Tag Archives: CFAA

Security News for the Week Ending May 29, 2020

Hackers Have Access to iOS 14 Months Before You Will

Apple gives developers early prototypes of their new software so that Apple doesn’t have a disaster on its hands when the new software is released and user’s applications no longer work. Unfortunately, some developers sell those phones – or at least access to them – so that they can get unlocked copies of the OS to hack and reverse engineer. This is why hacks appear so quickly after the new versions are finally released. Credit: Vice

Reports: eBay is Scanning User’s Computers for Open Ports

Bleeping Computer tested reports that users who visit eBay’s web site have their Windows computers scanned for open ports. It is possible that they are looking for computers that are compromised and used to commit fraud. However, accessing a user’s computer like this likely violates the Justice Department’s interpretation of the Computer Fraud and Abuse Act, which is a felony, specifically because they did not ask for permission. That “interpretation” is now being reviewed by the Supreme Court. Expect lawsuits. Credit: Bleeping Computer

UK Says They Will Keep Contact Tracing Info for 20 Years

No big surprise here – I expected this. This is the downside of the “centralized” model for contact tracing apps.

According to the privacy notice attached to the UK’s new contact tracing app, data collected by the app will be stored for up to 20 years.

And, you have no right to have it deleted. Credit: Computing UK

Abandoned Apps May Pose a Security Risk to Mobile Devices

If you are like most people, you have a number of apps on your phone or tablet.

Question for you – whether you use every single one of those apps frequently or not – is how many of those apps are still supported by the developer? That includes the so-called “packages” that the app developer used to write that app.

The unsupported app – with bugs that have not be discovered or patched – can provide an avenue for exploit by hackers. For as long as those apps remain on your phone.

So while you are not using that app, hackers are trying to figure out how to exploit it. The risk is higher than you might think. Credit: Dark Reading

Security News for the Week Ending April 3, 2020

DoD Concerned Covid Will Cause US IP Loss

In an interesting analysis, Ellen Lord, DoD’s top acquisition official, is concerned that foreign interests (including unfriendly foreign interests) will buy or invest in small U.S. defense subs and steal our tech.  In theory CFIUS and FRRMA should make that harder as the government has the right to nix buyouts if they think they will hurt us, but first they have to know about it.  With Covid potentially impacting the stability of these small companies, the government has its work cut out for it.  Source: Defense Systems

Violating a Web Site’s Terms of Service: Hacking or Not?

The Computer Fraud and Abuse Act (CFAA) was written long before the Internet, but leave it to aggressive prosecutors and companies to use it in a way that was never intended.  But the various federal courts can’t seem to figure out how to interpret it.  The DC federal court has just ruled that using a web site with a legally obtained user account in a way that may violate the web site owner’s terms of service is not hacking and cannot be prosecuted under the CFAA.  Since about half of the federal courts have ruled in each direction on this issue, it is likely to make it up to the Supremes.  This is important both for web site operators and security researchers. Source: Ars Technica

Zoom Does Not Support End to End Encryption, Despite Claims that it Does

In some of Zoom’s documentation, as well as in the client, Zoom says that it supports end to end encryption, but in fact, it does not, at least when video is involved.  I am sure now that it has come out that they lied on their web site, they will likely get sued.  If you think about it, given that they have the ability to record your call, there is no way that it can be end to end encrypted.  The video is encrypted between their data center and you, which is probably good enough for 99% of the planet.  This also means that the fuzz can listen into your call.  Moral of the story, if you are doing something illegal. Or classified.  Don’t discuss it on a public video conference (or audio) service.  There are ways to really do end to end encryption and I have set them up before, but they are neither cheap nor simple.  Source: The Intercept

DoJ Inspector General Says FISA Court Requests Are Suspect

The Department of Justice’s Inspector General says that the FBI has not followed the rules when applying for secret FISA warrants over the last five years.  Given that the whole process is secret, it is not surprising that it is flawed.  Any time the government operates outside the light of day, the opportunity for abuse is there and now, the DoJ IG is questioning 700 warrant requests made over the last 5 years.  The court is basically a rubber stamp since there is no “other side” to any request.  This came to light when Carter Page, a Trump campaign advisor, was the subject of a FISA court wiretap.  This is also at the core of the fight between the House and Senate over the renewal of certain parts of FISA that expired last month.  Source: The Register

California AG Revises CCPA Regulations Again

As the deadline set by the legislature for the enforcement of CCPA lurches closer (July 1), the AG has revised the proposed regulations again.  Among the changes are a re-expansion of the definition of personal information, privacy notice guidance, instructions on responding to data subject requests, clarification/restriction of service provider use of information and a minor clarification of the definition of financial incentives.   See the assessment from law firm ReedSmith here and a copy of the again revised regs here.