Sentonas will discuss the cloud’s cybersecurity “silver lining.” This prospect of matching and eclipsing adversaries’ capabilities through cloud-based capabilities is one of many things that have my peers and me optimistically looking forward to 2016, 2020, and beyond.

Vincent Weafer is Senior Vice President of Intel Security, managing more than 350 researchers across 30 countries. He’s also responsible for managing millions of sensors across the globe, all dedicated to protecting our customers from the latest cyber threats. Vincent’s team …

Article source: http://www.darkreading.com/partner-perspectives/intel/mcafee-labs-2016-2020-threat-predictions-part-2-/a/d-id/1323425?_mc=RSS_DR_EDT

Microsoft Leads Effort To Disrupt Dorkbot Botnet

Dorkbot’s command and control servers have been sinkholed.

Microsoft researchers, working in tandem with other researchers and law enforcement officials in several countries, helped disrupt a malware family dubbed Dorkbot that is believed to have infected more than 1 million computers worldwide.

Researchers from Microsoft’s Malware Protection Center and Digital Crimes Unit teamed up with counterparts at ESET and CERT Polska in providing detailed information and telemetry on Dorkbot to law enforcement in the US, Canada, and Europe. US-CERT, the FBI, Interpol, and the Royal Canadian Mounted Police, all worked on the case.

Microsoft yesterday in a post announcing the Coordinated Malware Eradication (CME) campaign offered no details on how exactly Dorkbot was disrupted. But ESET said the effort had involved sinkholing the command and control servers that threat actors were using to remotely control compromised systems.

Dorkbot is malware that first surfaced in April 2011 and has been used since then to steal passwords and personal information from people logging into sites like Facebook, Gmail, Netflix, PayPal, Twitter, and YouTube.

The malware works by disabling security software on a system and then blocking access to the security websites that update the software. Once on a system, Dorkbot connects via Internet Relay Chat to a remote command and control server and downloads other malware on to it. Compromised systems become part of large Dorkbot botnets used in denial-of-service attacks and for spam distribution purposes.

The malware spreads through removable drives, drive-by downloads, spam emails, instant messaging clients, and social networks. Microsoft said that over the past six months, it detected an average of 100,000 Dorkbot-infected systems per month, largely in India, Indonesia, and the Russian Federation. A Microsoft “heat map” showing Dorkbot machine detections over the past three months shows the U.S. as having a relatively large number of infected systems as well.

“Dorkbot is an old botnet that has been reinventing itself through the years,” malware researcher Jean-Ian Boutin wrote on the ESET blog. “Dorkbot uses old tricks to compromise new systems.” 

Dorkbot’s creator or creators have made the malware available as a ready-to-use kit called NgrBot, which is available to criminals through underground forums, Microsoft said. The kit comes with a complete set of instructions on how to create a botnet and helpfully lists all the different functions that are available and how to use them. Included in the documentation are tips for command settings and IRC settings.

Microsoft’s Coordinated Malware Eradication campaign, launched in January 2014, is an effort to get security vendors, researchers and other stakeholders to pool their resources and information in coordinated, large scale anti-malware campaigns. The company has said that it is only through coordinated efforts that the industry has a chance to deter destructive malware campaigns.

According to Microsoft, security vendors can help by sharing malware data and detection methods with law enforcement. Computer emergency response teams and Internet Services Providers can help by blocking or taking down known malware sites and command and control servers, while financial services companies can help by choking off the money supply to known criminals, Microsoft says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: http://www.darkreading.com/vulnerabilities---threats/microsoft-leads-effort-to-disrupt-dorkbot-botnet/d/d-id/1323429?_mc=RSS_DR_EDT

Microsoft’s training facial recognition apps to recognize our emotions

This just in from the “All the better to target ads at you” department:

Microsoft last month released to developers a public beta of Project Oxford, a set of cloud-based algorithms that go beyond facial recognition to identify facial expressions in images and recognize emotions.

Wait, does this news make your face twist in anger, disgust, contempt, fear or surprise?

Great! Microsoft’s onto those emotions!

Eventually, there’ll very likely be an app that knows you’re growling at your phone: just send in an image!

According to the Project Oxford site, Microsoft’s so-called Emotion API takes an image as input and returns the confidence level across a set of emotions for each face in the image, as well as a bounding box for the face, using the company’s Face API.

Here’s what it can detect:

  • Anger
  • Contempt
  • Disgust
  • Fear
  • Happiness
  • Neutral
  • Sadness
  • Surprise

These facial expressions are universal.

