#1 Source for Leaks Around the World!

Archive for the ‘Science & Technology’ Category

Google, Microsoft & Yahoo Execs Back CISPA Through Trade Group

In CISPA, News, Politics, Science & Technology, USA on April 15, 2013 at 4:17 AM

04/13/2013

A tech trade group whose guiding lights include executives from Google, Microsoft, and Yahoo sent a letter to Congress this week in support of CISPA — the Cyber Intelligence Sharing and Protection Act — proposed cybersecurity legislation that’s raised privacy concerns among groups such as the American Civil Liberties Union.

The letter, from TechNet President Rey Ramsey, is addressed to the leaders of the House Intelligence Committee — Rep. Mike Rogers (R-Mich.) and Rep. Dutch Ruppersberger (D-Md.) — and commends the committee for providing liability protections to companies that would share data under CISPA and for making an effort to strengthen privacy protections in the legislation.

CISPA is designed, its supporters have said, to protect against foreign cyberthreats by allowing private companies to voluntarily share data with government intelligence agencies without fear of being taken to court over privacy issues.

CNET’s Declan McCullagh has noted that under existing federal law, any person or company who helps someone “intercept any wire, oral, or electronic communication” — unless specifically authorized by law — could face criminal charges, but that CISPA would overrule those privacy protections.

Tech trade groups, and some tech companies, are backing CISPA not because they necessarily adore it, but because they view it as preferable to a competing bill that’s more regulatory.

Ramsey’s letter includes the membership roster of TechNet’s Executive Council, with names such as Yahoo’s Marissa Mayer, Google’s Eric Schmidt, and Microsoft General Counsel Brad Smith. It says CISPA “recognizes the need for effective cybersecurity legislation that encourages voluntary, bi-directional, real time sharing of actionable cyberthreat information to protect networks,” but it implies that further work may be needed.

“As the legislative process unfolds,” the letter says, “we look forward to continuing the dialogue with you and your colleagues on further privacy protections, including discussions on the role of a civilian interface for information sharing.”

Beltway blog The Hill, which reported on the letter earlier, notes that privacy advocates want to see CISPA amended so a civilian agency such as the Department of Homeland Security would receive cyberthreat data first, before passing it on to an intelligence body such as the National Security Agency.

The ACLU has written that in its current form CISPA “empowers the military, including agencies like the NSA, to collect the Internet records of Americans’ everyday Internet use” and that “It is a long-established principle that the military is not permitted to spy on Americans.”

The primary reason CISPA is so contentious is that it overrides every other state and federal law on the books, including laws dealing with e-mail privacy, when authorizing companies to share data with the federal government. Data that can be shared includes broad categories of information relating to security vulnerabilities, network uptime, intrusion attempts, and denial-of-service attacks, with no limit on including personal data.

The House Intelligence committee, however, dismisses privacy fears. A “Myth v. Fact” paper (PDF) prepared by the committee says any claim that “this legislation creates a wide-ranging government surveillance program” is a myth.

CISPA won the committee’s approval this week, without several proposed privacy amendments, including one that would have limited the sharing of private sector data to civilian agencies and would have specifically excluded the NSA and the Defense Department.

The committee’s decision advances CISPA to the House floor, with a vote expected as soon as next week. It’s a difficult vote to handicap: it could be a reprise of last year, when members approved the legislation by a vote of 248 to 168. On the other hand, if only 40 members switch their votes from yea to nay, CISPA is defeated.

Last time around, a formal veto threat by President Obama a day before the House vote helped galvanize Democratic opposition — Democrats preferred their own legislation, which had a different set of privacy problems. But the White House has not responded to an anti-CISPA petition that topped 100,000 signatures a month ago, and the president’s recent signature on a cybersecurity executive order may mean the administration’s position on legislation has shifted.

Here’s the text of Ramsey’s TechNet letter, as published by The Hill:

April 10, 2013

The Honorable Mike Rogers
The Honorable Dutch Ruppersberger
U.S. House of Representatives
Washington, D.C. 20515

Representatives Rogers and Ruppersberger:

TechNet, the bipartisan policy and political network of technology CEOs that promotes the growth of the innovation economy, commends you for your work on cybersecurity and writes to express our support of H.R. 624, the “Cyber Intelligence Sharing and Protection Act of 2013.”

