For First Time Federal Judge Tosses Evidence Based On Stingray

A Federal judge in New York tossed evidence in a drug bust based on the use of a Stingray cell site simulator, but the devil is in the details.  To be clear, this is not about getting a warrant to use a Stingray and catching a drug dealer.  This is about lying to or omitting key facts from a Federal judge when asking that judge to sign a warrant.

For those of you who read my blog, you know that I have written about Stingray cell site simulators several times.  Those devices hoover up huge quantities of cell phone and text message traffic, and then the agency that collected it is free to go through that data – not just to find that one bad guy, but also to go on a fishing expedition to see what else might be there.  And, they get to keep all that data for as long as they want.

So what happened in New York?

The Feds were looking for a possible drug deal that was going to move large quantities of drugs from South America.  As part of their investigation, they received a wiretap warrant to monitor traffic between two suspected drug traffickers.  Curiously, the traffic that they were going to monitor was done on Blackberrys.  Until recently, we thought that Blackberrys were secure.  Then we found out that Blackberry was secretly intercepting Blackberry traffic without the hassle of pesky warrants and handing that over to anyone who asked (law enforcement agencies only, we assume).

Then the DEA asked for a warrant to get location information for the phone.  What they told the judge was that they were going to ask the cell provider for that information.  So far, so good.

They did, in fact, get that information from the provider, but that only told them that the phone in question was in the area of Broadway and 177th Street in Manhattan.

So what did the DEA do?  They decided, on their own and absent a judge’s approval – which I can guarantee 99% would have been granted – to use a Stingray to get better location information.

Using the Stingray, they located the building and then the apartment where that phone was likely located.  The agents then knocked on the door and the suspect’s father let them in and consented to a search.

Ultimately, they found a kilo of coke and eight cell phones.  Certainly, not a massive amount of drugs, but also, just as certainly, not a personal use amount.

In the past, some courts have ruled that with any data that you give to a third party (such as Microsoft, Google or your cell phone carrier), you revoke your right to privacy because you gave that information to someone else.  In some cases, lawyers have used that third party theory to justify using a Stingray.

This judge, however, said that Stingrays are different.  This is not data that you gave to anyone.  Since there is no third party involved (like Google or Verizon), the third party doctrine does not apply.

The government has not said whether they will appeal the case or not.  Historically, the government has kept a pretty low profile on Stingray cases, even to the extent of dismissing charges rather than explain to a judge what a Stingray does, so it is unclear if they will open their kimono this time.

And this case is not even about drugs.  It is about following the law and not hiding from the courts and the public what, exactly, law enforcement officials are doing.

Curiously, the week after this guy was arrested, the Department of Justice changed their own rules and said, yes, we will ask for a warrant before we use a Stingray.  That decision doesn’t affect this case, however.

However this case ends and whatever happens to this drug dealer, this is another example of the changing rules on using Stingrays as judges begin to read the news and understand what they are, because, it seems, they are not getting that information from prosecutors.

Stay tuned for more details.

Information for this post came from Ars Technica.


Update Your iPhones and Macs to Fix This HUUUGE Bug

About a year ago, Android users were fighting something called the Stagefright bug.  Buried deep in the bowels of the operating system was a series of bugs that would allow an attacker to send you a specially crafted text message and take over your Android phone.  Stagefright affected close to a billion phones in the worst case scenario, but more likely about half that number – still a HUUUGE problem.

This week it is Apple’s turn. Cisco’s security research arm, Talos, discovered what is really a similar problem to Stagefright.  All an attacker needs is your phone number – likely not hard to get.  Then they send a specially crafted iMessage or MMS message.

The bug could also be exploited via Safari by getting the user to visit a malicious web site.

In any case, no user interaction is required.

So what can the attack do for the hacker?

Nothing important.  Just leak your authentication credentials stored in memory to the hacker.  Forbes says this includes any credentials the target is using in the browser such as website credentials or email logins.

Due to other security mechanisms in the iPhone, the attacker can’t completely take over the phone, but this is sufficiently bad.  Apparently, on a Mac, the problem is worse because the Mac sandbox works differently.

And, this even affects WatchOS.

In addition to this bug, the researchers at Talos also found a memory corruption bug.

And a security engineer at Salesforce found a flaw in FaceTime that would allow hackers who were located on the same network as the user (i.e., they came from outside but already compromised some other PC on your network) to spy on your FaceTime conversations.  Apple says “an attacker in a privileged network position” (which they don’t define) “may be able to cause a call to continue transmitting audio while appearing as if the call was hung up.”

In total, 43 bugs were fixed in the new version of iOS.

If you are not running iOS 9.3.3, which was released on July 18th, or OS X El Capitan 10.11.6, released on the same day, you should update now.

Given the complexity of computers and phones these days, it is not completely surprising that serious bugs are found.  This means we need to make sure that researchers are not hampered by Washington’s lack of understanding of technology – but that is a whole ‘nother post.

Like Stagefright, these bugs affect all versions of iOS before the one that was released 4 days ago.

According to Apple, 14% of iPhones run iOS 8 or earlier.  Likely these are older phones that might not be able to run iOS 9 for some reason.  Those phones will never be patched unless they upgrade to iOS 9.  Talk about a ‘target rich environment’.  That represents close to a hundred million phones that may never be patched – like older Android phones.

How many of the more than 1 billion iPhones are running a version of iOS older than 4 days ago?  Likely a large number.  Probably several hundred million.

This just reinforces the fact that we really need to figure out, with the billions of phones and tablets out there, how to get people to upgrade to the MOST CURRENT version of the OS.  That means that old phones need to be crushed and melted.  I know people don’t want to spend the money to replace phones that still function, but the alternative is to use a phone with bugs that allow attackers to, in this case, steal your passwords.  I guess you could sell your old unsupported phone on eBay and make it someone else’s problem 🙂

Information for this post came from Forbes and Quartz.


Health and Human Services Issues New Guidance on Ransomware

The U.S. Department of Health and Human Services Office of Civil Rights, the government entity that manages the privacy of health care information that you share with doctors and others, has issued new guidance on ransomware.

While technically, it only applies to organizations that they regulate, in reality, almost everything they said applies equally to all businesses.

The U.S. Government says that, on average, there have been 4,000 daily ransomware attacks, a 300% INCREASE over last year.

They say that businesses should:

(a) Conduct a risk analysis to identify threats and vulnerabilities.  In the case of HHS OCR, they are only worried about protecting health information, but in reality, every business should be conducting a risk analysis at least annually.

(b) Once you have conducted a risk analysis you need to create a plan to mitigate or remediate those risks and then execute that plan.

(c) Implement procedures to safeguard against malicious software (like ransomware).

(d) Train ALL users on detecting malicious software and what to do if they detect it or accidentally click on something.

(e) Limit access to information to only those people with a need for it and, if possible, grant them read-only access.  Ransomware can’t encrypt files that it doesn’t have write access to.

At least one ransomware attack that I am familiar with became a full blown crisis because a user had write access to a whole bunch of network shares and they ALL got encrypted.  Not a good day at that non-profit.

(f) Create and maintain an overall incident response plan that includes disaster recovery, business continuity, frequent backups and periodic full drill exercises.
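As an added illustration of item (e), not part of the HHS guidance or this post: a small Python check over file-share ACLs (constructed sample data) that lists which shares ransomware running under a given user’s account could encrypt, flags catch-all groups that have been granted write access, and shows how the blast radius shrinks once those grants are made read-only.

```python
"""Ransomware blast-radius check for file-share permissions.

Added example, not code from the HHS guidance or the blog post. It models
the point in item (e): ransomware running as a user can only encrypt what
that user's account can write. Share names, groups and users below are
constructed sample data, not real systems.
"""

# Constructed sample: which groups each user belongs to.
GROUPS = {
    "alice": {"Domain Users", "Finance"},
    "bob": {"Domain Users", "IT-Admins"},
    "carol": {"Domain Users"},
}

# Constructed sample: per-share ACL as {principal: set of rights}.
# A principal is either a user name or a group name.
SHARES = {
    "\\\\fs01\\finance": {"Finance": {"read", "write"}, "Domain Users": {"read"}},
    "\\\\fs01\\public": {"Domain Users": {"read", "write"}},
    "\\\\fs01\\research": {"Everyone": {"read", "write"}},
    "\\\\fs01\\backups": {"IT-Admins": {"read", "write"}},
}

# Catch-all principals: write access granted here reaches every account.
BROAD_PRINCIPALS = {"Everyone", "Domain Users", "Authenticated Users"}


def effective_rights(user: str, acl: dict) -> set:
    """Union of rights granted to the user directly, to its groups, and to Everyone."""
    principals = {user, "Everyone"} | GROUPS.get(user, set())
    rights = set()
    for principal, granted in acl.items():
        if principal in principals:
            rights |= granted
    return rights


def blast_radius(user: str, shares: dict = SHARES) -> list:
    """Shares whose files ransomware running as `user` could encrypt (write access)."""
    return sorted(s for s, acl in shares.items() if "write" in effective_rights(user, acl))


def broad_write_grants(shares: dict = SHARES) -> list:
    """(share, principal) pairs where a catch-all group has write: the first thing to fix."""
    return sorted((s, p) for s, acl in shares.items() for p, r in acl.items()
                  if p in BROAD_PRINCIPALS and "write" in r)


def least_privilege(shares: dict = SHARES) -> dict:
    """Copy of the ACLs with write stripped from catch-all groups (read-only instead)."""
    return {s: {p: (r - {"write"} if p in BROAD_PRINCIPALS else set(r)) for p, r in acl.items()}
            for s, acl in shares.items()}


if __name__ == "__main__":
    for u in GROUPS:
        print(u, "could encrypt:", blast_radius(u))
    print("broad write grants to remove:", broad_write_grants())
    for u in GROUPS:
        print(u, "after read-only fix:", blast_radius(u, least_privilege()))
```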

There is a lot of language that ties the specifics of what they recommend to the HIPAA/HITECH regulations, which is important if you are a covered entity or business associate, but even if you have no HIPAA information, these recommendations are right on.

If you are not doing all of these things today, you should consider making it a priority.  Ransomware is messy stuff, even if you have backups of everything.  Assuming you have not implemented a full disaster recovery/business continuity solution (and if you have not you have a lot of company), recovering from your backups is a very time consuming and labor intensive process and in the mean time, you are working off of pencil and paper.

Information for this post came from the Health and Human Services web site.


Majority of Businesses Lack Resources To Manage Cyber Threats

A recent Ponemon Institute study revealed what a lot of us have been saying for a long time.  Despite spending millions of dollars, 79 percent of the IT and IT security staff reported that their ability to identify and stop threats is either non-existent, ad hoc or inconsistently applied throughout the enterprise.

The companies participating in this study said that they were on the receiving end of at least one cyber attack per month and spent about $3 million a year to deal with them.

Other results include:

  • 59 percent said that protecting intellectual property is essential or very important to their company’s survival
  • Respondents said that they averaged 32 material cyber attacks a year.
  • 38 percent said that their security processes for monitoring the Internet and social media were non-existent; another 23 percent said they were ad hoc and 18 percent said they were inconsistently applied.
  • Over 60 percent of the security leaders – directors and above – said they did not have the tools they needed to monitor, analyze, understand and mitigate external threats.

What this report is saying is that the majority – in some cases three quarters – of the people assigned to protect company information and systems say that they do not have the ability to protect their companies.  That is a scary concept.

Certain industries are probably exceptions to this – the big banks (but not the smaller banks) and the Defense Department, for example.  This does not mean they don’t get breached.  It means that they have the budget for tools and people to try and stop them from getting breached.

While an unlimited budget is nice, it is also not necessary.  What is needed is for executive management – The C-Suite and the Board – to make protecting their companies a priority.  And then to make operational changes to the way those companies protect information.

It has been reported that when the security team went to Home Depot’s management to ask for more resources, they were told that Home Depot was in the business of selling hammers and how did spending money on cyber security help that.  My guess is if they could reconsider that decision now, they would probably give a different answer.

This risk is not going away.  It will likely get worse before it gets better.  Sorry to be the bearer of bad news.


Information for this post came from Security Magazine.


In Ongoing Battle over Email, Microsoft Wins This Round

Microsoft has been fighting with the U.S. Department of Justice since 2013, when the DoJ tried to get Microsoft to hand over data belonging to a user, stored exclusively in Ireland.  This case has gone back and forth in the courts since then.

The bottom line issue is whether a U.S. Court can force a U.S. based company to break foreign law because the U.S. Court says so.

In this case, the emails in question are stored in Ireland and Irish privacy law is pretty strict.  Microsoft says that they are absolutely willing to hand over the emails if the DoJ convinces an Irish court to issue a subpoena to the Microsoft Ireland subsidiary.  The DoJ, for whatever reason, doesn’t want to do that.  I suspect that they would like to create a precedent that U.S. law trumps Irish law in U.S. Courts.

Microsoft, pretending to be a friend of privacy when it suits them, is saying that they want to protect their user.  They may be more concerned about breaking Irish law and the penalties that come from that.

The EU General Data Protection Regulation, which goes into full effect in 2018, allows a country to fine a business up to 4% of their gross annual revenue for privacy violations.  That doesn’t mean that they have to or will, but they can.  For Microsoft, based on 2015 revenue of $93 billion, that means a POTENTIAL MAXIMUM fine of almost $4 billion.

A short summary of the 180+ page GDPR law is available at Deloitte’s web site, here.  Note that this appears to be a Dutch version of the site, so the notices about privacy and cookies are in Dutch, but the summary text is all in English.

Since 2013, this case has bounced around the courts.  Most recently, this month, the DoJ told the Second Circuit Court of Appeals that the Justice Department has the right to demand the emails of anyone, anywhere in the world from an email provider headquartered in the United States.

By logical extension, that means that China could demand emails of U.S. citizens from Google because their court said so.  I don’t think that U.S. courts would be thrilled about that quid pro quo.

The DoJ says that YOUR email is a business record OWNED by Microsoft, not you, hence they should be able to demand that Microsoft give them copies of their business records.  That is a pretty scary concept.  Two lower courts have ruled in favor of the DoJ.

What if those emails were letters and those letters were stored in an office in Ireland?  Would the U.S. DoJ be able to send a Marshal to Ireland, hand them the U.S. search warrant and expect to get those letters?

What if North Korea presented a search warrant to a U.S. company asking for some information on a customer?

As you can see, this gets messy quickly.

Microsoft wanted to make a ‘federal case’ over this and so they told the lower court to hold them in contempt for failing to turn over the emails.

It is important to understand that this is different from, say, the WhatsApp case in Brazil, where a Brazilian court put a freeze on $6 million of Facebook’s money because WhatsApp doesn’t have the decryption keys and therefore can’t give them the messages unencrypted.  Since WhatsApp doesn’t have any offices or presence in Brazil, they went after Facebook instead (Facebook owns WhatsApp).  In this case, Microsoft could, technically, turn over those emails in readable format.

But, if Microsoft chose to comply with this warrant, their business model would shrivel up and die.

What foreign company would do business with an American company if they knew that the U.S. government could demand that that U.S. business turn over the foreign company’s records, stored in that foreign country, totally bypassing the legal system in that country?

Currently, companies like Google and Microsoft deal with that by setting up subsidiaries in different countries and have users be customers of that local country subsidiary.

While I don’t even pretend to be a lawyer, even on the Internet, the concept here is called extraterritoriality, meaning that a government declares that their law applies in another country.  While a country can do that, absent the other country agreeing to that statement, the likelihood of the other country enforcing that law is very low.

Microsoft says that if the U.S. wants to go after data stored in foreign countries, that is fine.  What they need to do is pass a law that says that they claim that right and then negotiate treaties with each other country that they want to enforce it.  There are many examples of this today, but it is a complicated process.

For one thing, each other country will likely demand reciprocal rights and those countries will likely demand that those laws can only be enforced if they provide similar rights that the citizen in question has in their country.

In the Microsoft case, that means that, if there was a treaty in place, and if the U.S. provided the same protections as Irish law, then Ireland would honor the U.S. law.

Great Britain is trying this same gig with the proposed Snooper’s Charter bill currently in their parliament and while Britain might pass such a law, the likelihood of it being enforced in at least some other countries is basically zero.

For those of you who read this tome hoping I would tell you how it turned out – the appeals court ruled in Microsoft’s favor.

Whether the DoJ chooses to appeal this to the Supreme Court or wait until after the November elections and hope that Trump gets elected and stacks the court the way they would like, is unclear.  If Clinton gets elected it is unlikely that the DoJ would get the judge that they want.  In fact, whoever gets elected will likely control the slant of the court for decades to come and that is probably the most important issue related to the U.S. Presidential elections, bar none.

Paying Ransomware – Yes or No

IT World Canada ran an article the other day regarding the payment of ransom at the University of Calgary.  The piece is almost an editorial as the writer beat the University up for paying the ransom.

Here is the story that the article laid out. In June the University was infected with a “significant malware incident”.  Not clear what that means as the University is being pretty tight lipped about it. In any case, in an interview, Linda Dalgetty, VP of Finance at the University, said that the University chose to pay the ransom.  She said that paying the ransom was instrumental in helping the school recover after the attack.

The writer beat up the school because they were encouraging criminals to release ransomware into the wild and the University should be held to a higher standard than commercial business.  To be clear, they are encouraging the bad guys.

If I were going to beat the University up for something, it would be to ask how come their disaster recovery and business continuity plans weren’t up to handling this.  How come their backups were insufficient to the task of dealing with this.

And, oh, yeah, they said their cyber insurance didn’t cover extortion.  What, their insurance agent never heard of ransomware?

The University said that cost, in terms of lost staff time was the primary reason that they paid off the extortionists.

I am sure that somewhere in the U.S. or Canada, several times a day, the same decision is made.  Whether to pay the extortion or not, unfortunately, is typically a business decision and very rarely, a moral decision.

What is unclear is whether the writer, who was NOT employed by the school, would still want the school to refuse to pay if he found out that he was not going to get a paycheck for a month or two because the University stuck to its guns and did not pay the ransom.  Sony didn’t have working financial systems for almost three months after their attack, so that scenario is not far fetched.  Imagine if the University instead had to rebuild its financial systems, hire a number of temporary employees to rekey data into the system (assuming paper records even exist) and then check the integrity of the result.

Would he be okay if he was a researcher who lost 2 or 3 years of research as a result of this attack?

It is easy to second guess the decisions that management makes.  In fact, it is pretty much a national pastime in most countries, but those decisions are hard.

This is, yet again, another call to make sure that your incident response, disaster recovery and business continuity plans are written down, approved, implemented and tested on a regular basis.

THAT is the best way to handle ransomware.

For some organizations, if they had that kind of attack, they would spin up new virtual instances of the affected systems, roll back the data to a few minutes before the attack and move on.

Unfortunately, those organizations are few and far between.

For many organizations, that attack is an “ah, shucks!” moment as they realize that the backups that they need don’t exist or were not working at the time of the attack.

Information for this post came from ITWorld Canada.
