Category Archives: Law Enforcement

Russian cyber criminal targets elite Chicago law firms

Posted on April 15, 2016 | Leave a comment
russian-cyber-criminal-targets-elite-chicago-law-firms

Photo by ThinkStock

A Russian cyber criminal has targeted nearly 50 elite law firms, including four in Chicago, to collect confidential client information for financial gain.

The mastermind, a broker named “Oleras” living in Ukraine, has been attempting since January to hire hackers to break into the firms’ computer systems so he can trade on insider information, according to a Feb. 3 alert from Flashpoint, a New York threat intelligence firm.

Kirkland & Ellis, Sidley Austin, McDermott Will & Emery and Jenner & Block all were listed on a spreadsheet of potential marks. It named 46 of the country’s largest law firms, plus two members of the UK’s Magic Circle.

A spokeswoman for Flashpoint said the firm had notified law enforcement and declined to comment further.

The FBI was investigating as of March 4, when it published its own industry alert detailing the threat. The agency’s press office did not return a message seeking comment.

Kirkland was aware of the threat, and no client data was accessed, the firm’s chief information officer, Dan Nottke, said in an email. The firm subscribes to several security information-sharing services, including ones operated by the FBI and the Financial Services Information Sharing and Analysis Center, the cybersecurity information clearinghouse for the financial services industry.

Spokesmen for McDermott and Jenner declined to comment. Messages to Sidley seeking comment were not returned.

Law firms have largely trailed their clients in confronting the possibility of hackers accessing their networks for illegal profit. Though they hold vast repositories of confidential information, many firms are slow to adopt up-to-date defenses against malware and spyware, said Jay Kozie, principal at Keno Kozie Associates, a Chicago-based law firm technology consultancy.

“I’ve always been surprised, frankly, that the law firms have not been more aggressively targeted in the past,” he said. “If you’ve got confidential information about a merger or a patent, it’s going to be very valuable.”

In this latest scheme, Oleras posted on a cyber criminal forum a plan to infiltrate the law firms’ networks, then use keywords to locate drafts of merger agreements, letters of intent, confidentiality agreements and share purchase agreements. The list of targeted law firms also included names, email address and social media accounts for specific employees at the firms.

“Overall, Oleras wanted to know in advance which companies were going to be merged with the help of the stolen law firm documents and subsequently leverage this information to execute algorithmic insider trading activities,” the Flashpoint alert says, with the money then laundered through front companies in Belize and Cypriot bank accounts.

The broker hoped to recruit a black-hat hacker to handle the job’s technical aspects for $100,000, plus another 45,000 rubles (about $564). He offered to split the proceeds of any insider trading 50-50 after the first $1 million.

On Feb. 22, another Flashpoint alert noted that Oleras had singled out eight lawyers from top firms, including one from Kirkland’s management committee, for a sophisticated phishing attack. The phishing email appeared to originate from an assistant at trade journal Business Worldwide and asked to profile the lawyer for excellence in M&A.

Targeted Firms
A Russian cyber criminal has targeted 48 law firms, including four in Chicago.

Firm
Akin Gump Strauss Hauer & Feld
Allen & Overy
Baker & Hostetler
Baker Botts
Cadwalader Wickersham & Taft
Cleary Gottlieb Steen & Hamilton
Covington & Burling
Cravath Swaine & Moore
Davis Polk & Wardwell
Debevoise & Plimpton
Dechert
DLA Piper
Ellenoff Grossman & Schole
Freshfields Bruckhaus Deringer
Fried Frank Harris Shriver & Jacobson
Gibson Dunn & Crutcher
Goodwin Procter
Hogan Lovells
Hughes Hubbard & Reed
Jenner & Block
Jones Day
Kaye Scholer
Kirkland & Ellis
Kramer Levin Naftalis & Frankel
Latham & Watkins
McDermott Will & Emery
Milbank Tweed Hadley & McCloy
Morgan Lewis & Bockius
Morrison & Foerster
Nixon Peabody
Paul Hastings
Paul Weiss Rifkind Wharton & Garrison
Pillsbury Winthrop Shaw Pittman
Proskauer Rose
Ropes & Gray
Schulte Roth & Zabel
Seward & Kissel
Shearman & Sterling
Sidley Austin
Simpson Thacher & Bartlett
Skadden Arps Slate Meagher & Flom
Sullivan & Cromwell
Vinson & Elkins
Wachtell Lipton Rosen & Katz
Weil Gotshal & Manges
White & Case
Wilkie Farr & Gallagher

Source: Flashpoint Feb. 3 email alert

Leave a comment

Posted in Cyber Security, Data Breach, Hacking, Law Enforcement

Tagged , ,

Microsoft sues U.S. government over data requests

Posted on April 15, 2016 | Leave a comment

Microsoft

An important case to pay attention to:

SAN FRANCISCO (Reuters) – Microsoft Corp (MSFT.O) has sued the U.S. government for the right to tell its customers when a federal agency is looking at their emails, the latest in a series of clashes over privacy between the technology industry and Washington.

