Cyber Security

Legality of Security Research to be Decided in US Supreme Court Case

A ruling that a police officer’s personal use of a law enforcement database is “hacking” has security researchers worried for the future.

Independent security researchers, digital-rights groups, and technology companies have issued friend-of-the-court briefs in a US Supreme Court case that could determine whether violating the terms of service for software, hardware, or an online service equates to hacking under the law.

The case—Nathan Van Buren v. United States—stems from the appeal of Van Buren, a police sergeant in Cumming, Georgia, who was found guilty in May 2018 of honest services wire-fraud and a single charge of violating the Computer Fraud and Abuse Act (CFAA) for accessing state and government databases to look up a license plate in exchange for money. While Van Buren was authorized to use the Georgia Crime Information Center (GCIC) to access information, including license plates, federal prosecutors argued successfully that he exceeded that authorization by looking up information for a non-law enforcement purpose.

With the appeal accepted by the US Supreme Court, security researchers and technology companies are concerned with the potential for the case to turn independent vulnerability research into unauthorized access and, thus, a prosecutable offense. If the US Supreme Court rules that Van Buren’s actions are a violation of the CFAA, it will undermine software and cloud security, says Casey Ellis, chief technology officer and founder of crowdsourced bug bounty firm Bugcrowd.

“Unauthorized access is one of the main purposes of security research—by making it illegal, researchers will be unable to effectively do their jobs, the organization will not be able to close all vulnerabilities, and attackers will win,” Ellis says, adding, “the purpose of the CFAA is to outlaw malicious cyberattacks, not grant organizations the ability to halt vulnerability reporting by holding ethical researchers legally accountable for their actions.”

The list of interested parties filing so-called amicus briefs in the case pits the usual suspects against each other: digital rights groups—such as the American Civil Liberties Union, the Center for Democracy and Technology, and the Electronic Frontier Foundation—against law enforcement, specifically the Federal Law Enforcement Officers Association; and security researchers and security firms—such as Rapid7 and Bugcrowd—against organizations such as the financial group Managed Funds Association (MFA) and mobile voting firm Voatz.

The MFA worried about “faithless employees” stealing client information, financial information and trade secrets, while Voatz raised its concerns that independent research—such as a recent paper authored by Massachusetts Institute of Technology (MIT) researchers that found significant security issues with its mobile voting application—is not in the cause of security. On September 3, Voatz filed its brief in response to the filing on behalf of security researchers.

“We’re not advocating to limit anyone’s freedom – we’re saying it’s difficult to distinguish between good and bad faith attacks in the midst of a live election,” the company said in a statement sent to Dark Reading. “For everyone’s sake, it’s better to work collaboratively with the organization — bad actors disguise themselves as good actors on a regular basis. All attempts to break into or tamper with an election system during a live election need to be treated as hostile unless prior authorization was specifically granted.”

The MIT research used the Voatz app and a reverse-engineered version of the backend server, and never took place during a live election, according to a paper published at the prestigious USENIX Security Conference last month. 

“As performing a security analysis against a running election server would raise a number of unacceptable legal and ethical concerns, we instead chose to perform all of our analyses in a ‘cleanroom’ environment, connecting only to our own servers,” Michael Specter, a PhD candidate in computer science at MIT, and his co-authors stated in the paper. A later analysis funded by Voatz actually verified all the vulnerabilities plus a significant number of additional issues.

Yet, other technology companies and organizations have voiced support for security researchers and limiting the application of the Computer Fraud and Abuse Act. In their joint Amicus brief, software-developer tools maker Atlassian, browser maker Mozilla, and e-commerce platform firm Shopify all supported security researchers’ efforts.

“Effective computer security … entails creating systems that are resilient to computer hackers. That requires letting people, including members of the robust community of independent security researchers, probe and test our computer networks,” the companies stated, adding “[a]n overbroad reading of the CFAA, however, chills … critical security research. Security experts may not think it worth the risk to conduct their research without a clear definition of what it means to ‘exceed authorized access,’ especially when mere terms of service violations have been used to impose criminal penalties in the past.”

Security researchers are not the only ones at risk, says Bugcrowd’s Ellis. Anyone who uses a computer system in a way not intended by the manufacturer could find themselves the target of legal action and, perhaps, prosecution, he says.

“The law is so broadly written that it criminalizes acts that otherwise violate a website’s terms of services, from lying about your name on a Web form to the socially beneficial security testing that ethical security researchers undertake,” he says. “A broader interpretation of ‘exceeds unauthorized access’ in CFAA works directly against the goals of a safer and more resilient Internet.”

A date for oral arguments in the case has not been set.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Source: https://www.darkreading.com/risk/legality-of-security-research-to-be-decided-in-us-supreme-court-case/d/d-id/1338874?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

6 Crucial password security tips for everyone

This blog was written by an independent guest blogger.
These days, everyone has passwords. Lots and lots of passwords! When I think of how many user accounts with passwords that I have, I probably have dozens. A few for social media platforms like Twitter and LinkedIn, a few for my favorite media streaming services, one for Nintendo Switch and another for the PlayStation Network, a few for my utilities including electricity and my ISP, a few with Amazon and other online retailers, one with the government to file my personal income taxes, my home WiFi password, a Gmail account for all of my Google and YouTube stuff, accounts to authenticate into a couple of different web browsers, an account for my bank’s website, and there are probably at least a dozen more. And I’m a pretty typical technology user. So chances are, you have many similar…

Posted by: Kim Crawley

Source: https://www.cybersecurity-insiders.com/6-crucial-password-security-tips-for-everyone/?utm_source=rss&utm_medium=rss&utm_campaign=6-crucial-password-security-tips-for-everyone

Deadly Ransomware Story Continues to Unfold

A ransomware attack with fatal consequences is attracting notice and comment from around the world.

