Archive for the ‘privacy and security’ Category

What Went Wrong with the FISA Court

March 26, 2015

What Went Wrong with the FISA Court
Source: Brennan Center for Justice, New York University School of Law

The Foreign Intelligence Surveillance (FISA) Court is no longer serving its constitutional function of providing a check on the executive branch’s ability to obtain Americans’ private communications. Dramatic shifts in technology and law have changed the role of the FISA Court since its creation in 1978 — from reviewing government applications to collect communications in specific cases, to issuing blanket approvals of sweeping data collection programs affecting millions of Americans.

Under today’s foreign intelligence surveillance system, the government’s ability to collect information about ordinary Americans’ lives has increased exponentially while judicial oversight has been reduced to near-nothingness. This report concludes that the role of today’s FISA Court no longer comports with constitutional requirements, including the strictures of Article III and the Fourth Amendment. The report lays out several steps Congress should take to help restore the FISA Court’s legitimacy.

CRS — Cybersecurity and Information Sharing: Legal Challenges and Solutions (March 16, 2015)

March 26, 2015

Cybersecurity and Information Sharing: Legal Challenges and Solutions (PDF)
Source: Congressional Research Service (via Federation of American Scientists)

Over the course of the last year, a host of cyberattacks has been perpetrated on a number of high profile American companies. The high profile cyberattacks of 2014 and early 2015 appear to be indicative of a broader trend: the frequency and ferocity of cyberattacks are increasing, posing grave threats to the national interests of the United States. While considerable debate exists with regard to the best strategies for protecting America’s various cyber-systems and promoting cybersecurity, one point of general agreement amongst cyber-analysts is the perceived need for enhanced and timely exchange of cyber-threat intelligence both within the private sector and between the private sector and the government. Nonetheless, there are many reasons why entities may opt to not participate in a cyber-information sharing scheme, including the potential liability that could result from sharing internal cyber-threat information with other private companies or the government. More broadly, the legal issues surrounding cybersecurity information sharing—whether it be with regard to sharing between two private companies or the dissemination of cyber-intelligence within the federal government—are complex and have few certain resolutions. In this vein, this report examines the various legal issues that arise with respect to the sharing of cybersecurity intelligence, with a special focus on two distinct concepts: (1) sharing of cyber-information within the government’s possession and (2) sharing of cyber-information within the possession of the private sector.

Cyber Attacks and Public Embarrassment: A Survey of Some Notable Hacks

March 24, 2015

Cyber Attacks and Public Embarrassment: A Survey of Some Notable Hacks
Source: arXiv.org

We hear it all too often in the media: an organization is attacked, its data, often containing personally identifying information, is made public, and a hacking group emerges to claim credit. In this excerpt, we discuss how such groups operate and describe the details of a few major cyber-attacks of this sort in the wider context of how they occurred. We feel that understanding how such groups have operated in the past will give organizations ideas of how to defend against them in the future.

DHS OIG Finds Notorious Felon Allowed to Use TSA PreCheck® Lanes

March 20, 2015

DHS OIG Finds Notorious Felon Allowed to Use TSA PreCheck® Lanes (PDF)
Source: U.S. Department of Homeland Security, Office of Inspector General

A recent report by the DHS Inspector General determined that a convicted felon who had been involved in numerous felonious criminal activities and was also a former member of a domestic terrorist group was permitted to travel with expedited screening through Transportation Security Administration (TSA) PreCheck®. The report, OIG-15-45 “Allegation of Granting Expedited Screening Through TSA PreCheck® Improperly,” stemmed from a whistleblower disclosure which alleged that a notorious felon was improperly cleared for TSA PreCheck® screening and was allowed to use the PreCheck® lanes.

After an extensive investigation of the allegation and assessment of the TSA PreCheck® initiative, we determined that TSA provided a TSA PreCheck® indicator and barcode on the traveler’s boarding pass. After checking the traveler’s boarding pass and identification, an alert Transportation Security Officer (TSO) at the airport recognized the felon and alerted his supervisor. However, the supervisor directed the TSO to take no action and allow the traveler to continue through the TSA PreCheck® lane.

We determined that this traveler had not applied for TSA PreCheck® through the TSA PreCheck® Application Program, but that TSA granted TSA PreCheck® screening to this passenger through the risk assessment rules in the Secure Flight program.

+ Full Report (Redacted) (PDF)

NSA — Guidance for Defending Against Destructive Malware

March 18, 2015

Guidance for Defending Against Destructive Malware
Source: National Security Agency (via US-CERT)

The Information Assurance Directorate of the National Security Agency (NSA) has released a report on Defensive Best Practices for Destructive Malware. This report details several steps network defenders can take to detect, contain, and minimize destructive malware infections.

Insecurity in the Internet of Things

March 17, 2015

Insecurity in the Internet of Things (PDF)
Source: Symantec

The Internet of Things (IoT) market has begun to take off. Consumers can buy connected versions of nearly every household appliance available. However, despite its increasing acceptance by consumers, recent studies of IoT devices seem to agree that “security” is not a word that gets associated with this category of devices, leaving consumers potentially exposed.

To find out for ourselves how IoT devices fare when it comes to security, we analyzed 50 smart home devices that are available today. We found that none of the devices enforced strong passwords, used mutual authentication, or protected accounts against brute-force attacks. Almost two out of ten of the mobile apps used to control the tested IoT devices did not use Secure Sockets Layer (SSL) to encrypt communications to the cloud. The tested IoT technology also contained many common vulnerabilities.

All of the potential weaknesses that could afflict IoT systems, such as authentication and traffic encryption, are already well known to the security industry, but despite this, known mitigation techniques are often neglected on these devices. IoT vendors need to do a better job on security before their devices become ubiquitous in every home, leaving millions of people at risk of cyberattacks.

Americans’ Privacy Strategies Post-Snowden

March 16, 2015

Americans’ Privacy Strategies Post-Snowden
Source: Pew Research Center

It has been nearly two years since the first disclosures of government surveillance programs by former National Security Agency contractor Edward Snowden and Americans are still coming to terms with how they feel about the programs and how to live in light of them. The documents leaked by Snowden revealed an array of activities in dozens of intelligence programs that collected data from large American technology companies, as well as the bulk collection of phone “metadata” from telecommunications companies that officials say are important to protecting national security. The metadata includes information about who phone users call, when they call, and for how long. The documents further detail the collection of Web traffic around the globe, and efforts to break the security of mobile phones and Web infrastructure.

A new survey by the Pew Research Center asked American adults what they think of the programs, the way they are run and monitored, and whether they have altered their communication habits and online activities since learning about the details of the surveillance. The notable findings in this survey fall into two broad categories: 1) the ways people have personally responded in light of their awareness of the government surveillance programs and 2) their views about the way the programs are run and the people who should be targeted by government surveillance.
