STE WILLIAMS

What would YOU do with a $1,000,000 exploit? [Chet Chat Podcast 220]

Sophos Security Chet Chat – Episode 220 – Nov 4, 2015

Join Sophos experts Chester Wisniewski and Paul Ducklin for the latest episode of our security podcast.

Listen to the week’s news in a way that’s fun, informative and educational – all in a tight, quarter-hour format.

In this episode:

• [0’50”] The “Dance like no one’s watching” #sophospuzzle
• [1’56”] Cool T-shirts, socks and even surfboards at the Sophos Store
• [2’22”] A $1,000,000 hole in the iPhone?
• [4’43”] Data breach dilemma continues to stalk TalkTalk
• [6’28”] Should you do the Encryption Dance?
• [7’07”] No, no, no, 000Webhost!
• [10’03”] Yahoo’s “crypto witch” exploits the HSTS security feature
• [13’53”] The demotion of (ex-) Planet Pluto

Other podcasts you might like:

• Chet Chat 219 – It’s not CLOUD computing, it’s CLOWN computing!

• Chet Chat 218 – You make your PRIVATE key PUBLIC, right?

• Sophos Techknow – Malware on Linux – When Penguins Attack

• Sophos Techknow – Dealing with Ransomware

Get this and other Sophos podcasts:

Download this episode as an MP3...
Sophos podcasts on Soundcloud...
RSS feed of Sophos podcasts...

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Sag__tNBCtE/

Stuxnet-style code signing of malware becomes darknet cottage industry

Underground cybercrooks are selling digital certificates that allow code signing of malicious instructions, creating a lucrative and expanding cottage industry in the process, according to new research from threat intelligence firm InfoArmor.

In one case, a hacker tricked a legitimate certificate authority into issuing digital certificates for malware before marketing a cyber-espionage tool called GovRAT.

GovRAT is a malware creation tool that comes bundled with digital certificates for code signing. It was initially sold through TheRealDeal Market, an underground marketplace on the so-called dark net that is only accessible using Tor.

The cybercrime or cyber-espionage toolkit was offered for sale at 1.25 Bitcoin ($420, at current rates, or $1,000 at the time) before the seller began selling it privately.

This type of illicit trade is far from a one-off.

InfoArmor found other posts promoting code-signing certificates¹ in various underground marketplaces. Sellers price these certificates at between $600 and $900 depending on the issuing company. Code-signing certificates issued by Comodo, Thawte, DigiCert and GoDaddy – firms well known for supplying digital credentials to legitimate software developers – are among those on offer.

Andrew Komarov, president and chief intelligence officer at InfoArmor, explained that these sellers are courting hackers and cyberspies looking to mount targeted attacks.

“[The buyers are] blackhats (mostly state-sponsored), malware developers,” Komarov told El Reg. “It is a pretty professional audience, as typical script kiddies and cybercriminals don’t need such stuff. It is used in APTs, organised for targeted and stealth attacks. The appearance of such services on the blackmarket allows [hackers] to perform them much more easily, rather like Stuxnet.”

Stolen or fake certificates were discovered in the Stuxnet worm and the Sony hack, both high profile attacks. InfoArmor’s research suggests the technique is being made available to a far wider range of potential attackers.

“It is a pretty specific niche of modern underground market,” Komarov added. “It can’t be very big, as the number of certificates is pretty limited, and it is not easy to buy them, but according to our statistics, the number of such services is significantly growing.”

InfoArmor estimates crooks are getting hold of these certificates through resellers. “Bad actors buy digital certificates through resellers, where the due diligence of customers is pretty poor,” Komarov explained. “They provide fake names, or fake information about the author and purpose on why they need this certificate, and receive it. After they have received such certificates, they trade them on the blackmarket for malware developers, allowing them to create signed malware for further APTs in several minutes.”

The certs can be used to sign far more than just executable files. It’s also possible to sign drivers, Microsoft Office documents, Java content and many other file types.

Russian-speaking hackers behind these sales boast that certificate revocation, the process that would invalidate a rogue code-signing certificate, is slow and (in any case) rare.

Some cybercriminals have even begun offering malware-signing-as-a-service, using prepared digital certificates. One such service ran from a website called certs4you.org before the domain was suspended. The hacker behind the operation is still in business, according to InfoArmor.

RAT pack

The GovRAT tool relies on standard Microsoft signing and signature-verification components, such as SignTool and the WinTrust API, to digitally sign malicious code.

The same unidentified hacker also sold code-signing certificates that used Authenticode technology².

The GovRAT malware is probably designed for cyber espionage APT campaigns. The use of a digital certificate is designed to fool antivirus software. Once planted, malware signed using the tool can communicate over SSL, obscuring the exfiltration of sensitive data.

In samples intercepted by InfoArmor, miscreants are using one certificate per malware sample, signing each binary individually. GovRAT victims include political, diplomatic and military employees of more than 15 governments worldwide.
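To make concrete what Authenticode signing actually covers, the following stdlib-only Python is an added example; it is not code from the article, from InfoArmor or from Microsoft. It implements the PE hashing rules from Microsoft's Authenticode PE specification: the image is hashed with the CheckSum field, the Certificate Table data-directory entry and the appended certificate table itself left out, so attaching or swapping a signature does not change the hash, and it extracts the raw PKCS#7 blob from the certificate table. The `build_test_pe` helper and its payloads are a constructed fixture (a parseable but non-runnable PE32+ image with placeholder bytes in place of real SignedData) so the example runs offline; the code identifies and hashes what a signature covers but does not validate the signature or its certificate chain, which needs a PKCS#7/X.509 library.

```python
"""Authenticode (PE) hash and embedded-signature extraction using only the standard library."""
import hashlib
import struct
from typing import NamedTuple, Optional

SECURITY_DIR_INDEX = 4               # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


class PeLayout(NamedTuple):
    checksum_off: int      # file offset of OptionalHeader.CheckSum
    certdir_off: int       # file offset of the Certificate Table data directory entry
    size_of_headers: int   # OptionalHeader.SizeOfHeaders
    sections: list         # [(PointerToRawData, SizeOfRawData), ...]


def parse_layout(data: bytes) -> PeLayout:
    """Locate the header fields the Authenticode hash must skip, plus the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: data directories start at +96
        dd_off = opt + 96
    elif magic == 0x20B:      # PE32+: data directories start at +112
        dd_off = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    sections = []
    for i in range(num_sections):
        entry = opt + size_opt + 40 * i
        raw_size, raw_ptr = struct.unpack_from("<II", data, entry + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    return PeLayout(opt + 64, dd_off + 8 * SECURITY_DIR_INDEX, size_of_headers, sections)


def authenticode_hash(data: bytes, algo: str = "sha256") -> str:
    """Hash the image the way SignTool/WinTrust do: everything except CheckSum,
    the Certificate Table directory entry and the appended certificate table."""
    lay = parse_layout(data)
    _, cert_size = struct.unpack_from("<II", data, lay.certdir_off)
    h = hashlib.new(algo)
    h.update(data[:lay.checksum_off])
    h.update(data[lay.checksum_off + 4:lay.certdir_off])
    h.update(data[lay.certdir_off + 8:lay.size_of_headers])
    hashed = lay.size_of_headers
    for raw_ptr, raw_size in sorted(lay.sections):     # sections in file order
        h.update(data[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    trailing = len(data) - hashed - cert_size          # overlay data before the certificate table
    if trailing > 0:
        h.update(data[hashed:hashed + trailing])
    return h.hexdigest()


def embedded_signature(data: bytes) -> Optional[bytes]:
    """Return the PKCS#7 SignedData blob from the certificate table, or None if unsigned."""
    lay = parse_layout(data)
    cert_off, cert_size = struct.unpack_from("<II", data, lay.certdir_off)
    if cert_off == 0 or cert_size == 0:
        return None
    length, _revision, cert_type = struct.unpack_from("<IHH", data, cert_off)
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        raise ValueError(f"unsupported WIN_CERTIFICATE type {cert_type:#x}")
    return data[cert_off + 8:cert_off + length]


def build_test_pe(section_bytes: bytes, signature: Optional[bytes] = None, checksum: int = 0) -> bytes:
    """Constructed fixture (assumption, not a real binary): a minimal PE32+ image with one
    section and, optionally, an attached WIN_CERTIFICATE carrying `signature` as its payload."""
    ALIGN = 512
    body = section_bytes.ljust(ALIGN, b"\0")
    cert_table = b""
    if signature is not None:
        cert_table = struct.pack("<IHH", 8 + len(signature), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + signature
        cert_table = cert_table.ljust((len(cert_table) + 7) // 8 * 8, b"\0")   # 8-byte aligned
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                        # PE32+ magic
    struct.pack_into("<I", opt, 60, ALIGN)                       # SizeOfHeaders
    struct.pack_into("<I", opt, 64, checksum)                    # CheckSum (excluded from hash)
    struct.pack_into("<I", opt, 108, 16)                         # NumberOfRvaAndSizes
    if cert_table:                                               # Certificate Table: file offset, size
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR_INDEX, ALIGN + len(body), len(cert_table))
    section = bytearray(40)
    section[:5] = b".text"
    struct.pack_into("<IIII", section, 8, len(section_bytes), 0x1000, len(body), ALIGN)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(section)).ljust(ALIGN, b"\0")
    return headers + body + cert_table


if __name__ == "__main__":
    payload = b"constructed sample bytes"
    unsigned = build_test_pe(payload)
    signed_a = build_test_pe(payload, b"FAKE-PKCS7-BLOB-A", checksum=0x1111)
    signed_b = build_test_pe(payload, b"FAKE-PKCS7-BLOB-B-LONGER", checksum=0x2222)
    print(authenticode_hash(unsigned))
    print(authenticode_hash(signed_a) == authenticode_hash(signed_b))
    print(embedded_signature(signed_a))
```

The practical point for the one-certificate-per-sample pattern described above: re-signing the same binary with a different purloined certificate leaves the Authenticode hash unchanged, so hunting by that hash (the value WinTrust compares against the SpcIndirectDataContent inside the PKCS#7 blob, often called the authentihash) clusters re-signed copies that a plain file SHA-256 would split apart. Whether the extracted blob chains to a trusted root, and whether its certificate has been revoked, is a separate check that this block deliberately does not perform.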

Seven banks, some in the US, and 30 defence contractors have also been targeted for attack. In addition, more than 100 corporations have been hit by malware developed using GovRAT since early 2014.

GovRAT features advanced self-encryption and anti-debugging tools. InfoArmor’s report on GovRAT and the wider trade in purloined code signing certificates can be downloaded from its website here (registration required).

Bootnote

¹Code-signing certificates are certificates that allow developers to sign their software and its components (drivers, DLLs, etc.). Signed software is normally treated as trusted by users’ computers and operating systems, which makes the abuse of signing technology attractive to spies and cybercriminals alike. Hackers use purloined certificates (stolen, or registered under other names and companies) to sign their malware.

²Microsoft Authenticode is the code-signing and signature-validation technology used on Microsoft Windows. Redmond’s support means many publishers and developers rely on it for their own applications.

Sponsored:
2015 Cost of Cyber Crime Study: United States

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/04/code_signing_malware/

MPs launch ‘TalkTalk’ inquiry over security of personal data online

Executives at TalkTalk, including CEO Dido Harding herself, may face a grilling from Members of Parliament over the shoddy security practices which led to the theft of more than a million Britons’ data from her company.

This morning the Culture, Media and Sport Committee announced it had “launched an inquiry into cyber-security following the recent attack on TalkTalk’s website.”

The inquiry will be titled “Cyber security: Protection of personal data online inquiry” and follows confusion at TalkTalk as to how many customers’ details had been lost, and how dangerous such a loss might be to those customers.

The Register understands the committee is fully booked for November. It is not known whether Harding is expected to provide testimony, but it would be unusual for such an inquiry not to request an audience with the company’s CEO.

The extraordinary range of contradictory comments offered publicly by Harding following the attack has focused the inquiry on the “questions and concern [arising] over the ways companies store and secure information about their customers.”

“TalkTalk has already been subject to two previous attacks this year,” the committee noted, “in light [of which the committee has decided] to hold an inquiry into the circumstances surrounding the TalkTalk data breach and the wider implications for telecoms and internet service providers.”

The Committee is interested to receive views in response to the following areas.

  • The nature of the cyber-attacks on TalkTalk’s website and TalkTalk’s response to the latest incident
  • The robustness of measures that telecoms and internet service providers are putting in place to maintain the security of their customers’ personal data and the level of investment being made to ensure their systems remain secure and anticipate future threats
  • The nature, role and importance of encryption in protecting personal data
  • The adequacy of the supervisory, regulatory and enforcement regimes currently in place to ensure companies are responding sufficiently to cyber-crime
  • The adequacy of the redress mechanisms and compensatory measures for consumers when security breaches occur and individuals’ personal data are compromised
  • Likely future trends in hacking, technology and security

The inquiry page is located here, and those wishing to submit written evidence to the committee must do so by Monday 23 November. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/04/talktalk_inquiry/

GCHQ ‘smart collection’ would protect MPs from spies, says NSA expert

Protecting members of Parliament from mass surveillance by bulk collection is “exceedingly simple”, according to the US co-inventor of the high technology devices and programs now used by GCHQ to intercept optical fibre cables carrying Internet data in and out of Britain.

Bill Binney, formerly Technical Director of the NSA’s Operations Directorate, dismissed as “absolute horseshit” claims by government lawyers to the Investigatory Powers Tribunal (IPT), reported in an adjudication last month, that “there is so much data flowing along the pipe” that “it isn’t intelligible at the point of interception”.

“These statements are false”, he told The Register. “They have been made by someone who does not understand the technology. The tribunal was misled.”

Green Party MP Caroline Lucas said: “These revelations from an ex-NSA operative are deeply concerning. It would appear that the Government has either willfully misled the public, or they simply don’t have a proper understanding of their own surveillance systems.”

“Parliamentary protections should be built into law”, she added. “Ministers must use the forthcoming Investigatory Powers Bill to enshrine the Wilson Doctrine protections into law and ensure that constituents and whistle-blowers can contact parliamentarians without fear of being spied upon.”

Lucas, along with Green peer Jenny Jones and former MP George Galloway, brought the IPT case against the government, alleging that their parliamentary phone calls and e-mails had been intercepted in bulk by GCHQ using its mass surveillance systems, rather than by lawful individually named warrants.

The three had claimed that this was contrary to the Wilson Doctrine, a statement by former prime minister Harold Wilson in 1966 that parliamentarians’ communications would not be subject to interception. The Wilson policy was re-affirmed by Margaret Thatcher, and again by Tony Blair in 2006, who confirmed that it applied to e-mails as well as phone calls. It was re-confirmed by Home Secretary Theresa May earlier this year.

Since then, GCHQ and the government have pushed back on parliamentary protections, including by claiming that the doctrine does not cover members of devolved parliaments, nor “bulk collection” covering all British citizens’ communications, including MPs.

Government lawyer James Eadie QC, representing the intelligence agencies and the government, had told the tribunal that it was not possible to filter out parliamentarians’ communications from the mass of data scooped up by GCHQ’s bulk interception operations. He conceded that parliamentarians’ emails “may have been collected” by GCHQ in these operations, but claimed that, technically, this could not have been prevented because the data could not be understood.

Binney, who resigned from the NSA after becoming aware of illegal and unconstitutional surveillance programmes launched after 9/11, spoke out while visiting Europe to speak at an Amsterdam privacy conference.

As one of the NSA’s most senior and respected scientists, Binney says he was a frequent and welcome visitor to GCHQ’s Cheltenham headquarters for thirty years. During the Cold War and the 1990s, he said, “I had many friends there. We co-operated extremely closely. I gave them the source code for our projects. They called me ‘the bottom line’”– meaning that they expected him to rule on the resolution of shared technical difficulties in intelligence gathering.

“I would be very happy to be invited back to GCHQ now to remind them how to manage bulk collection without violating privacy and the law“, he said. The key point is to “lose irrelevant data straight after sessionising.”

“Smart selection is smart collection”, he explained. “It’s essential to do it properly. Sessionised data is in fact highly intelligible, and can be automatically sorted in milliseconds or even less. You have to lose as much data and content as you can as quickly as you can, so as to stay focused on the communications that might really matter.”

“Selectors are the key. We use selectors to do smart selection and smart collection, to save resources. If you do unconstrained bulk collection, the amount of content is not manageable. We use deselectors to minimize data.”

“Everything that wasn’t wanted wasn’t allowed to pass through and get stored”, he added. “If it wasn’t on your zone of suspicion, you automatically did not take it in.”

Binney said that secret NSA and GCHQ documents provided by Edward Snowden and published by news media around the world now confirmed that the selection and protection techniques he and his team helped develop were still in use, but only when the agencies had been legally compelled to use them.

These revelations showed that hardening existing domestic exclusion systems and extending them to throw away Congressional or Parliamentary communications would be “trivial in technology terms”, Binney said. “I could do it in an hour, using standard NSA and GCHQ methods.”

“What NSA and GCHQ are supposed to do is vitally important”, Binney added. “I want them to succeed – but they are doing the absolute wrong thing now. They are dooming themselves to failure by bulk acquisition.”

GCHQ said it did not want to comment. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/04/gchq_smart_collection_nsa_man_bill_binney/

May’s super-snoop shopping list: Internet data, bulk spying, covert equipment tapping

Home Secretary Theresa May revealed today that British spooks have, for years, been using section 94 of the 1984 Telecommunications Act to intercept bulk communications data of people based in the UK.

Her comments came as the Secretary of State introduced her 299-page-long draft Investigatory Powers Bill to the House of Commons on Wednesday.

Under the proposed law, s.94 of the Telecoms Act will be repealed and replaced with a new “Bulk Acquisition” warrant to allow spooks to intercept comms data.

May said that key aspects of the proposed legislation included the “use of equipment interference powers to obtain data covertly from computers” including the bulk slurping of such data to try to hunt down terror and criminal suspects overseas.

The Home Sec continued: “This Bill will also allow the police to identify which communications services a person or device has connected to – so-called internet connection records.”

She claimed that it was wrong for such actions to be “characterised” as “having access to people’s full web browsing histories. Let me be clear – this is simply wrong.”

May added:

An Internet Connection Record is a record of the communications service that a person has used, not a record of every web page they have accessed.

So, if someone has visited a social media website, an Internet Connection Record will only show that they accessed that site, not the particular pages they looked at, who they communicated with, or what they said.

It is simply the modern equivalent of an itemised phone bill.

The government had originally hoped to push the investigatory powers legislation through the Palace of Westminster before DRIPA’s sunset provision expires at the end of 2016.

However, it will need to happen sooner than that now: the Data Retention and Investigatory Powers Act – which was rushed through Parliament as an “emergency” measure backed by all sides of the House in 2014 – was found to be unlawful by the High Court in July this year.

It means the government only has until March next year to rewrite DRIPA or replace it altogether with fresh legislation.

One of the key things to come out of that decision was that judicial oversight of poking around and retaining netizens’ web data needed to be baked into DRIPA to square it with the European Court of Justice and Blighty’s High Court.

So any noise today about the government making concessions to placate privacy advocates is in fact a red herring, since it’s now required by law to ensure such judicial oversight is there from the get-go.

The full draft Investigatory Powers bill can be viewed here (PDF).

May told MPs that she planned to publish a revised IPB in the spring, after the current draft has been scrutinised by peers and politicos. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/04/investigatory_powers_bill/


CPS fined £200k over theft of laptops holding ‘sensitive interviews’

The Crown Prosecution Service has been slapped with a £200,000 fine by the Information Commissioner’s Office for negligence that led to the theft of laptops containing police interviews regarding violent and sexual cases.

The interviews were with 43 victims and witnesses and involved 31 investigations. Some of those related to historical allegations against a high-profile individual.

Many of the victims were vulnerable, had already endured distressing interviews with police, and had named the offenders in the videos, said the CPS.

The videos were being edited by a Manchester-based film company so that they could be used in criminal proceedings, but an ICO investigation found the videos were not being kept secure.

The residential flat the studio used was burgled on 11 September 2014 and two laptops containing the videos were stolen.

“The laptops, which were left on a desk, were password protected but not encrypted and the studio had no alarm and insufficient security,” said the ICO in a statement.

The police recovered the laptops eight days later and apprehended the burglar. As far as the Commissioner is aware, the laptops had not been accessed by anyone else.

The ICO ruled that the CPS was negligent when it failed to ensure the videos were kept safe and did not take into account the substantial distress that would be caused if the videos were lost.

Head of enforcement at the ICO Stephen Eckersley said: “The CPS was aware of the graphic and distressing nature of the personal data contained in the videos, but was complacent in protecting that information. The consequences of failing to keep that data safe should have been obvious to them.”

He added: “If this information had been misused or disclosed to others then the consequences could have resulted in acts of reprisal.”

The CPS reported the incident to the ICO and informed the victims and witnesses involved. The ICO received complaints from three affected people.

The CPS delivered unencrypted DVDs to the studios using a national courier firm. If the case was urgent, the sole proprietor would collect the unencrypted DVD from the CPS personally and take it to the studio using public transport.

The ICO found that this constituted an ongoing contravention of the Data Protection Act until the CPS took remedial action following the security breach. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/04/ico_fines_cps_200000_for_stolen_laptops/