The lawsuit, filed on Thursday in federal court in Seattle, argues that the government is violating the U.S. Constitution by preventing Microsoft from notifying thousands of customers about government requests for their emails and other documents.

The government’s actions contravene the Fourth Amendment, which establishes the right for people and businesses to know if the government searches or seizes their property, the suit argues, and Microsoft’s First Amendment right to free speech.

The Department of Justice is reviewing the filing, spokeswoman Emily Pierce said.

Microsoft’s suit focuses on the storage of data on remote servers, rather than locally on people’s computers, which Microsoft says has provided a new opening for the government to access electronic data.

Using the Electronic Communications Privacy Act (ECPA), the government is increasingly directing investigations at the parties that store data in the so-called cloud, Microsoft says in the lawsuit. The 30-year-old law has long drawn scrutiny from technology companies and privacy advocates who say it was written before the rise of the commercial Internet and is therefore outdated.

“People do not give up their rights when they move their private information from physical storage to the cloud,” Microsoft says in the lawsuit. It adds that the government “has exploited the transition to cloud computing as a means of expanding its power to conduct secret investigations.”

SURVEILLANCE BATTLE

The lawsuit represents the newest front in the battle between technology companies and the U.S. government over how much private businesses should assist government surveillance.

By filing the suit, Microsoft is taking a more prominent role in that battle, dominated by Apple Inc (AAPL.O) in recent months due to the government’s efforts to get the company to write software to unlock an iPhone used by one of the shooters in a December massacre in San Bernardino, California.

Apple, backed by big technology companies including Microsoft, had complained that cooperating would turn businesses into arms of the state.

“Just as Apple was the company in the last case and we stood with Apple, we expect other tech companies to stand with us,” Microsoft’s Chief Legal Officer Brad Smith said in a phone interview after the suit was filed.

One security expert questioned Microsoft’s motivation and timing. Its lawsuit was “one hundred percent motivated by business interests” and timed to capitalize on new interest in customer privacy issues spurred in part by Apple’s dispute, said D.J. Rosenthal, a former White House cyber security official in the Obama administration.

As Microsoft’s Windows and other legacy software products are losing some traction in an increasingly mobile and Internet-centric computing environment, the company’s cloud-based business is taking on more importance. Chief Executive Satya Nadella’s describes Microsoft’s efforts as “mobile first, cloud first.”

Its customers have been asking the company about government surveillance, Smith said, suggesting that the issue could hurt Microsoft’s ability to win or keep cloud customers.

In its complaint, Microsoft says over the past 18 months it has received 5,624 legal orders under the ECPA, of which 2,576 prevented Microsoft from disclosing that the government is seeking customer data through warrants, subpoenas and other requests. Most of the ECPA requests apply to individuals, not companies, and provide no fixed end date to the secrecy provision, Microsoft said.

Microsoft and other companies won the right two years ago to disclose the number of government demands for data they receive. This case goes farther, requesting that it be allowed to notify individual businesses and people that the government is seeking information about them.

Increasingly, U.S. companies are under pressure to prove they are helping protect consumer privacy. The campaign gained momentum in the wake of revelations by former government contractor Edward Snowden in 2013 that the government routinely conducted extensive phone and Internet surveillance to a much greater degree than believed.

Late last year, after Reuters reported that Microsoft had not alerted customers, including leaders of China’s Tibetan and Uigher minorities, that their email was compromised by hackers operating from China, Microsoft said publicly it would adopt a policy of telling email customers when it believed their email had been hacked by a government.

The company’s lawsuit on Thursday comes a day after a U.S. congressional panel voted unanimously to advance a package of reforms to the ECPA.

Last-minute changes to the legislation removed an obligation for the government to notify a targeted user whose communications are being sought. Instead, the bill would require disclosure of a warrant only to a service provider, which retains the right to voluntarily notify users, unless a court grants a gag order.

It is unclear if the bill will advance through the Senate and become law this year.

Separately, Microsoft is fighting a U.S. government warrant to turn over data held in a server in Ireland, which the government argues is lawful under another part of the ECPA. Microsoft argues the government needs to go through a procedure outlined in a legal-assistance treaty between the U.S. and Ireland.

Twitter Inc (TWTR.N) is fighting a separate battle in federal court in Northern California over public disclosure of government requests for information on users.

The case is Microsoft Corp v United States Department of Justice et al in the United States District Court, Western District of Washington, No. 2:16-cv-00537.

Leave a comment

Posted in Big Data, Cyber Security, eDiscovery, Forensic, Law Enforcement, Public Cloud, Security

Tagged , ,

The end of the iPhone encryption case and the questions we must ask

Posted on March 29, 2016 | Leave a comment

Apple_FBI

It is official. The FBI has accessed the San Bernardino iPhone, and they didn’t need Apple’s help. To quote the court document, found at:

https://assets.documentcloud.org/documents/2778264/Apple-Status-Report.pdf

“Applicant United States of America, by and through its counsel of record, the United States Attorney for the Central District of California, hereby files this status report called for by the Court’s order issued on March 21, 2016. (CR 199.) The government has now successfully accessed the data stored on Farook’s iPhone and therefore no longer requires the assistance from Apple Inc. mandated by Court’s Order Compelling Apple Inc. to Assist Agents in Search dated February 16, 2016. Accordingly, the government hereby requests that
the Order Compelling Apple Inc. to Assist Agents in Search dated February 16, 2016 be vacated. ”

More questions than I can put down here come to mind, but here are a few:

Was the FBI genuine when it filed initially, claiming they had no way to access the San Bernardino iPhone without Apple’s help?