This bill recognizes the need for effective cybersecurity legislation that encourages voluntary, bi-directional, real time sharing of actionable cyberthreat information to protect networks. We commend the Committee for providing liability protections to companies participating in voluntary information-sharing and applaud the Committee’s efforts to work with a wide range of stakeholders to address issues such as strengthening privacy protections. As the legislative process unfolds, we look forward to continuing the dialogue with you and your colleagues on further privacy protections, including discussions on the role of a civilian interface for information sharing. The information technology industry has provided leadership, resources, innovation, and stewardship in every aspect of cybersecurity for more than 25 years, as ultimately, innovation is the most important tool in America’s cybersecurity toolbox. TechNet appreciates your continued attention to this important issue and the strong leadership that you have provided.

Sincerely,
Rey Ramsey
President & CEO
TechNet

Via CNET

Related Link: CISPA: Who’s For It And Who’s Against It

No Warrant, No Problem: How The Government Can Still Get Your Digital Data

In News, NWO, Science & Technology, Police State, Big Brother, USA, FISA, Politics, DHS, FBI, OpBigBrother, CIA, CISPA on April 15, 2013 at 12:06 AM

04/12/2013

The U.S. government isn’t allowed to wiretap American citizens without a warrant from a judge. But there are plenty of legal ways for law enforcement, from the local sheriff to the FBI to the Internal Revenue Service, to snoop on the digital trails you create every day. Authorities can often obtain your emails and texts by going to Google or AT&T with a simple subpoena. Usually you won’t even be notified.

Two senators introduced legislation last month to update privacy protection for emails, but the bill remains in committee. Meantime, here’s how law enforcement can track you without a warrant now:

PHONE RECORDS: Who You Called, When You Called

Listening to your phone calls without a judge’s warrant is illegal if you’re a U.S. citizen. But police don’t need a warrant — which requires showing “probable cause” of a crime — to get just the numbers you called and when you called them, as well as incoming calls, from phone carriers. Instead, police can get courts to sign off on a subpoena, which only requires that the data they’re after is relevant to an investigation — a lesser standard of evidence.

Police can get phone records without a warrant thanks to Smith v. Maryland, a Supreme Court ruling in 1979, which found that the Constitution’s Fourth Amendment protection against unreasonable search and seizure doesn’t apply to a list of phone numbers. The New York Times reported last week that New York’s police department “has quietly amassed a trove” of call records by routinely issuing subpoenas for them from phones that had been reported stolen. According to The Times, the records “could conceivably be used for any investigative purpose.”

LOCATION DATA: Your Phone Is a Tracker

Many cell phone carriers provide authorities with a phone’s location and may charge a fee for doing so. Cell towers track where your phone is at any moment; so can the GPS features in some smartphones. The major cell carriers, including Verizon and AT&T, responded to at least 1.3 million law enforcement requests for cell phone locations, text messages and other data in 2011. Internet service providers can also provide location data that tracks users via their computer’s IP address — a unique number assigned to each computer.

Many courts have ruled that police don’t need a warrant from a judge to get cell phone location data. They only have to show that, under the federal Electronic Communications Privacy Act (ECPA), the data contains “specific and articulable facts” related to an investigation — again, a lesser standard than probable cause. Delaware, Maryland and Oklahoma have proposed laws that would require police to obtain a warrant for location data; Gov. Jerry Brown of California, a Democrat, vetoed a similar bill last September. Last year, the Senate Judiciary Committee approved a bill championed by Sen. Patrick Leahy, a Vermont Democrat, which would have updated the ECPA but wouldn’t have changed how location data was treated. Leahy and Sen. Mike Lee, a Utah Republican, introduced a similar bill last month, which remains in committee. Rep. Zoe Lofgren, a California Democrat, introduced a separate bill in the House of Representatives last month that would require a warrant for location data as well as emails.

