STE WILLIAMS

Third Man Charged in Hacking Celebrities’ iCloud and Gmail Accounts

An Illinois man is charged with hacking into more than 550 accounts that belong to entertainment industry figures and others.

A federal court charged an Illinois man with hacking into hundreds of iCloud and Gmail accounts, some of which belonged to celebrities, after duping them into sharing their log-in information via a phishing scheme, according to the Department of Justice.

Emilio Herrera, a 32-year-old Chicago resident, signed a plea agreement and is expected to enter a guilty plea to one count of unauthorized access to a protected computer to obtain information under the Computer Fraud and Abuse Act, the DOJ states.

Herrera sent phishing emails to victims from April 2013 through August 2014 claiming to be from the Internet service providers’ security department, the DOJ alleges. Victims were asked to share their username and password information and, after they obliged, Herrera went trolling through their personal information, including private videos and photographs, the DOJ claims.

Herrera, however, is not believed to have uploaded, shared, or to have leaked any of the obtained information, the DOJ states. The 32-year-old Chicago man is the third person to be charged in this phishing case, which resulted in another Illinois man receiving a nine-month federal prison sentence and a Pennsylvania man an 18-month prison sentence.

Read more about Herrera’s case here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/attacks-breaches/third-man-charged-in-hacking-celebrities-icloud-and-gmail-accounts-/d/d-id/1330222?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Advanced Analytics + Frictionless Security: What CISOS Need to Know

Advances in analytics technologies promise to make identity management smarter and more transparent to users. But the process is neither straightforward nor easy.

The digital transformation of business processes is forcing CISOs to implement security processes that move at customer speed and reduce friction. This is placing greater strain on access management, because organizations need to protect themselves from account compromise and other digital threats while simultaneously providing a better user experience.

An approach known as adaptive access management can support run-time use cases that address CISOs’ security needs while reducing speed bumps for the CIO. Today, advances in analytics involving multiple vendors and technologies are providing the foundation to make this possible by enabling real-time automated decision-making that doesn’t require human intervention.

For example, an organization could monitor user access and activity in real time to capture and forward attributes, such as how a person holds his or her phone, device configuration, or apps used most frequently, into a risk engine. As described in a recent Wall Street Journal post, machine learning analytics create an individual risk score for each user. When actions deviate significantly from each user’s baseline normal behavior, the risk score is increased. When risk thresholds are exceeded, the app may restrict access to certain functions or request another form of authentication before allowing the user to proceed.

Traditional approaches to adaptive access control were based on static roles and rules. These were created and maintained by security administrators, which resulted in a lag between a threat being identified and when a new rule was deployed. The emergence of machine learning techniques produces greater automation since more factors can be used to detect new threats with less human effort and reduced time frames.

Deploying adaptive access management and automated security responses that are dramatically smarter and more agile is neither straightforward nor easy. Let’s consider six different implementations of analytics that are required to reduce security “friction.”

Implementation 1: Risk Scoring
Adaptive access management requires that a large number of factors be assessed together rather than individually. This is important because high risk in one factor can be compensated by another. Let’s say a company’s business partner makes an access request from a country where they don’t operate. This may indicate a high risk. However, an access request from a longtime business partner in a fast-growing company that is opening up a new office in a new country may be low-risk. Under these circumstances, the country risk is contextual, not absolute. Making sophisticated access management decisions requires using an overall risk score to mediate conflicts.

Implementation 2: Behavior Analytics
By ingesting and monitoring activity data (typically logs from different sources) of a user’s behavior, and following several weeks of training, behavior analytics can determine in real time whether an access request is normal. This form of analytics can identify when a user’s credentials have been compromised, so access can be revoked in real time before damage occurs.

Implementation 3: Anomaly Detection
Analytics that use machine learning can identify when actions deviate from what is normal or expected. Traditionally, anomaly detection processes have created large numbers of false positives. Advanced analytics, meanwhile, can greatly reduce these.

Implementation 4: Dynamic Peer-Group Analysis
Analytics and machine learning can generate and use dynamically generated peer groups to further refine the analysis of what is normal and abnormal behavior to reduce false positives. If a new group member performs a sensitive action for the first time, it might be flagged as high risk. However, if other group members regularly perform the action, then it would not be considered high risk, even if it represents an anomaly for that specific user.

Implementation 5: Continuous Monitoring
The use of analytics enables more actions to be monitored, analyzed, and acted upon without long delays and a lot of false positives. This makes it possible to both evaluate risk at the initial time that access is requested and continue to monitor it for the entire length of a session. If an authorized user, for example, accesses an application and leaves to get coffee, this valid session could be hijacked.

Implementation 6: Predictive Analytics
Analytics can also be used to predict future events and recommend how an access management system should operate. For example, predictive analytics could determine that an authentication attempt from an IP address associated with past fraud events will likely be involved in new fraud attempts. The session could be flagged as higher risk for closer monitoring, or if other risk factors were present, be terminated.
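To make Implementations 1, 2 and 4 concrete, here is an added example of a toy risk engine; it is not Gurucul’s product or code from the article. The user baselines, peer groups, factor weights and the allow/step-up/deny thresholds are all constructed values: the point is that a factor such as an unusual country is scored in context (a known expansion lowers it), that an action which is new for one user but routine for their peer group is scored low, and that only the combined score drives the response.

```python
# Added example: a toy adaptive-access risk engine (constructed data and weights).

WEIGHTS = {"country": 0.4, "action": 0.3, "hour": 0.15, "device": 0.15}
ALLOW_BELOW, STEP_UP_BELOW = 0.3, 0.6   # assumed decision thresholds

# Per-user baselines, as behaviour analytics would learn them from several
# weeks of activity logs (constructed values).
USER_BASELINES = {
    "alice": {"group": "finance",  "countries": {"US"},       "actions": {"view_ledger", "export_report"}, "hours": range(8, 19)},
    "bob":   {"group": "finance",  "countries": {"US", "CA"}, "actions": {"view_ledger", "export_report"}, "hours": range(8, 19)},
    "carol": {"group": "finance",  "countries": {"US"},       "actions": {"view_ledger"},                  "hours": range(8, 19)},
    "dan":   {"group": "partners", "countries": {"DE"},       "actions": {"upload_invoice"},               "hours": range(7, 18)},
    "eve":   {"group": "partners", "countries": {"FR"},       "actions": {"upload_invoice"},               "hours": range(7, 18)},
}

# Business context that makes country risk contextual rather than absolute:
# countries a partner's company has announced it is expanding into (constructed).
PARTNER_EXPANSIONS = {"dan": {"BR"}}


def country_risk(user, country):
    base = USER_BASELINES[user]
    if country in base["countries"]:
        return 0.0
    if country in PARTNER_EXPANSIONS.get(user, set()):
        return 0.3   # new country, but explained by known business context
    return 0.9


def peer_prevalence(user, action):
    """Share of the user's peer group (excluding the user) that performs the action."""
    group = USER_BASELINES[user]["group"]
    peers = [u for u, b in USER_BASELINES.items() if b["group"] == group and u != user]
    if not peers:
        return 0.0
    return sum(action in USER_BASELINES[p]["actions"] for p in peers) / len(peers)


def action_risk(user, action):
    if action in USER_BASELINES[user]["actions"]:
        return 0.0   # normal for this user
    # Anomalous for the user; the dynamic peer group decides how alarming that is.
    return 0.2 if peer_prevalence(user, action) >= 0.5 else 0.8


def hour_risk(user, hour):
    return 0.0 if hour in USER_BASELINES[user]["hours"] else 0.5


def device_risk(device_known):
    return 0.0 if device_known else 0.6


def score_request(user, country, action, hour, device_known):
    """Combine all factors into one score, then map it to an adaptive response."""
    factors = {
        "country": country_risk(user, country),
        "action": action_risk(user, action),
        "hour": hour_risk(user, hour),
        "device": device_risk(device_known),
    }
    score = sum(WEIGHTS[name] * value for name, value in factors.items())
    if score < ALLOW_BELOW:
        decision = "allow"
    elif score < STEP_UP_BELOW:
        decision = "step_up"     # ask for another authentication factor
    else:
        decision = "deny"        # or terminate the session
    return {"score": round(score, 3), "decision": decision, "factors": factors}


if __name__ == "__main__":
    print(score_request("dan", "BR", "upload_invoice", 9, True))   # known expansion: allow
    print(score_request("eve", "KP", "upload_invoice", 9, True))   # unexplained country: step-up
    print(score_request("carol", "US", "export_report", 10, True)) # new for carol, routine for peers: allow
```

Because the score is a weighted sum, no single factor decides the outcome: the partner from a new but announced country is allowed, the same request from an unexplained country triggers step-up authentication, and only when several factors stack up (unknown device, off-hours, an action the peer group never performs) does the engine deny.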

Advances in analytics promise to make security smarter and more transparent to users. The challenge for CISOs is stitching together the systems needed to both gather the big data to make analytics-based decisions and implement the appropriate adaptive responses.

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Saryu Nayyar is CEO of Gurucul, a provider of identity-based threat deterrence technology. She is a recognized expert in information security, identity and access management, and security risk management. Prior to founding Gurucul, Saryu was a founding member of Vaau, an …

Article source: https://www.darkreading.com/endpoint-security/advanced-analytics-+-frictionless-security-what-cisos-need-to-know-/a/d-id/1330210?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Hackers steal compromising photos from plastic surgery clinic

Nudity will always get people’s attention.

Which is probably a large part of the motive behind the latest attack by The Dark Overlord, the hacker group that gained an international profile in the past year-plus by advertising millions of medical records on the dark web, threatening schools and businesses and leaking Netflix shows.

Now it is apparently looking to raise its profile further, diversifying into lurid sensationalism with threats to leak graphic photos from a hack of a high-profile London-based plastic surgery clinic that caters to celebrities including, according to the group, some royals.

The Daily Beast reported on Monday that a member of the group contacted it using an email account from the victim – the London Bridge Plastic Surgery Aesthetic Clinic (LBPS) – and included a cache of photos they said were from LBPS surgeries:

Many are highly graphic and close-up, showing surgery on male and female genitalia. Others show apparent patients’ bodies post-operation, and some include faces. None of a selection of tested photos returned any matches from Google reverse image searches, implying that they were indeed obtained from a private source.

The clinic acknowledged in a statement on its website that it had been breached.

We can confirm that the Clinic has been the victim of a cyber attack. We took measures to block the attack immediately in order to protect patient information and we informed the Metropolitan Police who launched an investigation.

Regrettably, following investigations by our IT experts and the police, we believe that our security was breached and that data has been stolen. We are still working to establish exactly what data has been compromised.

The clinic’s public relations firm, Marco Richards, did not respond to a request for comment on whether the hackers had been in touch with the clinic and if there are any extortion demands. But according to the hackers, the stolen data includes a lot more than graphic photos of famous people.

“We have TBs [terabytes] of this shit. Databases, names, everything,” a member of the hacker group told The Daily Beast, adding that they intended to make it all public:

We’re going to pitch it all up for everyone to nab. The entire patient list with corresponding photos. The world has never seen a medical dump of a plastic surgeon to such degree.

And if they do have what they claim, once the sensational element of the photos fades, the other stolen data could mean more long-term risk to the clinic’s customer base. As is the case with other high-profile hacks, medical records and personally identifiable information (PII) can lead to continuing nightmares ranging from blackmail to identity theft – criminals using the PII of victims to get medical services, tax refunds, lines of credit and more.

This latest hack follows what seems to be the standard Dark Overlord MO: Break into an organization, steal data and then seek a level of publicity that will pressure the victim into complying with any ransom demand.

Motherboard reported in June 2016 that after the group stole hundreds of thousands of health care records, rather than immediately posting them, it advertised them on the dark web. It followed that with a claim that it had possession of 9 million health insurance records.

An encrypted chat with one of the hackers led to a loose description of the method:

First, he posts a database; then, he gives samples of the data to reporters, who go out and verify them. These articles, and the subsequent reblogging of them by other outlets, convinces companies that the hacker is a legitimate threat. These steps repeat over and over, building up the hacker’s reputation as someone to be taken seriously.

“I have a reputation with this handle now,” the hacker added. “Every time I put a new listing up it gets reported without hesitation now.”

Indeed, the group’s exploits have drawn plenty of press. It is also reportedly responsible for the hack late last year of Larson Studios, a Hollywood audio post-production firm, that led to the company paying them $50,000 in Bitcoin, but still ended up with the group leaking nine unreleased episodes of the Netflix hit “Orange is the New Black” this past spring after the network refused to pay an extortion demand.

Then just weeks ago in mid-September, the entire Flathead Valley, Montana school district shut down for three days after the group targeted several schools with death threats to parents and promises to release the PII of students, teachers and administrators unless a ransom was paid.

The Flathead County sheriff said the physical threats were more hot air than serious, in part because the group is believed to be overseas, not in the US. Still, out of caution, the district shut down for three days.

That may be in part because, as Motherboard noted, “depending on who they are communicating with, The Dark Overlord pushes itself as playful jester, ruthless criminal, or calculated professional.”

The variety of targets the group has attacked – which also include Gorilla Glue and a US defense contractor – are also a reminder that mega-corporations like Netflix or credit bureau Equifax are not the only targets of interest to hackers. Given that data is today’s real currency just about every organization has things of value, which means no matter what an organization does, or its size, security matters.

LBPS is obviously now more aware of that. In their statement, they said they were “horrified” at the hack, adding:

Security and patient confidentiality has always been of the utmost importance to us. We invest in market-leading technology to keep our data secure and our systems are updated daily. We are deeply saddened that our security has been breached.

Chances are that horror and deep sadness aren’t going to mollify their clients.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/orvspqEHEQw/

MoD: We’ve got a handle on contract costs. Audit Office: About that…

Ministry of Defence plans to cut costs on “non-competitive procurement” look nice but won’t work unless the cash-strapped ministry keeps a close eye on its contracts, the public sector spending watchdog said today.

The National Audit Office’s latest report into the MoD’s financial situation, snappily titled “Improving value for money in non-competitive procurement of defence equipment”, reveals that in financial year 2016-17 about 45 per cent of MoD contracts awarded that year were non-competitive, meaning the department awarded them directly to suppliers.

The NAO report focused on non-competitively awarded military equipment contracts, of which the MoD has a total of 1,891, discounting contracts let through the Cabinet Office, cross-departmental contracts and others.

“Of the 1,891 non-competitive equipment contracts that were shown as ‘live’ on 21 August 2017, 914 had contract end dates before 31 August, suggesting there was still work to do,” said the NAO. “Without accurate data, the Department may struggle to identify contracts due for renewal or amendment that may fall within the scope of the Regulations.”

The regulations in question are the Single Source Contract Regulations, government regs introduced in 2014 to put the MoD’s directly awarded procurement efforts on a statutory footing. Any contract worth more than £5m and awarded directly without a competitive element is subject to the regs, with their stated aim being to increase transparency and ultimately cut defence costs.

While part of the aim is that MoD suppliers should be paid a fair and reasonable price, “some of the Department’s largest contracts were set up before the Regulations in the form of framework contracts, with individual procurements or packages of support work then being contracted for as required,” said the NAO. “These arrangements were negotiated on the basis that they would deliver significant savings compared with more traditional contracts… [but] presents considerable challenges if the benefits of the approach are to be retained.”

Moreover, suppliers are conscious that the aim of this game is to trim their profit margins down, and this in itself creates more cost headaches. In one case involving items that have to be reworked due to shoddy workmanship, the contractor has to bear the cost of the work, but the NAO found that “the supplier is now setting up a system to record the causes of re-work, but validating these claims will create extra work for the Department.”

“Some contractors have resisted complying with the UK’s Regulations,” noted the auditor, “partly because they already comply with the United States’ Federal Acquisition Regulations.” These, explained the NAO, “are more permissive than the UK’s in areas such as sales and marketing, and research and development.” This resistance comes on the grounds that clawing back costs “ignores the government’s broader ‘prosperity agenda’,” in the NAO’s words.

As everyone knows, defence contracts infamously involve eye-watering sums of money being flung around, often with limited oversight from the MoD. The watchdog pointed out that within the MoD, just five people have the in-depth expert knowledge to advise colleagues on implementing the regulations, while the department has “no requirement for staff to attend training on the regulations before implementing them.” With that being the case, it looks likely that public money will continue being blatted off down the ranges. ®

Sponsored:
The Joy and Pain of Buying IT – Have Your Say

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/25/mod_nao_contract_report/

International data watchdogs: Websites don’t tell you who sees your privates

The privacy notices used by websites and apps to tell users what data they collect and how it will be used fail to offer the necessary specifics, an international study has found.

The work, carried out by 24 data protection regulators across the world, assessed the notices, communications and sign-up processes used by 455 websites and apps.


The regulators were scathing in their conclusions, finding a whole range of holes in the notices used, saying that examples of good practice “were in the minority”.

The litany of errors revealed by the study (PDF) include that organisations fail to specify who they’ll share the data with, and aren’t clear on where data is stored or how it will be protected. Some don’t even tell users exactly what information they’ll collect.

Across the whole 455 organisations, half didn’t specify with whom the data will be shared, while a quarter don’t even mention whether personal information would be shared with third parties.

The UK is below average in this category, with 26 of the 30 sites assessed failing to properly explain whether they pass data on to third parties, and if they did, the identity of the third parties.

Organisations are also unclear on where data will be stored – 67 per cent don’t say which country it will end up in – and international data transfers are often particularly vague.

Although organisations might have safeguards like access controls or encryption in place, 35 per cent didn’t specify what they were. Just 22 per cent told users where there was a data retention policy.

Even the most basic information didn’t manage to make it into some organisations’ notices, with 23 per cent failing to make it clear what data they’d slurp, and 17 per cent failing to get adequate consent to collect it.

However, more than half the organisations offered users instructions on how to access their data; a similar number told them how to remove their personal data from the database.

Further indication of organisations’ lack of interest in making sure privacy notices are up to date is that some still referred to the Safe Harbor agreement on trans-Atlantic data flows, which was revoked in 2015.

Adam Stevens, research group manager at the UK’s Information Commissioner’s Office – which led the study – said the situation “just won’t do”.

Businesses need to fix the problems ahead of the General Data Protection Regulation “if they don’t want to be breaking the new law”, he said.

Neil Brown, internet lawyer for Decoded:Legal, said it was “no surprise” that data controllers needed to up their game when it came to communicating with data subjects.

“Organisations working towards consistency with the information provisions of the GDPR should take this opportunity to be clearer and more transparent,” he said.

“In reality though, who reads privacy notices? If an organisation really wants to be transparent, they should consider providing information at the point of collection — for example, at the point of account registration, or when asking for permission to use certain data — rather than just via a linked page.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/25/data_watchdogs_slam_websites_vague_and_generic_privacy_notices/

Panic of Panama Papers-style revelations follows Bermuda law firm hack

A major offshore law firm admitted it had been hacked on Tuesday, prompting fears of a Panama Papers-style exposé into the tax affairs of the super rich.

Bermuda-based Appleby only admitted it had suffered the breach – which actually happened last year – after a group of journos from the International Consortium of Investigative Journalists (ICIJ), who had seen the leaked information, began asking awkward questions.

In a statement, Appleby denied allegations of any tax evasions or other wrongdoing by itself or its clients while admitting that it was “not infallible”. The law firm went on to state that it had shored up its security since the hack.

We are committed to protecting our clients’ data and we have reviewed our cyber security and data access arrangements following a data security incident last year which involved some of our data being compromised. These arrangements were reviewed and tested by a leading IT Forensics team and we are confident that our data integrity is secure.

The Daily Telegraph reports that the leak involved some of Britain’s wealthiest people, who were said to be consulting lawyers and public relations executives in preparations for possible fallout from the hack.

News of the breach of Appleby follows nearly 18 months after the release of the so-called Panama papers, which provoked huge embarrassment (and worse) for wealthy figures in politics and business as well as spawning a debate about the ethics of tax havens.

Iceland’s prime minister Sigmundur Gunnlaugsson resigned after documents leaked from the Panama Papers revealed politically embarrassing details of his family’s tax arrangements.

Pakistani prime minister Nawaz Sharif was removed from office as a result of revelations about his family finances that came out from the Panama paper leak.

Data exposed in the breach has been analysed by the ICIJ, the same group that investigated the Panama papers breach, which stemmed from a leak of sensitive information from Panama-based law firm Mossack Fonseca. Poor security allowed the compromise of Mossack Fonseca’s email server. The firm had apparently routinely used unencrypted email for sensitive communications. Around 11.5 million documents related to 200,000 plus offshore firms spilled as a result of the 2015 breach (which was revealed in 2016).

Unpatched WordPress and Drupal bugs as well as a SQL Injection flaw in its content management system were subsequently identified on Mossack Fonseca’s systems, though whether any of these actually resulted in the 2015 breach is unclear.

Appleby – which employs 470 staffers and operates from 10 offices across the world – states that it offers services to global public and private companies, financial institutions as well as “high net worth individuals”. Media reports suggest its clients include FTSE 100 companies. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/25/bermuda_law_firm_hack/

Holy DUHK! Boffins name bug that could crack crypto wide open

Crypto researchers from the University of Pennsylvania, working with Johns Hopkins cryptographer Matthew Green, have found a serious security issue and branded it DUHK, which stands for Don’t Use Hardcoded Keys.

The attack, explained at the “silly logo” (Green’s words) Website here, is in an ancient pseudo-random number generator (PRNG) protocol, deprecated in many products, but still present in plenty including around 25,000 devices made by Fortinet.

The protocol in question is ANSI X9.31, which lingers from the 1990s. Until 2016 it was approved by the US government’s FIPS Cryptographic Module Program, and it uses a fixed key as one of the inputs to generate pseudorandom numbers.

As Green explains:

“If an attacker were to obtain K (one of the pseudorandom number generator’s (PRG’s) input values) somehow, and then was able to learn only a single 16-byte raw output block (Ri) from a working PRG, she could do the following: (1) guess the timestamp T, (2) work backwards (decrypting using K) in order to recover the corresponding state value V, and now (3) run the generator forwards or backwards (with guesses for T) to obtain every previous and subsequent output of the generator.

“Thus, if an application uses the ANSI generator to produce something like a random nonce (something that is typically sent in a protocol in cleartext), and also uses the generator to produce secret keys, this means an attacker could potentially recover those secret keys and completely break the protocol.”
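The three steps Green describes can be followed through in code. The block below is an added example, not the DUHK researchers’ code and not Fortinet’s implementation: it models the X9.31 generator (I = E_K(T), R = E_K(I ⊕ V), V' = E_K(R ⊕ I)) over a toy Feistel cipher built from SHA-256 as a stand-in for AES, with a constructed hardcoded key and a constructed, coarse timestamp. Its purpose is the defender’s lesson in the name of the bug: once K is a fixed constant inside the firmware, the only secret left is V, and V is recoverable from outputs that protocols send in the clear.

```python
import hashlib
import os

ROUNDS = 4
BLOCK = 16

# A hardcoded generator key of the kind DUHK warns about (constructed value,
# not from any real product).
HARDCODED_KEY = b"hardcoded-key-16"


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    """Round function of a toy Feistel cipher standing in for AES/3DES."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def enc(key: bytes, block: bytes) -> bytes:
    """16-byte keyed permutation E_K (stand-in for the X9.31 block cipher)."""
    left, right = block[:8], block[8:]
    for rnd in range(ROUNDS):
        left, right = right, xor(left, _f(key, right, rnd))
    return left + right


def dec(key: bytes, block: bytes) -> bytes:
    """Inverse of enc; the 'decrypting using K' step in Green's description."""
    left, right = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        left, right = xor(right, _f(key, left, rnd)), left
    return left + right


def ts_block(t: int) -> bytes:
    """Timestamp input T as a 16-byte block; coarse, so there are few guesses."""
    return t.to_bytes(BLOCK, "big")


class X931:
    """ANSI X9.31 generator: I = E_K(T); R = E_K(I ^ V); V' = E_K(R ^ I)."""

    def __init__(self, key: bytes, seed_v: bytes):
        self.key, self.v = key, seed_v

    def next_block(self, t: int) -> bytes:
        i = enc(self.key, ts_block(t))
        r = enc(self.key, xor(i, self.v))
        self.v = enc(self.key, xor(r, i))
        return r


def state_after_block(key: bytes, r: bytes, t: int) -> bytes:
    """Given K, one raw output R and a guess for T, return the next state V'."""
    i = enc(key, ts_block(t))
    v = xor(dec(key, r), i)       # step (2): work backwards to the state V
    return enc(key, xor(r, i))    # step (3): run the generator forwards to V'


def recover_generator(key: bytes, r1: bytes, r2: bytes, t_candidates):
    """Use two observed public outputs to confirm the guess for T (step 1) and
    return (T, clone) where clone's state is already past r2, or None."""
    for t in t_candidates:
        clone = X931(key, state_after_block(key, r1, t))
        if clone.next_block(t) == r2:
            return t, clone
    return None


def demo(now: int = 1508889600) -> bool:
    """Nonce/key scenario from the text: two cleartext nonces, one secret key.
    Returns True if the key was predicted from the nonces alone."""
    victim = X931(HARDCODED_KEY, os.urandom(BLOCK))   # V is random and secret
    nonce1 = victim.next_block(now)                   # sent in cleartext
    nonce2 = victim.next_block(now)                   # sent in cleartext
    session_key = victim.next_block(now)              # meant to stay secret
    found = recover_generator(HARDCODED_KEY, nonce1, nonce2, range(now - 30, now + 30))
    if found is None:
        return False
    t, clone = found
    return clone.next_block(t) == session_key


if __name__ == "__main__":
    print("secret key predicted from public nonces:", demo())
```

Two things follow from running it. First, the timestamp guess is cheap: a window of a minute around the observed time is checked in a fraction of a second, and a wrong key never produces a match, so knowledge of K is the whole attack. Second, the mitigation is not a cleverer V but removing the constant: a generator whose key is device-unique and never leaves a secure store, or better a modern DRBG that does not have this structure, which is why the standard was withdrawn.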

Fortinet’s exposure (for which patches are available, you know what to do) was discovered by combing US government certifications to identify possibly-vulnerable vendors, and combing documentation to identify how the PRNG was configured.

Other vendors identified as formerly supporting X9.31 included:

  • Those who have offered updates: BeCrypt, Cisco (Aironet products), MRV Communications’ LX-4000T/LX-8020S, Neopost Technologies, and Vocera Communications;
  • The group was unable to confirm fixes for products from Deltacrypt Technologies, Neoscale Systems, Renesas Technology, TechGuard Security, Tendyron, or ViaSat.

While the paper – and many headlines – draw attention to Fortinet, there’s a good reason for that: of the twelve devices the researchers identified as potentially vulnerable, they could only access Fortinet’s firmware for analysis.

This raises the possibility that other unpatched systems are still out there, which use crypto modules that support X9.31.

A handy example is processor vendor Xilinx. The company licenses Helion Technology crypto modules for use in its devices; if a downstream OEM designed a product with a fixed K, Green confirmed to The Register the product would be vulnerable.

As he writes in his post: “It’s almost certain that this small Fortinet vulnerability is just the tip of the iceberg”.

Returning to the Fortinet example: the group was able to get through what ranks as a Holy Grail of decryption, successfully recovering data sent over VPN sessions.

The co-authors on the paper are Shaanan Cohney and Nadia Heninger of the University of Pennsylvania. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/25/duhk_season/

IETF mulls adding geoblock info to ‘Bradbury’s code’

After a long campaign, the Internet Engineering Task Force (IETF) has decided that users deserve to know why pages were blocked and created HTML error 451. Now the body will consider a proposal to extend it to give users more information.

“Error 451” entered the canon in December 2015, with the name honouring Ray Bradbury’s “Fahrenheit 451” and a rationale that users deserved to know if legal constraints (such as censorship) were being applied to pages they wished to view.

The original spec provided only minimal information: if used, it would return a status code stating a resource was unavailable for legal reasons, and the response should include a reason.

One Shivan Kaul Sahib now thinks more information is needed, and is asking the IETF to expand the Error 451 with some new protocol elements.

His suggestions in this draft are that the protocol elements include:

  • A header field that identifies the “blocking authority”;
  • A response element that indicates to users if they’re geo-blocked from a particular site.

The suggestions are the result of an implementation report that’s been looking at Error 451 since it was adopted as a standard in February 2016.

That report, published in July 2017, noted that geoblocking was primarily associated with gambling sites.

There’s another reason the IETF would consider encouraging the use of 451, and enhancing it: since it’s machine readable, it provides a potentially-useful research tool (for example, to answer “how much content is blocked for reasons pertaining to intellectual property rights?”), and it can be returned by encrypted Web pages. ®
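The machine-readable point is easiest to see with both ends of the exchange in code. The following is an added example, not code from the IETF draft or from the article: the server side builds a 451 response that carries the existing RFC 7725 signal for the blocking entity (a Link header with rel="blocked-by"), and the client side turns such a response into a record a researcher could count. The draft’s proposed “blocking authority” header and geoblocking element are not modelled, because the page does not give their names; the URL and reason text are constructed.

```python
import re
from http import HTTPStatus
from typing import Optional

# "Bradbury's code": defined in RFC 7725 as Unavailable For Legal Reasons.
STATUS_451 = int(HTTPStatus.UNAVAILABLE_FOR_LEGAL_REASONS)


def build_451_response(reason: str, blocked_by_url: Optional[str] = None):
    """Server side: status 451, a human-readable reason in the body and, per
    RFC 7725, a Link header with rel="blocked-by" naming the blocking entity."""
    headers = {"Content-Type": "text/plain; charset=utf-8"}
    if blocked_by_url:
        headers["Link"] = f'<{blocked_by_url}>; rel="blocked-by"'
    return STATUS_451, headers, reason


# One link per match: <URL> followed by any number of ;param="value" pairs.
_LINK_RE = re.compile(r'<([^>]+)>((?:\s*;\s*[^;,]+)*)')


def parse_link_header(value: str):
    """Return [(url, rel)] for every link in a Link header value."""
    links = []
    for match in _LINK_RE.finditer(value):
        url, params = match.group(1), match.group(2)
        rel = None
        for param in params.split(";"):
            param = param.strip()
            if param.lower().startswith("rel="):
                rel = param[4:].strip().strip('"')
        links.append((url, rel))
    return links


def explain_block(status: int, headers: dict, body: str):
    """Client side: reduce a 451 response to a machine-readable record, or
    None for any other status (a 403 or 404 tells the user nothing)."""
    if status != STATUS_451:
        return None
    blocked_by = [url for url, rel in parse_link_header(headers.get("Link", ""))
                  if rel == "blocked-by"]
    return {"legal_block": True, "blocked_by": blocked_by, "reason": body.strip()}


if __name__ == "__main__":
    # Constructed exchange: a site blocked by a (fictional) legal notice.
    response = build_451_response(
        "Unavailable for legal reasons (constructed example notice).",
        "https://example.net/legal-notice")
    print(explain_block(*response))
```

Because the status code and the Link relation are fixed tokens rather than prose, a crawler can tally how often a resource is blocked and by whom without reading each page, which is exactly the research use the article describes; an extended response with an explicit blocking-authority field would simply add one more key to the record.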


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/25/ietf_mulls_adding_geoblock_info_to_error_code_451/

Bad Rabbit ransomware outbreak

Organizations in Russia and Ukraine were under siege on Tuesday 24 October 2017 from Bad Rabbit, a strain of ransomware with similarities to NotPetya.

By evening, the outbreak was reportedly spreading into Europe, including Turkey and Germany. Victims reported so far include airports, train stations and news agencies.

Russia’s Interfax news agency reported on Twitter that the outbreak had felled some of its servers, forcing Interfax to rely on its Facebook account to deliver news.

Starts with social engineering

The Bad Rabbit outbreak appears to have got its start via files on hacked Russian media websites, using the popular guise of pretending to be an Adobe Flash installer.

If Bad Rabbit infects your computer, it attempts to spread across the network using a list of usernames and passwords buried inside the malware. These credentials include passwords straight out of a worst passwords list. Another reminder, if one were needed, that all your passwords need to be strong, even the ones you use behind the safety of a corporate firewall.

From there, it encrypts not only your files, adding encrypted at the end of each filename, but also your computer’s MBR (Master Boot Record). You are then greeted with the following message and asked to submit payment via a Tor hidden service (an anonymous Dark Web website):

Oops! Your files have been encrypted.

If you see this text, your files are no longer accessible. 
You Might have been looking for a way to recover your files. 
Don't waste your time. No one will be able to recover them 
without our decryption service.

We guarantee that you can recover all your files safely. 
All you need to do is submit the payment and get the 
decryption password.

Visit our web service at [redacted]

Bad Rabbit’s geographic spread so far resembles that of NotPetya, which circled the globe in June after erupting in Ukraine. 
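Both behaviours described above, the built-in credential list used to hop between machines and the mass renaming of files with the encrypted suffix, leave traces that a defender can look for. The block below is an added example, not Sophos’ detection logic or anything from the article: it runs two simple rules over a constructed, hypothetical log format (one event per line, pipe-separated key=value fields), flagging a host that renames many files to the suffix within a short window and a source host that tries several different usernames against other hosts in a short window. Thresholds and window sizes are assumptions to tune for a real environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs); one event per line:
# <ISO timestamp>|<event type>|key=value|key=value...
SAMPLE_LOG = """\
2017-10-24T13:00:01|FILE_RENAME|host=ws01|user=alice|old=q3.docx|new=q3.docx.encrypted
2017-10-24T13:00:02|FILE_RENAME|host=ws01|user=alice|old=budget.xlsx|new=budget.xlsx.encrypted
2017-10-24T13:00:02|FILE_RENAME|host=ws01|user=alice|old=notes.txt|new=notes.txt.encrypted
2017-10-24T13:00:04|FILE_RENAME|host=ws01|user=alice|old=cv.pdf|new=cv.pdf.encrypted
2017-10-24T13:00:05|FILE_RENAME|host=ws01|user=alice|old=photo.jpg|new=photo.jpg.encrypted
2017-10-24T13:00:09|FILE_RENAME|host=ws03|user=bob|old=draft.txt|new=draft_v2.txt
2017-10-24T13:01:10|LOGON_FAIL|host=ws02|src=ws01|user=Administrator
2017-10-24T13:01:11|LOGON_FAIL|host=ws02|src=ws01|user=Admin
2017-10-24T13:01:11|LOGON_FAIL|host=ws04|src=ws01|user=root
2017-10-24T13:01:12|LOGON_FAIL|host=ws04|src=ws01|user=Guest
2017-10-24T13:05:00|LOGON_FAIL|host=ws06|src=ws05|user=carol
"""


def parse_line(line):
    ts, event, *fields = line.split("|")
    record = {"ts": datetime.fromisoformat(ts), "event": event}
    for field in fields:
        key, value = field.split("=", 1)
        record[key] = value
    return record


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def _max_in_window(times, window):
    """Largest number of sorted timestamps that fall inside any one window."""
    best = 0
    for i, start in enumerate(times):
        best = max(best, sum(1 for t in times[i:] if t - start <= window))
    return best


def detect_rename_bursts(events, suffix="encrypted", window_s=60, threshold=5):
    """Flag hosts where many files gain the ransomware suffix within one window."""
    by_host = defaultdict(list)
    for e in events:
        if e["event"] == "FILE_RENAME" and e["new"].endswith(suffix):
            by_host[e["host"]].append(e["ts"])
    alerts = []
    for host, times in by_host.items():
        count = _max_in_window(sorted(times), timedelta(seconds=window_s))
        if count >= threshold:
            alerts.append({"rule": "rename_burst", "host": host, "count": count})
    return alerts


def detect_credential_spray(events, window_s=60, min_users=3):
    """Flag a source host trying several different usernames against other
    hosts in a short window, as a malware-embedded credential list would."""
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == "LOGON_FAIL":
            by_src[e["src"]].append((e["ts"], e["user"].lower(), e["host"]))
    alerts = []
    window = timedelta(seconds=window_s)
    for src, attempts in by_src.items():
        attempts.sort()
        for i, (start, _, _) in enumerate(attempts):
            in_window = [a for a in attempts[i:] if a[0] - start <= window]
            users = {u for _, u, _ in in_window}
            if len(users) >= min_users:
                alerts.append({"rule": "credential_spray", "src": src,
                               "users": sorted(users),
                               "targets": sorted({h for _, _, h in in_window})})
                break   # one alert per source is enough
    return alerts


def run_detections(text):
    events = parse_log(text)
    return detect_rename_bursts(events) + detect_credential_spray(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(alert)
```

On the sample, ws01 trips both rules within two minutes, while the single ordinary rename on ws03 and the lone failed logon from ws05 stay quiet. In practice the same two signals, a rename storm and one machine fanning out logon attempts with a handful of generic usernames, are what separates a worm-like outbreak from an individual user mistyping a password, and catching the spray early is what limits it to one host.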

Defensive measures

Sophos currently blocks the Bad Rabbit malware as Troj/Ransom-ERK.

Additionally, Sophos Intercept X proactively prevents the malware from attacking your data: the CryptoGuard component stops the ransomware from scrambling your files, and WipeGuard prevents the low-level disk writes that modify the boot sector.

(For further information about Sophos protection, please see our Support Knowledge Base article entitled Bad Rabbit ransomware: What to do.)

Here are some general tips to raise your defenses against this sort of outbreak:

  • Ditch Flash altogether. Fake flash installers and updates only work as a social engineering tactic if you use or want Flash. By removing Flash entirely you not only protect yourself from Flash zero-day holes, but also eliminate the temptation to download fake updates.
  • Patch promptly. Outbreaks such as NotPetya and WannaCry exploited a vulnerability for which patches were already available. Don’t lag behind once patches are available for known security holes – the crooks will be only too happy to take advantage.
  • Remember your backups. Make them regularly, and keep a recent backup both offline and offsite, so you can access it even if your workplace ends up off limits due to fire, flood or some other cause not related to malware.
  • Don’t make users into administrators. When you want to perform administrative tasks, promote yourself to an administrator account, and relinquish those privileges as soon as you can. Network-aware malware like Bad Rabbit can spread without even needing to guess passwords if you already have administrator-level access to other computers on the network.
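The hard-coded credential list described earlier and the “strong passwords everywhere” advice above suggest a concrete check a defender can run. The following is an added example, not code from the Naked Security article or from Sophos: it audits an inventory of local account passwords against a constructed denylist of widely-published weak passwords, a few strength rules, and a cross-host reuse check, since a single local administrator password shared across machines is exactly what lets network-aware malware hop from host to host. The denylist, thresholds, account names and sample inventory are all constructed for illustration and are not Bad Rabbit’s actual list.

```python
"""Password hygiene audit (added example; not the article's or Sophos's code).

Checks an inventory of (host, username, password) triples against a small
denylist of weak passwords, simple strength rules and a reuse check.
All data below is constructed sample data.
"""
import math
import re
from collections import defaultdict

# Constructed denylist of widely-published weak passwords (lower-case).
# Assumption: this is illustrative, not the list embedded in the malware.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123", "111111",
    "admin", "administrator", "letmein", "welcome", "password1", "root",
}

# Keyboard walks and digit runs that weak-password lists tend to include.
SEQUENCE_RE = re.compile(r"(0123|1234|2345|3456|4567|5678|6789|qwer|asdf|zxcv)", re.I)

MIN_LENGTH = 12          # constructed policy threshold
MIN_ENTROPY_BITS = 50    # constructed policy threshold


def normalise(pw):
    """Lower-case and strip trailing digits/punctuation, so that
    'Welcome2017!' is compared against the denylist as 'welcome'."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def estimated_entropy_bits(pw):
    """Naive strength estimate: length times log2 of the character pool used."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"\d", pw):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        pool += 33
    return len(pw) * math.log2(pool) if pool else 0.0


def check_password(username, pw):
    """Return a list of reasons the password is weak (empty list if none)."""
    reasons = []
    if pw.lower() in COMMON_PASSWORDS or normalise(pw) in COMMON_PASSWORDS:
        reasons.append("on common-password denylist")
    if username and username.lower() in pw.lower():
        reasons.append("contains username")
    if len(pw) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if SEQUENCE_RE.search(pw):
        reasons.append("contains keyboard sequence")
    if estimated_entropy_bits(pw) < MIN_ENTROPY_BITS:
        reasons.append("estimated entropy below %d bits" % MIN_ENTROPY_BITS)
    return reasons


def audit(accounts):
    """accounts: iterable of (host, username, password).
    Returns {(host, username): [reasons]} for every weak entry; a password
    seen on more than one host additionally gets a 'reused' reason."""
    hosts_by_password = defaultdict(set)
    for host, _user, pw in accounts:
        hosts_by_password[pw].add(host)
    findings = {}
    for host, user, pw in accounts:
        reasons = check_password(user, pw)
        if len(hosts_by_password[pw]) > 1:
            reasons.append("reused on %d hosts" % len(hosts_by_password[pw]))
        if reasons:
            findings[(host, user)] = reasons
    return findings


# Constructed sample inventory (hostnames, users and passwords are made up).
SAMPLE_ACCOUNTS = [
    ("ws01", "Administrator", "Password1"),
    ("ws02", "Administrator", "Password1"),
    ("ws03", "jdoe", "qwerty123"),
    ("fs01", "svc_backup", "Welcome2017"),
    ("db01", "svc_sql", "svc_sql-2017!"),
    ("dc01", "admin", "r7#Vq2!zLm9Xe4Kp"),
]

if __name__ == "__main__":
    for (host, user), reasons in sorted(audit(SAMPLE_ACCOUNTS).items()):
        print("%s\\%s: %s" % (host, user, "; ".join(reasons)))
```

The denylist comparison runs on both the raw lower-cased password and its normalised form, so the usual “append a year and a bang” dressing on a dictionary word is still caught; the reuse check is the one most relevant to lateral movement, because it flags a password that is strong in isolation but opens several machines at once.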

For more information about ransomware read How to stay protected against ransomware, or listen to our Techknow podcast:


If you’re a home user, why not register for the free Sophos Home Premium Beta? This includes the CryptoGuard and WipeGuard features mentioned above that block the unauthorised scrambling of files and disk sectors.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/cw4Y18jcJPY/

There’s a battle on over two US spying laws: One allows snooping on citizens – one bans it

Analysis: A battle has broken out in US Congress over a controversial spying program.

Two competing pieces of draft legislation have been pushed into the lawmaking process: one that would officially endorse domestic spying, and a second that would explicitly ban it.

The Senate Intelligence Committee is behind the first, which would reauthorize Section 702 of the Foreign Intelligence Surveillance Act (FISA), due to expire at the end of the year, for another eight years.

However, that reauthorization legislation would give official blessing to a highly questionable interpretation of the law that allows the FBI to search a vast database of what is supposed to only be foreign surveillance targets for information on US citizens thought to have committed a domestic crime.

In direct response to that effort, a bipartisan group of lawmakers has proposed a new piece of legislation – the USA Rights Act – that would explicitly prevent American citizens from being targeted, as well as close the loopholes created by the security services to spy on domestic targets.

Unsurprisingly, Uncle Sam’s snoops – the NSA and FBI in particular – are strongly behind the reauthorization effort, particularly since they are increasingly using their interpretation of FISA to fill in for other spying programs that were taken away after they were exposed by Edward Snowden and later ruled unconstitutional.

What does ‘foreign’ mean, anyway?

Despite the explicit purpose of the Foreign Intelligence Surveillance Act – keyword: foreign – the US intelligence services have used it to build a vast database of information on US citizens by tapping domestic communication lines and then claiming any information picked up on said citizens is “incidentally collected.”

While pretending that such intelligence is gathered by mistake, the g-men retain it all and then claim that information does not come with constitutional protections because it has already been gathered. As a result, the FBI is allowed to search it for US citizens using identifiers like name, email address, phone number, etc.

That situation has been painstakingly revealed through years of queries. But the exposure has simply led to the security services putting pressure on Congress to formally write their questionable interpretations into law.

In section five of the reauthorization act, the entire premise of FISA – that it only be used to spy on foreign targets – is thrown out by allowing the US Attorney General to use information gathered by Uncle Sam’s spies to search for evidence of domestic crimes including death, kidnapping, serious bodily injury, child protection, destruction of infrastructure, cybersecurity, and trafficking.

The “exemptions” are so broad that they encompass pretty much any investigation likely to be undertaken by the FBI.

Even more worrying, the draft law explicitly says that any decision by the Attorney General in this respect will not be subject to judicial review. In effect, the proposal turns a foreign spying law into a domestic one.

The law is also wide open to abuse.

Dangerous developments

In a number of in-depth reviews of ongoing cases, civil liberties journalist Marcy Wheeler has made convincing arguments that the intelligence agencies are using and tweaking section 702 to carry out ever broader searches of information.

In one, nodes of the Tor anonymizing network appear to have been designated Russian government assets despite very little evidence that they are, thereby bringing the network under the NSA’s authorization to extend its surveillance over it.

In another, a Boeing engineer thought to be supplying information to the Chinese government had his communications monitored, which led to a trial for allegedly having child abuse images on his computer.

Despite the head of the FBI explicitly stating that child abuse images are not a part of the Section 702 program, it appears as though the security service tweaked the rules to allow them to be included after the fact – and then immediately charged the engineer with their possession.

The proposed reauthorization act includes such images as being a valid use of section 702, further reinforcing suspicion that the g-men have been using the program to go far beyond what they are entitled to do legally.

That case contains so many unusual happenings and coincidences that one has to wonder whether section 702 is being used to illegally gather information to then pressure US citizens into confessing to other crimes.

Another indicator that section 702 may be being used to carry out spying far beyond what has been disclosed comes in the wording of the proposed USA Rights Act, which has been designed to shut down domestic spying efforts conducted through the Foreign Intelligence Surveillance Act.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/24/congress_pushes_competing_laws_in_spy_program_battle/