You might not speak French, for example, but you can be disgusted in any language: Microsoft says that these emotions are “cross-culturally and universally communicated” with particular facial expressions.

In its emotion recognition demo, you can see that Microsoft’s managed to train its artificial intelligence algorithms to pick up on happiness quite well: many of the photos with grinning people were rated with a “happiness” level of 1 and a minuscule, if any, reading on any other emotion, with the exception of an occasional, tiny possibility of “neutral” or other emotions thrown in.

Chris Bishop, head of Microsoft Research Cambridge, in November demonstrated the technology at Microsoft’s Future Decoded conference on the future of business and technology.

Microsoft said that its artificial intelligence can be trained for facial/emotions recognition on sets of images:

The system can learn to recognize certain traits from a training set of pictures it receives, and then it can apply that information to identify facial features in new pictures it sees.

In fact, earlier that week, before it released the Emotion API, in honor of the men’s health, facial-hair-growing fundraising effort Movember, Microsoft also released MyMoustache, which uses the technology to recognize and rate facial hair.

OK, moustache rating. That’s fun.

But why emotions, you ask? Why in the world would you want apps to be developed that recognize your emotions?

Well, when it comes to recognizing emotions, you’re talking marketing gold.

Ryan Galgon, a senior program manager within Microsoft’s Technology and Research group, suggests that developers might want to use the tools to create systems that marketers can use to “gauge people’s reaction to a store display, movie or food.”

Another option he suggested: developers might find an emotion recognition API valuable for creating a consumer tool, such as a messaging app, that offers up different options based on what emotion it recognizes in a photo.

I must confess, my imagination is running a little wild here. I can’t help but wonder, what might facial recognition kingpins like Facebook get up to with this technology?

What new things could be done by surveillance agencies when it comes to reading emotions in photos?

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/U3CUcYcwLYA/

Advent tip #4: Unsolicited tech support call? Just hang up!

Many of us have had unsolicited technical support calls, sometimes several of them.

It’s a scam that’s been going on for years, and it goes something like this.

Your phone rings, or an SMS arrives, or a popup appears when you visit a website, and the message tells you that there’s a virus of some sort on your computer.

If the “warning” arrives in an SMS or a pop-up, you’re urged to call a “support line,” typically a free number that seems harmless enough to dial.

Whatever the route, you end up talking to an earnest-sounding “support techie” who will typically imply that he’s from Microsoft, or Windows, and has some official-sounding reason to be talking to you.

We’re using “air quotes” here because everything about these calls is bogus, and you’re about to be squeezed into paying for a service you don’t need, and which wouldn’t fix your problem even if the caller were telling the truth.

There are various storylines the call will follow, but, in the end, the scammer will insist that a virus infection has been traced to your computer, and that you need to let him help you fix it.

If you don’t act now, you could lose all your data, be sued, get cut off by your ISP, or worse: a pack of scary lies to squeeze you even harder.

If you cave in, you’ll end up paying by credit card for a remote-access support session or some software that you didn’t need, that you can’t trust, and that won’t solve the problem you didn’t have.

Encourage your less tech-savvy friends and family not to yield to this sort of pressure.

End the call right away, because there is nothing useful to hear, and nothing useful to say.

DEALING WITH FAKE SUPPORT CALLS

Here’s a short podcast you can recommend to friends and family. We make it clear that these guys are scammers (and why), and offer some practical advice on how to deal with them.

(Originally recorded 05 Nov 2010, duration 6’15”, download size 4.5MB)

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ZJN0tRisEmw/

White hats, FBI and cops team up for Dorkbot botnet takedown

Operations of the Dorkbot botnet have been disrupted following an operation that brought together law enforcement agencies led by the FBI, Interpol and Europol, and various infosec firms.

The Dorkbot infrastructure, including command and control servers in Asia, Europe, and North America, has been knocked sideways and domains seized, with the latter affecting the ability of crooks to control compromised computers. Infected Windows PCs will still need to be cleaned up, however.

Dorkbot has been doing the rounds for more than four years, essentially since April 2011.

Security firms, including ESET, shared technical analysis of Dorkbot.

The information included the domains and internet addresses of the botnet’s command and control servers, vital intelligence for the subsequent takedown operation. Microsoft and CERT.PL also assisted in the disruption effort.

Dorkbot is a well-established botnet distributed via various channels, such as social networks, spam, removable media and exploit kits. The malware is a password-stealer targeting popular web services, such as Facebook and Twitter.

Dorkbot typically installs secondary malware on compromised machines. Favourite flavours include Kasidet (AKA Neutrino bot), malware used to conduct DDoS attacks, and Lethic, a well-known spambot.