IP ADDRESSES: What Computers You Used

Google, Yahoo, Microsoft and other webmail providers accumulate massive amounts of data about our digital wanderings. A warrant is needed for access to some emails (see below), but not for the IP addresses of the computers used to log into your mail account or surf the Web. According to the American Civil Liberties Union, those records are kept for at least a year.

Police can thank U.S. v. Forrester, a case involving two men trying to set up a drug lab in California, for the ease of access. In the 2007 case, the government successfully argued that tracking IP addresses was no different than installing a device to track every telephone number dialed by a given phone (which is legal). Police only need a court to sign off on a subpoena certifying that the data they’re after is relevant to an investigation — the same standard as for cell phone records.

EMAILS: Messages You Sent Months Ago

There’s a double standard when it comes to email, one of the most requested types of data. A warrant is needed to get recent emails, but law enforcement can obtain older ones with only a subpoena. Google says it received 16,407 requests for data — including emails sent through its Gmail service — from U.S. law enforcement in 2012. And Microsoft, with its Outlook email service, disclosed last month that it had received 11,073 requests for data last year. Other email providers, such as Yahoo, have not made similar statistics available. In January, Google said that it would lobby in favor of greater protections for email.

This is another area where the ECPA comes into play. The law gives greater protection to recent messages than older ones, using a 180-day cutoff. Only a subpoena is required for emails older than that; otherwise, a warrant is necessary. This extends to authorities beyond the FBI and the police. I.R.S. documents released this week by the American Civil Liberties Union suggest that the I.R.S.’ Criminal Tax Division reads emails without obtaining a warrant. The bills introduced by Leahy and Lee in the Senate and Lofgren in the House would require a warrant for the authorities to get all emails regardless of age. The Justice Department, which had objected to such a change, said last month that it doesn’t any longer.

EMAIL DRAFTS: Drafts Are Different

Communicating through draft emails, à la David Petraeus and Paula Broadwell, seems sneaky. But drafts are actually easier for investigators to get than recently sent emails because the law treats them differently.

The ECPA distinguishes between communications — emails, texts, etc. — and stored electronic data. Draft emails fall into the latter, which get less protection under the law. Authorities need only a subpoena for them. The bills introduced by Leahy and Lee in the Senate and Lofgren in the House would change that by requiring a warrant to obtain email drafts.

TEXT MESSAGES: As With Emails, So With Texts

Investigators need only a subpoena, not a warrant, to get text messages more than 180 days old from a cell provider — the same standard as emails. Many carriers charge authorities a fee to provide texts and other information. For texts, Sprint charges $30, for example, while Verizon charges $50.

The ECPA also applies to text messages, according to Hanni Fakhoury, a lawyer with the Electronic Frontier Foundation, which is why the rules are similar to those governing emails. But the ECPA doesn’t apply when it comes to actually reading texts on someone’s phone rather than getting them from a carrier. State courts have split on the issue. Ohio’s Supreme Court has ruled that police need a warrant to view the contents of cell phones of people who’ve been arrested, including texts. But the California Supreme Court has said no warrant is needed. The U.S. Supreme Court in 2010 declined to clear up the matter.

CLOUD DATA: Documents, Photos, and Other Stuff Stored Online

Authorities typically need only a subpoena to get data from Google Drive, Dropbox, SkyDrive, and other services that allow users to store data on their servers, or “in the cloud,” as it’s known.

The law treats cloud data the same as draft emails — authorities don’t need a warrant to get it. But files that you’ve shared with others — say, a collaboration using Google Docs — might require a warrant under the ECPA if it’s considered “communication” rather than stored data. “That’s a very hard rule to apply,” says Greg Nojeim, a senior counsel with the Center for Democracy & Technology. “It actually makes no sense for the way we communicate today.”