If they were not genuine, and that seems to be the prevailing view in the technical field, was this behaviour becoming, or acceptable, from law enforcement? The simplified timeline of this case was that the FBI sought their court order, Apple said they would fight it, public opinion turned on the FBI, it appeared the legal argument may not stand up to challenge, the FBI sought a stay in the case while they tested a new way to get into the phone themselves, they then came out with the above statement claiming they have accessed the phone and requested the order be vacated. At face value the fact that the stay was sought when it was seems very convenient.

Since the net result of this exercise has been nothing and worked out as if the FBI never went to court at all, Apple did not render assistance, the FBI got into the phone anyway, no legal precedent was set, was this a good use of taxpayer funds?

Will the FBI tell Apple how they got into the phone? If they won’t on national security grounds, is it acceptable that Apple customers are vulnerable to attacks that can happen in the wild due to some intangible threat that cannot be measured?

Did the FBI find anything of value?

What do dormant cyber pathogens look like?

http://arstechnica.com/tech-policy/2016/03/what-is-a-lying-dormant-cyber-pathogen-san-bernardino-da-wont-say/

It’s important we ask these questions, because if we don’t we run the risk of setting our own precedent, normalising dishonesty, vexatious use of the court system, wasting of taxpayer funds, leaving of the general public unsafe, and the utterance of wild claims, all in the name of national security.

National security should not be doing this to us.

Leave a comment

Posted in Cyber Security, Encryption, Forensic, Hacking, Law Enforcement

Tagged , ,

Mobile Forensics Firm to Help FBI Hack Shooter’s iPhone

Posted on March 28, 2016 | Leave a comment

Terrorist

Israel-based mobile forensics firm Cellebrite is believed to be the mysterious “outside party” that might be able to help the FBI hack the iPhone belonging to the San Bernardino shooter.

Israeli newspaper Yedioth Ahronoth broke the news, which appears to be confirmed by a $15,000 contract signed by the FBI with Cellebrite on March 21, the day when the agency announced that it may have found a way to crack Islamic Terrorist Syed Rizwan Farook’s iPhone without Apple’s help.

The FBI convinced a judge in mid-February to order Apple to create special software that would allow the law enforcement agency to brute-force the PIN on Farook’s iPhone 5C without the risk of destroying the data stored on it.

Apple, backed by several other technology giants, has been preparing to fight the order, which it believes would set a dangerous precedent.

Just as the US government and Apple were about to face each other in court, the FBI announced on Monday that it may no longer need Apple’s help in cracking the phone. Federal prosecutors later cancelled the hearing set for Tuesday, stating that the FBI will be aided by an unidentified “outside party.”

That “outside party” appears to be Cellebrite, which has been working with the FBI since 2013. The company’s website shows that it has assisted law enforcement investigations in several countries over the past period.

“Cellebrite mobile forensics solutions give access to and unlock the intelligence of mobile data sources to extend investigative capabilities, accelerate investigations, unify investigative teams and produce solid evidence,” the company writes on its official site.

Experts have suggested several methods that could be used to gain access to the data on the San Bernardino shooter’s iPhone, including ones involving acid and lasers, but they didn’t appear to be very practical.

After the FBI announced that it might have found a practical alternative, iOS forensics expert Jonathan Zdziarski published a blog post describing some of the likely methods that might be used to accomplish the task.

The expert believes the technique that will be used has likely already been developed, as the FBI says it only needs two weeks to test the proposed method.

Zdziarski believes the company that will aid the FBI will either use a software exploit or a hardware technique known as NAND mirroring.

“This is where the NAND chip is typically desoldered, dumped into a file (likely by a chip reader/programmer, which is like a cd burner for chips), and then copied so that if the device begins to wipe or delay after five or ten tries, they can just re-write the original image back to the chip,” the researcher explained. “It’s possible they’ve also made hardware modifications to their test devices to add a socket, allowing them to quickly switch chips out, or that they’re using hardware to simulate this chip so that they don’t have to.”

“My gut still tells me this is likely a NAND hardware technique. A software exploit doesn’t scale well. I know this because my older forensics tools used them, and it required slightly different bundles for every hardware and firmware combination. Some also work against certain versions, but not against others,” he noted.

Zdziarski believes that if the technique already exists, it has likely been sold privately for well over $1 million.

Leave a comment

Posted in Cyber Security, Data Breach, eDiscovery, Encryption, Hacking, Law Enforcement

Tagged , ,

Cyber fraud stops Kiss from rocking and rolling all night long

Posted on March 25, 2016 | Leave a comment
kiss_941780

Kiss was due to head the Moonstone festival.