Unwitting conduits for spreading the infection included celebrity cook Jamie Oliver’s website back in February. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/04/dorkbot_botnet_takedown/

The Power of Prevention: What SMBs Need to Know About Cybersecurity

There is no such thing as a company that can’t afford security. But where do you start?

Many SMBs today have the mindset that they are “not big enough” to be targeted by cyber criminals. Having smaller budgets than their enterprise counterparts, SMBs are also often not willing to invest in adequate protection. As a result, many SMBs fail both to prevent breaches and to respond effectively when they are breached.

A successful attack can cost hundreds of thousands, even millions of dollars. For an SMB with limited financial resources, the damage can be catastrophic. There’s no such thing as a company that “can’t afford” security. But where do you begin? Here are four steps to get you started.

Step 1: Understand the real threat – it’s not about compliance
Many SMBs make two very common errors. First of all, they believe that they are not a target. In years past, the Verizon Data Breach Investigations Report has noted that 60% of all successful attacks were aimed at SMBs — not the Targets and Home Depots of the world. Why? SMBs typically do not have the expertise, resources, or processes required to appropriately monitor and manage security products in their environment. Interestingly, while Verizon didn’t look at the percentage of SMBs successfully attacked in its 2015 report, it did find that the cost of a breach is not necessarily lower for small businesses. Larger organizations do have higher losses per breach, but really only because they typically lose more records.

The second error is that many SMBs believe that if they are compliant, whether with HIPAA, GLBA, SOX, or others, they are also secure. The reality is that it is possible to be 100 percent compliant yet 100 percent insecure. Compliance does not equal security, or vice versa. Compliance, depending on the regulatory body you are dealing with, can address only those aspects of security required to protect the data in question. Security is a much more holistic strategy, involving multiple data/access sources and threat vectors. Achieving compliance will not make you secure. Being secure may not make you compliant, as there is no such thing as 100 percent security. Focus must be brought to bear on both independently.

Step 2: Security is a business imperative
According to the National Cyber Security Alliance, one in five small businesses falls victim to cybercrime each year. And of those, some 60% go out of business within six months of an attack. You need to protect your business, but a McAfee study showed that almost 90% of SMBs do not adequately protect their data. Often SMBs believe that security boils down to technology purchases, when in reality, technology products are only part of the equation. Technology tools aid in implementing security policies that protect the business, but without the right people and the right processes behind the technology, an SMB is not fully protected.

As a business you should: know where your business vulnerabilities are (data, bank account access, and operational dependencies); be able to quantify the impact of any business vulnerabilities that are compromised; determine what risk is acceptable and what risk must be eliminated and have implemented the technology, people, and processes that are necessary to eliminate that risk.

At the end of the day, security is a business decision, not a technology decision.

Step 3: Put your investment where the threat is the greatest
An SMB security budget is often an afterthought and, as a result, small. There are numerous vendors that will sell you point products for every attack vector known to man or woman. By understanding your business and its vulnerability points, you can prioritize your investment in technologies and resources that will mitigate that threat.

When investing in your security strategy, it is important to consider the additional expenditures required to make your technology decisions effective. Regardless of the technology tool purchased, you must also have trained resources – people – who can configure and manage the tool; alerting capability during non-business hours so you know when a threat has been detected; and senior-level, expert practitioners who know how to respond to and remediate threats before damage can be done.

A tool is only as good as the expertise of the person using it.

Step 4: Choose the right partner
SMBs are focused on growing their business, not building an IT department. Often in a small business, the owner is also the IT manager, and, in many cases, the SMB has a partner that has, in effect, become their outsourced IT department, providing hardware, implementation services, break-fix, and even hands-on management services. Those partners advise SMB owners on what new products to buy, but when it comes to security, you can be left “holding the bag” when an event occurs.

In choosing security partners, consider their level of expertise, resources, and 24×7 infrastructure. They should be knowledgeable about security products, but also have the capability to deliver security services that detect and remediate threats. Putting the right security strategy in place to mitigate threats that can jeopardize your business is not just a good idea – it’s mandatory to sustain and grow your business.

Gustavo has over 17 years of experience across a range of technologies and industries with emphasis on security strategy, management, architecture, and security protocols. Gustavo graduated with an MBA from Cranfield School of Management in the United Kingdom and acquired …

Article source: http://www.darkreading.com/attacks-breaches/the-power-of-prevention-what-smbs-need-to-know-about-cybersecurity/a/d-id/1323409?_mc=RSS_DR_EDT

Using license plate readers to shame men suspected of soliciting prostitutes

Be careful where you park your car: if it’s in a neighborhood known for prostitution, there’s a chance that you – or whoever gets to the mailbox first – could find a “Dear John” letter that gently, unsubtly offers advice about avoiding sexually transmitted diseases (STDs), among other completely unsolicited and potentially unwarranted “advice.”

