Category Archives: Legal

EARN-IT Act – Only Outlaws Will Have Strong Encryption

O P I N I O N

Full disclosure:  it will be obvious which side of the conversation I am on pretty quickly.

The FBI has been trying to ban end to end encryption – any encryption that they can’t break at will – for decades now.  They charged Phil Zimmerman with crimes and almost convicted back in the 90s.  The battle is still going on.

For years the FBI has been using the flag of national security to try and ban encryption, but it hasn’t worked.  Part of the Patriot Act which was implemented after 9-11 required telephone providers to provide metadata of all phone calls to the NSA so that they could search for terrorists.  After a while it was required that the phone companies themselves store the data.  Currently that provision has expired.  In part because it was revealed that the government spent $100 million on the program and it only generated two leads;  one of which didn’t pan out.  The other of which they already knew about.

So now the FBI and their friends are trying a different tactic.  If terrorism didn’t work, how about waving the banner of kiddie porn.  After all, EVERYONE is against kiddie porn.  Of course, I am not aware of anyone who is pro terrorism.

On the foundation of kiddie porn was built a bill, sponsored by Senator Lindsay Graham (R-SC) and supported by a few other Senators who want to appear to be strong against kiddie porn (it looks good on campaign posters, of course).

The bill, called EARN-IT, basically says that online service providers will lose protections that they currently have against being sued for content that their customers create (yes, really) if they do not implement some security standards that have not been defined.  And won’t be until years after the bill would become law.  That’s right the bill would impose requirements that won’t be defined for years after this bill would become law.

The plan is that the bill would create a commission that would make recommendations to the Attorney General and some others and the AG could accept those recommendations or change them any way he wants.  Of course, AB Barr is strongly against encryption, so we understand what will happen here.  Then, if service providers don’t implement these undefined rules, they will lose their immunity from being sued for content that they didn’t create.

BUT WE HAVE TO PROTECT THE KIDS.

Of course we don’t know if this bill will pass – given today’s politics it is a crap shoot.

But people need to understand the goal of the bill.  It is to ban any communications that the government can’t read.  TO PROTECT THE KIDS.

Surely you want to protect the kids.  Oh you don’t?  You probably shouldn’t be in office.  There is no way any politician could possibly win that battle because the public doesn’t have the patience to understand a deeply technical conversation.

Large companies like Google and Facebook **MIGHT** possibly be willing to fight the government and they have deep enough pockets to do that, but almost no one else does.  As a result, everyone else will have to create a back door so the feds can read everything that you do online.

But think about this for a minute.

Crooks don’t generally follow the law.  That’s why we call them criminals.  So they will use software that comes from some other country that doesn’t have a backdoor.  Of course that will stop the feds from reading the communications of the people that they are trying to stop.  BUT IT IS ABOUT THE KIDS.  EVERYONE WANTS TO PROTECT THE KIDS.

Of course, as soon as you put a backdoor in the communications, China will demand that providers give them the keys.  So will Russia and a whole bunch of other unsavory characters.

Does anyone really think that Facebook (or whoever) is going to stand up to China and say OK, if you want our encryption keys, we won’t do business in your country.  Fat chance.  They will say that they had to because the follow the laws in the countries that they are in and since a quarter of the world’s population is in China, guess who will get the encryption keys.  I seem to recall something in the news that people are unhappy that Zoom encryption keys wound up in China last week.  Well if this law passes, those keys will be in China and a bunch of other places forever.

Signal, the encrypted messaging app that is used by tens of millions of people including politicians, said that they will stop doing business in the United States if this bill becomes law.  They can’t afford the risk.  Everyone else is in it to make a buck so if they have to compromise everyone’s privacy and it gets some people killed in unsavory parts of the world, then it is okay.  They didn’t have a choice.

Of course the bad guys in countries like Russia and China and 50 others will use software without encryption backdoors, so we won’t be able to read their stuff anyway.

