STE WILLIAMS

11 UK Charities Punished for Violating Data Privacy Law

Organizations fined between £6,000 and £18,000 by the UK’s Information Commissioner’s Office.

The United Kingdom’s Information Commissioner’s Office (ICO) has imposed fines between £6,000 and £18,000 on 11 charities in the country for misuse of donors’ personal data, BBC News reports. The ICO regards these as very serious breaches of the country’s Data Protection Act.

“[People] will be upset to learn the way their personal information has been analyzed and shared by charities they trusted with their details and their donations,” said Information Commissioner Elizabeth Denham.

Charities fined include The International Fund for Animal Welfare, Oxfam, Cancer Research UK, The Royal British Legion and Battersea Dogs’ and Cats’ Home.

The ICO alleges these organizations secretly collected data on donors from other sources, ranked them by their wealth, attempted to track down past donors, and shared information with other charities without permission.

“We are working with the charities concerned, the Information Commissioner, and the Fundraising Regulator to ensure that any necessary remedial action is taken,” said David Holdsworth of the Charity Commission for England and Wales.

Read full story on BBC News.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: http://www.darkreading.com/operations/11-uk-charities-punished-for-violating-data-privacy-law-/d/d-id/1328577?_mc=RSS_DR_EDT

F-Secure snaps up Little Flocker in big F-off to Mac malware

F-Secure is expanding further into Mac protection with the acquisition of specialist security firm Little Flocker. Financial terms of the deal, announced Thursday, were undisclosed.

Made available as F-Secure XFENCE, Little Flocker’s technology will be used to boost the appeal of F-Secure’s existing corporate and consumer macOS security products by adding behavioural blocking tech. The upgrades will help protect the growing corpus of Apple machines against modern targeted attacks.

Little Flocker’s technology protects Macs by using behavioural-based analysis to monitor apps that attempt to access confidential files and system resources. The same software is also designed to detect and block Mac ransomware.

F-Secure plans to enrich Little Flocker’s core technology with its security cloud and implement it into Protection Service for Business, which will feature a management console with integrated patch management and mobile device management. Yet further down the road, the technology will be made available to consumers as part of F-Secure SAFE, a multi-device security product. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/06/fsecure_buys_mac_security_specialist/

Sorry eh? Canadian mounties own up: Yes, we own 10 IMSI-catchers

The Royal Canadian Mounted Police has ‘fessed up to a long-held suspicion that it uses Stingray-style equipment to track mobile phones.

At the same time, in an interview with public broadcaster CBC, Chief Superintendent Jeff Adam says IMSI (international mobile subscriber identity)-catchers that CBC News believes it spotted in Ottawa didn’t belong to any government agency – sparking concerns about who might have been snooping on government or commercial communications in the capital.

The RCMP says its use of IMSI-catchers is limited: it deployed the fake base stations 24 times in 2015 and 19 times in 2016, said Adam – whose remit includes technical investigation services – in the hour-long interview.

CBC News kicked off a furore when it reported evidence of IMSI-catchers in the vicinity of government buildings in Ottawa. Public safety minister Ralph Goodale has referred the matter to the Mounties and the Canadian Security Intelligence Service for investigation.

Adam told CBC that “It’s a security risk when it is used in proximity to government and/or any other commercial enterprises.”

Without specifying his concerns in detail, Adam warned that those deploying IMSI-catchers could be attempting more than surveillance: “There is equipment out there that is not limited in its capturing of communications between devices.”

That’s bound to get people wondering whether someone’s trying to push malware into government or commercial targets.

The RCMP has ten IMSI-catchers, operated by 24 technicians, and in his interview with CBC, Adam said the units were used only to identify devices. They can be used only if a judge is prepared to issue a warrant, after the Canadian parliament refined the laws surrounding their use.

The Globe and Mail explains that using IMSI-catchers requires either a “transmission-data recorder” warrant, which identifies all phones in a location which police filter for their target; or a “tracking-power” warrant, which limits the device use to notifying police if a target phone logs in.

The only warrantless use of the device is in emergency circumstances, such as watching for a phone belonging to a kidnap victim. The police still need to apply for a retroactive warrant. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/05/mounties_own_up_to_owning_imsicatchers/

Stop us if you’ve heard this: Cisco Aironet has hard-coded passwords

Cisco’s discovered that its Mobility Express Software, shipped with Aironet 1830 Series and 1850 Series access points, has a hard-coded admin-level SSH password.

The default credentials open affected devices to remote exploitation if an attacker has “layer 3 connectivity to an affected device”.

The bug is in access points running “an 8.2.x release of Cisco Mobility Express Software prior to Release 8.2.111.0, regardless of whether the device is configured as a master, subordinate, or standalone access point”.

Switchzilla’s advisory adds that “this advisory is part of a collection” for the Aironet 1830/1850 series.
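The advisory defines the affected range purely by release number, and that is exactly the kind of check that goes wrong when versions are compared as strings ("8.2.9" sorts after "8.2.111"). The following is an added example, not code from Cisco or from the advisory; it takes only the version range quoted above from the page, and the hostnames and inventory rows are constructed.

```python
"""Inventory triage for the affected Mobility Express release range.
Added example (not from Cisco): only the range "8.2.x prior to 8.2.111.0"
comes from the advisory text; hostnames and roles below are constructed."""
from typing import List, Tuple

AFFECTED_TRAIN = (8, 2)            # "an 8.2.x release"
FIXED_VERSION = (8, 2, 111, 0)     # "prior to Release 8.2.111.0"


def parse_version(text: str) -> Tuple[int, ...]:
    """Split a dotted release string into integers so that 8.2.9 < 8.2.111.
    Comparing the raw strings would get this backwards."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when the release is in the 8.2 train and older than the fixed release."""
    v = parse_version(version)
    if v[:2] != AFFECTED_TRAIN:
        return False               # the advisory names only the 8.2 train
    # Pad short strings (e.g. "8.2.9") so they compare field by field
    padded = v + (0,) * (len(FIXED_VERSION) - len(v))
    return padded < FIXED_VERSION


def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """inventory rows are (hostname, role, version). Role is ignored because the
    advisory says master, subordinate and standalone APs are all affected."""
    return [host for host, _role, ver in inventory if is_affected(ver)]


# Constructed sample inventory; hostnames are hypothetical
SAMPLE_INVENTORY = [
    ("ap-lobby-01", "master", "8.2.100.0"),
    ("ap-lobby-02", "subordinate", "8.2.111.0"),
    ("ap-lab-01", "standalone", "8.2.9"),
    ("ap-lab-02", "standalone", "8.3.102.0"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print("needs upgrade:", host)
```

Feed `triage` the real export from your controller and it returns the access points that still need the fixed release; the numeric comparison is what keeps a "8.2.9" device from being silently marked as patched.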

Also strutting the catwalk in the Aironet Spring Catalogue:

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/06/stop_us_if_youve_heard_this_cisco_aironet_has_hardcoded_passwords/

News in brief: Facebook tackles ‘revenge porn’; Microsoft beefs up privacy; security pros lax on passwords

Your daily round-up of some of the other stories in the news

Facebook moves on ‘revenge porn’

Facebook has moved to tackle “revenge porn”, intimate photographs posted without consent, with tools to prevent those images being shared once they’ve been flagged up to the social media company.

The California-based company said that it would use photo-matching technologies so that if a photograph that has already been identified as revenge porn and removed, another user wouldn’t be able to post it again: they’ll be told it violates Facebook policies and that they can’t share the picture.

Facebook’s announcement came as its attempt to challenge 381 search warrants was rejected by New York State’s Court of Appeals. Prosecutors had obtained the warrants in 2013 ordering Facebook to turn over the account details of people who were suspected of fraud. Facebook had argued that the warrants went too far by prohibiting the company from alerting their users to the warrants.

The court upheld a ruling in 2015 that it was up to the targets of the warrants to challenge them, not a third party such as Facebook.

Microsoft addresses privacy fears – again

Microsoft has launched another attempt to address concerns about the data it collects in Windows 10. Critics have been complaining since its 2015 launch that Microsoft’s telemetry collection is a privacy-sucking spying apparatus despite the allegation being refuted many, many times.

Microsoft has made many previous attempts to soothe those fears, and now “for the first time, we have published a complete list of the diagnostic data collected at the Basic level”, said Windows privacy officer Marisa Rogers and Terry Myerson, Windows chief, in a corporate blog post.

The more detailed information will be introduced in the Creators Update, which should start rolling out on April 11, and Myerson added that Microsoft has “reduced the number of events collected and reduced, by about half, the volume of data we collect at the Basic level”.

Security pros confess all about their passwords

When did you last change your passwords to Facebook, Twitter, Instagram, Snapchat etc? If you’re like just over half of the people surveyed by security company Thycotic, you probably haven’t changed them for more than a year – if at all.

The high proportion of people not changing their passwords was all the more surprising as the survey was done at the RSA conference in San Francisco – people you’d expect to be more than usually clued up about security.

The survey also found that the security professionals were disregarding their own advice about passwords, with nearly 30% of those surveyed saying they still used birthdays, pets’ names and their kids’ names for passwords.

If this has made you think again about your own passwords, here’s a reminder of how to choose a good password.

Catch up with all of today’s stories on Naked Security


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/FHdUMgNxMUQ/

Scottrade admits server snafu blabbed 20,000 customer files to world

Online brokerage Scottrade has admitted sensitive loan applications from roughly 20,000 customers were exposed to the world by a fumble-fingered third-party supplier.

The cockup occurred when IT services biz Genpact uploaded the sensitive information to an Amazon-hosted server and didn’t lock the box down – allowing its contents to be potentially extracted by anyone passing by.

Security researcher Chris Vickery found the stash while looking around the ‘net, and downloaded the 158.9GB Microsoft SQL database before calling Scottrade to advise the finance house that it has a problem.

After Vickery alerted the biz, Scottrade started digging into the situation and found the cause – a staffer at Genpact who misconfigured the SQL server and is quite possibly updating their resume at the moment. The leaky database has now been tucked away from public view, and Scottrade has issued an apology.

“Upon being alerted to the issue, Genpact immediately secured that information, and traced the issue to a configuration error on their part while uploading the file,” Scottrade said in a statement.

“Genpact is undertaking an extensive analysis of the log files and the environment to determine to what extent the data may have been accessed. It has engaged a leading forensics firm to assist in the analysis.”

Scottrade hasn’t said exactly what information was contained in the database despite prodding from The Reg for details. Vickery said account passwords were stored in plain text, and it appears that names, addresses and social security numbers were all included.
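Vickery’s finding that the account passwords were stored in plain text is the detail that turns an exposed file into reusable credentials. The following is an added example, not code from Scottrade or Genpact, showing the storage the page implicitly contrasts with: a salted, memory-hard hash per record and a constant-time verification. The user rows are constructed.

```python
"""Salted scrypt password storage, as the alternative to plaintext columns.
Added example (not from Scottrade/Genpact); all user records are constructed."""
import hashlib
import hmac
import secrets

# Work factor, block size, parallelism. 128 * N * r bytes of memory per hash
# (16 MiB here); raise N as your login hardware allows.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16


def hash_password(password: str) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt_hex$digest_hex.
    Storing the parameters lets you raise them later without breaking old rows."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False               # malformed record never verifies
    if algo != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def migrate_table(rows):
    """One-off migration of constructed plaintext rows: hash each password and
    drop the clear text so a leaked copy of the table yields no credentials."""
    return [{"user": row["user"], "password_hash": hash_password(row["password"])}
            for row in rows]


# Constructed plaintext rows of the kind the exposed database reportedly held
SAMPLE_ROWS = [
    {"user": "alice@example.invalid", "password": "correct horse battery"},
    {"user": "bob@example.invalid", "password": "hunter2"},
]

if __name__ == "__main__":
    migrated = migrate_table(SAMPLE_ROWS)
    print(migrated[0]["password_hash"][:40], "...")
    print(verify_password("hunter2", migrated[1]["password_hash"]))
```

The point of the migration helper is that a dump of the hashed table is worth little to whoever finds it on an open server; the plaintext column was the part of this incident that no log analysis can undo.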

Genpact and Scottrade both stressed that their internal servers weren’t hacked. Anyone who has asked the group for a business loan might want to get in touch and find out if their data was on the list.

It’s not the first time that Scottrade has been a little loose with customer data. In 2015, the FBI contacted them about a data breach in the previous two years that exposed 4.6 million of its customers’ bank accounts, forcing a hasty lockdown and customer alert.

Brokerage houses and financial institutions are a particular target for information slurpers, and not just for emptying bank accounts. A mailing list of investors is very useful for pump-and-dump stock scammers and such frauds have been on the rise of late. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/05/scottrade_vendor_exposed_20000_customer_accounts/

Banks Must Focus More on Cyber-Risk

Recent guidelines from the Federal Reserve are aimed at stemming the tide of successful exploits.

In late 2016, just after the distributed denial-of-service attack on the DNS infrastructure, I sat in my hotel room staring at a cryptic URL error on my laptop after attempting to buy a train ticket, wondering what it meant. Was my credit card compromised? Did I have a ticket? Should I do anything to protect my identity and financial security?

Every day, millions of Americans conduct billions of digital financial transactions with the corner grocery store, online retailers, and banks. We buy things and pay for them; we pay rent, credit card, and utility bills; and we scan smartphone screens at payment readers. Online financial interactions are continuous, intertwined, and essential to everyday life. They are also under ever-more threats from cyberattack. What can be done to defend against the constant barrage of successful exploits?

Recently, the Board of Governors of the Federal Reserve, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation released guidance for most US financial institutions. The new rules for midsize and large banks are designed to intensify their focus on cyber-risk mitigation and cyberattack resilience.

In their Enhanced Cyber Risk Security Standards, they encourage self-assessment using the FFIEC Cybersecurity Assessment Tool, adhering to the NIST Cybersecurity Framework and the CPMI-IOSCO Guidance on cyber resilience for financial market infrastructures, plus the adoption of sound practices as outlined in the “Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System.” These documents state that cyber infrastructure is critical, that there are vital best practices, and that each organization needs to take on a greater, focused effort toward cyber resilience.

According to the Enhanced Cyber Risk Security Standards, “The enhanced standards would emphasize the need for covered entities to demonstrate effective cyber-risk governance; continuously monitor and manage their cyber-risk within the risk appetite and tolerance levels approved by their boards of directors; establish and implement strategies for cyber resilience and business continuity in the event of a disruption; establish protocols for secure, immutable, transferable storage of critical records; and maintain continuing situational awareness of their operational status and cybersecurity posture on an enterprise-wide basis.”


While these are certainly important areas to address, the details are left to the institutions. In addition, there are aspects of maintaining situational awareness across a sprawling organization that require more advanced analytics than many organizations have.

There is one other area that should also be part of the new guidance, and that is how all the systems connect to each other. To take a page from Sun Microsystems’ John Gage, “The network is the firewall.” Yet the new guidance ignores the reality that the network creates the greatest risk, the greatest opportunity for resilience, and the greatest need for clear analysis. The thing that makes the online financial marketplace work so well — that you can buy and pay for anything from just about anywhere — is what makes it so vulnerable.

While it’s certainly important to focus on addressing key individual systems and their potential vulnerability to attack, the network as a whole — its interconnectedness — provides the path by which attacks occur. And the uncomfortable truth is that it’s virtually impossible to make all systems impervious to attack.

However, there is more that can be done to build resilience into networks than is currently being done by most organizations. There are three areas that need immediate attention: system vulnerabilities that are accessible across the network, issues with the configurations of network devices, and an incomplete inventory and model of the network, which limits the visibility of potential attack paths.

Accurate Picture Needed
Unfortunately, most organizations don’t have a complete and accurate picture of their entire network. And because their picture is incomplete, their approach to security controls and protections is also incomplete. They’ve been protecting an illusion.

The reality is that not only are endpoint systems at risk, but so are core network devices. And, as every network engineer knows, taking over a network device means you have access to everything connected to it. By focusing attention and effort on protecting endpoints, many organizations are failing the key test of their cybersecurity defenses: can they protect high-value assets? When you ask a company if your credit card information is secure, you don’t only want to know that it has the latest and greatest firewall protecting its network. You want to know what the company is doing to keep the hackers who get in from accessing high-value targets.
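The argument above is that exposure of a high-value asset is a property of how zones connect, not of any one host, and that a model built from what you believe the rules are will miss paths that the deployed rules actually allow. The following is an added example, not RedSeal’s product or method, that makes that concrete: a zone graph derived from firewall rules, a breadth-first search for paths from the untrusted zone to a high-value host, and a comparison of the believed rule set against the deployed one. Zones, hosts and rules are all constructed.

```python
"""Attack-path reachability over a zone model built from firewall rules.
Added example (not RedSeal's code); topology, hosts and rules are constructed."""
from collections import deque
from typing import Dict, List, Set, Tuple

# Constructed zones and the hosts that live in them
ZONES: Dict[str, List[str]] = {
    "internet": ["attacker"],
    "dmz": ["web-01"],
    "corp": ["jump-01", "eng-ws-07"],
    "core-net": ["core-switch"],
    "pci": ["card-db"],
}
HIGH_VALUE: Set[str] = {"card-db"}

Rule = Tuple[str, str, int]   # (source zone, destination zone, destination port)


def reachability(rules: List[Rule]) -> Dict[str, Set[str]]:
    """Collapse rules into a zone graph: an edge exists whenever any rule
    permits traffic from one zone to another, regardless of port."""
    graph: Dict[str, Set[str]] = {zone: set() for zone in ZONES}
    for src, dst, _port in rules:
        graph[src].add(dst)
    return graph


def attack_paths(rules: List[Rule], start_zone: str = "internet") -> Dict[str, List[str]]:
    """Breadth-first search from the untrusted zone. Returns one shortest zone
    path for every high-value host that is reachable at all."""
    graph = reachability(rules)
    host_zone = {host: zone for zone, hosts in ZONES.items() for host in hosts}
    found: Dict[str, List[str]] = {}
    seen = {start_zone}
    queue = deque([[start_zone]])
    while queue:
        path = queue.popleft()
        for nxt in graph[path[-1]]:
            if nxt in seen:
                continue
            seen.add(nxt)
            new_path = path + [nxt]
            for host in HIGH_VALUE:
                if host_zone[host] == nxt:
                    found[host] = new_path
            queue.append(new_path)
    return found


# The rule set engineers believe is deployed ...
BELIEVED_RULES: List[Rule] = [
    ("internet", "dmz", 443),
    ("dmz", "corp", 8443),
    ("corp", "core-net", 22),
]
# ... and the one actually deployed, with a forgotten management rule from the
# network-device zone into the cardholder zone (constructed scenario).
DEPLOYED_RULES: List[Rule] = BELIEVED_RULES + [("core-net", "pci", 1433)]

if __name__ == "__main__":
    print("believed:", attack_paths(BELIEVED_RULES))
    print("deployed:", attack_paths(DEPLOYED_RULES))
```

Run against the believed rules the search finds nothing; run against the deployed rules it reports the path through the core network device zone into `pci`, which is the "taking over a network device means you have access to everything connected to it" case the article describes. Replacing the constructed rule lists with a parsed export of real firewall policy is the only change needed to turn this into a segmentation check.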

The steps created by the new guidance from the Federal Reserve are an important start. It’s critically important that organizations communicate attack scenarios, work together to coordinate responses and improved defenses within and across organization boundaries, and continue to develop more sophisticated and automated approaches to creating and maintaining an accurate picture of how everything connects together. To avoid relying on what you think your network is doing and instead committing to reality, objective and comprehensive analysis is key. From there, you can develop a strategy for addressing the gaps, maintaining network segmentation, and ensuring resilience without the illusions of the past.

The only way to maintain the flow of international finance to support everyone from individuals doing their daily activities to businesses and governments interacting across the planet is to protect the endpoints, the network, and the entire infrastructure as a complex, interconnected system. The only way to do that is with automated analysis of the system that allows engineers to identify and address access risk and vulnerabilities as they arise rather than after they’re compromised.


Dr. Mike Lloyd, CTO of RedSeal, has more than 25 years of experience in the modeling and control of fast-moving, complex systems. He has been granted 21 patents on security, network assessment, and dynamic network control. Before joining RedSeal, Mike was CTO at RouteScience …

Article source: http://www.darkreading.com/endpoint/banks-must-focus-more-on-cyber-risk/a/d-id/1328566?_mc=RSS_DR_EDT

Matching Wits with a North Korea-Linked Hacking Group

Skilled ‘Bluenoroff’ arm of infamous Lazarus hacking team behind Bangladesh Bank heist and Sony attacks actively resists investigators on its trail, Kaspersky Lab says.

KASPERSKY SECURITY ANALYST SUMMIT 2017 – St. Martin – Even after global financial messaging service provider SWIFT began the process of hardening its systems to prevent another Bangladesh Bank-type heist, the Lazarus hacking group behind the original attack managed to get past the new security barriers in other attack attempts against other banks.

“SWIFT added a layer of integrity-checking, and they [the attackers] tampered with it,” says Costin Raiu, head of the global research and analysis team at Kaspersky Lab. After SWIFT further locked down the transaction process, Lazarus came back again and tampered with memory protections, he says.

Lazarus is the aggressive hacking group believed to have engineered the 2014 epic destructive Sony Pictures Entertainment attacks, and identified by the FBI as a North Korean nation-state group. These days it has much larger aspirations as demonstrated by its $81 million cyber heist of Bangladesh Bank. According to new research revealed here this week by Kaspersky Lab, the bank heist, as well as a wave of other attack attempts on banks worldwide, is the handiwork of an arm of Lazarus with special skills and the main goal of stealing money.

Kaspersky Lab calls this subgroup Bluenoroff, a unit that works as part of the larger Lazarus organization and continues to target banks as well as casinos and even Bitcoin operators. This A-team has experienced reverse-engineering and forensics expertise, according to the researchers.

“What is scary is they move so quickly,” Raiu says. “The moment they understand you are hunting for their tools they started password-protecting all tools and locking them down with strong encryption. You cannot analyze a tool unless you know the password.”

Raiu says there must be thousands of hackers in Lazarus. “They have an incredible stream and flood of tools. Other APT groups use the same tools for years. These guys have a new tool for every target,” he says. “They are constantly improving and getting better at going after more and more targets.”

Matching Wits
Kaspersky’s investigators have matched wits with Bluenoroff. “They know how we go after them and they actively resist,” says Vitaly Kamluk, principal security researcher at Kaspersky Lab. For example, Bluenoroff masks its malicious dropper code inside an encrypted container so investigators can’t see it, but Kamluk says his team ultimately was able to get access to secret passwords.

That type of security by the group is a far cry from earlier attacks from purported North Korean nation-state attackers, who were best known for more rudimentary backdoors and processes, notes Kamluk, who stopped short of confirming that North Korea is the attacker here. “It’s definitely related to North Korea, but we can’t say with true confidence that it is.”

Kaspersky Lab several months ago found “patient zero” at Bangladesh Bank and traced the infection to a government regulatory website that dropped malware onto the victim’s machine. By keeping mum on that finding over the past few months, the researchers were able to gather their newest intel on Bluenoroff after the group made a rare slip-up and left behind traces of their activity on a victim server.

Those traces led researchers to communications from an IP address in North Korea. BAE Systems, in its own investigation of Lazarus, has seen the same North Korean IP address.

Kaspersky Lab, meanwhile, found the malware from the group as far back as December 2015 on machines in financial institutions, casinos, and financial-investment software developers, in Korea, Bangladesh, India, Vietnam, Indonesia, Costa Rica, Malaysia, Poland, Iraq, Ethiopia, Kenya, Nigeria, Uruguay, Gabon, Thailand, and other countries.

The Kaspersky researchers were able to detect and stop Bluenoroff attacks on a bank in Vietnam as well as one in Europe, as the group was actively targeting financial institutions in the wake of the Bangladesh Bank incident.

Dries Watteyne, head of customer security intelligence at SWIFT, said in a presentation here this week that the Bangladesh Bank attack was a “watershed event” for SWIFT. “They had sophisticated knowledge of the bank application” and bypassed transaction-verification checks and deleted their fraudulent payment instructions and modified SWIFT messages, he said.

SWIFT has since implemented a new customer security program aimed at stronger fraud detection and more secure transaction processes. “We’re hardening our software and using big data in our central database to detect earlier [any] potential fraud,” he said. SWIFT will release its new updated security controls this month for member banks, he said.

How Bluenoroff Hacks
Meanwhile, according to Kaspersky’s new research, Bluenoroff’s MO works like this: the attackers breach a system inside the bank via a watering hole attack using an exploit on a legitimate financial industry website, or remotely exploit a system with malware. The attackers then hop to other bank computers and install backdoors that allow them to move about freely and conduct reconnaissance on the bank, studying its network and systems architecture and locating key targets such as authentication information and domain controllers.

Once they have the lay of the land, they drop custom malware that can sneak past security software or measures in financial applications. That’s when they start processing rogue transactions and stealing money.
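The step in that sequence that a bank’s own logs can catch is the hop from the first compromised machine to many others while the attackers map the network and look for domain controllers: one account reaching an unusual number of distinct hosts over the network in a short window. The following is an added example, not Kaspersky’s or SWIFT’s code, of that detection run over constructed logon records; the field layout (timestamp, account, source, target, logon type) is an assumption, and the hostnames and account names are made up.

```python
"""Fan-out detection for the lateral-movement phase described above.
Added example (not Kaspersky/SWIFT code); log lines and layout are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple

# Constructed logon records: timestamp account source target logon_type
SAMPLE_LOG = """\
2017-04-05T02:10:01 svc_backup WS-114 FILESRV-01 network
2017-04-05T02:10:07 svc_backup WS-114 FILESRV-02 network
2017-04-05T02:10:12 svc_backup WS-114 DC-01 network
2017-04-05T02:10:20 svc_backup WS-114 SWIFT-APP-01 network
2017-04-05T02:10:33 svc_backup WS-114 HR-DB-01 network
2017-04-05T02:11:00 jdoe WS-201 FILESRV-01 network
2017-04-05T09:15:00 jdoe WS-201 WS-201 interactive
"""

Event = Tuple[datetime, str, str, str, str]


def parse_log(text: str) -> List[Event]:
    """Parse the constructed whitespace-separated layout into typed events."""
    events = []
    for line in text.splitlines():
        ts, account, src, dst, kind = line.split()
        events.append((datetime.fromisoformat(ts), account, src, dst, kind))
    return events


def fan_out_alerts(events: Iterable[Event],
                   window: timedelta = timedelta(minutes=5),
                   threshold: int = 4,
                   crown_jewels: Iterable[str] = ()):
    """Report every (account, source host) that authenticated over the network to
    at least `threshold` distinct hosts inside any `window`-long span.
    Each alert is (account, source, all targets, targets that are crown jewels),
    so a hit on a domain controller stands out in the output."""
    jewels = set(crown_jewels)
    by_pair = defaultdict(list)
    for ts, account, src, dst, kind in events:
        if kind == "network" and src != dst:      # interactive/local logons are noise here
            by_pair[(account, src)].append((ts, dst))
    alerts = []
    for (account, src), hits in by_pair.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):     # slide the window over sorted hits
            targets = {dst for ts, dst in hits[i:] if ts - start <= window}
            if len(targets) >= threshold:
                alerts.append((account, src, sorted(targets), sorted(targets & jewels)))
                break                             # one alert per account/source pair
    return alerts

if __name__ == "__main__":
    for alert in fan_out_alerts(parse_log(SAMPLE_LOG), crown_jewels=["DC-01"]):
        print(alert)
```

The threshold and window are tuning knobs: service accounts that legitimately touch many hosts will need an allow-list, and the crown-jewel column is there so that a burst that includes a domain controller or the payment application host is triaged first rather than buried among file-server noise.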

Bluenoroff appears to have gone dormant for now, which Kaspersky believes is a sign that they are regrouping and creating new attack tools.



Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: http://www.darkreading.com/attacks-breaches/matching-wits-with-a-north-korea-linked-hacking-group-/d/d-id/1328572?_mc=RSS_DR_EDT

More indications attackers are doubling down against Android

Thanks to Rowland Yu of SophosLabs for providing the research for this article.

A recent SophosLabs statistical analysis comparing the ratio of malware to potentially unwanted applications (PUA) across Windows, Mac and Android illustrates a trend we’ve been seeing for some time: attackers are heavily focused on Android devices.

The analysis also shows the bad guys using PUAs to slip past security sensors and penetrate Android and Mac devices.

When we pull back the lens on the bigger picture, Windows continues to be the most-targeted of all operating systems, SophosLabs researcher Rowland Yu said. But the ferocity against Android is clear.

Follow the money

In an email exchange, Yu reiterated a point we’ve made in the past: the more open the system, the more susceptible it is to malware:

On the other hand, if the system has its own app store such as Mac and Android – or undergoes a system or human review – then malware writers will use PUA instead of malware.

Malware writers see PUA as a way to more easily bypass security systems and achieve the same end goal they have with other malware – making money, Yu said. 

By the numbers

A look at the raw volume of samples analyzed by SophosLabs in 2016 painted the following picture:

  • Of everything targeting Windows, 6% were PUAs and 95% were straight-up malware.
  • Of everything targeting Android, 75% was pure malware and 25% were PUAs.
  • Of everything targeting Macs, 6% was pure malware and 94% were PUAs.

While malware is designed to do harm, PUAs fall more into the nuisance category: annoying apps that run ads and pop-ups until you finally uninstall them.

Android malware examined

In the SophosLabs 2017 malware forecast released in February, the researchers explored the specific malware designed for Android devices.

SophosLabs analysis systems processed more than 8.5m suspicious Android applications in 2016. More than half of them were either malware or potentially unwanted applications (PUA), including poorly behaved adware.

When the lab reviewed the top 10 malware families targeting Android, Andr/PornClk was the biggest, accounting for more than 20% of the cases reviewed in 2016. Andr/CNSMS, an SMS sender with Chinese origins, was the second largest (13% of cases), followed by Andr/DroidRT, an Android rootkit (10%), and Andr/SmsSend (8%). The top 10 are broken down in a pie chart in the original article.

Defensive measures

Though Android security risks remain pervasive, there’s plenty users can do to minimize their exposure, especially when it comes to the apps they choose.

  • Stick to Google Play. It isn’t perfect, but Google does put plenty of effort into preventing malware arriving in the first place, or purging it from the Play Store if it shows up. In contrast, many alternative markets are little more than a free-for-all where app creators can upload anything they want, and frequently do.
  • Consider using an Android anti-virus. By blocking the install of malicious and unwanted apps, even if they come from Google Play, you can spare yourself lots of trouble.
  • Avoid apps with a low reputation. If no one knows anything about a new app yet, don’t install it on a work phone, because your IT department won’t thank you if something goes wrong.
  • Patch early, patch often. When buying a new phone model, check the vendor’s attitude to updates and the speed that patches arrive. Why not put “faster, more effective patching” on your list of desirable features, alongside or ahead of hardware advances such as “cooler camera” and “funkier screen”?

If you use a Mac, our recommendations typically include using a real-time anti-virus, even (or perhaps especially) if you have managed unharmed for years without one, and promptly downloading security updates as Apple releases them.

Similar advice applies to malware and PUAs targeting Windows. Apply patches immediately and be careful of attachments and links delivered via Outlook.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/1qfXlyX9YxM/

Visitors could be forced to hand over phones when entering the US

Hello, travelers, and welcome – more or less, depending on where you’re coming from and whether the border guards believe you – to the US.

Have you kept up with what our border agents are going to require of you? Not exactly sure what’s entailed in this “extreme vetting” that President Donald Trump has been promising to put you through?

Neither are we, but details are beginning to emerge. The newest is that the administration is thinking about demanding your phones.

The Wall Street Journal reports that the Trump administration is considering requiring the disclosure of the following from foreigners entering the US:

  • Mobile phone contacts
  • Social media passwords
  • Financial records
  • Ideology

The emphasis is on “considering”. These are not yet requirements.

The WSJ quoted one source – reportedly a counselor to Homeland Security secretary John Kelly – who said that the rationale is to prove beyond a shadow of a doubt that foreigners are coming into the US for “legitimate” reasons:

If there is any doubt about a person’s intentions coming to the United States, they should have to overcome – really and truly prove to our satisfaction – that they are coming for legitimate reasons.

This could go well beyond the majority Muslim countries the administration has already singled out in its travel bans: the WSJ’s sources said that alterations to the visa process could affect even those coming from traditionally staunch allies, such as France and Germany.

The potential new extreme vetting measures could affect even the 38 countries that are now part of the US Visa Waiver Program. That program allows citizens of specific countries – ones with healthy economies that are generally considered to be “developed” – to travel to the US for tourism, business, or while in transit for up to 90 days without having to obtain a visa.

It’s not routine for border agents to demand phones, but it happens. Sometimes, it even happens to natural-born US citizens. In February, NASA engineer Sidd Bikkannavar was forced to hand over and unlock his (NASA-issued and NASA-owned) work phone.

You might wonder how that could be constitutional, given that US courts are divided on whether police can demand passcodes without violating Fourth Amendment protection against unreasonable search and seizure.

But those are questions for the courts, and there are no courts in airports. Border crossings operate under different rules than the rest of the country. In the US, it’s commonly said that borders are a “Constitution-free zone”.

That’s not strictly true, as the ACLU notes. But search rules certainly are different than outside of these ports of entry. From the ACLU:

At border crossings (also called “ports of entry”), federal authorities do not need a warrant or even suspicion of wrongdoing to justify conducting what courts have called a routine search, such as searching luggage or a vehicle.

…or your phone.

According to the WSJ, the new extreme vetting rules could potentially force visitors to hand over their phones so that agents can check their contacts. Alternatively, visitors might be required to hand over passwords for online accounts so agents can scrutinize both public and private interactions.

Mandatory social media checks have already survived the court blocks on Trump’s travel bans. Last month, Reuters reported that US secretary of state Rex Tillerson sent a flurry of diplomatic cables to American diplomatic missions, putting out edicts and then dialing them back as the courts ruled against the bans.

But he didn’t dial back a “mandatory social media check” for any visa applicants who’ve ever visited territory controlled by the Islamic State (IS).

A senior official reportedly said that the administration wants to “figure out who you are communicating with”.

In February, Kelly told a House Homeland Security Committee hearing that the administration would like to prohibit entry to those who decline to unlock their online lives:

We want to say, for instance, ‘What sites do you visit? And give us your passwords,’ so that we can see what they do on the internet. If they don’t want to give us that information then they don’t come.

As far as ideology goes, the administration is reportedly considering asking questions such as whether visitors support honor killings and whether they regard the “sanctity of human life”.

The current state of travel affairs

When it comes to travel right now, it’s hard enough for US citizens to keep track of what’s been proposed, what’s in the works, and what’s been blocked by the courts. It’s undoubtedly even tougher if you’re outside the US.

So here’s a summary:

  • Trump’s first travel ban on majority Muslim countries covered Iran, Libya, Somalia, Sudan, Syria, Yemen and Iraq. It banned travel into the US from those countries for 90 days and was just one of a set of wide-ranging immigration controls that also suspended refugee arrivals.
  • A New York court temporarily blocked the travel ban. A federal appeals court upheld the ruling in early February.
  • A revised travel ban dropped Iraq from the list.
  • The second travel ban was blocked by a federal court in Hawaii last month.
  • On Friday, attorneys general from 16 states and the District of Columbia filed a brief in the 4th US Circuit Court of Appeals, urging the judges to reject the administration’s request to let its travel ban take effect while it considers its appeal.
  • The 4th Circuit Court of Appeals in Richmond, Va., announced last month that it will hear arguments on an aspect of Trump’s revised travel ban on May 8 and could rule this week on whether to uphold the Justice Department’s request for a stay.
  • The travel ban issue could reach the Supreme Court by mid May. Trump’s order might not fare well given the makeup of the current court. But if Trump’s Supreme Court nominee, Neil Gorsuch, gets voted in this week, his order presumably stands a much better chance.

Returning to the potential extreme vetting measures: in the past, we’ve asked readers for suggestions on what to do to ensure that their privacy, the privacy of their contacts, and their sensitive business information, is secure when traveling to the US.

Wired recently published a guide to getting past customs with your digital privacy intact, and it’s well worth a read.

One thing to note is that there’s no silver bullet. For example, suppose you set up two-factor authentication so that your online accounts require a temporary passcode that’s texted to your phone, then remove your SIM card (perhaps mailing it to your destination) so that you can’t receive the SMS messages. You could then truthfully tell CBP that you are unable to log in to those accounts, even if you wanted to. Note that this covers only the accounts, not the phone itself: agents can still demand the device passcode, and any account with another recovery route (a backup email or an authenticator app that is still on the phone) remains reachable.

But just how well will that go over with the agents? As Wired notes, it could easily spike their suspicions and lead to lengthy detention and intense grilling.

Refusing to hand over passwords might seem like a sound option, but US Customs and Border Protection (CBP) threatens those who don’t comply with seizure of their devices and detention.

It should come as no surprise that in the wake of the revelations, there are those who say that all of this is moot as far as they’re concerned, given how little appeal there is in traveling to the States in these times:


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/YWgbGR90W8k/