Tag Archives: cybersecurity

ICE Faces Lawsuit Over Use of Warrantless Searches Via Secret Forensic Devices

The Electronic Privacy Information Center has filed a Freedom of Information Act lawsuit against the U.S. Immigration and Customs Enforcement regarding the agency’s use of forensic technology designed to hack cellphones. EPIC is attempting to clarify how ICE uses the devices to conduct warrantless electronic searches of cellphones and laptops along the U.S. border.

The digital rights group accuses ICE of failing to respond to previously filed records requests in a timely manner. EPIC is seeking all recent ICE contracts related to purchase of mobile forensics devices and technology; guidance, training materials, manuals, or other policies and procedures on ICE; and any information related to the use of mobile data forensics technology at the border.

“Over the last several years, ICE has tested various mobile forensic technologies.
Additionally, ICE has signed contracts with Cellebrite, a provider of mobile forensic technology,” EPIC writes in the complaint. Using one of Cellebrite’s devices ICE is able to electronically search travelers devices and access text messages, private emails, contact lists, and photos as well as other personal information. The company sells the Universal Forensic Extraction Devices (UFED) that unlock, decrypt, and extract phone data, including “real-time mobile data . . . call logs, contacts, calendar, SMS, MMS, media files, apps data, chats, passwords.”
Cellebrite is well known for maintaining close relationships with U.S. government agencies and police. The Israeli-based cybersecurity firm is the producer of the UFED Touch, the forensic extraction device which the FBI used to hack into the San Bernardino shooter’s iPhone in 2016. A partial list of Cellebrite’s known customers includes:
  • Centers for Disease Control and Prevention
  • Commodity Futures Trading Commission
  • DEA, Department of Energy
  • Department of State
  • Defense Threat Reduction Agency
  • DISA
  • DoD
  • DOE
  • DOJ
  • EPA
  • FBI
  • FDA
  • Federal Law Enforcement Training Center
  • Federal Prison System
  • Forest Service
  • FTC
  • IRS
  • NASA
  • NIST
  • Office of Inspector General
  • Patent and Trademark Office
  • Securities and Exchange Commision
  • U.S. Air Force
  • U.S. Army
  • U.S. Coast Guard
  • U.S. Customs and Border Protection
  • U.S. Fish and Wildlife Services
  • U.S. Immigrations and Customs Enforcement
  • USDA
  • U.S. Marshals Service
  • U.S. Navy
  • U.S. Secret Service
  • VA
  • Washington Headquarters Services

In addition, in December 2016, it was revealed that more than 20 state police departments have also signed contracts with Cellebrite. Motherboard reported:

Cellebrite has sold its wares to regional agencies in 20 states, and likely many more, according to the cache of documents acquired by Motherboard. Those items specifically include Cellebrite’s range of Universal Forensic Extraction Devices (UFED); the typically laptop-sized or handheld devices for hoovering up data from phones. Some of the agencies note in the documents that they use the technology for legal searches of devices.

One month later it was reported that a hacker had stolen 900 GB of data from Cellebrite, including customer information, databases, and technical data related to Cellebrite’s products.

EPIC is not the only organization suing ICE for failing to disclose details on practices which likely violate the civil liberties of travelers. In December 2017, two organizations filed suit against ICE for failing to release records related to the agency’s use of devices to gather biometric data from immigrants. Mijente, an advocacy group focused on “promoting Latinx and Chicanx organizing and movement building,” and the National Immigration Project of National Lawyers Guild asked a federal court to force ICE and the Department of Homeland Security to release information related to the use of handheld devices used to gather biometric data from immigrants during raids.

The organizations state that ICE is responsible for promoting technologies with little oversight which endanger civil liberties. “The coinciding surge in immigration raids under the Trump Administration raises further alarm over whether such mobile biometric devices have adequate oversight and accountability,” the press release states. “As ICE increasingly promotes the use of such technologies, the public deserves to know the impact of their use on communities, including within immigrant communities and communities of color.”

The use of these devices is not surprising; since the beginning of the Trump administration, warrantless searches have increased as the border becomes an increasingly militarized surveillance checkpoint. In a statement to Congress last year, EPIC warned that enhanced surveillance at the border would negatively impact the rights of Americans. Based on the reported attempts at secrecy displayed by ICE and other agencies, it’s unknown how long the American public may have to keep waiting to find out what the federal government has been implementing.

