Tag Archives: law enforcement

Online Privacy in Australia Takes a Major Hit. Who’s Next?

The latest law passed by Australian Parliament has outraged global privacy advocates. The Assistance and Access Bill (AA Bill) essentially allows Australian officials to access the content of end-to-end encrypted communications. While it may be an Australian law, global privacy advocates predict it will impact global privacy rights, and other countries may follow suit.

Here’s what you need to know. The most controversial parts of the AA Bill are the “frameworks for voluntary and mandatory industry assistance to law enforcement and intelligence agencies” that allow the Australian government to access encrypted communication content.

  • What does “industry assistance” mean?

It means the Australian government can force “designated communication providers” to use known capabilities to intercept communications or build a new interception capability.

  • Who is a “designated communication provider?”

In short, anyone who touches hardware, software, or data used in end-to-end communication, including online services like websites. Continue reading Online Privacy in Australia Takes a Major Hit. Who’s Next?

Department of Justice: Cellphone Tracking Policy

The Department of Justice recently announced a new policy requiring federal law enforcement officials to obtain a search warrant before using cell-site simulators.

Cell-site simulators – also referred to as Stingrays – are suitcase-sized devices that are able to collect basic cellphone data by tricking phones into recognizing them as a cell tower. The device takes the subscriber numbers and sends them to the police to determine the location of a phone without needing user activity.

Several privacy groups have raised concerns over the threat to individuals’ privacy and civil liberties and lack of accountability. This new policy is designed to promote transparency, consistency, and accountability around a previously secretive practice.

Deputy Attorney General Sally Yates comments, “With the issuance of this policy, the Department of Justice reaffirms its commitment to hold itself to the highest standards as it performs its critical work to protect public safety.”

Under the new policy, a warrant is required to use the cellphone tracking technology – except for emergencies and national security threats. Additionally, the data is required to be deleted after the necessary information is collected.

The policy also prohibits the cell-site simulators from collecting the contents of the communication including emails, texts, contact lists, and images. To ensure adherence to the policy, appropriate supervision and training to employees will be provided.

The policy only applies to federal agencies within the Justice Department, leaving out state and local law enforcement. But the hope is that this policy will act as a guide for state and local law enforcement agencies to develop their own similar regulations.

This policy can be seen as a step in the right direction to protecting privacy rights under the Fourth Amendment. And, at the very least, it should call into question state law enforcement’s use of the technology without a warrant.

FBI Alert: DDoS Extortions Continue

The Internet Crime Complaint Center (IC3) recently received an increasing number of complaints from businesses reporting extortion campaigns via e-mail. In a typical complaint, the victim business receives an e-mail threatening a Distributed Denial of Service (DDoS) attack to its Website unless it pays a ransom. Ransoms vary in price and are usually demanded in Bitcoin.

Victims that do not pay the ransom receive a subsequent threatening e-mail claiming that the ransom will significantly increase if the victim fails to pay within the time frame given. Some businesses reported implementing DDoS mitigation services as a precaution.

Businesses that experienced a DDoS attack reported the attacks consisted primarily of Simple Discovery Protocol (SSDP) and Network Time Protocol (NTP) reflection/amplification attacks, with an occasional SYN-flood and, more recently, WordPress XML-RPC reflection/amplification attack. The attacks typically lasted one to two hours, with 30 to 35 gigabytes as the physical limit.

Based on information received at the IC3, the FBI suspects multiple individuals are involved in these extortion campaigns. The attacks are likely to expand to online industries and other targeted sectors, especially those susceptible to suffering financial losses if taken offline.

If you believe you have been a victim of this scam, you should reach out to your local FBI field office, and file a complaint with the IC3 at www.IC3.gov.

Tips to protect yourself:

  • React: Take the threat seriously, and “spin up” an incident response team to deal with any such attacks or threats.
  • Defend: Review DDoS defenses to ensure they can handle attackers’ threatened load, and if necessary contract with, subscribe to or buy an anti-DDoS service or tool that can help.
  • Alert: Warn the organization’s data centers and ISPs about the threatened attack, which they may also be able to help mitigate.
  • Report: Tell law enforcement agencies about the threat – even if attackers do not follow through – so they can amass better intelligence to pursue the culprits.
  • Plan: Continually review business continuity plans to prepare for any disruption, if it does occur, to avoid excessive disruptions to the business.

Leverage FBI Resources Before and During a Breach

FBI logoDuring ePlace Solutions’ June 2015 webinar, Special Agent Alexander E. Murray and Computer Scientist Darren Bennett of the FBI encouraged organizations to involve the Bureau both before and during a data breach.  Each field office has a link on the FBI’s website and a phone number listed – this is the recommended approach to starting a relationship with your FBI office.

 

Benefits the FBI brings before a data breach:

  • Information Sharing. The FBI sees and hears a lot of what is going on the cyber security community, and facilitates threat information sharing across organizations. You can reach out to the FBI to share threat indicators you’re seeing, and the FBI can relay back information from their internal database on other indicators to be aware of reported by other organizations.
  • InfraGard and Flash Alerts. Another information sharing avenue is through InfraGard and flash alerts. Organizations can publish and share information and request to be notified of urgent attack indicators that might be relevant. This kind of information sharing helps all organizations as common attacks and vulnerabilities can be noticed and seen trending, allowing the FBI to relay the information across all organizations.

Benefits during a breach:

  • Added Skills and Experience. Bringing in an organization such as the FBI adds to the technical expertise on hand during a critical time and potentially disastrous situation. Some organizations have technical expertise in place for incidents like data breaches, but having more skills at your disposal never hurts.
  • Proactive Approach. In the event the incident goes to trial, an organization working and cooperating with FBI assistance might have an advantage. Bringing in the FBI shows more due diligence and intention to investigate and mitigate the situation and any harm that might have occurred. It shows a proactive manner of addressing the problem rather than sticking your head in the sand.