Note:  AG Barr doesn’t like calling backdoors BACKDOORS.  That term is so unsavory.  He prefers a much more sanitized term – lawful access.  Because if it is lawful, then it is okay.  BECAUSE IT IS ABOUT THE KIDS.

Of course, the people who are into kiddie porn will just use other encryption methods that don’t have backdoors, but the stupid ones will not and they might get caught.  Then the feds can say look how wonderful we are.  Of course the pros won’t get caught.

And even if they don’t catch anyone significant, they will make U.S. software companies less competitive in the world marketplace.  After all, will companies in other countries want to secure their sensitive information with encryption that the U.S. can read.  Entire countries have already banned ZOOM for just that reason.  The good news is that this will create an opportunity for companies in other countries to take business and jobs away from the U.S.  That is a sub-objective, right?

On the other hand, other countries like this idea, so some of them could follow in the U.S.’s footsteps.

Probably the most infuriating part of the bill to me (my opinion of course) is that the Congress is abdicating its responsibility by creating this commission instead of specifying the standards.  THAT WAY WHEN THE COMMISSION BANS ENCRYPTION THEY CAN SAY “IT WASN’T ME;  IT WAS THEM”.  Plausible deniability.

If this is such a good idea, define the rules now.  Debate them.  And put them into the law.

Of course if they did that, they couldn’t hide behind that smokescreen.

The bill as it is written now even has some poison pill provisions in it.  If the commission doesn’t approve some rules within a specified time period, the online service providers lose their immunity automatically and if that happens, there is nothing that they can do to get it back because there are no approved rules to follow to “earn” their protections back.

Don’t get me wrong.  I am not a fan of kiddie porn, but the reality here is that this has nothing at all to do with protecting the children and everything about getting back at the Silicon Valley companies that the current administration does not like.

For more information on the bill, check out Bruce Schneier’s column, Bitcoin magazine, The Register and the EFF.

Facebooktwitterredditlinkedinmailby feather

White House Envisions US Leading Global 5G Development

The White House last month released a document called the National Strategy to Secure 5G.

This SIX PAGE document is a little light on details, but like your 10 year old who is assigned homework, the Secure 5G and Beyond Act requires the President to turn in his homework and he did.

So what would the White House like to do?  Four items:

  • Facilitating the domestic roll-out of 5G
  • Assessing the security risks and core principles for infrastructure
  • Managing those economic and security risks
  • Promoting responsible global development and deployment of the 5G infrastructure

These goals, of course, are wonderful.  But how do you actually do it?

Ernst & Young is estimating that China will spend $223 billion just in capital for 5G between 2019 and 2025.

By comparison, Verizon’s total capital expenditure for everything – not just 5G – is estimated to be around $17 billion this year.

The problem is that a lot of that is to buy so-called spectrum, which is likely free in China.  Verizon spent $3.4 billion to buy spectrum last year.  AT&T spent $2.4 billion.  That comes out of the total budget.

The FCC has a plan called Fast 5G which is supposed to help the carriers by allowing them to buy more spectrum.

Beyond that, we are back to the 10 year old’s homework.

The paper says: To that end, the government will work with the private sector to “identify, develop and apply core security principles — best practices in cybersecurity, supply chain risk management, and public safety — to United States 5G infrastructure.”

For the third bullet (managing risk), it says that the White House will develop or identify supply chain risk management standards and practices and will try to stop U.S. businesses from selling technology or the companies themselves to “foreign adversaries” (AKA China).  On a very superficial basis, it reduces risk by forcing China to steal our tech rather than to sell it to them, but so far, that strategy has only been mildly effective.  It also forces China to spend their money with our allies instead of with us or, worst case for them, to have to develop it themselves.

To cover the last bullet, the White House plans to work with other countries to lead the development of 5G technologies.  Two likely candidates might have been Nokia and Motorola, but both of them sold off their cellular business.  I’m not sure who is really left.

Bottom line, the White House complied with the law to produce a document, but really does not have a plan.  In fact, given our current desire to isolate ourselves, it is not clear what friends we really have in this game.

