Security News This Week: Facebooking at Work Can No Longer Be Charged as ‘Hacking’
This week, a hacker stole 5 million accounts from the kids’ electronics manufacturer VTech, which had left at least 190GB of kids’ photos and chats with their parents vulnerable. Anonymous leaked private login details of officials of the UN climate talks in Paris in retaliation for the arrest of protesters. The Electronic Frontier Foundation filed an FTC complaint accusing Google of secretly collecting and storing schoolchildren’s data. A hacker leaked a United Arab Emirates bank’s customer data after it failed to pay a $3 million bitcoin ransom. Signal, a free and easy-to-use encryption app, launched on desktops as an open-beta version. Oh, and Adobe announced that creators should build with HTML5 rather than Flash, although it will continue to support the security-addled software, primarily by issuing patches as needed.
But that’s not all. Each Saturday we round up the news stories that we didn’t break or cover in depth at WIRED, but which deserve your attention nonetheless. As always, click on the headlines to read the full story in each link posted. And stay safe out there!
If you’ve ever checked Facebook at work in spite of your employer’s computer use restrictions, you can breathe a sigh of relief. The Second Circuit Court of Appeals ruled that an employee is not criminally liable under the Computer Fraud and Abuse Act for violating his employer’s computer use restrictions. In this case the employee was a New York City police officer who broke NYPD policy by accessing a police database to look up information about people without a valid law enforcement purpose. Additionally, he was charged with conspiracy to kidnap for writing about cannibalism on fetish websites, but the appeals court ruled that he could not be held criminally liable for this thoughtcrime, since no kidnapping had ever been planned or taken place.
Most people never hear about the major cyberattacks that could cause damage to the US’ energy grid, banks, chemical tanks, and oil and gas suppliers. This is because of a provision in the 2002 Homeland Security Act, which keeps evidence US companies submit to the government from public disclosure. Some discretion makes sense: it’s prudent to fix flaws before publicizing them, for example, and to avoid tipping off attackers to how close they got to damaging critical infrastructure or handing them a road map to power utilities. However, the law prohibits federal regulators from mentioning real threats or past breaches even when writing reports to push for better safety regulations, where citing them sounds like it would be helpful if we want to keep our critical infrastructure secure.
Following the lead of the Department of Justice, the IRS has said that it will seek a search warrant before using the controversial stingray surveillance technology “except in exigent or exceptional circumstances.” In a letter to Senator Ron Wyden, IRS director John Koskinen said that the IRS had only used its stingray to track 37 phones as part of 11 grand jury investigations. The IRS stingray was also used to assist with four other non-IRS investigations. The Guardian previously revealed that the IRS made two purchases from surveillance device manufacturer Harris Corporation in 2009 and 2012, but Koskinen said the IRS obtained a single stingray in October 2011 and began the process of procuring an additional one in July 2015.
In compliance with the USA Freedom Act, the NSA finally stopped forcing telecommunications companies to hand over phone metadata in bulk on November 29th. The executive branch must now ask a FISA court to order telecoms to turn over specific records as needed. However, it’s worth noting that the NSA has found ways to shift electronic surveillance programs it has halted to functional equivalents overseas, and that it still has broad mass surveillance power through Executive Order 12333 and the FISA Amendments Act, including Section 702.
In 2004, the FBI served then-ISP owner Nicholas Merrill a National Security Letter accompanied by a gag order, asking him to turn over a client’s electronic metadata. Merrill went to court to fight the request, which was eventually retracted, but the gag order remained in effect for over a decade, so Merrill was unable to disclose what the FBI was seeking, until now. Without a search warrant or any judicial oversight, the FBI wanted Merrill to give them the individual’s complete web history, the IP address of anyone they’d ever corresponded with, records of all online purchases, and a RADIUS log, which included cell site location, essentially turning a mobile phone into a tracking device. To make matters worse, it appears that the FBI would retain the information indefinitely, even if it found that the subject wasn’t a terror threat. The FBI would also share the data across the intelligence community, government agencies, and even foreign governments.
Court Rules It Was Unconstitutional for a Sheriff to Pressure Banks to Stop Processing Payments for Sex Workers
The 7th Circuit Court of Appeals in Chicago ruled that a Cook County sheriff violated the First Amendment rights of an online classified ad site when he pressured Visa and MasterCard to prohibit payments because he disliked the content of adult sex ads. The ruling has broader implications for individuals or organizations that government officials dislike, but who have not been convicted of breaking any laws. For example, in late 2010, Senate Homeland Security Committee chairman Joe Lieberman mounted an extra-judicial pressure campaign to coerce companies to terminate web hosting and payment processing services to WikiLeaks.
Pakistan Kicks Out Blackberry After the Company Refuses to Give the Government Unfettered Access to Customer Data
Although Blackberry has stated its willingness to comply with US government data requests, apparently it draws the line somewhere. When the Pakistani government requested wholesale access to customer data, Blackberry refused, and will now be ceasing operation in the country altogether. Meanwhile, Pakistan has proposed an electronic crimes bill that a legal expert called the worst cyber-crime law in the world.
For the first time in court, UK cyber surveillance agency GCHQ has admitted that it does computer network exploitation (also known as hacking) both in the UK and abroad. GCHQ made this admission as part of a four-day hearing at the Investigatory Powers Tribunal in London. Privacy International and seven international ISPs took GCHQ to court over persistent, illegal hacking that ignores privacy safeguards.