The organizers of a huge music festival featuring more than 50 acts and slated to start April 30 was totally derailed by a cyberattack forcing the promoters to reschedule the event for later this summer.

The Orlando Music Festival Moonstone organizers have given out few details regarding exactly what happened, but in a press release the they said the postponement was due to a cyber incident.

“The date change is based on the company suffering from a major cyber fraud crime. An ongoing investigation in now in process — by local law enforcement and the FBI — of cyber fraud involving a major Tampa, Florida bank and other local businesses,” the organizers said on the festival’s Facebook page late last week.

Attempts by SCMagazine to reach the festival’s promoter via email and social media went unanswered. The show’s social media pages have not been updated since the decision was made to hold off on the show. An inquiry to the FBI office in Tampa, Fla., has also not yet been returned.

“Because of this situation, we know our attention to the inaugural Moonstone might suffer and we want to ensure an amazing experience for everyone who attends the festival in September,” said MOONSTONE Founder Paul Lovett, in a press release.

The show was to run from April 30 to May 1 at the Central Florida Fairgrounds & Exposition Park, but now will be held Sept. 25-26. The show was to be headlined by the likes of Kiss, Def Leppard and Queensryche, but the organizers said the postponed version will likely have a different line up.

Leave a comment

Posted in Data Breach, Hacking, Law Enforcement, Security

Tagged

Warning to HR Directors of Phishing Scam Seeking Employee W-2’s

Posted on March 21, 2016 | Leave a comment

W2

Peyton SmithWritten by:  Peyton Smith
Shareholder, Litigation Section, Labor & Employment Practice Group at Munsch Hardt Kopf & Harr PC

I was contacted this week by the Director of Human Resources for a technology client with a request for immediate assistance tied to a data breach that has unfortunately, becoming alarmingly too frequent during the first three months of 2016.   She had received an email from the President of her company at the end of her workday, noting that their senior leadership was working on salary, bonus and budget forecasting for their company and requesting that she send to him the W-2’s for key company personnel via PDF.  The email was written in his typical conversational style and was signed in the manner in which he signed all his internal emails.  Further, his reply email listed a return email address to his direct email account.  Before she sent the information or replied, she confirmed the email and signature block and verified with a Vice-President that she could forward the requested information.  Upon review of the email and messaging, the Vice-President authorized the production of the requested information and employee W-2’s. Feeling well protected, the HR Director sent the email and W-2’s requested.

The email was unfortunately a scam with a hacker who had copied the President’s email signature block, matched his communication and signature style, word-for-word, including creating a “ghost” over his correct email address to cloak the email address to appear to be for the intended recipient.  My client was fortunate since they caught the data breach quickly but the information was now in the hands of someone outside the company who clearly had less than honorable ideas with what to do with the information they had gathered. Furthermore, hundreds of employees now had their W-2 information, including their name, address, social security numbers and other confidential information, taken by a skilled hacker.

In addressing this issue with my client in recent days, we learned that this current phishing scam is incredibly popular right now.  The FBI and local law enforcement advised us that there have been more than 700 reported similar cases of hackers fraudulently securing employee W-2 information in the month of March 2016 alone. The hackers appear to be targeting companies with less than 3,000 employees and the email requesting W-2 and similar employee information is nearly always directed to the human resources contact at the targeted company. The IRS has recently released an alert warning employers of this scam and to alert them to be increasingly vigilant in protecting company and employee information.  (See  the following link as to the latest alert: https://www.irs.gov/uac/Newsroom/IRS-Alerts-Payroll-and-HR-Professionals-to-Phishing-Scheme-Involving-W2s)   “This is a new twist on an old scheme using the cover of the tax season and W-2 filings to try tricking people into sharing personal data. Now the criminals are focusing their schemes on company payroll departments,” said IRS Commissioner John Koskinen. “If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees.”

If you have not yet done so, employers are strongly encouraged to implement a proactive plan to decrease the risk of unauthorized disclosure of such information.  Each state has different requirements for employee protection and penalties which might be levied against employers for failing to implement appropriate safeguards for protecting employee confidential information, as well as the notice requirements in the event a data breach occurs.  In the event that a data breach occurs and confidential employee information has been accessed by unauthorized parties, employers should immediately address the issue with more aggressive internal safeguards, contact legal counsel regarding how best to strategically address internal and external legal ramifications of the breach, notify law enforcement (local and the FBI’s Cyber Crimes Division), and inform the IRS of the fraudulent access to employee social security numbers.  Simultaneously, employers have a duty to promptly inform employees of the breach and what increased protections have been put in place to decrease the risk of future data breaches.

In light of these concerns and the increased risk of hacking personal information, employers are also encouraged to review current insurance policies and to consider whether to purchase cyber insurance coverage. Additional security software for utilization by the human resources and accounting department might be a wise and worthy investment to consider as a deterrent to hacking vulnerability.  With the increased efforts of hackers seeking W-2 and other personal employee information, prudent employers will partner with their legal counsel to address such concerns prior to being a hacking victim.  When considering best practices in protecting employee information, employers should follow the adage  “the best defense is a good offense”.