Reps. Amash, Massie Blast Congressional Spending Bill for ‘Unconstitutional’ Surveillance Measures

The last-minute addition of the Cybersecurity Act of 2015 to a massive Congressional spending bill has drawn criticism from Representatives who call the provisions unconstitutional, and say that they are an excuse for the U.S. government to expand warrantless domestic cyber surveillance.

In a statement to Truth In Media on Thursday, Rep. Justin Amash (R-Mich.) said he does not support the bill, and he sees it as possibly the “worst anti-privacy vote” since the Patriot Act in 2001.

[pull_quote_center]A vote for the omnibus is a vote to support unconstitutional surveillance on all Americans. It’s probably the worst anti-privacy vote in Congress since the Patriot Act.[/pull_quote_center]

Rep. Thomas Massie (R-Ky.) released a statement on his Facebook page on Wednesday, claiming that he learned of the addition of the “completely unrelated legislation to expand warrantless domestic cyber surveillance” on Tuesday night.

[pull_quote_center]We learned last night that in addition to unsustainable spending, the giant omnibus includes completely unrelated legislation to expand warrantless domestic cyber surveillance and to repeal country of origin labeling for meat sold in the U.S. I will be voting no on Thursday.[/pull_quote_center]

The Cybersecurity Act of 2015 brings together provisions from other bills that have been passed in either the House or the Senate in 2015, such as the Cyber Intelligence Sharing and Protection Act (CISPA) and the Cybersecurity Information Sharing Act (CISA), which both give the U.S. government access to Internet traffic information from technology and manufacturing companies.

[RELATED: Surveillance Bill Masked As ‘Cybersecurity’ Close to Completion]

As previously reported, while “sharing of intelligence is supposed to be voluntary,” critics of the bill say the provisions “will only increase the indiscriminate monitoring of legal activity by giving companies immunity from lawsuits for sharing information with the government.”

Amash told Truth in Media he believes the surveillance provisions were “quietly slipped” into the massive spending bill in an attempt to “avoid full scrutiny.”

[pull_quote_center]These provisions were quietly slipped into the omnibus to avoid full scrutiny. We take an oath to defend the Constitution, and our Fourth Amendment privacy protections are as important as anything.[/pull_quote_center]

Senate Approves CISA Surveillance Bill Masked as ‘Cyber-Security’

UPDATE: The U.S. Senate has officially approved the Cybersecurity Information Sharing Act (CISA) with a vote of 74 to 21. The Senate voted against four amendments aimed at adding consumer protections, including amendments from Sen. Dean Heller, Sen. Ron Wyden, Sen. Pat Leahy, and Sen. Al Franken.

CISA now heads to a conference committee to align the Senate bill with the House of Representatives version. If approved by the committee the bill would go to President Obama to be signed into law.

Last Thursday, with a vote of 83 to 14, the U.S. Senate approved a set of amendments related to CISA which is designed to allow private companies to easily share threat intelligence with government agencies. Critics of the bill say the provisions will only increase the indiscriminate monitoring of legal activity.

Before the vote, Senator Rand Paul introduced an amendment which would require companies to adhere to their own terms of service with customers. However, this amendment failed after only receiving 32 votes. Senator Paul’s presidential campaign website says that the bill “would transform websites into government spies.”

[RELATED: Activists To Bombard Congress With Faxes To Fight Cybersecurity Bill]

Following the vote, Senator Ron Wyden, a long-time opponent of CISA, told the Daily Dot, “We think that information sharing can be useful. But … information sharing without robust privacy protections—millions of Americans are going to say that’s a surveillance bill.”

As Truth In Media recently reported, the supposedly “voluntary” aspects of the bill are not voluntary at all and amount to surveillance of private customer information.

“Number one, it’s not voluntary for their customers, millions and millions of customers,” Wyden explained. “And number two, to get the liability protection, the companies have got to say that they didn’t find anything personal and unrelated in a knowing fashion. And that’s going to be a pretty easy bar because they don’t have to do much to look!”