SOCIAL MEDIA: The New Privacy Frontier

When it comes to sites like Facebook, Twitter and LinkedIn, the social networks’ privacy policies dictate how cooperative they are in handing over users’ data. Facebook says it requires a warrant from a judge to disclose a user’s “messages, photos, videos, wall posts, and location information.” But it will supply basic information, such as a user’s email address or the IP addresses of the computers from which someone recently accessed an account, under a subpoena. Twitter reported in July that it had received 679 requests for user information from U.S. authorities during the first six months of 2012. Twitter says that “non-public information about Twitter users is not released except as lawfully required by appropriate legal process such as a subpoena, court order, or other valid legal process.”

Courts haven’t issued a definitive ruling on social media. In September, a Manhattan Criminal Court judge upheld a prosecutor’s subpoena for information from Twitter about an Occupy Wall Street protester arrested on the Brooklyn Bridge in 2011. It was the first time a judge had allowed prosecutors to use a subpoena to get information from Twitter rather than forcing them to get a warrant; the case is ongoing.

Via ProPublica

Related Links:

NSA Whistleblower: Everyone in U.S. Under Virtual Surveillance

Intelligence Officials Evade Questions on Domestic Surveillance

CISPA Infographic

Senate Approves FISA Extension, Warrantless Wiretapping Continues

Google Says the FBI is Secretly Spying on Some of Its Customers

DOJ Asks Judge to Dismiss Suit Over Secret Surveillance Court Opinions

“Going Dark”: What’s So Wrong With the Government’s Plan to Tap Our Internet?

FBI to Monitor Online Chats in Real-Time by 2014

Microsoft, Too, Says FBI Secretly Surveilling Its Customers

FBI Documents Shine Light on Clandestine Cellphone Tracking Tool “Stingray”

DOJ Emails Show Feds Routinely Using Cell Phone Tracking Tool “Stingray”, Hiding It From Judges

FBI Sued Over Secretive Mass Surveillance Program

Facial Recognition & GPS Tracking: TrapWire Company Conducting Even More Surveillance

FBI OWS Documents: Spying, “Domestic Terrorists” & Assassination Plots

New FOIA Documents Reveal DHS Spying on Peaceful Demonstrations and Activists

DHS Built Domestic Surveillance Tech Into Predator Drones

Fusion Center Director: We Don’t Spy on All Americans, Just Anti-Government Americans

New Documents Show IRS Reads Americans’ Emails Without Warrants

CIA’s Chief Tech Officer on Big Data: We Try to Collect Everything and Hang Onto It Forever

Amazon Reportedly Building $600M Cloud for the CIA

Shodan: The “Dark Google”

In News, Science & Technology on April 13, 2013 at 5:49 AM

 

04/08/2013

“When people don’t see stuff on Google, they think no one can find it. That’s not true.”

That’s according to John Matherly, creator of Shodan, the scariest search engine on the Internet.

Unlike Google, which crawls the Web looking for websites, Shodan navigates the Internet’s back channels. It’s a kind of “dark” Google, looking for the servers, webcams, printers, routers and all the other stuff that is connected to and makes up the Internet.

Shodan runs 24/7 and collects information on about 500 million connected devices and services each month.

It’s stunning what can be found with a simple search on Shodan. Countless traffic lights, security cameras, home automation devices and heating systems are connected to the Internet and easy to spot.

Shodan searchers have found control systems for a water park, a gas station, a hotel wine cooler and a crematorium. Cybersecurity researchers have even located command and control systems for nuclear power plants and a particle-accelerating cyclotron by using Shodan.

What’s really noteworthy about Shodan’s ability to find all of this — and what makes Shodan so scary — is that very few of those devices have any kind of security built into them.

“It’s a massive security failure,” said HD Moore, chief security officer of Rapid7, who operates a private version of a Shodan-like database for his own research purposes.

A quick search for “default password” reveals countless printers, servers and system control devices that use “admin” as their user name and “1234” as their password. Many more connected systems require no credentials at all — all you need is a Web browser to connect to them.

In a talk given at last year’s Defcon cybersecurity conference, independent security penetration tester Dan Tentler demonstrated how he used Shodan to find control systems for evaporative coolers, pressurized water heaters, and garage doors.