Peyton N. Smith is a Shareholder in the Labor & Employment and Business Litigation practice groups at Munsch Hardt Kopf & Harr, P.C. and is based in the firm’s Austin office.

Leave a comment

Posted in Cyber Security, Data Breach, Hacks, Law Enforcement, Security

Tagged , ,

7 Tips From The FBI To Prepare Your Firm For A Cyber Attack

Posted on March 15, 2016 | Leave a comment

“In the past, the FBI wanted to operate in the shadows, but today’s Bureau is very different” said Jay F. Kramer, Supervisory Special Agent, Federal Bureau of Investigation, Cyber Division, New York Office. In an effort to make the FBI more approachable, Kramer recently provided an overview of the cybersecurity activities of the FBI at an event before hundreds of attorneys.

How does the FBI operate?

The Bureau investigates violations of federal law and significant threats to national security, making it uniquely situated to deal with today’s cybersecurity issues. In addition to being a law enforcement agency, the FBI is also a member of the US intelligence community. FBI’s mission is primarily domestic with 56 field offices across the United States, but it also has offices in 87 countries and shares intelligence and threats coming from overseas by distilling it down and packaging it at the lowest level classification possible to push it out to victims. These overseas relationships enable the Bureau to quickly respond to cyber threats by gaining access to servers, logs and data to help unravel some of these complicated cyber matters from around the world. “When it comes to cybersecurity, you’re never very far from an FBI office and from an actual person that can speak to you about issues that you’re having” Kramer said.

Here are some of the cybersecurity issues that the FBI is seeing:

    • Hacktivists use computers, beyond lawful means, to make political statements. These statements are typically about business practices they disapprove of. For example, “Anonymous”, a well-known hacktivist group, can shut down websites and social media accounts of targeted firms and individuals.
    • The US and businesses are systematically attacked by hackers sponsored by foreign governments for terrorism or to gain a competitive advantage.
    • Criminal enterprises use cyber to perpetuate old schemes, such as extortion. In the old days, organized crime would threaten the business owner directly, “Hey, listen, you’re either going to pay me or something’s going to happen here. There’s going to be a fire, brick going through your window. You’re going to be hurt personally”. With the advent of encryption technology, criminals can now gain a compromising foothold to lock down your systems. “The bad guy holds the private key to unlock it” said Kramer. Nowadays, the business owner gets an email that says “If you don’t give me 100 bitcoin, I’m going to delete your data.” The FBI doesn’t take a position on whether to pay the money or not, although it’s unlikely that the business will be able to defeat the encryption. So, the choice is to either pay or rely on back up data.
  • There are fraudsters who want to steal your personally identifiable information (PII) to empty out your bank account. More and more however, data has a value all of its own. Bad actors will infiltrate databases of client data with email addresses, home addresses, and phone numbers of your clients, and use that data to fuel billion dollar criminal enterprises such as spam campaigns, such as pop-up ads for bogus Viagra or heart medication or stock manipulation, such as pump and dump campaigns. There’s a whole underground economy of promoters and bad actors, who work in tandem and who need PII as the fuel for those fraudulent campaigns.
  • Industrial espionage for competitive advantage such as stealing product information that requires years of research. “You’d be horrified if you saw how much data is leaving the US every day from scientific firms, research firms, industrial firms, government contractors” said Kramer.

In summary, Kramer provided 7 tips to prepare your firm for a cyber-attack:

  1. Understand what your network looks like, even after all the mergers, acquisitions, and consolidations. Create a map of your networks and prepare a list of devices on the network and users on the network.
  2. Back up your data routinely and store it offsite.
  3. Know where your most important data is being held. Think about where it should be held and the protocols to gain access to that information.
  4. Develop policies for cybersecurity. What policies govern the use of data and networks by employees? Train your employees on use polices. Define where your logs and data are being held. List applications running on the network, including applications developed in house.
  5. Be aware that bad actors could be already be in your system right now and have been for a long time. Make sure your IT departments are aware of updates and are patching vulnerabilities in your systems.
  6. Develop a response plan in the event of an attack. Have a plan to work with your attorneys, PR firm, your Board of Directors. Have a team of forensic experts and outside firms available.
  7. And finally, establish a relationship with your local FBI office today, before there’s a cyber-attack

Joanna Belbey , Contributor

 

Leave a comment

Posted in Cyber Security, Forensic, Hacking, Law Enforcement, Security

Tagged ,

Obama’s Call for Encryption ‘Compromise’ Is Hypocritical

Posted on March 14, 2016 | Leave a comment
1457817377711230

Image: screengrab

During his keynote speech at South By Southwest, President Barack Obama addressed the ongoing debate over encryption. Although he declined to discuss the specifics of the San Bernardino case, in which Apple is currently fighting a court order to hack its own device, the president spoke in more general terms about privacy and security. Obama joined several other political figures in calling for the tech industry to enable expanded law enforcement access to encrypted data.