[RELATED: BROZE: Privacy Advocates Prepare For Battle Over Cybersecurity Bill]

Attempting to pass surveillance measures veiled as “cybersecurity” bills is nothing new. In fact, CISA is seen as the “cousin” of another controversial cybersecurity bill, the Cyber Intelligence Sharing and Protection Act (CISPA), which was defeated by mass opposition in 2012.

Privacy advocates and digital rights groups have been equally vocal in their opposition to CISA. Just days before the vote the Washington Post reported Apple and Dropbox said they did not support the bill. The two companies join Yelp, Reddit, Twitter and the Wikimedia Foundation in their fight against the surveillance bill.

Senator Wyden says the opposition from tech companies has the sponsors of the bill concerned. “I don’t know how many times they kept coming back to the fact that the technology companies really weren’t acting in the interests of the country,” Wyden said. “You saw some of their comments—’There’s no reason for them to be opposed.’ [That] was because they know that these companies are experts in both cyber and privacy. They’re ones that are really knowledgeable about it, and they were opposed to the bill.”

While the bill still has several hurdles to pass before it could become law, privacy advocates and lovers of liberty should keep an eye on the measure as it progresses. It’s time for the free people of the United States, and the world at large, to decide whether or not privacy means anything in 2015.

BROZE: Privacy Advocates Prepare For Battle Over Cybersecurity Bill

The Cybersecurity Information Sharing Act (CISA), which is designed to allow private companies to easily share threat intelligence with government agencies, is facing resistance from privacy advocates who fear that the provisions will only increase the indiscriminate monitoring of legal activity.

CISA is seen as the “cousin” of another controversial cybersecurity bill, the Cyber Intelligence Sharing and Protection Act (CISPA), which was defeated by mass opposition in 2012.

In early August the White House gave the CISA a boost through an official endorsement. The Hill reported:
“Cybersecurity is an important national security issue and the Senate should take up this bill as soon as possible and pass it,” said White House spokesman Eric Schultz in a statement.
“The endorsement will increase pressure on Senate leaders to reach an agreement to limit floor debate and come to a final vote on the bill — which would increase the data shared on hackers between companies and the government — before the month-long break”.

The National Journal also released new information related to CISA. On August 26, the Journal reported on 22 proposed amendments to CISA. When the bill is eventually debated the Senators will have to work their way through each amendment.

According to the Journal, the amendments deal with liability protections, more narrow definitions of cyber threats, qualifications for removing personal identity information, cyber crime penalties, and the voluntary nature of information sharing.

It is exactly this alleged “voluntary” information sharing that has come under fire. Recently Wired reported on the possibility that the programs are not exactly as voluntary as supporters of CISA would have you believe.

Wired mentions a previous “information sharing” program for defense contractors which was falsely advertised as “voluntary”. Wired wrote:

“However, key parts of documents obtained and released to the Electronic Privacy Information Center pursuant to the Freedom of Information Act reveal a different story.

In order to receive information as part of the program, entities were required to sign contracts as program ‘participants.’ This would not have been so bad, except that a precondition for being a participant was the requirement that the entity file reports with the government on a regular basis. In fact, the Defense Industrial Base Pilot Cybersecurity Plan definitively showed that participants were required to agree to transfer information about their private network traffic to the government.”

Although at least one of the amendments to be debated deals with establishing narrower definitions of terms like “voluntary”, at this point there is nothing in the bill which would prevent Department of Homeland Security from taking a similar route while calling the program a voluntary interaction.

The DHS also has its own issues with CISA. In late July, the agency sent a letter to Sen. Al Franken, the ranking member of the Senate Subcommittee on Privacy, Technology, and Law, discussing a number of problems with the bill.

The DHS said that if the bill does not mandate the removal of personal information the agency will be forced to “contribute to the compromise of personally identifiable information by spreading it further.” The letter also stated that the bills vague language and broad definitions could lead to “receiv[ing] large amounts of information with dubious value.”

The bill has also been opposed by a number of leading security experts, and privacy organizations such as the Electronic Frontier Foundation. The EFF opposes CISA in its current form because it does not require companies to remove unrelated personal information prior to sharing it with the government.

For Americans who value privacy and liberty, CISA is a looming threat. As is the case with most legislation passed under the guise of protecting the people, it will, in fact, only further erode the peoples freedom and empower the State. We should also take a moment to recognize that this growing Surveillance State could not happen without a compliant partner, the corporations that provide our personal data to the government.

