Tag Archives: FISA Court

Friday News

FDA Begins Process to Change Patching of Medical Devices

The Food and Drug Administration is beginning to understand that its 19th-century strategy, which requires manufacturers to recertify their products every time they apply a patch, only leads to the devices being hacked – which they are being, regularly.  The FDA has also asked Congress for more authority to manage the cyber security process, including creating a cyber advisory board.  It is talking about requiring medical device makers to integrate patchability into device design.  Lastly, it is considering requiring manufacturers to provide the FDA with a software bill of materials at submission time.  Note that mostly, this is talk, so expect this process to take years.  In the meantime, medical device security will be right behind baby monitor security (Source: Health IT Security).

Hey Alexa, Are You Hacked?  Again?

Checkmarx researchers built a proof-of-concept attack using Amazon Echo “skills”, the extensions that allow third parties to add features to an Echo.  Until the exploits were patched earlier this month, an attacker would have been able to capture and transcribe every word you said within range of an Echo.  Glad they are the good guys.  The moral is that with convenience comes risk.  You have to decide what your acceptable level of risk is (Source: Threatpost).

For Drupal Users is the Third Time a Charm?

For the third time in just a few weeks, Drupal has pushed out a critical patch for all versions.  This patch is a follow-on to Drupalgeddon 2, a vulnerability that allows a hacker to take over the server and, if the attacked server can talk to other servers on the network, use the compromised server as a launchpad for further attacks.  Just in case anyone has forgotten, this is exactly what allowed the Equifax breach – a forgotten patch in the Apache Struts web framework.  If you have not applied this patch along with the other two, today is a good day to do that, since there are active exploits for this vulnerability in the wild (Source: The Register).

Ever Wonder if Hotel Keycard Locks are Safe?

Well, wonder no more.  Later this month, at a security conference, researchers are scheduled to disclose a security vulnerability in older generation Vingcard locks, covering a million rooms in over a hundred thousand hotels.  The attack takes about a minute and creates a master key for the entire hotel.  The bad news is that there really is nothing that you, as a guest, can do about it.  Assa Abloy, which makes the locks, has created a fix, but the fix has to be downloaded and manually deployed to each individual room lock, so many hotels likely have not done this labor-intensive task (Source: Wired).

FISA Court Denies More Requests in Last Year than in Entire History

The secret FISA court that approves classified snooping requests for the FBI and NSA turned down 26 requests in full last year and 50 requests in part.  That compares to 21 denials from the court’s founding in 1976 through the end of the Obama presidency.  Out of 1,100+ requests last year, that is still a small number, but it is an indication of a higher level of review (Source: ZDNet).


Government Forced Tech Companies To Hand Over Source Code and Private Keys

Unlike the very public fight between the FBI and Apple, the U.S. Government has made many quiet attempts to force tech companies to turn over source code and private encryption keys.

In some cases, this was done via civil cases sealed by the court, but in other cases it was done via a secret order from a secret court, an order that in many cases the CEO or Board of the company cannot be told about.

According to ZDNet, their source has “direct knowledge” but can’t be named as the information revealed is likely classified.

The source said that the tech companies are losing their cases in the FISA court “most of the time”.

The Justice Department did admit that they have demanded source code and private encryption keys before, so that seems to validate what the source told the media.

One very public case was that of Lavabit, which decided to shut down its service and erase its disks rather than turn over the information.

The spokesman for the Justice Department declined to answer the question about whether they would demand source code and encryption keys in the future.

While I doubt the Justice Department would give that source code or keys to a rival, it is certainly possible that the code could be hacked.  After all, sensitive information in government custody has been hacked on numerous occasions.

Depending on how the encryption is implemented, revealing the keys MAY allow the government to decrypt information captured in the past.  There are ways to mitigate that, but most companies don’t use them.  Many companies, such as Google and Microsoft, among others, want to be able to decrypt your data so that they can serve up better ads for you.
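To make that point concrete, here is an added illustration (not code from the original post) of a passive observer recording sessions and later obtaining the server’s long-term key.  It assumes the mitigation alluded to above is forward secrecy, i.e. fresh per-session Diffie-Hellman keys; the group, stream cipher and sample message are constructed toy values, far too weak for real traffic.

```python
"""Toy model of whether a leaked long-term key exposes recorded past traffic.
Added illustration, not code from the original post; toy group, toy cipher."""
import hashlib
import secrets

P = (1 << 127) - 1   # Mersenne prime 2^127-1: constructed toy group, far too small
G = 3

def kdf(shared_secret: int) -> bytes:
    """Derive a 32-byte session key from the Diffie-Hellman shared value."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()

def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with a SHA-256(key || block counter) keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def run_session(server_longterm_priv: int, forward_secret: bool, message: bytes) -> dict:
    """A client sends `message` to the server; returns what a passive observer records."""
    client_priv = secrets.randbelow(P - 2) + 1
    client_pub = pow(G, client_priv, P)
    if forward_secret:
        # Ephemeral server key: fresh every session and discarded afterwards.
        server_priv = secrets.randbelow(P - 2) + 1
    else:
        # Static server key: the same long-term secret protects every session.
        server_priv = server_longterm_priv
    server_pub = pow(G, server_priv, P)
    key = kdf(pow(server_pub, client_priv, P))  # g^(client*server) mod P
    return {"client_pub": client_pub, "server_pub": server_pub,
            "ciphertext": stream_xor(key, message)}

def decrypt_recording(recording: dict, leaked_longterm_priv: int) -> bytes:
    """Holder of the leaked long-term key tries to decrypt a recorded session."""
    key = kdf(pow(recording["client_pub"], leaked_longterm_priv, P))
    return stream_xor(key, recording["ciphertext"])

if __name__ == "__main__":
    longterm = secrets.randbelow(P - 2) + 1
    msg = b"constructed sample: patient record 4711"
    static = run_session(longterm, False, msg)
    ephemeral = run_session(longterm, True, msg)
    # Years later the long-term key leaks and the recordings are replayed.
    print("static key, recording decrypts:   ", decrypt_recording(static, longterm) == msg)
    print("ephemeral key, recording decrypts:", decrypt_recording(ephemeral, longterm) == msg)
```

With the static key every recorded session decrypts once the key leaks; with per-session keys the leaked secret yields garbage, because the ephemeral server exponent was never stored anywhere.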

The Justice Department might use that source code to create a fake honeypot web site to lure in a suspect, or it might use it to look for security holes in order to obtain information.  It is unlikely that the government would tell that company if it did find any security holes.

While most of the tech companies contacted by ZDNet refused to comment, Cisco did say that it has not and will not hand over source code to any customers, especially governments.

IBM said that the company does not provide source code or encryption keys to the NSA or any other government agency for the purpose of accessing client data (emphasis added).  IBM would not say if source code had been handed over to the government for any other reason.

Apple said in court recently that it has never revealed its iOS source code to any government.  I am not sure what that means about OS X.  That document was related to a concern that Apple had agreed to security checks from China, including turning over source code.

FISA Court orders are so secretive that only those people necessary to execute the order may be told about it and that may not include the C-Suite or the Board.

Documents leaked by Edward Snowden certainly indicate that companies seem to cooperate with the feds in placing backdoors in their code and then go “Oh, My!” when the backdoors are discovered.

Depending on your level of paranoia, you will need to make your own decisions regarding protecting yourself, but I would certainly suggest that if the vendor has the encryption key, it is likely that they would turn it over to the government if asked.  Whether they would do the same for foreign governments is less clear, but certainly of concern.

Information for this post came from ZDNet.

Senate Passes USA Freedom Act

UPDATED: 02 Jun 2015 2216 EDT

The Senate, in a 67-32 vote, passed the same bill it was unable to pass before going on vacation, restoring some of the expired provisions of the Patriot Act.  The bill now goes to President Obama, who said he would sign it.

Gone is the bulk collection of phone records, replaced with much more targeted collection; also added are changes to the super secret FISA court.

UPDATE:

President Obama has already signed the bill into law, just a few hours after the Senate passed it (see CNN article).

The fight over the bill came between the House Republicans, who wanted to rein in the NSA, and the Senate Republicans, who wanted to actually give the NSA even more power.  Mitch McConnell, who led the fight in the Senate for more NSA powers, wound up being the big loser in this case.  He got nothing that he fought for, had the NSA waste needless money winding down and then restarting its data collection operations, and got the same bill approved that was handed to him weeks ago.

What does the USA Freedom Act provide?

First, it provides a six month transition period where business runs as usual – just like before Section 215 expired.  Sort of.

The NSA still needs to go back to the FISA court and ask permission to start collecting data again.  This would be a slam dunk if it were not for the decision from the Second Circuit Court of Appeals (see here) that ruled that what the NSA was doing did not comply with what Section 215 said – which is what some people have been saying ever since the NSA’s collection program was revealed.  The decision of the appeals court is not binding on the FISA court, but if the NSA does start up the data collection again, the plaintiffs in that case could ask the Second Circuit for a stay, or they could go to the guys in the black robes in DC – the Supremes – and no, I don’t mean the musical group.

Ultimately, what the USA Freedom Act requires is that the NSA must ask the FISA court for a targeted warrant, which will allow it to get the data it wants from the phone companies.  This depends on whether the phone companies can show, in the next six months, that they can collect, store and produce the data requested by the NSA.  Otherwise, things stay as is.

Analysis of the details of the USA Freedom Act will no doubt take days or weeks, but one provision is clear – that the NSA has to request data for a specific person, organization or device and only if they convince the FISA court that the person is associated with a foreign power or terrorist group (see here).

The bill will also allow tech companies to talk more about how much data they are turning over, require the NSA to talk more about how much data they are collecting, allow civil liberty advocates to lobby the FISA court and require major decisions of the court to be declassified.