Obama also advocated for the use of encryption by the government, saying that the technology is crucial to preventing terrorism and protecting the financial and air traffic control systems. But the president argued argued that ordinary citizens also need to expect some intrusion into their phones in order to ensure a safe society. Obama compared the weakening of encryption to going through security at the airport—an intrusive process, but a necessary sacrifice for citizens to make. (Obama’s own devices are, of course, secured with strong encryption.) In his speech, Obama said:

So we’ve got two values, both of which are important. And the question we now have to ask is, if technologically it is possible to make an impenetrable device or system where the encryption is so strong that there’s no key. There’s no door at all. Then how do we apprehend the child pornographer? How do we solve or disrupt a terrorist plot? What mechanisms do we have available to even do simple things like tax enforcement? Because if, in fact, you can’t crack that at all, government can’t get in, then everybody’s walking around with a Swiss bank account in their pocket. So there has to be some concession to the need to be able get into that information somehow.

Obama said the tech community should “balance these respective risks,” suggesting that the industry had not been proactive enough in compromising on encryption and that, if it failed to compromise, it risks being cut out of the conversation entirely by Congress. “I’m confident that this is something we can solve, but we’re going to need the tech community, software designers, people who care deeply about this stuff, to help us solve it,” Obama said. He added:

Because what will happen is, if everybody goes to their respective corners, and the tech community says, ‘You know what, either we have strong perfect encryption, or else it’s Big Brother and Orwellian world,’ what you’ll find is that after something really bad happens, the politics of this will swing and it will become sloppy and rushed and it will go through Congress in ways that have not been thought through. And then you really will have dangers to our civil liberties, because the people who understand this best and who care most about privacy and civil liberties have disengaged, or have taken a position that is not sustainable for the general public as a whole over time.

In Obama’s telling, the tech industry is painted as a spoiled child who runs back to his corner and disengages with the debate, snatching up his toys and taking them back to his mansion when he realizes he doesn’t like the way the game is being played. It’s a compelling image, and one that the industry, which is widely perceived as elitist and uninclusive, will have a tough time combatting.

But the industry has compromised on this issue, collaborating with law enforcement to provide access to data for criminal prosecutions. In the San Bernardino case, Apple has provided access to iCloud backups of the shooter’s phone and offered suggestions on how to create additional backups before it was revealed that the shooter’s iCloud password had been reset at the behest of the FBI.

Tech companies also routinely provide unencrypted metadata to law enforcement, which can provide a detailed portrait of a suspect’s life: where he’s been, where he is currently, who he communicates with, how regularly he communicates with others and how long the conversations last.

The government also wields a powerful investigative tool in CALEA (the Communications Assistance for Law Enforcement Act). CALEA compels service providers like AT&T and Verizon to build backdoors into their systems to allow for real-time monitoring of suspects by law enforcement.

Yet another instance of compromise is Apple’s encryption of iCloud. As security expert Jonathan Zdziarski pointed out in post on his blog, iCloud offers an example of the type of “warrant-friendly” encryption that Obama called for in his SXSW keynote.

“I suspect that the answer is going to come down to how do we create a system where the encryption is as strong as possible. The key is as secure as possible. It is accessible by the smallest number of people possible for a subset of issues that we agree are important,” Obama said. His suggestion for solving the encryption debate mirrors the solution Apple has already developed for securing iCloud data: that data is encrypted, but Apple maintains access so that it can comply with warrants.

But, Zdziarski notes, the 2014 hack of celebrities’ iCloud accounts illustrates the dangers of “compromise” encryption.

“The iCloud’s design for ‘warrant friendliness’ is precisely why the security of the system was also weak enough to allow hackers to break into these women’s accounts and steal all of their most private information,” Zdziarski wrote. “The data stored in iCloud is stored in a weaker way that allows Apple to service law enforcement requests, and as direct result of this, hackers not only could get into the same data, but did. And they did it using a pirated copy of a law enforcement tool—Elcomsoft Phone Breaker.”

Obama mentioned this particular concern in his speech. “Now, what folks who are on the encryption side will argue, is any key, whatsoever, even if it starts off as just being directed at one device, could end up being used on every device. That’s just the nature of these systems,” he said. “That is a technical question. I am not a software engineer. It is, I think, technically true, but I think it can be overstated.”

Obama is right—it’s technically true that any key can end up being used on every device.

The president isn’t the only politician to call for compromise on encryption and he certainly won’t be the last, but what the FBI is asking for in the San Bernardino case (and beyond it) isn’t compromise—it’s total compliance. Compromise suggests that tech companies and law enforcement agencies will meet in the middle, each conceding some of their demands in order to find common ground. The industry has made an effort to do so by providing metadata, real-time surveillance, and data backups to law enforcement.

But Obama’s comments suggest that none of this information is enough—encryption needs to be completely backdoored in order for there to be “compromise.” If the government refuses to acknowledge the concessions that have been made and continues to demand universal access to encrypted data while clinging onto strong encryption for itself, there is no compromise at all. It’s just the government getting exactly what it wants, snatching up all its toys and heading back to its mansion.