Keep an eye on the CISA saga throughout the coming months. An endorsement from the White House is a sure sign that President Obama wants the “cybersecurity” measure to be a part of his legacy before he leaves office.

What are your thoughts on CISA? Is it necessary to protect your data from hackers? Or is this another government ploy to spy on your activity?

‘Cyber Information Sharing’ Bills Give Government New Surveillance Powers

Washington, April 24, 2015 – On April 22nd, the Protecting Cyber Networks Act and the National Cybersecurity Protection Advancement Act were both passed by the U.S. House of Representatives. Both bills will be combined and now head to the Senate for approval.

Described as “cybersecurity information sharing” bills that would make it easier for the government to defend against cyber attacks and allow companies to more easily share intelligence with government agencies, critics say the bills are more accurately described as “surveillance” bills. The American Civil Liberties Union says the Protecting Cyber Networks Act  (H.R. 1560) and the National Cybersecurity Protection Advancement Act (H.R. 1731, the “Homeland Bill”) will both work to further erode privacy and expand the ability of the government to monitor communications.

“The bills further facilitate companies’ sharing even more of our personal information with the NSA and some even allow companies to ‘hack back’ against potentially innocent users.” – Electronic Frontier Foundation

Specifically, the bills would create a new cybersecurity spy agency, and remove existing privacy protections. By adding the phrase “notwithstanding any law,” companies will be able to share information among themselves, and with the government. The information does not have to be directly related to an ongoing cybersecurity investigation. The language in the bill will also protect the companies who share information from being sued.

The bills do include provisions which require a company to review and redact any information that is personal or not related to a cyber threat. However, the ACLU says companies can still include information that it believes is plausibly “directly” related to the threat, and can do so with impunity.

Once the information is shared with the government it can easily, and legally, be shared with an abundance of intelligence agencies. The information will automatically be shared with the military, including the NSA and the Office of the Director of National Intelligence. From there the information can be shared with federal, state, and local law enforcement. Once again the information can  be used for reasons that go beyond alleged cybercrimes.

The ACLU stands with the Open Technology Institute, the Center for Democracy and Technology, and the Electronic Frontier Foundation in opposition to these bills. The organizations joined 55 rights groups in an open letter voicing strong opposition to the bills.

“What we shouldn’t be doing, however, is passing a bill that gives even more personal information on innocent individuals to the NSA and allowing that information to be mined for purposes unrelated to protecting against hackers.” – American Civil Liberties Union

The Center for Democracy and Technology says they acknowledge realistic threats posed by hackers but warned, “The cybersecurity information sharing bills… go well beyond authorizing necessary conduct and in fact, authorize dangerous conduct harmful to both security and privacy. We urge members to oppose both bills.”

What are your thoughts? Is there any way to protect Americans’ privacy?

Report Exposes CIA’s Attempts to Hack Apple Devices

A report released on Tuesday by The Intercept asserted that researchers within the Central Intelligence Agency (CIA) have been engaged in a “multi-year, sustained effort” to sabotage the security of Apple’s iPhones and iPads, using a variety of methods including creating dummy software targeted towards developers and attempting to crack Apple’s encryption keys. The Intercept based its report on documents provided by NSA whistleblower Edward Snowden.

According to The Intercept, the researchers discussed ways to exploit security flaws of the devices at a secret annual meeting called the Trusted Computing Base Jamboree. It is claimed that the researchers created a modified version of Xcode, Apple’s development software that is used to create apps. The modified version of Xcode would let the CIA, NSA and other agencies to access apps created by developers using the modified software:

“The researchers boasted that they had discovered a way to manipulate Xcode so that it could serve as a conduit for infecting and extracting private data from devices on which users had installed apps that were built with the poisoned Xcode. In other words, by manipulating Xcode, the spies could compromise the devices and private data of anyone with apps made by a poisoned developer — potentially millions of people.”

The Intercept reported that the researchers had also made efforts to utilize keylogging software, which would record every stroke typed by a user affected by the software.

The documents provided by Snowden do not specify that the CIA’s efforts to break into Apple devices have been successful. The CIA and NSA have not yet responded to The Intercept’s report.