Plus, we need to figure out where we (translate U.S. cellular carriers) come up with hundreds of billions of dollars that will be needed to play catch up.  If China is going to spend $200 billion and is ahead of us, we might need to spend $400 billion.  Or more.   The new law did not come with bags of cash.  Source: CSO Online

Of course the temporary total contraction of the U.S. economy during 2020 doesn’t help much.  The only good news in that is that the pandemic is affecting China in a similar way, possibly worse, but we don’t really know.

Then there is the issue of public support.  In England 5G cell towers were set ablaze after reports of 5G being linked to the Coronavirus.  In China, if you complain they just shoot you.

Finally, there is the problem of “backhaul” which means getting the signal from the cell tower on the light pole on your block back to the Internet.  This is not a simple problem and the amount of bandwidth needed is staggering.

Bottom line, the White House turned in their homework paper, but that won’t really help very much.  This is not a simple problem and the world’s current economic woes are not helping.  Source: CSO Online

Facebooktwitterredditlinkedinmailby feather

Security News for the Week Ending April 3, 2020

DoD Concerned Covid Will Cause US IP Loss

In an interesting analysis, Ellen Lord, DoD’s top acquisition official, is concerned that foreign interests (including unfriendly foreign interests) will buy or invest in small U.S. defense subs and steal our tech.  In theory CFIUS and FRRMA should make that harder as the government has the right to nix buyouts if they think they will hurt us, but first they have to know about it.  With Covid potentially impacting the stability of these small companies, the government has its work cut out for it.  Source: Defense Systems

Violating a Web Site’s Terms of Service: Hacking or Not?

The Computer Fraud and Abuse Act (CFAA) was written long before the Internet, but leave it to aggressive prosecutors and companies to use it in a way that was never intended.  But the various federal courts can’t seem to figure out how to interpret it.  The DC federal court has just ruled that using a web site with a legally obtained user account in a way that may violate the web site owner’s terms of service is not hacking and cannot be prosecuted under the CFAA.  Since about half of the federal courts have ruled in each direction on this issue, it is likely to make it up to the Supremes.  This is important both for web site operators and security researchers. Source: Ars Technica

Zoom Does Not Support End to End Encryption, Despite Claims that it Does

In some of Zoom’s documentation, as well as in the client, Zoom says that it supports end to end encryption, but in fact, it does not, at least when video is involved.  I am sure now that it has come out that they lied on their web site, they will likely get sued.  If you think about it, given that they have the ability to record your call, there is no way that it can be end to end encrypted.  The video is encrypted between their data center and you, which is probably good enough for 99% of the planet.  This also means that the fuzz can listen into your call.  Moral of the story, if you are doing something illegal. Or classified.  Don’t discuss it on a public video conference (or audio) service.  There are ways to really do end to end encryption and I have set them up before, but they are neither cheap nor simple.  Source: The Intercept

DoJ Inspector General Says FISA Court Requests Are Suspect

The Department of Justice’s Inspector General says that the FBI has not followed the rules when applying for secret FISA warrants over the last five years.  Given that the whole process is secret, it is not surprising that it is flawed.  Any time the government operates outside the light of day, the opportunity for abuse is there and now, the DoJ IG is questioning 700 warrant requests made over the last 5 years.  The court is basically a rubber stamp since there is no “other side” to any request.  This came to light when Carter Page, a Trump campaign advisor, was the subject of a FISA court wiretap.  This is also at the core of the fight between the House and Senate over the renewal of certain parts of FISA that expired last month.  Source: The Register

California AG Revises CCPA Regulations Again

As the deadline set by the legislature for the enforcement of CCPA lurches closer (July 1), the AG has revised the proposed regulations again.  Among the changes are a re-expansion of the definition of personal information, privacy notice guidance, instructions on responding to data subject requests, clarification/restriction of service provider use of information and a minor clarification of the definition of financial incentives.   See the assessment from law firm ReedSmith here and a copy of the again revised regs here.