The Los Angeles Daily News reports that last Wednesday, the Los Angeles City Council voted to have the city attorney’s office analyze the proposal to use license plate readers to determine who owns the vehicles and to send “John letters” to those owners if they’ve been parking, or driving slowly through, such neighborhoods.

The hope is that the mail will be opened by mothers, girlfriends or wives.

The proposal comes from Councilwoman Nury Martinez, who represents a San Fernando Valley district that has a thriving street prostitution problem.

Martinez has said that many of the prostitutes are either children or exploited women.

She also said something that makes absolutely no sense whatsoever: that only those guilty of soliciting have anything to worry about.

From a statement issued by her office last Wednesday:

If you aren’t soliciting, you have no reason to worry about finding one of these letters in your mailbox. But if you are, these letters will discourage you from returning. Soliciting for sex in our neighborhoods is not OK.

She said in a release that the letters will be generated only with probable cause:

While we can’t discuss the specifics of LAPD’s implementation of this tool, there will need to be probable cause to generate a letter – you won’t simply get a letter because you’re in the area. In short, if you aren’t soliciting, you won’t have to worry about one of these letters ending up in your mailbox.

This is patently absurd, many claim.

Nick Selby, CEO of StreetCred Software, a Texas police detective and a general supporter of using license plate readers for police work, writes that Martinez is flat-out wrong: you don’t need to hire a prostitute to get one of these letters.

Rather, this is a “legislated abuse of technology that’s already controversial”:

Have Ms. Martinez and the Los Angeles City Council taken leave of their senses? This scheme makes, literally, a state issue out of legal travel to arbitrary places deemed by some — but not by a court, and without due process — to be “related” to crime in general, not to any specific crime.

There isn’t “potential” for abuse here, this is a legislated abuse of technology that is already controversial when it’s used by police for the purpose of seeking stolen vehicles, tracking down fugitives and solving specific crimes.

Selby says it’s “theoretically possible” that police could spot a car driving in that slow cruising style typical of johns looking to solicit, see the car stop in front of somebody who could be, or is, a prostitute, and so decide to investigate.

(That’s actually not very common, he said: it takes way too much manpower and time.)

The City Council wants to “automate” this process of reasonable suspicion, Selby says, thereby reducing it to mere presence at a certain place, and then deploy it “on a massive scale.”

So not only is LA looking at sending out letters that apparently have no legal standing and that could have significant adverse consequences to recipients – who could be perfectly innocent – there are “grave issues of freedom of transportation and freedom of association here.”

Selby:

Guilt by association would be a higher standard.

What makes the plan of action – namely, going after people who’ve done nothing outside of traveling legally on city streets – even more outrageous is that it would be funded with municipal funds, Selby points out.

It would involve accessing state-funded Department of Motor Vehicle records to get car owners’ data and would entail taxpayers funding the writing, packaging and posting of such letters.

Those records would then be subject to Freedom of Information laws, which would enable anybody to get a list of all vehicles driving in the neighborhoods in question – all without an investigation having been launched into the guilt or innocence of a particular vehicle owner.

The Electronic Frontier Foundation (EFF), along with the American Civil Liberties Union (ACLU), has an ongoing lawsuit against the LAPD and the Los Angeles sheriff.

The suit, originally filed in 2013, demands the release of a week’s worth of license plate data accumulated through the use of license plate readers and accuses the agencies of violating the California Public Records Act by withholding the data.

As news reports have pointed out, cities including Minneapolis, Des Moines and Oakland, Calif., are already sending these types of john letters.

Many of those cities are using a markedly different approach than that being considered in Los Angeles: one that relies on citizen participation, Selby told me.

It’s not any better, but at least it’s on a smaller scale, he said:

It’s just as offensive, but the scale is smaller. But the content of the letters is universally horrible.

One example: in Escambia County, the letters included the phrase, “The above named person and his/her significant other may have been exposed to a sexually transmitted disease…”

That’s weasel-speak, Selby said, that enables attorneys to have it both ways, as in, “We didn’t say they HAD an STD … Just that they might.”

All that, based on where somebody’s car was seen.

If it doesn’t scare you, Selby said, it should.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ylP1URwnpI0/