He found a car wash that could be turned on and off and a hockey rink in Denmark that could be defrosted with a click of a button. A city’s entire traffic control system was connected to the Internet and could be put into “test mode” with a single command entry. And he also found a control system for a hydroelectric plant in France with two turbines generating 3 megawatts each.

 

Scary stuff, if it got into the wrong hands.

“You could really do some serious damage with this,” Tentler said, in an understatement.

So why are all these devices connected with few safeguards? Some things that are designed to be connected to the Internet, such as door locks that can be controlled with your iPhone, are generally believed to be hard to find. Security is an afterthought.

A bigger issue is that many of these devices shouldn’t even be online at all. Companies will often buy systems that can enable them to control, say, a heating system with a computer. How do they connect the computer to the heating system? Rather than connect them directly, many IT departments just plug them both into a Web server, inadvertently sharing them with the rest of the world.

“Of course there’s no security on these things,” said Matherly, “They don’t belong on the Internet in the first place.”

The good news is that Shodan is almost exclusively used for good.

Matherly, who completed Shodan more than three years ago as a pet project, has limited searches to just 10 results without an account, and 50 with an account. If you want to see everything Shodan has to offer, Matherly requires more information about what you’re hoping to achieve — and a payment.

Penetration testers, security professionals, academic researchers and law enforcement agencies are the primary users of Shodan. Bad actors may use it as a starting point, Matherly admits. But he added that cybercriminals typically have access to botnets — large collections of infected computers — that are able to achieve the same task without detection.

To date, most cyberattacks have focused on stealing money and intellectual property. Bad guys haven’t yet tried to do harm by blowing up a building or killing the traffic lights in a city.

Security professionals are hoping to avoid that scenario by spotting these unsecured, connected devices and services using Shodan, and alerting those operating them that they’re vulnerable. In the meantime, there are too many terrifying things connected to the Internet with no security to speak of just waiting to be attacked.

Via CNN Money

“Aryayek Time Traveling Machine”: Iranian Scientist Claims to Have Invented Device That Can Predict the Future

In Iran, News, Science & Technology on April 13, 2013 at 4:32 AM

04/12/2013

An Iranian inventor claims to have created a ‘time machine’ that can predict a person’s future. He boasts that the device is relatively cheap, but says he has not built one yet because he fears that the Chinese will steal his idea.

Ali Razeghi, 27, has submitted his invention to the state-run Centre for Strategic Inventions for registration.

The device is called “The Aryayek Time Traveling Machine,” FARS news agency reported. Razeghi said he worked on his creation for the last 10 years, resulting in a desktop-computer-sized machine that can “predict five to eight years of the future life of any individual, with 98 percent accuracy.”

The man, who has 179 other inventions under his belt, eyes governmental applications for his prediction device with uses both civilian and military.

“Naturally a government that can see five years into the future would be able to prepare itself for challenges that might destabilize it,” he explained. “As such we expect to market this invention among states as well as individuals once we reach a mass-production stage.”

Razeghi also claimed to have beaten competitors working on similar devices: “The Americans are trying to make this invention by spending millions of dollars on it where I have already achieved it by a fraction of the cost.”

He added that he is concerned about industrial espionage, as other nations will be eager to learn his secrets. “The reason that we are not launching our prototype at this stage is that the Chinese will steal the idea and produce it in millions overnight,” he said.

The news has intrigued the English-language media. However, as the story went viral, the Fars news story became unavailable, and the link now shows an error page.

Predicting the future, even on relatively narrow issues, is a notoriously complex task. It usually requires creating an accurate computer model of a system that takes into account numerous factors, and often requires plenty of computational power. Predicting a future event in its entirety is virtually impossible with existing technology.