This is a follow-up to yesterday’s story breaking the news of fatal consequences in a German ransomware attack.

Reaction is continuing to the story of what Reuters says may be the world’s first human fatality directly attributed to a cyberattack. According to the news service’s reporting, the attack, which began on Sept. 10, utilized a known vulnerability in a Citrix VPN as its point of entry. As of today, The University Clinic in Duesseldorf remained unable to admit new patients brought in by ambulance.

Because a woman died after being redirected to another hospital, German authorities are investigating possible manslaughter charges against the still-unknown attackers. “If homicide charges are combined with computer crime charges, it could be a sound idea to attempt imposing a lengthy prison sentence for the attackers, and, potentially, to get more international cooperation in the investigation,” says Ilia Kolochenko, founder and CEO of ImmuniWeb. She warns, though, that “the causation element will likely be extremely burdensome to prove within the context: defense attorneys will likely shift the entire blame on other parties spanning from hospital personnel and its IT contractors in charge of network management and security.”

Terence Jackson, CISO at Thycotic, notes: “According to a recent Check Point report, 80% of observed ransomware attacks in the first half of 2020 used vulnerabilities reported and registered in 2017 and earlier — and more than 20% of the attacks used vulnerabilities that are at least 7 years old.”

The pre-existing vulnerability means that “there was time to mitigate the threat in theory, but it illustrates the importance of running vulnerability scans and acting on findings at least every 30 days if not more frequently,” says Mark Kedgley, CTO of New Net Technologies. The potential disruption of those scans, he says, must be weighed against the operational requirements of 24 x 7 organizations like hospitals.

Dark Reading will continue to follow this story.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Source: https://www.darkreading.com/threat-intelligence/deadly-ransomware-story-continues-to-unfold/d/d-id/1338957?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Incident Of The Week: Equinix Is The Latest In A Long Line Of Ransomware Victims

[Records Exposed: Undisclosed | Industry: Internet | Type Of Attack: Ransomware]

Equinix is the latest victim in a long line of ransomware targets. The data center and colocation service provider released a short statement on September 9 that read,

“Equinix is currently investigating a security incident we detected that involves ransomware on some of our internal systems. Our teams took immediate and decisive action to address the incident, notified law enforcement and are continuing to investigate. Our data centers and our service offerings, including managed services, remain fully operational, and the incident has not affected our ability to support our customers. Note that as most customers operate their own equipment within Equinix data centers, this incident has had no impact on their operations or the data on their equipment at Equinix. The security of the data in our systems is always a top priority and we intend to take all necessary actions, as appropriate, based on the results of our investigation.”

The threat actors are demanding $4.5 million in exchange for a decryptor and the promise that they won’t release stolen data. However, Equinix updated their statement on September 14 to reiterate that customers’ data and operations remain safe.

It appears the guilty party is the young cybercriminal group known as NetWalker, which first burst on the scene in August of 2019. Their success lies in their ability to automate ransomware attacks, including a countdown clock and prefab ransom note that populates at just the right time during the operation. Ransomware-as-a-Service (RaaS) poses an increasing threat across the cyber security landscape, as it allows inexperienced or less technical hackers to purchase the automation software needed to execute such a hack.

With NetWalker acting as the gatekeeper, hacker groups go through a screening process before gaining access to a web portal that holds NetWalker’s ransomware, which can then be customized to fit their specific needs. NetWalker’s commission of 20% has earned the group $25 million between March 1 and July 27.

Lessons Learned:

If it seems like ransomware attacks have been in the news a lot lately, it’s because they have. In fact, a report by Coalition discovered that in the first half of 2020, 41% of cyber insurance claims were ransomware incidents. It was also reported that, while ransomware attacks are becoming slightly less frequent, their rate of success and size of target are growing. In other words, the increasingly sophisticated strategies of these threat actors pose real risks to even the most developed enterprise.

While ransomware attacks are specific in their execution, the vulnerabilities exploited to make them possible are the same as most other cyber threats. Specifically, 54% of cyber attacks are achieved through email (malware) and phishing schemes.

Quick Tips:  

Ransomware attacks rely in part on lax cyber protocols. In order to best safeguard your enterprise from this growing threat, consider the following:

  1. Back up data smartly – One of the ways cyber criminals convince corporations to pay ransoms is by holding their data hostage by encrypting it. While most enterprises back up their data, the backup is often located in the same compromised infrastructure as the original data. Consider backing up data to external drives or a second cloud service provider.
  2. Choose a reputable security suite – Standard antivirus software and basic firewalls may be sufficient for the layperson, but enterprises should invest in a security suite that uses smart tools and sophisticated algorithms to spot and, if possible, remove ransomware. The tool must be able to run in the background 24/7.
  3. Install Software Updates – Cyber criminals look for the path of least resistance. Such a path is usually found in outdated software that hasn’t downloaded the most up-to-date patches, bug fixes, and other newly designed features. Remember to keep all apps, plug-ins, and third-party software up to date as well.

Source: https://www.cshub.com/attacks/articles/incident-of-the-week-equinix-is-the-latest-in-a-long-line-of-ransomware-victims