Leave a comment

Posted in Cyber Security, Encryption, Hacking, Law Enforcement, Security, Technology, Uncategorized

Tagged , , , ,

This is What the Public Really Thinks About FBI vs. Apple

Posted on March 2, 2016 | 1 comment

Apple_FBI

DOJ v. Data Encryption – Public Perception and Communications Lessons

The heated dispute between Apple and the U.S. Department of Justice (DOJ) over the iPhone used by Syed Rizwan Farook before the San Bernardino, California, mass shooting has captured attention across America and the world. While this debate now focuses on one company’s decision, the implications go well beyond the mobile sector and even the whole technology industry. Companies and other organizations of all kinds responsible for managing personal data are concerned and need to be prepared to deal with the controversy’s impact.




To help deepen understanding about this complex issue, Burson-Marsteller, with their sister research firm Penn Schoen Berland, conducted a national opinion survey from February 23-24, 2016. The survey polled 500 General Population respondents (including 230 iPhone users) and 100 National Elites (individuals earning more than $100,000 per year who have college degrees and follow the news), and the results reveal critical communications issues around the fundamental conflict between privacy on the one hand and national security and safety on the other. Here are the key takeaways:

  • Overall awareness is high. Eighty-two percent of the General Population and 88 percent of National Elites have heard about the dispute. The news has gone viral, with people tweeting and posting on Facebook about it and commenting extensively online about news articles.
  •  The FBI should have access to one phone, not all phones. Respondents say the government should not be given a tool that potentially gives it access to all iPhones. Sixty-three percent of the General Population and 57 percent of National Elites say Apple should only provide the FBI with the data from the phone in question, and the tools to do it should never leave Apple’s premises. It is clear the public wants this decided on a case-by-case basis, and respondents do not trust law enforcement and national security agencies to self-police and protect privacy.
  •  The public expects companies to push back if there is the potential to violate privacy. Respondents say they want companies to protect the privacy of their data fully, even when the government is requesting data in the name of law enforcement or national security. A majority (64 percent of the General Population and 59 percent of Elites) says a company’s top obligation is to protect its customers’ data rather than cooperating with law enforcement or national security interests. However, most (69 percent of the General Population and 63 percent of Elites) see the need to compromise on privacy when terrorist threats are involved.
  • How the issue is framed determines public opinion. If the issue is framed as the FBI asking for access to this one phone, 63 percent of the General Population and 57 percent of Elites agree with the FBI position. If the issue is framed as potentially giving the FBI and other government agencies access to all iPhones, Apple’s position prevails overwhelmingly; 83 percent of the General Population and 78 percent of Elites agree Apple should either only grant access to the particular iPhone or refuse the request entirely.
  • Current laws are outdated. This situation reflects a much broader debate about privacy and security that will need to be resolved. About half (46 percent of the General Population and 52 percent of Elites) say current laws are outdated and need to be revised to reflect the changing role of technology in today’s society.

Regardless of the outcome of this current dispute, there is no question it is raising alarms about the state of data privacy. In the aftermath, companies will have to pay increasing attention to the expectations of their customers and consumers. The survey showed people are overwhelmingly concerned with the security and privacy of their digital data, with 90 percent of the General Population and 96 percent of National Elites saying they are very or somewhat concerned about the security and privacy of their personal information online or on their personal electronic devices. The Apple/DOJ dispute appears to be a turning point for all organizations trying to balance the demands of data privacy with national security and law enforcement considerations. The pressures on them are only going to grow.

 

1 Comment

Posted in Cyber Security, eDiscovery, Encryption, Forensic, Law Enforcement, Security, Technology

Tagged , , ,

DHS Establishes Information Sharing Capability and Process Required under CISA; Issues Multi-Agency Information Sharing Guidance

Posted on February 23, 2016 | Leave a comment

The Department of Homeland Security (“DHS”) has posted four documents on the US Computer Emergency Readiness Team (US-CERT) website to satisfy several requirements set forth in the  Cybersecurity Information Sharing Act of 2015 (“CISA”).  Details on the four documents are provided below.

By way of background, CISA was passed into law on December 18, 2015 and provides authorization for, among other things, the sharing of cyber threat indicators and defensive measures by and between the federal government, private entities, and state, local, and tribal governments.  The law also provides liability protections for non-Federal entities that share or receive cyber threat indicators or defensive measures, provided that these activities are conducted “in accordance with” the Act.  This requires, among other things, that (1) the information shared meets the definitions of cyber threat indicator or defensive measure, as applicable; (2) that the sharing be “for a cybersecurity purpose”; and (3) that the sharing entity comply with the requirement to screen information prior to sharing it for personal information that is not directly related to a cybersecurity threat and remove it.

In addition, when sharing with the federal government via electronic means, liability protections generally attach only if the information is submitted through the capability and process required to be established by DHS under the act.  CISA directs that this be “through electronic mail or media, an interactive form on an Internet website, or a real time, automated process between information systems.”