#OpIsrael: Hackers of the World Uniting Forces for Massive Cyber Attack on Israel

In Anonymous, Israel, News, OpIsrael, Palestine, Police Brutality, Police State, Politics, Science & Technology, World Revolution, Zionism on March 10, 2013 at 11:04 AM

03/10/2013

Hackers and hacktivists from all around the world are joining forces against Israel on April 7th, 2013 to launch a massive cyber attack on Israeli cyber space with the aim to erase it from the world wide

AnonGhost contacted The Hackers Post and HackRead with details on the new OpIsrael:

“We are uniting against the enemy in a unique way; we urge hackers from all over the world regardless of their color, religion and race to stand with us, support us and attack Israeli cyber space against the Zionist’s occupation of Palestinian land,”

“The hacking teams have decided to unite against Israel as one entity and that Israel should be getting prepared to be “erased” from the internet.

It’s not one Hacker, It’s not one Team, But Various Hackers, Various Teams from all over the World are participating in this Operation!

It’s gonna be the biggest ever operation launched against any country, It’s gonna be Huge!”

Hacktivist Groups/Teams Involved in #OpIsrael:

  • AnonGhost
  • Mauritania Hacker Team
  • Ajax Team
  • MLA (Muslim Liberation Army)
  • Moroccan Hackerz
  • Gaza Hacker Team & Gaza Security Team
  • Anonymous Syria
  • ZHC
  • The Hacker Army
  • X-BLACKERZ INC
  • Devil Zone Team
  • Moroccan Hackers
  • Algerian Hackers

Hacktivists Involved in #OpIsrael:

  • Mauritania Attacker (AnonGhost & Mauritania HaCker Team)
  • HUrr!c4nE (ajax Team)
  • Hitcher (MLA – Muslim Liberation Army)
  • SAW-19, X-Line, V!rus No!r (Moroccan Hackers)
  • Foxy, MR@T0RJAN (Gaza Hacker Team & Gaza Security Team)
  • PLiiiJl (Anonymous Syria)
  • ExDeaTH, Jihad (X-BLACKERZ INC)
  • DzPhoenix (Devil Zone Team)
  • Ouali Bouziad (Algerian Hacker)
  • Saber Dz (Algerian Hacker)
  • Dr.spam (Moroccan Hacker)
  • X-Line (Moroccan Hackers)
  • V!rus No!r (Moroccan Hackers)
  • SAW-19 (Moroccan Hackers)
  • Evil Dz Haxor

The Hackers Post spoke with some hackers participating in the operation:

ZHC:

“Yup we are participating.. Israel isn’t stopping human right violations. It’s to show solidarity with newly recognized Palestinian state”

Mauritania Hacker Team:

“Like I did before with Israel, Microsoft & Google Israel, their Banks and 150000 Facebook accounts. This time I’m back after a while and I united various Hackers because we are fighting for the same cause it’s Palestine and we will fight till the end no surrender!”

X-Line:

“I participate to this Op because it’s the duty of any human who believes in Freedom and I think that Moroccan HaCkers are very known from Israel so nothing changed, it is just the hell coming back to Israel.”

Jihad from X-BLACKERZ INC:

“Let’s give them a lesson, they will never forget.”

Hitcher from MLA (Muslim Liberation Army):

“It’s an attack on Israel Cyber space from Muslim hackers I always love to hack for the Cause and it’s chance to prove again myself as I did in past I am always always love to hack against Israel and from my team side I will take part in it and will spread the message what we want to deliver for me team doesn’t matter cause for hack matter list of few of my big Hack against Israel.”

As we have seen, the hacker Hitcher has been very active in #OpIsrael. He hacked 570+ sites, Israel’s Ministry of National Infrastructures, Jesus Holyland and other Israeli sites in support of Palestine.

#OpIsrael was started by Anonymous at the end of 2012 after Israel started intensifying its attacks against Palestine. Within a few hours of the operation launch, close to 100 websites were defaced, and a number of government sites had suffered temporary disruptions because of distributed denial-of-service (DDOS) attacks.

TANGO DOWN – 9000+ Israeli Gov. Websites Attacked Over 44 Million Times in 4 Days

35,000 Israeli Officials’ Personal Info Leaked

Israeli Vice PM’s Social Media Accounts Hacked, Personal Info Leaked

List of Pro-Zionist Websites Hacked by Anonymous

The operation became such a success that the Israeli government decided to launch its own Cyber Combat Training Program in order to educate its youth to secure its cyber space.