STE WILLIAMS

Your browser history, IP addresses, online purchases etc all up for grabs without a warrant

Following a decade-long legal battle, the details of a US national security letter (NSL) sent to ISP owner Nicholas Merrill can finally be revealed.

The broad details have been known for some time, and a recent court decision all but listed the personal information that Merrill was told to hand over on all of his ISP's customers.

However, the decision by the FBI to not continue appealing the federal court’s judgment means people are now able to formally see the personal information that the US government believes it has a right to be granted access to without a warrant.

Merrill celebrated his legal victory on Twitter, noting: “Today my National Security Letter gag order is gone after over 11 years of litigation. I hope others who get NSLs find ways to challenge them”, adding: “I risked my freedom to speak out about my National Security Letter because I feel strongly about the need to protect privacy and free speech.”

At the same time the gag order built into the NSL was officially lifted, an unredacted version [PDF] of a court decision from Judge Victor Marrero was published listing in full all the details that the FBI requested be handed over by Calyx Internet Access back in 2004.

It is the first time that a National Security Letter gag order has been lifted. There are approximately 10,000 NSLs sent each year but the FBI refuses to provide hard statistics.

All in the details

Judge Marrero’s decision was carefully worded to effectively reveal the sort of details the FBI had requested but the unredacted version makes them explicit: an individual’s complete web browsing history; the IP addresses of everyone a person has corresponded with; and records of all online purchases.

The FBI also claims it has the authority to ask for mobile phone location data. According to the Feds, they have stopped asking for that data when sending out NSLs, although that doesn’t mean the agency doesn’t feel it continues to have the authority to do so under its reading of the law (originally the Patriot Act).

Merrill refused to hand over the information, and sued both the FBI and the US Department of Justice to lift the gagging order and let him say what they had demanded – claiming the ban restricted his First Amendment rights.

That was the start of an 11-year court battle in which Merrill himself was not allowed to be named, since he was under a gagging order, and the case name changed three times to reflect different attorneys general.

“For more than a decade, the FBI has been demanding extremely sensitive personal information about private citizens just by issuing letters to online companies like mine,” said Merrill.

“The FBI has interpreted its NSL authority to encompass the websites we read, the web searches we conduct, the people we contact, and the places we go. This kind of data reveals the most intimate details of our lives, including our political activities, religious affiliations, private relationships, and even our private thoughts and beliefs,” he added. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/30/isp_national_security_letter_details_published_following_11year_legal_battle/

BlackBerry to bug out of Pakistan by end of year

Blackberry will pull out of Pakistan on New Year’s Eve in protest of its government’s demand to intercept and decrypt people’s communications.

The Canadian company refuses to open what it considers a backdoor in its BlackBerry Enterprise Service (BES).

In July, Pakistan's Telecommunication Authority asked BlackBerry and other mobile operators in the country to open up their encrypted services to its intelligence agencies, and said BES would be shut out of the country unless BlackBerry complied.

“While we regret leaving this important market and our valued customers there, remaining in Pakistan would have meant forfeiting our commitment to protect our users’ privacy,” chief operating officer Marty Beard says.

“That is a compromise we are not willing to make.

“The truth is that the Pakistani Government wanted the ability to monitor all BlackBerry Enterprise Service traffic in the country, including every BES email and BES BBM (BlackBerry Messenger) message, but BlackBerry will not comply with that sort of directive.”

The ban was extended overnight by one month to 30 December. It is not known if this is intended to sway BlackBerry but the company appears to be prepared to leave.

Beard says the company has not granted any Government backdoor-like access.

It has, however, assisted law enforcement in other ways. Decrypted BlackBerry messages were provided to British police during the 2011 London Riots. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/01/blackberry_to_quit_pakistan/

Sued for using HTTPS: Big brands told to cough up in crypto patent fight

Scores of big brands – from AT&T and Yahoo! to Netflix, GoPro and Macy’s – are being sued because their HTTPS websites allegedly infringe an encryption patent.

It appears in May this year CryptoPeak Solutions, based in Longview, Texas, got its hands on US Patent 6,202,150, which describes “auto-escrowable and auto-certifiable cryptosystems.”

CryptoPeak reckons TLS-secured websites that use elliptic curve cryptography are infringing the patent – so it’s suing owners of HTTPS websites that use ECC. Top tip: loads of websites use ECC these days to securely encrypt their traffic.

Starting in July, CryptoPeak began pursuing companies through the courts in the eastern district of Texas. Just in the past week or so, the patent-holding biz filed infringement claims against AT&T, Priceline, Pinterest, Hyatt Hotels, Best Western, and Experia.

CryptoPeak has almost 70 cases in play now. It wants damages, royalties, and its legal bills paid. Here’s the paperwork [PDF] it filed against insurance giant Progressive on November 25, as an example.

“The defendant has committed direct infringement by its actions that comprise using one or more websites that utilize Elliptic Curve Cryptography Cipher Suites for the Transport Layer Security protocol,” CryptoPeak alleged in its lawsuit against Progressive.

“A representative example of a website owned, operated and/or controlled by the defendant that utilizes ECC Cipher Suites for TLS is progressive.com.”

According to Qualys’ SSL Labs, progressive.com does indeed support elliptic curve Diffie-Hellman key exchanges among other cipher suites.

The patent in question was crafted by crypto gurus Dr Adam Young and Dr Marcel “Moti” Yung, and filed in 1997. Its outline states:

This invention relates to cryptosystems, and in particular to the escrowing and recovering of cryptographic keys and data encrypted under cryptographic keys. The escrow and recovery process assures that authorized entities like law-enforcement bodies, government bodies, users, and organizations, can when allowed or required, read encrypted data. The invention relates to cryptosystems implemented in software, but is also applicable to cryptosystems implemented in hardware.

Perhaps crucially, it describes a means for “generating public keys” and “publishing public keys”, and it’s certainly true that ECC does involve generating public keys and using them.

But the patent is focused on “a key recovery agent to recover the user’s private key or information encrypted under said user’s corresponding public key” – which is really not the point of ECC. Yet, CryptoPeak seems to think there’s some overlap between today’s ECC implementations and the patent it holds.
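To make that distinction concrete, here is an added example (not from the article, the patent, or any party to the lawsuits) of the exchange an ECDHE cipher suite performs: Diffie-Hellman over the standard NIST P-256 curve in pure Python. Each side generates a private scalar it never sends and a public point it does; both arrive at the same shared secret, and at no point is a private key deposited with a recovery agent. The curve constants are the published P-256 parameters; the helper names are this example's own. It is a teaching implementation: not constant-time and not for production use.

```python
"""Ephemeral ECDH on NIST P-256, pure Python (teaching code, not constant-time)."""
import secrets

# Published P-256 domain parameters: y^2 = x^3 + A*x + B over GF(P), base point G of order N.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INF = None  # the point at infinity (group identity)


def on_curve(pt):
    """True if pt satisfies the curve equation (INF counts as on the curve)."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Group law on the curve, handling identity, inverse and doubling cases."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                   # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P          # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """k * pt by double-and-add (leaks timing; fine for a demonstration)."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def keygen():
    """Fresh ephemeral key pair: private scalar in [1, N-1], public point priv*G."""
    priv = secrets.randbelow(N - 1) + 1
    return priv, scalar_mult(priv, G)


def shared_secret(priv, peer_pub):
    """x-coordinate of priv * peer_pub, after rejecting invalid peer points.

    P-256 has cofactor 1, so an on-curve, non-identity point is a valid public key.
    """
    if peer_pub is INF or not on_curve(peer_pub):
        raise ValueError("invalid peer public key")
    return scalar_mult(priv, peer_pub)[0]


def ecdhe_exchange():
    """Both sides of the handshake: only the public points cross the wire."""
    a_priv, a_pub = keygen()          # client keeps a_priv, sends a_pub
    b_priv, b_pub = keygen()          # server keeps b_priv, sends b_pub
    return shared_secret(a_priv, b_pub), shared_secret(b_priv, a_pub)


if __name__ == "__main__":
    s_client, s_server = ecdhe_exchange()
    print("shared secrets match:", s_client == s_server)
```

The two `shared_secret` calls are the whole protocol; there is no escrow agent, no certifying authority step and no way, from the public points alone, to hand a third party either private scalar.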

It is not clear just what else, if anything, the outfit does. The company has little in the way of an online footprint outside of the litigation related to the ‘150 patent. Some people might even call it a “patent troll.”

The wealthy giants being sued also seem to have a less-than-favorable view of CryptoPeak. Netflix has filed a motion for dismissal [PDF] of the case on the grounds that the infringement claims are invalid and do not clearly show infringement.

“The defect in these claims is so glaring that CryptoPeak’s only choice is to request that the court overlook the express words of the claims, construe the claims to read out certain language, or even correct the claims,” Netflix’s legal eagles wrote in their filing.

Tadlock, the Texan law firm representing CryptoPeak, told us: “We are not in a position to comment on the pending cases.”

El Reg also contacted a bunch of the organizations accused of infringing the patent; none was immediately available for comment, except AT&T – which told us: “We cannot comment on pending litigation.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/01/cryptopeak_sues_/

Cisco’s telco-grade uber-routers can make almost anyone root

Oops: Cisco has announced a privilege escalation bug in its Aggregation Service Router 1000 Series.

There are a lot of cases where local privilege escalation isn’t such a big deal, but it’s moderately serious when it means a low-privilege sysadmin can get root access to a unit that has 100 Gbps-plus configurations in carrier and ISP deployments.

Described here, the “root shell license bypass vulnerability”, CVE-2015-6383, arises from a lack of input filename validation in the CLI.

“An attacker could exploit this vulnerability by authenticating to the affected device and crafting specific file names for use when loading packages”, the advisory explains.

That bypasses the license required for root shell access, Cisco says – and root on the box means the attacker owns the device outright.
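The advisory says no more than “lack of input filename validation”, so as an added example (not Cisco’s code and not a reproduction of the bug) here is the generic check a CLI that loads packages by name should make before the name reaches the filesystem: an allow-list pattern on the name itself, then a containment check on the resolved path. The package directory and the `.pkg` suffix are assumptions made for the demo.

```python
"""Allow-list validation of a user-supplied package file name.

Added example, not Cisco code. PACKAGE_DIR and the .pkg suffix are assumptions.
"""
import os
import re

PACKAGE_DIR = "/var/packages"   # hypothetical package store

# First char alphanumeric (so no leading '-' that a tool could read as an option),
# then a bounded run of safe characters, then a fixed suffix. No separators,
# no whitespace, no shell metacharacters, no NUL.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}\.pkg")


def safe_package_name(name):
    """True only if the name matches the allow-list in full."""
    # fullmatch (rather than match/search with '$') also rejects a trailing newline.
    return isinstance(name, str) and NAME_RE.fullmatch(name) is not None


def resolve_package(name, base_dir=PACKAGE_DIR):
    """Return the absolute path for a valid name; raise ValueError otherwise."""
    if not safe_package_name(name):
        raise ValueError(f"rejected package name: {name!r}")
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, name))
    # Second line of defence: even if a symlink is planted inside base_dir,
    # the resolved target must still be inside it.
    if os.path.commonpath([base, path]) != base:
        raise ValueError(f"package resolves outside {base}: {path}")
    return path


if __name__ == "__main__":
    for candidate in ["example-1.0.pkg", "../../bin/sh", "pkg;reboot.pkg", "-rf.pkg"]:
        print(repr(candidate), "->", safe_package_name(candidate))
```

The allow-list does the real work; the `realpath` containment check only matters once a name has passed it, and it is kept because validation rules tend to loosen over time while the directory check keeps holding.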

Of course, there’s also the matter of people getting root access who haven’t paid the appropriate license fee, but surely no customer would take advantage of a bug merely to break their license conditions and save money.

The vulnerability affects ASR 1000 Series devices running software version 15.4(3)S, and they have to be patched because there’s no workaround. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/01/cisco_asr_1000s_get_root_vuln_patch/

Belkin’s N150 router is perfect for learning hacking skills – wait, what, it’s in production?

Belkin’s home routers can be commandeered by hackers, thanks to a Telnet backdoor, a cross-site request forgery (CSRF) vulnerability and other bugs, we’re told.

Security researcher Rahul Pratap Singh warns that the Belkin N150’s built-in web server, provided so users can configure their kit, doesn’t perform enough checks on requests heading its way.

That means when someone visits a malicious webpage, JavaScript on that page can manipulate the device’s settings to knock it offline, redirect internet traffic to hacker-controlled servers by tampering with DNS settings, and so on. This is possible by brute-forcing the session cookie, and exploiting the web app’s CSRF weakness, Singh says.
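The two weaknesses described above, modelled as an added example (this is neither Belkin firmware nor Singh’s proof of concept): a router admin endpoint that accepts a state change on the strength of a session cookie alone, with a session id small enough to guess, next to a hardened version that uses a 128-bit id, a per-session CSRF token carried in the form rather than the cookie, and an Origin check. The 16-bit session-id format, the router address and the attacker’s addresses are assumptions made for the demo.

```python
"""Router admin endpoint: CSRF-vulnerable versus hardened (added example, not Belkin code)."""
import hmac
import secrets
from dataclasses import dataclass

ROUTER_ORIGIN = "http://192.168.2.1"     # assumed admin UI origin
EVIL_ORIGIN = "http://attacker.example"  # assumed malicious page
ROGUE_DNS = "203.0.113.53"               # assumed attacker-controlled resolver
DEFAULT_DNS = "192.0.2.1"


@dataclass
class Request:
    cookies: dict
    headers: dict
    form: dict


class VulnerableRouter:
    """Hypothetical weak design: 16-bit session id, the cookie is the only check."""

    def __init__(self):
        self.sessions = set()
        self.dns = DEFAULT_DNS

    def login(self):
        sid = format(secrets.randbelow(1 << 16), "04x")   # only 65,536 possibilities
        self.sessions.add(sid)
        return sid

    def set_dns(self, req):
        if req.cookies.get("sid") not in self.sessions:
            return 401
        self.dns = req.form["dns"]                         # no CSRF or origin check
        return 200


class HardenedRouter:
    """128-bit session id, per-session CSRF token, Origin must be the router itself."""

    def __init__(self):
        self.sessions = {}
        self.dns = DEFAULT_DNS

    def login(self):
        sid, token = secrets.token_hex(16), secrets.token_hex(16)
        self.sessions[sid] = token
        return sid, token

    def set_dns(self, req):
        token = self.sessions.get(req.cookies.get("sid"))
        if token is None:
            return 401
        # Browsers attach Origin to cross-site POSTs and a foreign page cannot forge it.
        if req.headers.get("Origin") != ROUTER_ORIGIN:
            return 403
        # The token lives in the admin page, not the cookie, so a foreign page cannot read it.
        if not hmac.compare_digest(req.form.get("csrf_token", ""), token):
            return 403
        self.dns = req.form["dns"]
        return 200


def csrf_request(sid, dns=ROGUE_DNS):
    """What the victim's browser sends when a malicious page auto-submits a form:
    the router cookie is attached automatically, Origin is the attacker's site."""
    return Request(cookies={"sid": sid}, headers={"Origin": EVIL_ORIGIN}, form={"dns": dns})


def brute_force_sid(router, dns=ROGUE_DNS):
    """Try every 16-bit id against the endpoint; returns (id, attempts) on first 200."""
    for i in range(1 << 16):
        guess = format(i, "04x")
        req = Request(cookies={"sid": guess}, headers={}, form={"dns": dns})
        if router.set_dns(req) == 200:
            return guess, i + 1
    return None, 1 << 16


if __name__ == "__main__":
    weak = VulnerableRouter()
    weak.login()
    print("guessed session:", brute_force_sid(weak), "dns now", weak.dns)
    strong = HardenedRouter()
    sid, _ = strong.login()
    print("cross-site POST against hardened router:", strong.set_dns(csrf_request(sid)))
```

Marking the cookie `SameSite=Strict` would stop the cross-site submission in modern browsers as well, but the token and Origin checks do not depend on the client, which is what you want on a device whose users run whatever browser they have.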

The devices also leave a Telnet server running on port 23 with the default username and password “root”, revealing a BusyBox Linux system under the hood, we’re told. This can be accessed by anything on the local network.

And malicious JavaScript can be injected into the N150’s webpages, which is executed in the browser when the user logs into their own device, according to Singh.

He told us the flaws could be used in combination, some using a direct connection to the router, and others remotely via a browser, to gain ownership over the Belkin boxes.

“An attacker may have a machine on the local network, either by physically connecting, or by compromising a machine on the local network through other means – for example, via malware,” he explained. “Then it can use Telnet to do the rest of the stuff to compromise the router.”

He has also posted a video demonstrating a script-injection exploit on a Belkin N150 running firmware version 1.00.09.


Singh said he first reported the security issues to Belkin on October 20, and again on November 25, to no response. The flaws are reported to be unpatched.

Belkin did not respond to a request for comment on the security disclosure, and at this point it is not clear when a fix or mitigation will be released.

Belkin routers are like a barrel of fish for security researchers to shoot into, or rather a barrel of fish that Belkin has riddled with holes: its boxes have been vulnerable to DNS spoofing and Wi-Fi security cracking tricks in the past few months. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/01/hole_in_belkin_home_router/

Node.js sysadmins, get ready to patch

Sysadmins: within around the next 24 to 48 hours, watch out for an upcoming update to node.js to cover off a couple of vulnerabilities.

The most serious, CVE-2015-8027, is a remotely-exploitable denial-of-service (DoS) bug that the node.js Foundation is keeping embargoed until the patch is issued.

The DoS bug affects all versions from v0.12.x through v5.x, but not 0.10.x.

The second, CVE-2015-6764, is an out-of-bounds access vulnerability that only affects v4.x and v5.x. An attacker can trigger an out-of-bounds access and/or denial-of-service “if user-supplied JavaScript can be executed by an application”, the advisory says.

The foundation reckons the second bug is only of medium severity.

The fixes are scheduled 1 December USA time / 2 December UTC.

The node.js Foundation community manager Mikeal Rogers told InfoWorld there are so far no exploits for the bugs in the wild. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/01/nodejs_sysadmins_get_ready_to_patch/

Team America, world police, take down 37,479 counterfeit sites

A band of merry world police led by the United States Customs and Border Protection service shut down 37,479 copyright-infringing websites hawking counterfeit goods in the lead-up to the Cyber Monday buying blitz.

The takedown involved varying forms of collaboration between 27 countries including Britain, France, Denmark, and Spain.

It was the first time that Interpol had brought in support through eight member countries including Argentina, Chile, China, and Thailand.

Copyright holders including tech companies, entertainment industry houses, and fashion outfits joined police and Europol in the massive operation.

Europol and Interpol helped target offending top-level domains.

It was the sixth and largest counter copyright and fraud operation of its kind for both the US Immigration and Customs Enforcement agency and Europol.

“This effort highlights the global commitment to take aggressive action against online piracy,” says Bruce Foucart, director of Homeland Security’s National Intellectual Property Rights Coordination Center.

“The IPR Center will continue to collaborate with international law enforcement and industry to protect consumers from purchasing counterfeit goods online, which could expose sensitive financial information and present a health and safety threat.”

Europol’s December 2013 takedown, its third, clipped 690 fraud web sites, while the most recent December 2014 operation busted 292 counterfeit domains.

The recent takedown is also the first time Interpol has pulled in support from its member countries.

More cases are expected to be filed against the downed web site operators from aggrieved private sector companies.

“Cooperation with private industry remains crucial and is key to monitoring and reporting IP-infringing websites to the concerned countries via Europol, to ultimately make the Internet a safer place for consumers,” Europol says in a statement.

“Operation IOS VI followed a new format, in line with the EU Action Plan on the enforcement of intellectual property rights, which resulted in the triggering of seven additional operations. Moreover, several new cases are expected to be initiated due to the huge demand from the rights holders in private industry.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/01/world_police_take_down_37479_counterfeit_sites/

State & Local Government Hit By Malware, Ransomware More Than SMBs

Localities and education networks suffered twice as many infections of the infamous CryptoWall ransomware as other sectors.

Small- and midsized businesses (SMBs) aren’t the only ones in the bullseye of ransomware and other malware attacks: worldwide, nearly 70% of state and local government networks triggered malware or ransomware alerts, as did more than 70% of education networks.

Intrusion prevention firm Sentinel IPS found that about 39% of its other customers in its IPS sensor-based network sounded alerts for malware or ransomware between July 1 and November 9 of this year, among some 30 million alerts. An alert signals that malicious traffic is attempting to leave the organization, such as malware trying to “phone home” to its command and control server, for example. The IPS then blocks that traffic.
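The alerting described above, as an added example run over constructed flow records (this is not Sentinel IPS code, and the indicator feed and log lines are made up for the demo): only traffic leaving the network is a candidate “extrusion”; an outbound destination on the indicator list produces an alert, and the severity attached to the indicator family decides whether the connection is blocked or merely logged.

```python
"""Egress ("extrusion") alerting over constructed flow records (added example, not vendor code)."""
import ipaddress
from collections import Counter

# Hypothetical indicator feed: destination -> (malware family, severity).
C2_INDICATORS = {
    "198.51.100.23": ("CryptoWall", "critical"),
    "bad-updates.example": ("Kovter", "critical"),
    "ads.browsefox.example": ("BrowseFox", "low"),
}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range

# Constructed flow log, one record per line: "<src> <dst> <dport> <proto>".
SAMPLE_LOG = """\
10.1.4.20 198.51.100.23 443 tcp
10.1.4.20 93.184.216.34 443 tcp
10.2.9.7 bad-updates.example 80 tcp
10.3.1.15 ads.browsefox.example 80 tcp
203.0.113.5 10.1.4.20 445 tcp
"""


def parse_flow(line):
    src, dst, dport, proto = line.split()
    return {"src": src, "dst": dst, "dport": int(dport), "proto": proto}


def is_internal(addr):
    """True for an IP inside the internal range; hostnames are never internal here."""
    try:
        return ipaddress.ip_address(addr) in INTERNAL
    except ValueError:
        return False


def classify(flow):
    """Alert dict for an outbound hit on the indicator list, else None."""
    if not is_internal(flow["src"]):
        return None                                  # inbound: not an extrusion
    hit = C2_INDICATORS.get(flow["dst"])
    if hit is None:
        return None
    family, severity = hit
    return {
        "host": flow["src"], "dst": flow["dst"], "dport": flow["dport"],
        "family": family, "severity": severity,
        "action": "block" if severity == "critical" else "log",
    }


def run(log_text):
    """All alerts raised over a log, in record order."""
    flows = (parse_flow(l) for l in log_text.splitlines() if l.strip())
    return [a for a in map(classify, flows) if a is not None]


def summarize(alerts):
    """Per-family alert counts, the figure the vendor's report aggregates by sector."""
    return Counter(a["family"] for a in alerts)


if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(alert)
    print(summarize(run(SAMPLE_LOG)))
```

The direction check is the part worth copying: the same destination seen as a source of inbound traffic is a different signal, and counting it as an extrusion would inflate exactly the “critical alert” figures quoted here.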

“We would think that SMBs would map fairly well with state and local government customers and education. You’d think security would be similar across the board,” but the alerts show otherwise, says Ted Gruenloh, director of operations for Sentinel IPS.

State and local government agencies in the data include not only agencies proper but also water districts, utilities and police departments. These localities and education-sector institutions suffered twice as many infections of the infamous CryptoWall ransomware, according to the sensor data. Overall, state and local government and education networks made up just 32% of all traffic alerts, but they accounted for 77% of critical alerts of attempted “extrusion,” according to Sentinel IPS’s data.

The older, more rudimentary Kovter ransomware was spotted as well, 95% of the time in state and local government and education networks.

Tim Francis, cyber enterprise lead at Travelers, says it’s no surprise that ransomware is on the rise, nor that state and local governments are becoming a big target for it. “What we saw CryptoLocker do a couple of years ago … was fairly game-changing,” Francis says. “Prior attacks were [typically] an individual singular attack at a time. CryptoLocker obviously changed that” with its massive botnet infrastructure and ability to hit multiple targets, he says.

State and local municipalities are often cobbling together different systems with few security resources, so it makes them more vulnerable to ransomware attacks, he says.

“If I’m an SMB,” he says, “a class action or other lawsuit is something I’d be worried about if it’s significantly expensive. That could cause me to have to close my doors.”

Cyber-extortion is becoming part of some cyber insurance policies, he says.

Another big and well-known malware annoyance, BrowseFox, was found on 67% of education networks and 23% of state and local government networks, amassing some 1.3 million alerts. Gruenloh says that’s a bit surprising because it’s one of the easiest ones to manage and prevent. “But a lot of stuff gets inside” these smaller organizations, he says.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: http://www.darkreading.com/attacks-breaches/state-and-local-government-hit-by-malware-ransomware-more-than-smbs/d/d-id/1323355?_mc=RSS_DR_EDT

“Walter Mitty type” IT manager jailed over attempted dark web gun buy

The law has grown quite adept at flipping on the light switch in the dark web to unmask crooks, be they child predators, kids buying poison, people hiring hitmen, or operators of contraband sites like Silk Road or Utopia.

(Well, if not “adept” with the technology themselves, then perhaps adept at simply buying Tor-cracking know-how from Carnegie Mellon or court-ordering it out of CMU researchers.)

You would think that somebody whose business it is to be up on technology and information privacy would know this.

You would be wrong, at least with this one particular IT manager.

As the National Crime Agency (NCA) reports, Darren Hillyer, a 38-year-old from the UK, has been jailed for 5 years after trying to buy a gun on the dark web.

Hillyer posed as a woman who was gunning for an ex-lover whom “she” had discovered was a child abuser.

Hiding behind the alias “Emma,” he ordered a Luger LC9 9mm handgun and 50 rounds of ammunition from a gun trader on a dark web forum.

Then, he got a middleman to pick it up and forward it to him.

To that end, he got in touch with 47-year-old Ian MacPhee, from Newton Abbot, Devon: a man whom he’d met in a chat room but never in person.

MacPhee obligingly went by to pick up the mystery package from a post office in Newton Abbot.

He didn’t know what was in it, but if he’d opened it, he’d have found out that it wasn’t a gun: rather, NCA agents had tucked a plastic replica inside a Digital Audio Broadcasting (DAB) radio that was under their control.

NCA officers arrested MacPhee on the morning of July 28.

They traced the package’s forwarding address to Hillyer later that day and arrested him at an insolvency company in Euston, London, where he worked as an IT manager.

What type of IT professional wouldn’t know that the cops are waiting for crooks to make illicit deals on the dark web?

Unfortunately, in this man’s case, it sounds like it’s the type of person who’s delusional.

Hillyer’s colleagues told the agents that he’s a “fantasist” and a “Walter Mitty type character.”

They said that Hillyer had claimed that he worked for intelligence and security services who’d issued him a gun.

While being interviewed, Hillyer told police that his activity on the dark web was part of research to help him apply to join the NCA.

Hillyer and MacPhee appeared at Bristol Crown Court in mid-September.

Hillyer pled guilty to conspiracy to import a firearm and ammunition. MacPhee pled guilty to attempting to evade the duty on an imported item.

According to The Register, Hillyer was given a 5-year sentence at his sentencing hearing in Bristol Crown Court on Thursday.

At the same time, MacPhee was ordered to pay a £275 fine.

I don’t see the point in admonishing people who can’t tell the difference between fantasy and reality.

Let’s hope this poor man gets psychiatric care, and that he gets it long before he ever has a second chance to make his dreams come true on the dark web.

For others, it’s thankfully getting tougher to buy guns online.

That’s because the dark web gun trade has been infiltrated by cops and scams, as Motherboard reported recently.

In other words, AK-47s and pistols are getting tougher to casually buy with a few clicks and some bitcoin: a rare piece of good news in an era stained with horrifying gun-related violence.

Image of SIG Pro SP2022 autoloading pistol (not a Luger, sorry) and 50 rounds of 9mmx51mm ammo courtesy Augustas Didžgalvis via Wikipedia.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/KC2phjMxgHY/

Brazilian anti-racism group uses billboards to shame Facebook trolls

An anti-racism group in Brazil is waging an intriguing campaign against intolerant internet commenters – ironically, by attempting to make racist comments as visible as possible.

The group Criola (a Portuguese word meaning “Creole”) is bringing offensive comments made on Facebook and Twitter from the virtual world into the real world by publishing them on giant billboards in neighborhoods where the commenters live.

Criola says on a website publicizing the “Virtual Racism, Real Consequences” campaign that it’s trying to educate people about the effects of racist comments, and hopes it will make people think twice before posting.

The group launched its campaign last July in response to what it says were racist attacks on an Afro-Brazilian TV broadcaster, Maria Julia Coutinho, after the news programme Jornal Nacional posted her photo on its Facebook page.

Because some of the commenters had geolocation turned on, Criola was able to track down those users to their home cities and plaster their comments on billboards in their neighborhoods.

One billboard in the city of Feira de Santana, in the state of Bahia, shows a Facebook comment reading:

If you washed properly, you wouldn’t be so dirty.


We’re not fluent in Portuguese, but according to the BBC, that was one of the milder comments highlighted by the campaign.

In an interview with the BBC, Criola founder Jurema Werneck said the campaign is supposed to encourage people to report racism they encounter online.

The billboards don’t show the names or faces of the commenters and the profile images and names are blurred out – Criola says it has “no intention of exposing anyone.”

But there is an intimidation factor too – Werneck told the BBC abusive commenters think they can “do whatever they want” in the comfort of their own homes, but they “can’t hide” from her group:

Those people [who post abuse online] think they can sit in the comfort of their homes and do whatever they want on the internet. We don’t let that happen. They can’t hide from us, we will find them.

The campaign is definitely shining a bright spotlight on big issues facing social media users, including harassment, trolling and even free speech (in Brazil, racist comments are illegal).

There’s another lesson in here for people concerned about their online privacy: anything you say online can come back to haunt you in the real world.

Consider turning off geolocation on your mobile devices – it can save you from online harassers coming straight to your doorstep.

And one more technique to avoid being outed as a racist: don’t be a racist.

Image of Brazil flag courtesy of Shutterstock.com. Billboard image courtesy of Criola.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ATwO0v9b9OE/