“Spies gonna spy,” Steven Bellovin, a former U.S. Federal Trade Commission chief technologist who is now a professor at Columbia University, told The Intercept. “I’m never surprised by what intelligence agencies do to get information. They’re going to go where the info is, and as it moves, they’ll adjust their tactics. Their attitude is basically amoral: whatever works is OK.”

According to The Intercept, government agencies have desired the continuous ability to “bypass security tools built into wireless devices.” Apple’s CEO, Tim Cook, made a pledge last year to protect the privacy of Apple users, especially from all government agencies. On Apple’s website, Cook wrote that “I want to be absolutely clear that we have never worked with any government agency from any country to create a backdoor in any of our products or services. We have also never allowed access to our servers. And we never will.”

Apple declined to respond to the report from The Intercept, and instead referred the publication to the company’s previous privacy statements.

DHS Urges Lenovo to Remove Israeli Software, Fearing Cyberattacks

by Jason Ditz, February 22, 2015

The Department of Homeland Security (DHS) has advised Chinese laptop maker Lenovo Group to stop installing the Superfish adware on its computers, saying it makes those computers vulnerable to cyberattacks.

Superfish, developed by Israel-based Komodia, has been installed on all computers by Lenovo, the world’s largest PC maker, since 2010. The software introduces vulnerabilities in the way it collects data to serve up ads, and security experts warn it could easily be co-opted to steal user data outright.

Lenovo has denied that Superfish monitors user behavior or records any data, though it is clear that the vulnerabilities it introduces, including a self-signed certificate, could be used to do so.

Lenovo has offered a removal tool on its website as well as instructions to manually remove Superfish from a computer, which users are urged to do. Superfish is Windows exclusive, so consumers who have bought Lenovo laptops but are not running Windows on them are not impacted.

Report: Obamacare Website Sharing Users’ Information with Third-Party Tech Firms

On Tuesday, a report was released that shed light on the vulnerability of HealthCare.gov users’ information to third-party tech firms.

Following an investigation, the Associated Press revealed that the HealthCare.gov website is “quietly sending consumers’ personal data to private companies that specialize in advertising and analyzing Internet data for performance and marketing.”

This personal data may include the user’s Internet address, age, ZIP code, income, and information on whether the user smokes, or is pregnant.

According to the Associated Press, while the Obama administration claims the website’s connections to data firms “were intended to help improve the consumer experience,” there were connections to “dozens of third-party tech firms,” and seven of the companies were “also collecting highly specific information.”

In a letter to the Obama administration, Republican Senators Orrin Hatch of Utah, and Charles Grassley of Iowa voiced their concerns:

“This new information is extremely concerning, not only because it violates the privacy of millions of Americans, but because it may potentially compromise their security.”

The Associated Press reported that although third-party sites embedded on HealthCare.gov can’t see a user’s “name, birth date or Social Security number,” they can correlate the fact that the computer accessed the government website with the user’s other Internet activities.

While Cybersecurity was one of the topics Obama discussed during his State of the Union address on Tuesday night, the emphasis was on keeping private information from falling into the hands of foreign nations, rather than keeping users’ private information from being shared by the U.S. government

No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids,” said Obama. “We are making sure our government integrates intelligence to combat cyber-threats, just as we have done to combat terrorism.”

NSA Justifies Blaming North Korea for Sony Hack by Revealing US First Hacked North Korea

Recently leaked documents from the National Security Agency (NSA) reveal that the United States hacked North Korea’s computer system in 2010, in order to monitor the activity of the country’s hackers. This knowledge is being used to justify the Federal Bureau of Investigation’s (FBI) claim that North Korea is behind the massive hack on Sony Pictures, which occurred in November 2014.

Following the revelation of the Sony hack, the FBI released a statement, saying North Korea was responsible:

“The FBI has concluded the Government of North Korea is responsible for the theft and destruction of data on the network of Sony Pictures Entertainment. Attribution to North Korea is based on intelligence from the FBI, the U.S. intelligence community, DHS, foreign partners and the private sector.”

Some Cybersecurity experts in the United States were skeptical of North Korea’s ability to carry out such a massive hack, and instead labeled it an inside job.

Kurt Stammberger, the senior vice president of the Cybersecurity firm Norse, told CBS News that his firm believes the Sony hack was so devastating, it could have only been accomplished by someone on the inside. “Sony was not just hacked, this is a company that was essentially nuked from the inside,” Stammberger said.