Facebooktwitterredditlinkedinmailby feather

Magically, Carriers Can Stop Spam Robo Calls

For years U.S. telephone carriers have said that they can’t stop spam callers.  Truth is that they make a lot of money from either sending or receiving these calls, so they had zero incentive to figure out a way to stop it.

The problem would decrease a lot if you could believe the information that caller ID was providing you because you could (a) tell if you knew the person who was calling you and (b) you could not answer calls if you didn’t recognize the number.

How many times have you received a call that shows with the area code and exchange (the first 6 digits of a phone number) that looks like it came from your neighborhood.

Caller ID was created decades ago and has zero security in it.    Add to that the fact that adding security costs money to the carriers with no added revenue and you can see why they haven’t done anything about it.

But Congress passed the TRACED Act late last year and this gives the FCC more power to go after phone spammers, it extends the statute of limitations for DoJ to go after spammers and it requires carriers to add security to Caller ID at no cost to subscribers.  It also allows the FCC to fine carriers for first offenses, something the FCC cannot do in most cases.

Magically, when the carriers figured out that they might get fined or even prosecuted, it only took them a couple of months to design at least a partial solution.  This is one of those cases where we don’t want perfect to get in the way of good.

Since most calls are now digital, the current plan, called SHAKEN/STIR, requires Caller ID info to be digitally signed at the source and digitally checked at the destination.

I noticed a couple of months ago that Verizon is now flagging calls as potential spam and is giving me the option to mark any call that I receive as potential spam.  Interesting what happens when the money equation changes.

The FCC *JUST* released rules that require carriers to implement SHAKEN/STIR on the digital portion of their network (such as cell phones) by June 30th of next year.  There is a one year delay for small carriers that may not be able to financially get it done by that date.

Then carriers have to deal with the old analog phone calls.

So while this is far from perfect, the big spammers are all digital because they need to make thousands of calls a hour in order to be profitable crooks.  This new regulation should significantly help this problem.

As long as the FCC keeps the pressure up on the carriers, things should improve over the next couple of years.

Source: ZDNet

Facebooktwitterredditlinkedinmailby feather

Regulators Update Cyber Security Regs for Electric Utilities

Very few of my readers run electric utilities – those are the ones that these regulations apply to directly.

Then there are folks who are suppliers to utilities.  And suppliers to those suppliers.  The new regs require that utilities have a decent vendor cyber risk management program.  That increases the pool of interested parties a bit.

Then there are those folks who use electricity and would appreciate it if their lights stay on.  Except for those who run their own wind or solar farms, that is the rest of us.

And of course, last, but not least, there are other regulators who are going to watch and say “hey, that sounds like a good regulation;  I think I will adopt it for people who do business in my industry or my state”.

So what is in the new regs?

The regulator is NERC – The North American Electric Reliability Corporation.  NERC is a quasi-governmental agency that sets forth standards for the electric utilities to follow.  They call the rules Critical Infrastructure Protection (CIP).

Note that I am only going to touch on the tip of the regulatory iceberg here, but I will give you a link to all of the CIP regs at the end in case you want to steal some of their ideas.

CIP 005-6 Electronic Security Perimeter

Note all the leading zeros in the rule number.  Room for up to a thousand rules.  Plus the sub-rules.  That’s pretty scary.

This rule adds detailed requirements for firewalls, DMZs and network segmentation.  Probably a good idea for everyone.   This includes a requirement to be able to know how many active vendor remote sessions you have (as opposed to employees) and have a way to disable them.  Again, probably a good idea for everyone.

CIP 010-3 Configuration Change Management and Vulnerability Assessments

Again, change control and vulnerability assessments should be things that everyone is doing anyway.  One thing this requires is that you be able to validate that every piece of software in your supply chain.  Can you do that?  Do you even know what software is in your supply chain.  Think of this as software bill of materials (BOM) on steroids.  Once you do know what software is in your supply chain then that helps with vulnerability assessments.  But how do you “validate” each piece of software?  They suggest with crypto checksums for everything.  Ask Equifax.  It is not as easy as it sounds.

