Category Archives: Awareness

Is too much consumer protection a bad thing? Facebook thinks so

The Australian Competition and Consumer Commission (ACCC), Australia’s equivalent of the American Federal Trade Commission’s Bureau of Consumer Protection, has recently released the final report of its Digital Platforms Inquiry, which “looks specifically at the impact of digital platforms on: consumers, businesses using platforms to advertise to and reach customers, and news media businesses that also use the platforms to disseminate their content.” As a result, the ACCC has recommended 23 changes to the current standard for consumer protection. One recommendation that did not sit well with Facebook was the 16th, which would require users to consent any time their personal information is collected, used, or shared.

Facebook, which is often the center of attention when it comes to violations of its users’ privacy rights, has recently stated that the ACCC’s approach to this issue is “backwards,” and that as a result Australia would fall behind the rest of the world. While the intention is to make users aware of what data is being collected about them, is this really the best method to do so?

This issue raises the question: is there such a thing as too much protection? Are the privacy benefits of requiring consent alerts from these entities worth the loss of convenience and usability, or should users accept that loss for better privacy?

Links:

ACCC Digital Platforms Inquiry

“Facebook boss hits out at ‘backwards’ ACCC privacy policies”

By Patrick Swanson-Green, October 21, 2019

FBI uses NSA surveillance data to conduct investigations

Earlier this week, a FISA court ruling from October 2018 was declassified. It details the FBI using information gathered by the NSA’s mass surveillance tools to conduct investigations on U.S. citizens without warrants.

At this point, it is common knowledge that the NSA practices mass surveillance on American citizens. This is attributed to whistleblower Edward Snowden, who leaked documents to the press about the tools and techniques the NSA uses to conduct “bulk data collection.” However, until now, little has been shown to demonstrate how other agencies, like the FBI and the CIA, may use that information to do the same.

Searching through this data is known as “backdoor searching,” and the declassified document states that the FBI conducted over three million of these searches on “U.S. persons.” The main issue is that these searches were not legally justified. According to the FISA court ruling, the FBI did not base its backdoor searching on a potential criminal investigation or any other genuine justification. This further validates the claim that these agencies are attempting to create a kind of “permanent record” on American citizens.

After 9/11, policy within the FBI was altered so that obtaining a warrant to investigate a U.S. citizen is unnecessary as long as the person of interest is suspected of being a “potential national security threat.” This stipulation is vaguely worded and can be applied very broadly.

While maintaining security through secrecy is a noble goal for the NSA, the information that they gather must be used justly and fairly if their practices are to be accepted by the American people.

– Jared Albert

The Supreme Court determining how bad a hack has to be to sue

In December 2018 and January 2019, the Supreme Court held conferences on two cases that each sought the same decision from the court: an answer to the question of how bad a hack has to be before a victim can sue.

FCA US LLC, et al., Petitioners v. Brian Flynn, et al.

The first case is FCA US LLC, et al., Petitioners v. Brian Flynn, et al. The petition was filed September 26, 2018, but the case traces back to July 21, 2015, when Wired published an article by Andy Greenberg that included a video demonstrating the Jeep Cherokee’s vulnerability. The author is shown driving normally down a highway in the Jeep Cherokee; then the hackers Wired had hired turn on the AC, display a picture on the dashboard’s digital screen, turn the music on and up extremely loud, and, most notably, kill the car’s engine entirely. An 18-wheeler barrels past, honking at the dangerously slow vehicle, which only makes Greenberg more uneasy about the situation. There was nothing the driver could do to change it, despite fiddling with the dials to try to rectify the situation, and his panic is clear as he begs the hackers to turn the engine back on while they laugh in the safety of an entirely different location. They were able to do this through a Jeep feature called Uconnect, a computer in the dashboard display (called the head unit) that has an internet connection. This was a huge issue for Chrysler to deal with: despite the company sending USB drives with a fix to the 1.4 million owners of the affected vehicles, people were still very wary and pointed the finger at the cars for being “excessively vulnerable,” then sought compensation for the risk. There was no evidence of the vulnerability being exploited maliciously, and that was a central point in Chrysler’s petition.

Zappos.com, Inc. v. Stevens

The second case, Zappos.com, Inc. v. Stevens, arose when the online retailer Zappos.com suffered a malicious breach of its database in January 2012. This database contained sensitive information about its clients, including names, account numbers, contact information (i.e. email addresses and billing addresses), and possibly credit card information, for more than 24 million Zappos customers. Again, the company found nothing indicating the information had been used in tactics such as impersonation, but the clients claimed otherwise, saying the information was used to hack into their other accounts.

The Conclusion of the Petitions

Each case’s petition was ultimately denied. The Chrysler petition was denied at the first conference on January 4, 2019, while consideration of the Zappos petition was dragged out across two conferences before it was finally denied on March 27, 2019.

The Questions

These cases raise several central questions. The first is what exactly the relationship is between obtaining information through a hack and actually using it. Neither company found evidence of the vulnerabilities being used in a way that compromised any user’s safety or confidentiality, so could we judge these cases on the premise that a vulnerability existed in the first place? The problem with that is that nothing in cyber security is 100% safe from being breached; anything that is put out will have vulnerabilities that can be exposed. So is it a problem unless the vulnerability is found and used maliciously? Then we have to wonder about the victims: is it just to have a court decide whether a victim has suffered enough to do something about their losses? It becomes a never-ending cycle of ethical and practical questions about these topics, about what should be put in place to resolve the gray area, and about whether anything could get rid of gray areas at all. This emphasizes the difficulty of cyber security as a whole: the subjectivity and uncertainty of so much that comes with it. The word “concrete” comes up often in the official case documents, but very little in cyber security can be wholly defined as concrete, especially for something intangible, where you cannot put a number on the damages the way you can for a car crash or a fire from a monetary standpoint.

What I Think

My main thoughts are, first, how lucky it is that these cases did not end up going to the Supreme Court, both on behalf of big companies and from my personal ethical beliefs. The companies are fortunate because the court could have easily swayed far more in favor of the masses that are being put at risk in so many ways because of security vulnerabilities; when the lines of damages are more defined, they will likely end up having to throw millions of dollars at settlements. But the companies are the ones who would be losing the least out of most of these situations, as they always do, so I’m much more on the side of the masses as someone who would have my information stolen from a database which may be protected by old white men who are using computers that are over half my age (I am 19, for reference). Users should not have to fear their private information being accessed by those without clearance, especially with some of the questions that are in background checks and such regarding extremely personal matters. I am fully aware that this is not a perfect world and that asking for privacy online is like putting a flyer of information on a wall and begging nobody to look at it, but it’s still really terrible that that’s how things are… sometimes. But the thing is that I cannot even fathom any pity for companies with the amount of money and power they have. I feel the people who owned Jeep Cherokees were very justified in their concern and request for compensation because they are wondering about “what if” situations, but there is nothing that cannot be hacked, so I understand why the request is unreasonable from a security standpoint, so it is very hard. Overall, I just feel that something run by the government (the Supreme Court) cannot be the one defining how much damage is enough. The word “enough” alone feels like a default invalidation of the victims of the situations in question, and with cyberspace being a forever-changing beast that, realistically, cannot be quantified, it is a catch-22 of sorts. There is no one solution we can come to for it, so for now I think it is best to deal with things on a case-by-case basis.

Sources

All information and quotes came from the following sources.

Written by Faith Cronister on September 29, 2019

Coalfire Penetration Test of County Courthouse Lands Two Employees in Jail

Coalfire Labs, a company that provides cyber risk management and compliance services for public and private companies, was contracted by the Iowa State Judicial System to perform security penetration testing of the Iowa Judicial Branch in Dallas County. Coalfire employees Justin Wynn and Gary Demercurio were tasked with the physical assessment and were arrested after they set off the alarm while attempting to enter the courthouse to conduct their assigned evaluation.

Let’s start from the beginning

The Iowa State Judicial System contracted Coalfire Labs to perform penetration security tests on the Dallas County Court System. The master agreement that got the assessment started was signed on January 14, 2015. This document defined all the terms and conditions that both parties would abide by. It did not, however, mention anything pertaining to the actual assessment; it addressed only the main legal and monetary items and was silent on the exact security penetration techniques to be used. Between May and July 2019, the rest of the documents came into being. On May 28, 2019, the service order was signed by the IT Director of the Iowa Court System, Mark Headlee. This document defined the key deliverables, the engagement scope, and the pricing. The scope listed physical attacks against the courthouse (unauthorized entries) and stated that they could happen at any time of the day or night. On July 30, 2019, the rules of engagement were sent to Andrew Shirley (Information Security Officer for the Iowa Judicial Branch). This document outlined how Coalfire was to engage: the locations, the testing dates, and how information was to be handled internally within Coalfire. It addressed concerns with client information, as well as any relevant information concerning the network, the locations, wireless networks, any applications, and any cloud infrastructure. On August 9, 2019, the Social Engineering Authorization document was signed by John Hoover (Infrastructure Manager), Andrew Shirley (Information Security Officer), and Mark Headlee (IT Director). This document outlined which physical social engineering methods could and could not be used to access facilities.

The Event that led to the arrest

Both Justin Wynn and Gary Demercurio were arrested when they were discovered attempting to conduct their assigned physical assessment at 12:30 am at the Dallas County Courthouse. Two days earlier they had successfully made entry into the Polk County Courthouse. As they entered the Dallas County Courthouse, they set off the alarm system, prompting a police response. They were arrested, with their preliminary hearing set for September 23, 2019.

Iowa’s Senate steps in

Iowa’s Senate Government Oversight Committee is investigating these so-called break-ins. The investigation will look into how this physical assessment would have improved the Judicial Branch’s ability to perform its services. Senator Tony Bisignano (D) said that he is concerned that the state took this upon itself to do. “We need to know as quickly as possible what truly happened, what the contract says, how many contracts are out there and who was going to be liable in case of a mishap, an injury, an altercation.” He says that this is going to be a burglary case, not a contract case. The Judicial Branch administrators, after releasing the contract, stated: “They did not intend, or anticipate, those efforts to include the forced entry into a building.” Bisignano agrees that testing security is important. He thinks that it “could have been accomplished in a less covert way other than a CIA-type action.”

What is the question here?

I see the big question that this case will address as this: do state governments have the power to have private companies perform assessments of any kind on county/town systems? The answer to this question will decide whether Justin and Gary of Coalfire go free or go to jail.

My Thoughts on the matter

I think that the administration should have anticipated this. The rules of engagement clearly state that they would attempt to make a physical entry at three locations, and that they could do this at any time of the day. The two Coalfire employees who were arrested had no nefarious or criminal intent. Criminal intent (mens rea) has to be proven to convict a person of a criminal act. Justin Wynn and Gary Demercurio were conducting a contracted work assignment, not a criminal act. Also, I don’t agree with Senator Tony Bisignano’s statement that this could have been accomplished less covertly, which is laughable. Most criminals try to be as covert as possible to avoid detection and arrest. His comments hold no actual reasoning or legal basis and are seemingly only political grandstanding. Penetration testing done correctly many times has to be done covertly. Covert testing pushes the existing defenses that are in place to their limits. It is essential to detect deficiencies and blind spots, and it is done without any extraordinary countermeasures being put in place that ordinarily would not be present. My take on the question as to state governments having the power to contract companies to perform assessments of any kind on county/town systems is that I believe they do. Most courts hold protected state and federal documents, including arrest and conviction records. The storage, dissemination, and maintenance of these documents are regulated by state and federal law, giving the state the authority to inspect and/or test that these laws are being followed. The only caveat I have with how this assessment took place is that someone should have been informed at the courthouses. If just one or two people had been notified to establish a point of contact at each courthouse, it would have changed the way that this case is being discussed.

Evan Mikulski

Sources

All quotes and information have been derived from:

https://www.desmoinesregister.com/story/news/crime-and-courts/2019/09/19/iowa-state-senator-calls-oversight-committee-investigate-courthouse-break-ins-crime-polk-dallas/2374576001/

https://www.desmoinesregister.com/story/news/crime-and-courts/2019/09/11/men-arrested-burglary-dallas-county-iowa-courthouse-hired-judicial-branch-test-security-ia-crime/2292295001/

https://www.iowacourts.gov/announcements/state-court-administration-statement/

https://www.iowacourts.gov/static/media/cms/Social_Engr_D58D70423AAF3.pdf

https://www.iowacourts.gov/static/media/cms/Rules_of_Engag_E9D807B3D13D3.pdf

https://www.iowacourts.gov/static/media/cms/Requirements_and_Assumptions_F765B6EBC7379.pdf

https://www.iowacourts.gov/static/media/cms/Service_Order__Redacted_581A59C144331.pdf

https://www.iowacourts.gov/static/media/cms/Master_Agreement__Redacted_8645A99317B38.pdf

Fired Chicago Schools Employee Causes Data Breach

Recently, a temporary worker at Chicago Public Schools was fired from her job and is alleged to have stolen a personal database in retaliation. The database contained the information of approximately 70,000 people. The stolen information included names, employee ID numbers, phone numbers, addresses, birth dates, criminal histories, and any records associating individuals with the Department of Children and Family Services.

She allegedly copied the database and then deleted it from Chicago Public Schools’ system. Those affected by this breach included employees, volunteers, and others affiliated with Chicago Public Schools. Luckily, the breach was discovered before any information was used or spread in any way by the former employee. The individual is now being charged with one felony count of aggravated computer tampering/disrupting service and four counts of identity theft.

This incident illustrates an essential point about computer security: no matter how many security measures are put in place to guard a system, somebody, like a disgruntled employee, can still cause a breach. The lesson is to keep a close eye on employees, especially those who show red flags, and to be careful about which data and databases each employee is authorized to use, view, and modify.
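The two lessons above, limiting what each account is authorized to do and watching for red-flag activity, as an added example that is not part of the original post or of Chicago Public Schools’ systems. It runs two defender-side checks over a constructed roster and audit log (every name, role, date, permission set, and log line below is invented for illustration): a least-privilege comparison of the permissions an account actually holds against what its role allows, and a detection rule for a bulk export or read of a dataset followed shortly by its deletion, noting whether the account's owner had already been terminated at the time.

```python
"""
Added example (not from the original post): two checks a defender would want
after an incident like the one described.

  1. Least privilege: does any account hold permissions beyond its role?
  2. Detection: did an account bulk-read/export a dataset and then delete it,
     and was the account's owner already terminated when it happened?

All names, roles, dates, permissions and log lines below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed HR roster: role per account and the termination time, if any.
ROSTER = {
    "tmp_worker_01": {"role": "temp_clerk", "terminated": datetime(2019, 9, 10, 17, 0)},
    "dba_02":        {"role": "db_admin",   "terminated": None},
}

# Assumed least-privilege policy (not the district's): what each role may do.
ROLE_PERMISSIONS = {
    "temp_clerk": {"read"},
    "db_admin":   {"read", "write", "delete", "export"},
}

# Constructed grants as actually configured on the database.
ACTUAL_GRANTS = {
    "tmp_worker_01": {"read", "export", "delete"},   # over-privileged temp account
    "dba_02":        {"read", "write", "delete", "export"},
}

# Constructed audit log: "<iso timestamp> <user> <action> <object> rows=<n>"
AUDIT_LOG = """\
2019-09-10T16:40:00 tmp_worker_01 read personnel_db rows=120
2019-09-11T08:02:11 tmp_worker_01 export personnel_db rows=70000
2019-09-11T08:05:47 tmp_worker_01 delete personnel_db rows=70000
2019-09-11T09:15:00 dba_02 read personnel_db rows=15
"""

BULK_THRESHOLD = 10000               # rows; at or above this counts as a bulk pull
DELETE_WINDOW = timedelta(hours=1)   # bulk pull followed by delete within this window


def parse_audit_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, obj, rows = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "object": obj,
            "rows": int(rows.split("=", 1)[1]),
        })
    return events


def excess_privileges(roster, role_permissions, actual_grants):
    """Return {user: permissions the user's role does not allow} for over-privileged accounts."""
    findings = {}
    for user, grants in actual_grants.items():
        allowed = role_permissions.get(roster[user]["role"], set())
        extra = grants - allowed
        if extra:
            findings[user] = extra
    return findings


def detect_exfil_then_delete(events, roster):
    """Flag users who bulk-export/read an object and delete it within DELETE_WINDOW.
    Each finding records whether the pull happened after the account's termination."""
    findings = []
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user[ev["user"]].append(ev)
    for user, evs in by_user.items():
        for i, ev in enumerate(evs):
            if ev["action"] in ("export", "read") and ev["rows"] >= BULK_THRESHOLD:
                for later in evs[i + 1:]:
                    if (later["action"] == "delete" and later["object"] == ev["object"]
                            and later["ts"] - ev["ts"] <= DELETE_WINDOW):
                        term = roster.get(user, {}).get("terminated")
                        findings.append({
                            "user": user,
                            "object": ev["object"],
                            "rows": ev["rows"],
                            "after_termination": term is not None and ev["ts"] > term,
                        })
                        break
    return findings


if __name__ == "__main__":
    print("Over-privileged accounts:", excess_privileges(ROSTER, ROLE_PERMISSIONS, ACTUAL_GRANTS))
    print("Exfil-then-delete findings:", detect_exfil_then_delete(parse_audit_log(AUDIT_LOG), ROSTER))
```

On the constructed data the first check reports that the temp account holds export and delete rights its role never needed, and the second flags the 70,000-row export followed three minutes later by a delete, on an account whose owner had been terminated the previous evening. Either finding alone would have been worth an alert; the point is that the first is preventive (the grant should never have existed) while the second is detective (the account should have been disabled on termination, and the pattern caught regardless).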

Written by: Craig Gebo

Source: https://www.securitymagazine.com/articles/89553-fired-chicago-schools-employee-causes-data-breach