Although many questioned how the agency had obtained such concrete evidence of North Korea’s involvement, the FBI stuck by its claim, giving the explanation that the “Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed.”

On Sunday, the New York Times released a leaked document from the NSA, which revealed that the US had hacked into North Korea’s computer system in 2010.

According to the New York Times, the US hacked into North Korea’s system to “place malware that could track the internal workings of many of the computers and networks used by the North’s hackers,” and the “evidence gathered by the ‘early warning radar’ of software” was used to justify the claim that North Korean leader Kim Jong-un had ordered the attack.

Seeking retaliation for the Sony hack, Obama announced a round of sanctions against North Korea on January 2, which will target three companies and ten North Korean officials.

The Independent noted that when President Obama addressed the cyber attack in December, and placed the blame on North Korea, it was the “first time the US had ever explicitly accused a foreign government of launching a cyber-attack on American interests.”

Obama says Sony made a ‘mistake’ after canceling film release

President Obama, in his final press release for 2014, has said the cancellation of the film “The Interview” by Sony Pictures was a “mistake,” and the company should have talked to him before moving forward with their plans.

The president said he was sympathetic towards Sony, and all the employees who were threatened after the recent cyber attacks against the company, and understands their desire for safety.  However, he then went on to say, according to ABC News, “I think they made a mistake,” with concern to the companies decision to cancel the release of the comedy movie.

Afterwards, the president stated, according to RT, “I wish they would’ve spoken with me first. I would have told them: do not get into a pattern in which you’re intimidated by these kinds of criminal attacks.

The Sony hacks and cancellation of the film though, were also said to be an example of how the U.S. needs to pass a cybersecurity bill by Congress.

“In this interconnected digital world, there are going to be opportunities for hackers to engage in cyber-assaults both in the private sector and in the public sector… We need more rules about how the internet should operate,” the president said according to Boing Boing.

Representative Mike Rogers (R-Michigan) and Sen. Dianne Feinstein (D-California) echoed the president’s for more regulation over the internet.

“This is only the latest example of the need for serious legislation to improve the sharing of information between the private sector and the government to help companies strengthen cybersecurity,” said Sen. Feinstein.  “We must pass an information sharing bill as quickly as possible next .”

The New CISPA: Cybersecurity bill passes through Senate Committee

The Cyber Information Security Act (CISA) has passed through the Senate Select Committee on Tuesday by a vote of 12-3, pushing the bill one step further to reaching the Senate floor.

CISA is the latest reincarnation of internet-security based bills to be voted on by the government.  Last year, a similar bill called the Cyber Information Sharing and Protection Act (CISPA) passed the House, but was met with controversy over what opponents of the bill called a lack of privacy protections.

“The Cybersecurity Information Sharing Act (CISA),” reports Julian Hattem from the Hill, “makes it possible for companies and government agencies to share information about possible hackers and security weaknesses with each other, which advocates say is critical to make sure that blind spots aren’t left untended for long.”

Senate Intelligence Chairwoman Dianne Feinstein (D-CA), one of the people responsible for the creation of CISA, argues the bill would allow businesses and government agencies to more easily exchange information with regards to cyber-attacks.

Feinstein said, according to VPN Creative, “Every week, we hear about the theft of personal information from retailers and trade secrets from innovative businesses, as well as ongoing efforts by foreign nations to hack government networks…this bill is an important step toward curbing these dangerous cyberattacks.”

Opponents to this bill and similar bills have used the Edward Snowden leaks as evidence of the government and NSA abusing cybersecurity flaws in the name of national security.

Senators Ron Wyden (D-OR) and Mark Udall (D-CO) both voted against the bill, saying in a joint-statement, they agree cyber-attacks are a serious threat to American infrastructure, but they have also seen “how the federal government has exploited loopholes to collect Americans’ private information in the name of security.”

The Center for Democracy and Technology also found faults with the bill, saying on the groups website, the bill fails to recognize and address “recently-disclosed cybersecurity-related conduct of the National Security Agency (NSA), some of which undermines cybersecurity.”  The CDF also says the bill would allow law enforcement agencies to wiretap individuals in the name of cybersecurity.

The bill will be heard next by the whole Senate and will be voted on in the coming months.