STE WILLIAMS

So you’re thinking about becoming an illegal hacker – what’s your business plan?

It’s something every aspiring crook needs to consider before they attempt to break into the world of cyber-crime: what’s the business plan?

Fortunately this week, a couple of pointers have emerged thanks to miscreants who broke into production company HBO, and the ongoing US federal case against Michael Kadar, who allegedly made nearly 250 threatening calls and bomb threats to Jewish community centers in America.

First up, as with any new business, you need to assess market needs and how your current job skills fit within them. Plus, of course, the resources you have at hand.

In Kadar’s case, the 18-year-old’s hacking skills were, according to the FBI, pretty poor and his resources limited. So he had to start small. And that means lots of little, short-term contracts that give you enough to survive on until you can build up your business.

And so he settled for a very reasonable $30 for an email bomb threat – with a premium option of framing the threat on someone else for an additional $15, according to court files unsealed this week. On the dark-web souk AlphaBay, Kadar offered bulk-buying threats and offered to refund any unsuccessful bomb threats, the Feds claim:

  1. Emailed Bomb Threat to a School – $30.00
  2. Emailed Bomb Threat to a School + Framing Someone for it – $45.00
  3. Emailed Bomb Threat to a School District/Multiple Schools – $60.00
  4. Emailed Bomb Threat to School Districts/Multiple Schools + Framing Someone for it – $90.00

This is quick and easy money, but it does carry with it a high risk of exposure. In large part because the FBI tends to take bomb threats very seriously and is pretty good at investigating them.

Despite the fact that he was subsequently collared by Israeli police in March, and charged by US prosecutors in April, Kadar did make a couple of early smart decisions: he found a decent marketplace and he didn’t over-promise, apparently.

“There is no guarantee that the police will question or arrest the framed person,” he allegedly explained about the popular $15 premium framing fee, “I just add the person’s name to the email.”

And he was upfront about the risks in doing so. Kadar, an Israeli-American citizen, allegedly told punters on AlphaBay: “In addition, my experience of doing bomb threats putting someone’s name in the emailed threat will reduce the chance of the threat being successful. But it’s up to you if you would like me to frame someone.”

User reviews

Clearly demonstrating his expertise and giving fair warning of the service that can be expected, it’s no wonder that Kadar allegedly built a solid reputation for low-key hacking, and received some good user reviews, the Feds claim. He also made it easy for people to order a bomb threat, providing a template for people to fill in, according to the g-men.

“Amazing on time and on target,” reported one AlphaBay user. “We got evacuated and got the day cut short.”

While the FBI claims Michael Kadar did an excellent job breaking into the low-cost bomb-threat market (assuming a Georgia district court finds him guilty), he would still be a world away from high-end hacking, which comes with much greater rewards but also requires a steadier hand and much more preparation.

The hackers behind the HBO assault, reported last month, took an entirely different tack: aiming at high-value clients and spending significant time working on a single account for greater gains.

As the criminals themselves noted, it took a good six months to break into the US cable channel’s computers – and that’s six months potentially without pay. Not for the faint hearted or those with a mortgage to pay who don’t have savings to fall back on.

Aside from the time taken, there is also a high cost of tools at the hacking top-end. According to the ransom note sent to HBO’s president, the team has a $500,000 annual budget for purchasing exploits for zero-day holes in systems in order to break in in the first place. In other words, the HBO hackers spend half a million bucks a year buying tools from shady developers to compromise corporate networks before security patches are available to address the leveraged bugs, it is claimed.

Those are significant upfront capital costs with no guarantee of success – so be sure to know what you are getting into before you start out on your hacking career. A wise move would be to team up with others to spread both the workload and the financial risks.

Sponsored:
The Joy and Pain of Buying IT – Have Your Say

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/10/hacker_business_plans/

GCHQ techie deputisation powers conundrum: The thick plottens

Analysis The Home Office’s ambiguous response has puzzled a security pro trying to understand whether the Investigatory Powers Act gave the government the authority to force anyone to work for GCHQ.

Simon Clubley’s initial concerns, based on the unclear wording of Section 190 of that Act, generated a lively debate among legal experts and security pros, covered by The Register back in May.

The law was ambiguously worded enough so that not even experts could discern whether or not the compulsion to assist in surveillance operations applied only to telecoms firms or whether it meant security experts could be press-ganged into assisting the UK’s law enforcement and intel agencies.

Clubley decided to ask the Home Office for clarification directly, an inquiry that recently elicited a curious response (extract below).

Section 190 of the IPA allows equipment interference authorities to require the assistance of any person in giving effect to a bulk equipment interference warrant (section 126 of the Act provides for this in the context of targeted equipment interference warrants). A warrant can only be served on a person whom the equipment interference authority considers may be capable of providing the assistance required by the warrant. In some circumstances equipment interference agencies and other persons will work co-operatively together, without the need to serve a warrant.

While a warrant can be served on any person, the duty to comply [our italics] with providing assistance in relation to a targeted or bulk equipment interference warrant, is only enforceable against a telecommunications operator, as set out in section 128 of the IPA.

A telecommunications operator who has been served with a warrant must take all steps for giving effect to a warrant which are notified to them. A telecommunications operator will not be required to take steps which are not reasonably practicable to take.

Clear? You’re all right, though, because there are safeguards against misuse. And you – those individual readers who are not working for a telecommunications operator – still do not necessarily have to comply with what appears to be a warrant that has been … oh hang on, approved by the Secretary of State?!

Bulk equipment interference warrants will be subject to a “double-lock” system whereby a Secretary of State and a Judicial Commissioner must be satisfied that the warrant is necessary and proportionate before it may be issued.

Any individual who thinks that surveillance powers have been used against them unlawfully can apply to the Investigatory Powers Tribunal to review their case.

That’s all right then….

Clubley told El Reg: “The Home Office are saying that, yes, literally anyone can be served with a warrant but they are also saying that only telecommunications companies can be compelled to assist.

“The disconnect between those two statements doesn’t seem to make sense. After all, why give yourself the power to do something if you cannot then enforce it?”

He added: “The only conclusion I have been able to reach is that the government knew it would never get a law passed which compelled everyone to cooperate with GCHQ, so they are instead relying on the actual act of serving a warrant to intimidate people into cooperating.”

The Home Office statement indicates that paragraph (3)(f) of Section 132 of the IPA comes into play, so that anyone served with a warrant – even if they are under no obligation to assist the government – is still liable to prosecution simply by revealing they had been served with a warrant, said Clubley.

“This leaves the government free to shop around, serving warrants on multiple experts, until they find one they can intimidate into working with them,” according to Clubley. “For myself, if I received such a warrant, I would simply tell the government to get lost, but I can imagine for some people, actually receiving such a warrant, along with threats about what would happen if they revealed its existence, would be enough to scare them into cooperating with the government,” he added.

Prof Alan Woodward, a computer scientist at the University of Surrey, agreed that the Home Office letter was “ambiguous”.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/10/gchq_techie_deputisation_powers/

US court system bug opened hole for hackers to scoop up legal docs for free on victims’ dime

A cross-site request forgery (CSRF) vulnerability in the American court system’s document archive PACER has been fixed. The bug could have been exploited to piggyback on logged-in users’ accounts and retrieve civil and criminal lawsuit files on victims’ dime.

PACER, run by the Administrative Office of the US Courts, is a massive searchable trove of records, exhibits, indictments, complaints and more, on legal battles working their way through America’s courtrooms. It’s mainly used by lawyers and journalists, and costs 10 cents a page when pulling up PDFs and webpages of files, up to three bucks per document.

The Free Law Project says the CSRF flaw could have allowed an attacker to set up a website that would act on the PACER account of anyone who visited it while logged in, downloading PDFs and charging the victims cash in the process.

According to the researchers, the flaw stems from PACER relying on its login cookie alone to authorise requests. A browser attaches that cookie to every request it sends to PACER, whichever site triggered the request, so a malicious page needed only a little JavaScript (or a hidden, auto-submitted form) to make the visitor’s browser fetch paid documents under the visitor’s account. The attacker never has to see the victim’s password.
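The mechanism described above, as an added example that is not PACER’s code or the Free Law Project’s proof of concept: a purchase handler that trusts the session cookie alone, the same handler with a synchronizer token and Origin check, and the request a victim’s browser would send from an attacker’s page. The origins, session store, document identifier and request shape are all hypothetical.

```python
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

SITE = "https://pacer.example"   # hypothetical stand-in for the PACER origin
EVIL = "https://evil.example"    # hypothetical attacker origin


@dataclass
class Request:
    """Just enough of an HTTP request for a purchase handler to decide on."""
    method: str
    cookies: dict
    form: dict = field(default_factory=dict)
    origin: Optional[str] = None   # Origin header; browsers add it to cross-site POSTs


def vulnerable_purchase(req: Request, sessions: dict, ledger: list) -> bool:
    """The cookie is the only proof of intent, so whoever can make the
    victim's browser send a request gets a document billed to the victim."""
    sess = sessions.get(req.cookies.get("session"))
    if sess is None:
        return False
    ledger.append((sess["user"], req.form.get("doc")))
    return True


def issue_csrf_token(sessions: dict, session_id: str) -> str:
    """Synchronizer token: unguessable, per session, embedded only in forms
    served from SITE, which a page on another origin cannot read."""
    token = secrets.token_urlsafe(32)
    sessions[session_id]["csrf"] = token
    return token


def hardened_purchase(req: Request, sessions: dict, ledger: list) -> bool:
    sess = sessions.get(req.cookies.get("session"))
    if sess is None or req.method != "POST":
        return False
    # A cross-site form post arrives carrying the attacker's Origin.
    if req.origin is not None and req.origin != SITE:
        return False
    # No token, or a token that does not match the session, means no purchase.
    expected = sess.get("csrf") or ""
    supplied = req.form.get("csrf", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False
    ledger.append((sess["user"], req.form.get("doc")))
    return True


def forged_request(victim_cookie: dict) -> Request:
    """What the victim's browser sends when a page on EVIL auto-submits a
    hidden form to SITE: the PACER cookie rides along automatically, the
    attacker never sees it, and the form fields are the attacker's."""
    return Request("POST", victim_cookie, {"doc": "doc-12"}, origin=EVIL)


def demo() -> dict:
    """Run the forged request against both handlers, then a legitimate one."""
    sessions = {"s42": {"user": "victim@example.org", "csrf": None}}  # constructed
    cookie = {"session": "s42"}
    vuln_ledger, hard_ledger = [], []
    forged = forged_request(cookie)
    out = {
        "vulnerable_charged": vulnerable_purchase(forged, sessions, vuln_ledger),
        "hardened_blocked": not hardened_purchase(forged, sessions, hard_ledger),
    }
    token = issue_csrf_token(sessions, "s42")
    legit = Request("POST", cookie, {"doc": "doc-12", "csrf": token}, origin=SITE)
    out["legit_charged"] = hardened_purchase(legit, sessions, hard_ledger)
    out["vuln_ledger"], out["hard_ledger"] = vuln_ledger, hard_ledger
    return out


if __name__ == "__main__":
    print(demo())
```

The token check is the fix that matters; the Origin comparison is a second line of defence for browsers that send the header. Marking the session cookie `SameSite=Lax` would also stop the browser attaching it to a cross-site POST in the first place.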

The researchers have presented a proof of concept to demonstrate the flaw, but say it was not exploited in the wild prior to being published.

“For users of PACER, unpaid fees can result in damage to their credit, and debt collectors sent to their door at the behest of the Administrative Office,” the researchers explain. “They would never know why their PACER bill skyrocketed.”

What’s worse, researchers say the vulnerability has likely been around since the 1990s, when PACER first went online. The Free Law Project says it reported the issue in February, and it was finally fully fixed on Wednesday this week.

While the flaw would allow an attacker to have documents bought on other people’s accounts, the researchers were worried it could have more sinister implications if the victim happened to be an attorney.

“Purchasing documents using somebody else’s account is one possibility. We also speculate, but were unable to prove without a testing version of PACER/ECF, that this vulnerability could be used to file documents on behalf of an attorney without their knowledge or consent,” the Free Law Project explained.

“The administrators of PACER/ECF have indicated to us that they have determined that filing documents was not possible.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/09/pacer_legal_doc_site_flaw/

Carbon Black denies its IT security guard system oozes customer secrets

Security firms are, understandably, quite sensitive about claims that their products are insecure, so accusations of this sort tend to cause a kerfuffle.

On Wednesday, security consultancy DirectDefense published a blog post claiming endpoint security vendor Carbon Black’s Cb Response protection software would, once installed for a customer, spew sensitive data to third parties. This included customers’ AWS, Azure and Google Compute private keys, internal usernames and passwords, proprietary internal applications, and two-factor authentication secrets, allegedly.

Jim Broome, president of DirectDefense, said the problem stems from the way Cb Response patrols corporate file systems, and transmits data out to third-party malware scanners to check whether files are legit or infected with nasties. If the Cb Response installation doesn’t recognize a document or executable, it can punt it out to multiple scanners to see if they have come across the binaries before, and if they’re safe or need quarantining.

“This means that files uploaded by Cb Response customers first go to Carbon Black (or their local Carbon Black server instance), but then are immediately forwarded to a cloud-based multiscanner, where they are dutifully spread to anyone that wants them and is willing to pay,” he explained.

“Welcome to the world’s largest pay-for-play data exfiltration botnet.”

Broome said that his team had discovered this flow of data while working for a client last year, and has since found multiple organizations using the Cb Response system. He said his team went public with its findings to warn people – without informing the vendor – and put out a press release to highlight the supposed danger.

However, Carbon Black has fired back with a blog post of its own, claiming DirectDefense got its facts wrong. It’s not a bug causing the data emissions – it’s a feature.

Bug? Feature?

“This is an optional feature, turned off by default, to allow customers to share information with external sources for additional ability to detect threats,” said Michael Viscuso, cofounder of Carbon Black.

“In Cb Response, there is an optional, customer-controlled configuration (disabled by default) that allows the uploading of binaries (executables) to VirusTotal for additional threat analysis. This option can be enabled by a customer, on a per-sensor group basis. When enabled, executable files will be uploaded to VirusTotal, a public repository and scanning service owned by Google.”

He pointed out that even with the information sharing feature turned on, users can customize exactly what data is sent out of the network. There’s also a popup warning page telling admins that they are sending data outside the company network.
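Whether the upload is a feature or a flaw, the practical risk both sides describe is the same: an executable that embeds credentials leaves the network the moment it is handed to a public multiscanner. The following is an added example, not Carbon Black’s or VirusTotal’s code, of the check a practitioner would want in front of any such upload hook: pull printable strings out of the binary the way strings(1) does and refuse to ship it if they match credential shapes. The AWS access-key prefix is real; the other patterns are generic shapes, and the two sample blobs are constructed, not real executables.

```python
import re

MIN_LEN = 8  # like `strings -n 8`

# Runs of printable ASCII, the same thing strings(1) pulls out of a binary.
_PRINTABLE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)

# Shapes of material that should never leave the network. "AKIA" really is
# the prefix of AWS access key IDs; the other three are generic shapes, not
# any vendor's exact format.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_pem": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "totp_seed": re.compile(rb"otpauth://totp/\S+?secret=[A-Z2-7]{16,}"),
    "password_assignment": re.compile(rb"(?i)(?:password|passwd|pwd)\s*[=:]\s*\S{6,}"),
}


def extract_strings(blob: bytes) -> list:
    """Every run of MIN_LEN or more printable bytes, in file order."""
    return [m.group(0) for m in _PRINTABLE.finditer(blob)]


def find_secrets(blob: bytes) -> dict:
    """Map pattern name -> list of offending strings found in the blob."""
    hits = {}
    for s in extract_strings(blob):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(s):
                hits.setdefault(name, []).append(s)
    return hits


def should_upload(blob: bytes) -> bool:
    """Gate to run before a binary is handed to a third-party multiscanner."""
    return not find_secrets(blob)


# Constructed sample "binaries": a few bytes of fake header plus NUL-separated
# strings. Neither is a real executable.
SUSPECT_BLOB = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 8
    + b"AKIAIOSFODNN7EXAMPLE\x00"          # AWS's documented example key ID
    + b"otpauth://totp/acme:alice?secret=JBSWY3DPEHPK3PXP&issuer=acme\x00"
    + b"db_password=Sup3rSecr3t!\x00"
    + b"-----BEGIN RSA PRIVATE KEY-----\x00"
)
CLEAN_BLOB = b"\x7fELF\x02\x01\x01" + b"\x00" * 8 + b"GCC: (GNU) 7.1.0\x00printf\x00"


if __name__ == "__main__":
    for label, blob in (("suspect", SUSPECT_BLOB), ("clean", CLEAN_BLOB)):
        print(label, "upload allowed:", should_upload(blob), find_secrets(blob))
```

A hit should block the upload and raise a ticket, not merely log: the point of the gate is that the decision is made before the file leaves, and a binary that carries a cloud key is a problem in its own right regardless of where it was about to go.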

He also notes that DirectDefense could have contacted them about this before creating a big fuss about it, and Carbon Black would have explained the issue.

A spokeswoman for DirectDefense told The Register that the firm didn’t tip off Carbon Black because it did not consider the data transmission a vulnerability; the original blog instead described the behaviour as “a function of how the tool is architected”.

“Yes, we’ve seen this feature setting in the product and in the manual that stated this is off by default,” the firm said in a followup blog post.

“However, the recommendations or messaging from Carbon Black’s professional services team during the course of installing the product is to turn this feature on to help accelerate the analysis of the file scans.”

So DirectDefense decided to “educate users” about the issue, albeit in somewhat alarmist terms. Education or PR stunt that backfired – you decide. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/10/carbon_black_denies_sec_sys_broken/

Microsoft bins unloved Chinese cert shops

Microsoft’s decided not to support digital certificates issued by Chinese outfits WoSign and StartCom, but the first-mentioned CA disputes the decision.

Google, Apple and Mozilla binned WoSign certs in 2016.

Microsoft says it has now “… concluded that the Chinese Certificate Authorities (CAs) WoSign and StartCom have failed to maintain the standards required by our Trusted Root Program.”

“Observed unacceptable security practices include back-dating SHA-1 certificates, mis-issuances of certificates, accidental certificate revocation, duplicate certificate serial numbers, and multiple CAB Forum Baseline Requirements (BR) violations.”

The decision means that “Windows 10 will not trust any new certificates from these CAs after September 2017” and allow “natural deprecation of WoSign and StartCom certificates by setting a ‘NotBefore’ date of 26 September 2017.”
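The NotBefore cutoff is a gentler move than pulling the roots: a certificate issued before 26 September 2017 keeps working until it expires, and only later issuance is rejected. The following is an added example, not Microsoft’s code, of evaluating that rule against a chain; the dictionary field names, the matching on an organisation string and the sample chains are all assumptions made for the example.

```python
from datetime import datetime, timezone

# Rule as reported above: certificates chaining to these CAs are not trusted
# if their NotBefore is on or after the cutoff; older ones run to expiry.
CUTOFF = datetime(2017, 9, 26, tzinfo=timezone.utc)
DISTRUSTED_CAS = {"WoSign", "StartCom"}   # matched on an assumed "O=" string


def chain_status(chain: list, now: datetime) -> str:
    """chain is leaf-first; each entry is a dict with subject_o, issuer_o,
    not_before and not_after (timezone-aware datetimes).

    Returns one of: "invalid-period", "trusted", "trusted-legacy",
    "distrusted-new".
    """
    for cert in chain:
        if not (cert["not_before"] <= now < cert["not_after"]):
            return "invalid-period"
    # A distrusted CA anywhere in the chain (as issuer, or as a cross-signed
    # intermediate's subject) brings the cutoff rule into play.
    touches_distrusted = any(
        cert["issuer_o"] in DISTRUSTED_CAS or cert["subject_o"] in DISTRUSTED_CAS
        for cert in chain
    )
    if not touches_distrusted:
        return "trusted"
    if chain[0]["not_before"] >= CUTOFF:
        return "distrusted-new"
    return "trusted-legacy"


def _d(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


def _cert(subject_o: str, issuer_o: str, nb: datetime, na: datetime) -> dict:
    return {"subject_o": subject_o, "issuer_o": issuer_o, "not_before": nb, "not_after": na}


# Constructed chains for illustration only.
NOW = _d(2017, 10, 15)
WOSIGN_ROOT = _cert("WoSign", "WoSign", _d(2009, 1, 1), _d(2039, 1, 1))
STARTCOM_ROOT = _cert("StartCom", "StartCom", _d(2006, 1, 1), _d(2036, 1, 1))
OTHER_ROOT = _cert("Example CA", "Example CA", _d(2010, 1, 1), _d(2040, 1, 1))

LEGACY_CHAIN = [_cert("example.com", "WoSign", _d(2017, 3, 1), _d(2018, 3, 1)), WOSIGN_ROOT]
NEW_CHAIN = [_cert("example.org", "StartCom", _d(2017, 10, 1), _d(2018, 10, 1)), STARTCOM_ROOT]
OTHER_CHAIN = [_cert("example.net", "Example CA", _d(2017, 10, 1), _d(2018, 10, 1)), OTHER_ROOT]
EXPIRED_CHAIN = [_cert("old.example", "WoSign", _d(2016, 6, 1), _d(2017, 6, 1)), WOSIGN_ROOT]


if __name__ == "__main__":
    for label, chain in (("legacy", LEGACY_CHAIN), ("new", NEW_CHAIN),
                         ("other", OTHER_CHAIN), ("expired", EXPIRED_CHAIN)):
        print(label, chain_status(chain, NOW))
```

To see where a real certificate falls, `openssl x509 -in cert.pem -noout -startdate -issuer` prints the NotBefore date and the issuer to compare against the cutoff.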

WoSign has labelled Microsoft’s post “misleading”. In a post we’ve shoved through online translation engines, the company says it replaced its root certificate in November and that its recent certificates present no risk to users. StartCom’s online presences are silent on the matter. The company claims to be “the 6th biggest CA in the world, securing more than half a million websites worldwide.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/10/microsoft_windows_10_will_not_recognise_chinese_cas_wosign_and_startcom/

Sextortionist caught by investigators’ booby-trapped video

This is the type of threat that sextortionist “Brian Kil” posted publicly to Facebook, directed at one of many underage girls he victimized, along with sexually explicit photos he coerced out of them:

[Screenshot of the Facebook threat omitted; source: criminal complaint]

In December 2015, “Brian Kil” went on to list the bombs and guns he purportedly had in his possession and with which he threatened to slaughter all of the students at one victim’s high school, saving her for last. The cyberthreats he made against that particular victim went on for 16 months.

Fortunately, in spite of hiding his identity and location behind Tor, he was wrong about the police not having a clue. Ultimately, they had much more than a clue: they had his IP address, secured through a booby-trapped video that the FBI had presented to him as being a sexually explicit recording.

On Monday, the US attorney’s office for the Southern District of Indiana announced charges against Buster Hernandez, 26, of Bakersfield, California. He’s suspected of using the alias “Brian Kil” and has been charged with threats to use an explosive device and sexual exploitation of a child.

In December 2015, multiple high schools and shops in the towns of Plainville and Danville, Indiana, were shut down due to Kil’s terrorist threats. The following month, the community, along with police, held a forum to discuss the threats.

After the forum, Kil posted notes about who attended, what they wore, and what was said, as reported to him by a victim whom he’d coerced into attending and reporting back to him.

[Screenshot of Kil’s post about the forum omitted; source: criminal complaint]

Kil might well have been “lmfao” over the idea of ever being caught, but he wouldn’t be for much longer. Six months later, on June 7 2017, a judge authorized the FBI to use an NIT: a Network Investigative Technique.

NIT, also known as police malware, is the bureau’s blanket term for malware that forces suspects’ devices to cough up their IP addresses. The FBI infamously used the technique in its Playpen operation, an investigation into child abuse imagery being shared via Tor that resulted in nearly 900 arrests worldwide.

How many of the Playpen prosecutions will end in conviction is an unanswered question. The question of whether the NIT warrant was constitutional is still playing out and has been deemed unconstitutional in at least one trial.

Playpen was a dark web site dedicated to child sex abuse. After finding Playpen’s original operator, the FBI took over the site and ran it for 13 days, from February 20 to March 4 2014. During that time, the FBI served up illegal child abuse imagery and planted an NIT on to more than 8,000 computers. Besides coughing up their IP addresses, the NIT also snagged the devices’ MAC addresses; open ports; lists of running programs; operating system types, versions and serial numbers; preferred browsers and versions; registered owners and registered company names; current logged-in user names; and their last-visited URL.

The case against Hernandez shows that the FBI’s spyware can also be targeted against individuals.

As the criminal complaint describes, after getting court authorization, the FBI inserted “a small piece of code” into a normal video file created by one of Kil’s victims. Unlike the illegal child abuse materials the FBI served up when it was running Playpen, this time around, the video wasn’t sexually explicit.

Agents then uploaded the file to Kil’s Dropbox account per his instruction and messaged him, at a voice over IP (VoIP) phone number that obscured the subscriber’s identity, to let him know.

[Screenshot of the message omitted; source: criminal complaint]

Kil fell for it. After he opened the video, the NIT siphoned his IP address. The FBI set up a surveillance camera at the associated residence (Hernandez lives at the address with his girlfriend and her grandmother). They believe that Hernandez was the only one at home during the times that Tor was activated.

According to prosecutor Tiffany J. Preston, Hernandez faces a mandatory minimum sentence of 15 years’ imprisonment, and a maximum of 30 years’ imprisonment if convicted on all counts, though maximum sentences are rarely carried out.

In his boastful posts, Kil admitted to lying. He couldn’t resist explaining how he got to Victim 1 in the first place, though, and it sounds plausible, given what we know about how sextortionists work.

Namely, and please do bear in mind that this is testimony from an admitted liar, he describes randomly targeting Victim 1 and doing research on her online posts, trying to find nude or sexually explicit images she may have shared. He admits to coming up short: the girl must have been listening to good advice about not sharing explicit images online.

But what she did share was videos of her dance routines. Somebody would film her, Kil says, and then she’d view and delete them.

At least, she thought she was deleting them, but in fact, they were still being stored in iCloud. Kil describes cracking her iCloud password and stealing the videos, which he then excerpted and doctored to make it appear that she was nude.

Sextortionists have in the past cracked victims’ accounts by sending them phishing emails that lead to sites where their login credentials are harvested. It was the modus operandi in the spate of celebrity photo thefts known as Celebgate, in fact. In June 2016, one of the Celebgate hackers pleaded guilty to phishing iCloud and Google logins as a means of getting his hands on his victims’ nude photos and videos.

This is why we believe in using multifactor authentication (MFA), also known as two-factor authentication (2FA), whenever possible. Even if crooks crack your password, 2FA presents another big hurdle they have to leap before they can get into your accounts and steal your stuff. To read more about the hows and whys of 2FA, check out our Power of Two post.
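To make the hurdle concrete, here is an added example, not code from Naked Security or from any 2FA product, of the time-based one-time password scheme most authenticator apps implement (RFC 6238 on top of RFC 4226). The attacker with a phished or cracked password still needs the per-account secret that never leaves the phone and the server, and a code they do manage to phish is good for one step only. The verifier also refuses a counter it has already accepted, so a captured code cannot be replayed. The secret is the RFC’s published test key, not anyone’s real seed.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = Unix time // step."""
    return hotp(key, at // step, digits)


class TotpVerifier:
    """Server side. Accepts the current step or one either side (clock skew),
    compares in constant time, and never accepts a counter at or below the
    last one used, so a phished code cannot be replayed."""

    def __init__(self, key: bytes, digits: int = 6, step: int = 30, window: int = 1):
        self.key, self.digits, self.step, self.window = key, digits, step, window
        self.last_counter = -1

    def verify(self, submitted: str, at: int) -> bool:
        submitted = submitted.strip()
        matched = None
        base = at // self.step
        for drift in range(-self.window, self.window + 1):
            counter = base + drift
            if counter < 0:
                continue
            if hmac.compare_digest(hotp(self.key, counter, self.digits), submitted):
                matched = counter   # keep looping so every call does the same work
        if matched is None or matched <= self.last_counter:
            return False
        self.last_counter = matched
        return True


# RFC 6238 test secret (published in the RFC, not a real seed).
RFC_KEY = b"12345678901234567890"


if __name__ == "__main__":
    print(totp(RFC_KEY, 59, digits=8))          # RFC 6238 vector for T=59
    v = TotpVerifier(RFC_KEY, digits=8)
    print(v.verify("94287082", 59), v.verify("94287082", 59))  # accepted, then replay refused
```

In a real deployment the secret is stored per user (and the `otpauth://` enrolment URI that carries it is shown once over the screen, never logged), `at` comes from the server clock, and `last_counter` is persisted with the account rather than kept in memory.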

Of course, teaching children not to share explicit material is crucial. So is encouraging them to report sextortionist or other cyberthreats, regardless of whether they’ve shared explicit material or not, as soon as possible.

The faster police know about these people, the faster their keyboards can be yanked out of their hands, and the lesser the damage they can inflict.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/hxADR0NwhE4/

News in brief: Venezuelan protest hacking; Hutchins released on bail; Facebook steps up moderation

Your daily round-up of some of the other stories in the news

Venezuelan websites hacked

Opponents of Venezuelan president Nicolás Maduro have hacked some 40 state websites, apparently in support of a group of armed men who attacked a military base in Valencia on Sunday.

The group, calling itself the Binary Guardians, defaced sites including those of the Venezuelan navy, the government and the national electoral council. On the latter, the hackers posted a flyer supporting the attack on the military base and also a video clip from the Charlie Chaplin movie The Great Dictator, in which Chaplin gives a speech against authoritarianism.

A man claiming to be from the group told Reuters that although he wasn’t associated with Operation David, the assault on the military base, he is a Venezuelan national who supports it.

The group said in an email: “Our intention is to give hope to people that no matter how strong the enemy seems, there is strength in unity.”

Hutchins released from Vegas jail on bail

Marcus Hutchins, the security researcher arrested in Las Vegas last week and charged with creating and helping to spread the Kronos banking trojan, was released from prison on Monday after posting bail.

Hutchins, also known by his Twitter handle of @MalwareTechBlog, was reported to be on his way to Milwaukee, where the indictment was filed, to face the charges.

Hutchins, who became reluctantly famous after neutralising the WannaCry ransomware outbreak in May, had been due to face arraignment in Wisconsin on Tuesday, but that has been pushed to next Monday, August 14, Reuters reported.

Hutchins, 23, from Devon in the UK, was arrested at Las Vegas airport on his way home after the Def Con conference. He’s not allowed to leave the US or go online, and he’s subject to 24-hour GPS monitoring.

Facebook steps up moderation efforts to avoid fines

Facebook is stepping up its content moderation efforts, adding 500 “content control” staff in Germany to monitor and delete hate speech and other postings after German lawmakers last month passed a law that could see social media companies fined up to €50m if they don’t remove offending posts within seven days.

Facebook said that the centre, which will be operated by a third party, Competence Call Center, will open in Essen and be operational by the autumn. The Essen facility is the second in the country: Facebook already has a centre in Berlin, operated by Arvato, which will eventually have 700 workers.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/7gh0XFSEcw8/

SAP cleans up more than a dozen troubling CRM security blunders

Critical issues in SAP’s CRM application – patched on Tuesday – open the door to corporate espionage, security researchers warn.

SAP resolved a total of 19 software flaws yesterday. Among the most critical bugs is an SQL injection in SAP CRM WebClient User Interface (SAP Security Note 2450979). The issue, identified by researchers at enterprise app security specialists ERPScan, allows a remote attacker to send a special request and steal sensitive customer data including customer datasets, pricing, sales, and prospective bids.
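The note above gives the bug class but not the query, so here is an added example, not SAP’s or ERPScan’s code, of the pattern behind an SQL injection in a CRM search screen and of the parameterised form that closes it. The table, the account-manager scoping rule and the rows are constructed; SQLite stands in for the real database. The payload closes the string literal, ORs in a tautology and comments out the rest, which is exactly how a “special request” turns a per-manager search into a dump of every customer record.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed CRM table: account managers may only see their own customers."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (
            id INTEGER PRIMARY KEY, name TEXT, account_mgr TEXT, bid_ceiling REAL);
        INSERT INTO customers VALUES
            (1, 'Acme Corp', 'alice', 120000.0),
            (2, 'Globex',    'bob',    75000.0),
            (3, 'Initech',   'alice',   9000.0);
    """)
    return conn


def search_vulnerable(conn: sqlite3.Connection, account_mgr: str, name_fragment: str) -> list:
    """String-built query: the caller's text becomes part of the SQL itself."""
    sql = (f"SELECT name, bid_ceiling FROM customers "
           f"WHERE account_mgr = '{account_mgr}' AND name LIKE '%{name_fragment}%'")
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, account_mgr: str, name_fragment: str) -> list:
    """Parameterised query: the same text can only ever be a bound value."""
    sql = ("SELECT name, bid_ceiling FROM customers "
           "WHERE account_mgr = ? AND name LIKE ?")
    return conn.execute(sql, (account_mgr, f"%{name_fragment}%")).fetchall()


# Closes the LIKE literal, adds an always-true clause, comments out the rest.
PAYLOAD = "x' OR 1=1 --"


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, alice searching for", repr(PAYLOAD), "->", search_vulnerable(db, "alice", PAYLOAD))
    print("safe,       alice searching for", repr(PAYLOAD), "->", search_safe(db, "alice", PAYLOAD))
    print("safe,       alice searching for 'Acme'       ->", search_safe(db, "alice", "Acme"))
```

The scoping clause (`account_mgr = ?`) is what the injection defeats: the injected `OR 1=1` makes the WHERE true for every row, so bob’s customers and their bid ceilings come back to alice. With bound parameters the same input is just a name fragment nobody has, and the result is empty.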

“We recommend that SAP Customers patch vulnerabilities affecting SAP CRM as soon as possible, because this application stores and processes the lifeblood of any business – customer data,” Alexander Polyakov, founder and CTO of ERPScan told El Reg.

ERPScan’s review of SAP’s August patch batch can be found here. The majority of patches released by SAP this month are rated medium. The most common vulnerability type is cross site scripting (XSS).

SAP’s summary is here. In response to queries from El Reg, SAP confirmed ERPScan’s discovery without commenting on its potential seriousness. A spokesperson said:

SAP Product Security Response Team collaborates frequently with research companies like ERPScan to ensure a responsible disclosure of vulnerabilities. All vulnerabilities in question have been fixed, and security patches are available for download on the SAP Support Portal. We strongly advise our customers to secure their SAP landscape by applying the available security patches immediately.

August’s Patch Tuesday also brought updates from Microsoft and Adobe, as previously reported. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/09/sap_crm_vuln/

It’s August 2017 and your Android gear can be pwned by, oh look, just patch the things

Android users should be expecting a security update to land for the mobile operating system in short order, as Google has issued fixes for 99 CVE-listed programming cockups.

This month’s update has been released for the Pixel and Nexus lines and kicked out to other manufacturers and carriers, which will post their own updates in time, hopefully. Check for system software updates via Settings, and install them if and when they’re ready – you may have fallen out of support.

“Partners were notified of the issues described in the bulletin at least a month ago. Source code patches for these issues have been released to the Android Open Source Project (AOSP) repository and linked from this bulletin,” Google said.

“This bulletin also includes links to patches outside of AOSP.”

Google says it has had no reports of any active attacks on the holes patched.

Twenty-six of the flaws are within the Android media framework, and Google says they are the top security risks. They include 10 remote code execution bugs rated as “critical” risks, and six denial of service flaws. The remote code execution bugs can be triggered by loading a specially crafted media file.

Six of the CVEs concern vulnerabilities in Qualcomm components that could be exploited by malicious applications to gain control of the device: five of the holes could allow elevation of privilege, and the sixth permits information disclosure.

Another patched flaw (CVE-2017-0740) addresses a remote code execution bug in Broadcom’s wireless networking driver. “A remote attacker” can use “a specially crafted file to execute arbitrary code within the context of an unprivileged process,” the advisory reads.

Nine of the fixes are for specific drivers for Google hardware. They include elevation of privilege vulnerabilities (CVE-2017-0744) in the sound driver and information disclosure bugs in the system-on-chip, audio, radio, and networking drivers.

The Android kernel itself was the subject of five CVE-listed flaws, all of which could allow for elevation of privilege by malicious apps, allowing them to commandeer handhelds and other gadgets.

The update comes on the heels of Microsoft and Adobe’s monthly security updates to patch flaws in Flash Player, Windows, Internet Explorer, Edge, and Office. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/09/android_gear_needs_updating/

US border cops must get warrants to search phones, devices – EFF

The controversial topic of electronic device searches at the US border, and whether customs agents should be required to get warrants before sucking data off them, is heading to the Fifth Circuit Court of Appeals.

For several years the legal issues surrounding what border agents are entitled to do with your electronic devices have been under scrutiny, but a sudden uptick in cases in 2017 in which people had their devices taken away has put a spotlight on the issue.

In a legal filing this week, the Electronic Frontier Foundation (EFF) argues that customs officers should be required to get warrants before searching people’s mobile phones (and iPads, laptops etc) in the same way they are typically required to do in the rest of the country.

“Our cell phones and laptops provide access to an unprecedented amount of detailed, private information, often going back many months or years, from emails to our coworkers to photos of our loved ones and lists of our closest contacts,” notes EFF attorney Sophia Cope. “This is light years beyond the minimal information generally contained in other kinds of personal items we might carry in our suitcases.”

She argues that it is “time for courts and the government to acknowledge that examining the contents of a digital device is highly intrusive, and Fourth Amendment protections should be strong, even at the border.”

And there is some sign of movement in that direction in Congress. Proposed legislation put forward in April – the Protecting Data at the Border Act – would require a warrant signed by a judge before border agents could go through digital devices, and would introduce a four-hour time limit for detaining Americans at the border.

No cloud, you hear?

That legislation has not progressed very far, but it did prompt a letter from the Acting Commissioner of US Customs and Border Protection (CBP), Kevin McAleenan, who assured Congress that border searches do not extend to data stored on remote servers.

However that approach is under question in the very case going forward at the Fifth Circuit – that of Maria Isabel Molina-Isidoro.

Molina-Isidoro had her mobile phone seized and manually searched at the Texas border, and the data the customs agent found on it led to her being prosecuted for attempting to smuggle methamphetamine into the country.

But, the EFF notes, the information used to prosecute her was not held on the device itself. It was instead displayed by two apps – Uber and WhatsApp – whose data is held in the cloud and fetched by the phone over the network.

“There is no indication that border agents put her phone in airplane mode or otherwise disconnected it from the Internet when they accessed these apps,” the filing notes.

This is obviously an area of law that has been massively complicated by modern technology.

It is widely acknowledged internationally that different rules apply at a country’s borders – for fairly obvious reasons. So while people may be very unhappy about border agents going through their luggage, pretty much everyone accepts that it is a necessary power.

Electronic devices are very different from suitcases, however: they contain enormous amounts of personal data that a government agent could simply never glean from a physical bag.

Fourth Amendment

The Supreme Court has already recognized the difference and decided, in Riley v California (2014), that police must obtain a warrant to search the contents of the phone of someone they have arrested, because of the Fourth Amendment’s protection against unreasonable searches. The question of location data, however, is still up in the air. The EFF wants that same warrant rule applied to phones (and laptops) at the border.

But again, the border comes with different rules. The idea of only searching a device while it is disconnected from the internet may sound like a compromise, but it would be hard to pin down procedurally, and it creates the obvious loophole that people would simply push all their files to cloud services before crossing and download them again once inside the country.

Of course, the counter-argument is that if border agents have reason to suspect someone is up to no good, they can apply for a warrant to connect the phone to the internet and then look at the resulting data.

The US government – which brought the case against Molina-Isidoro – is almost certain to aggressively defend its right to inspect people’s possessions at the border, leaving the Fifth Circuit in the difficult position of answering yet another complicated legal question arising from our love of extremely powerful smartphones.

Whatever it decides, the ruling will almost certainly be appealed to the Supreme Court. Whether the Supreme Court takes the case, or bats it back down until another case in another appeals court produces a conflicting ruling, as it has done with similar issues in the past, only time will tell.

But the Fifth Circuit’s decision could well set the scene for a critical question of digital privacy and the government’s right to dig into it. For US citizens, of course. Everyone else is screwed. We have written a handy guide to data security at the US border. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/09/warrants_required_for_phone_searches_appeal/