In keeping with these requirements, the three ways DHS has established for entities to electronically submit cyber threat indicators to the federal government are as follows:

  1. Via DHS’ Automated Indicator Sharing (“AIS”) program, which allows entities to share information with the federal government in real time by connecting through a specialized client to an AIS server operated by DHS’s National Cybersecurity and Communications Integration Center (NCCIC).  Information shared in this manner must conform to the Structured Threat Information eXchange (STIX) and be transmitted via the Trusted Automated eXchange of Indicator Information (TAXII), which are the format and exchange mechanisms, respectively, selected by DHS for real time threat sharing.  Among other features of AIS, DHS notes that it:
    • Performs a series of automated analyses and technical mitigations to ensure that personally identifiable information that is not directly related to a cybersecurity threat is removed before any information is shared (with human review where necessary); and
    • Anonymizes the identity of the submitter of the information, unless the submitter has consented to sharing its identity.
  2. Via email.  When using this method, entities must email “ncciccustomerservice@hq.dhs.gov” and ensure that the shared information conforms to specified formatting requirements.
  3. Via a webform established by DHS for this purpose.

DHS discusses these methods for sharing cyber threat indicators and defensive measures with the federal government in one of the four documents it posted: Interim Procedures Related to the Receipt of Cyber Threat Indicators and Defensive Measures by the Federal Government.  This document, issued by the Secretary of Homeland Security and the Attorney General in consultation with the heads of appropriate federal agencies, “describes the processes for receiving, handling, and disseminating information that is shared pursuant to CISA,” as required under Section 105(a)(1) of CISA.

The other three documents that DHS posted to its website generally satisfy specific directives in CISA to provide additional detail around certain processes, as follows:

  1. Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities under the Cybersecurity Information Sharing Act of 2015: This document responds to Congress’s directive in Section 105(a)(4) of CISA and provides guidance on (1) types of information that would qualify as a cyber threat indicator that would be unlikely to include information that is not directly connected to a cybersecurity threat that is also personal information or personally identifiable information, and (2) types of information protected by otherwise applicable privacy laws and that are unlikely to be directly related to a cybersecurity threat.
  2. Privacy and Civil Liberties Interim Guidelines: Cybersecurity Information Sharing Act of 2015:  Section 105(b)(1) of CISA directs the Attorney General and Secretary of Homeland Security to “jointly develop, submit to Congress, and make available to the public interim guidelines relating to privacy and civil liberties which shall govern the receipt, retention, use, and dissemination of cyber threat indicators by a Federal entity obtained in connection with activities authorized in this title.”  The interim guidelines created in response to this directive direct federal entities to “follow procedures designed to limit the effect on privacy and civil liberties of federal activities under CISA.”  Specifically, the interim guidelines define CISA-specific implementations of the Fair Information Practice Principles (FIPPs) set forth in Appendix A of the National Strategy for Trusted Identities in Cyberspace, namely: transparency, individual participation, purpose specification, purpose specification, data minimization, use limitation, data quality and integrity, security, and accountability and auditing.
  3. Sharing of Cyber Threat Indicators and Defensive Measures by the Federal Government under the Cybersecurity Information Sharing Act of 2015: In response to a directive in Section 103 of CISA, the Director of National Intelligence, the Secretary of Homeland Security, the Secretary of Defense, and the Attorney General, in consultation with the heads of appropriate federal entities, issued these procedures, which “facilitate and promote” the sharing of threat information by the federal government with non-federal entities, such as private entities and state and local governments.  Such sharing falls into the following categories:
    • Timely sharing of classified cyber threat indicators and defensive measures in the possession of the Federal Government with representatives of relevant federal entities and nonfederal entities that have appropriate security clearances;
    • Timely sharing with relevant federal entities and non-federal entities of cyber threat indicators, defensive measures, and information relating to cybersecurity threats or authorized uses under this title, in the possession of the Federal Government that may be declassified and shared at an unclassified level;
    • Timely sharing with relevant federal entities and non-federal entities, or the public if appropriate, of unclassified, including controlled unclassified, cyber threat indicators and defensive measures in the possession of the Federal Government;
    • Timely sharing with federal entities and non-federal entities, if appropriate, of information relating to cybersecurity threats or authorized uses under this title, in the possession of the Federal Government about cybersecurity threats to such entities to prevent or mitigate adverse effects from such cybersecurity threats; and
    • Periodic sharing, through publication and targeted outreach, of cybersecurity best practices that are developed based on ongoing analyses of cyber threat indicators, defensive measures, and information relating to cybersecurity threats or authorized uses under this title, in the possession of the Federal Government, with attention to accessibility and implementation challenges faced by small business concerns (as defined in Section 3 of the Small Business Act (15 U.S.C. 632)).

The procedures note that the required information sharing is currently implemented through a series of existing programs, of which the procedures provide an overview.  The procedures also provide an overview of the roles and responsibilities of federal entities, non-federal entities, and Information Sharing and Analysis Centers (ISACs) and Information Sharing and Analysis Organizations (ISAOs) in the information sharing context.

Leave a comment

Posted in Cyber Security, Law Enforcement, Network, Security, Technology

Tagged , ,