CIP 013-1 Supply chain risk management

This may well be the most complex part.  Most companies have a lot of suppliers.  Big companies have thousands.  Small companies have hundreds.  The number of vendors is amazing.  They require a written program and remember, those vendors have vendors.  And the whole process has to be signed off on by an executive who’s head is on the proverbial chopping block.

Check these CIPs out and see if any of them make sense to you.  Then adopt them.

All of NERC’s CIP standards can be found here.

And, just in case you are thinking this is just some private regulator with no clout.  Last year they fined an unnamed regulator (which everyone knows is Duke Energy) $10 million for violating the rules.

Facebooktwitterredditlinkedinmailby feather

What Happens When Your Fintech Provider Gets Hacked?

Fintech is a term, that refers, loosely, to all of those companies that want to “help” you manage your financial data in the cloud and are not banks.  Examples are Mint, Chime, Credit Karma, Coinbase, Kabbage and hundreds of others.  Fintech can also include service providers to banks.

Here is the problem.

Fintechs are not banks.  Banks are regulated.  For the most part, fintechs are not regulated.

Okay, so why am I talking about this?  Today?

Finastra provides a wide range of tech solutions to the banking industry and apparently operates as an online service provider.

On Friday they announced that they were shutting down key systems but did not say why.

Finastra is not a startup.  They have 10,000 employees and 9,000 customers  in 130 countries, including nearly all of the top 50 banks globally.

So you would think their security is pretty good.

Just not good enough.

Initially they said that they saw “anomalous activity” so they shut down systems to protect themselves.

That was a couple of days ago.  Today they said it was ransomware.

So what does all this mean?

Well, a couple of things.  People are using more fintech technology.  Mobile apps.  Data aggregators.  Many other things.

These apps and web sites have your financial data.

Maybe they have decent security.  Maybe not.  For the most part, they are not regulated.

The ones that are under contract with your local bank, like Finestra, are likely better than many because banks like Chase and Wells and other top 50 banks know that it is THEIR reputation that is going to take a hit if one of their vendors gets hacked.  I know;  I was one of those vendors and they take the problem very seriously.

Finestra has been less than forthcoming with what is going on.  Many ransomware variants steal data in addition to encrypting it.  Was this one of those?  We don’t know.

In this case, their disaster recovery strategy apparently worked out reasonably well because they have already started bringing systems back up.  Likely, as a $2 billion company they probably have “cold sites” – data centers with hardware in them but powered off, just for situations like this.  These data centers are off line in addition to being powered off.  As a result, they are virtually impossible to infect with ransomware – at least until they are brought online.

Obviously, for your bank, this is very important.  For your bank, it is both inconvenient and embarrassing to tell a client who walks into a branch or logs on online “gee, our systems are down; come back another day”.

Moving back to consumer grade fintech, the problem is, if they are hacked, for example, is the security of your bank account compromised?  Could a hacker empty your bank account?

If a hacker breaks into your bank and steals your money, almost always, as a consumer, federal law forces the bank to eat the loss.  Even if the bank fails and goes out of business, consumer deposits of up to $250,000 per consumer are guaranteed by one of many parts of the federal government.

Under this scenario, the law requires the bank to give you back your money now and figure out what happened later.

This is not the case with fintechs.  You could be arguing for a while.  Worst case, you might have to sue them.  You might not win in court.  It could take years to sort out.

We have already seen this with some of the cryptocurrency exchanges that have been hacked.  They don’t have the money or the insurance to make their clients whole.  They file for bankruptcy and you are just another unsecured creditor.

All this does not mean that you should not use financial technology and keep your money in your mattress.

It does mean, however, that you should be smart.  Understand the risk.  Protect yourself. Become knowledgeable about the solutions you choose to use.

BECAUSE THE LAW IS WAY BEHIND – AND I MEAN WAY BEHIND – ON THIS.

Just sayin’.

Source: Brian Krebs

Facebooktwitterredditlinkedinmailby feather