January 27, 2014 5:39 PM
Posted by: Sharon Fisher
, federal government
, homeland security
In the tv show the West Wing, there’s an episode in the first season called “Take Out the Trash Day,” where Josh explains to Donna that in White House parlance, “take out the trash day” refers to the practice of releasing potentially embarrassing news stories at a time when people aren’t likely to see them.
On December 31, the Federal Judicial Court took out an epic piece of trash.
As you may recall, the Department of Homeland Security (DHS) announced in August, 2009, a policy regarding searches of computers at the border. As you may also recall, U.S. Customs and Border Protection has jurisdiction to enforce laws within 100 miles of the border. And while 100 miles of the border doesn’t sound like much, you may also recall that, according to the American Civil Liberties Union (ACLU), as of 2006, more than two-thirds of the U.S. population lived within 100 miles of the border. All together, it meant that anyone in that area with a laptop could have that laptop seized without a warrant, at any time, taken to a lab anywhere in the U.S., have its data copied, and searched for as long as Customs deemed necessary.
All caught up now?
In 2010, the National Association of Criminal Defense Lawyers (NACDL), the American Civil Liberties Union (ACLU), the National Press Photographers Association (NPPA), and the New York Civil Liberties Union (NYCLU) filed a lawsuit against this policy, saying it amounted to unreasonable search and seizure, particularly in the case of attorneys who might have information under attorney-client privilege or journalists who might have off-the-record information.
On December 31, Judge Edward R. Korman of the Federal District Court for the Eastern District of New York dismissed the lawsuit, saying, essentially, that it just doesn’t happen all that much (“10 in a million,” according to him, 6,500 between 2008 and 2010 according to the ACLU), the government needs to be able to search laptops to protect the country, and what are people doing taking such secure information out of the country anyway?
“While it is true that laptops may make overseas work more convenient,” Korman wrote in the decision, “the precautions plaintiffs may choose to take to ‘mitigate’ the alleged harm associated with the remote possibility of a border search are simply among the many inconveniences associated with international travel.” He also noted, “[I]t would be foolish, if not irresponsible, for plaintiffs to store truly private or confidential information on electronic devices that are carried and used overseas.”
As it happens, in March, the Ninth Circuit Court reached a somewhat different verdict on a similar case, United States vs. Cotterman, finding that government agents must have reasonable suspicion before engaging in a forensic search, which is a more detailed kind of electronic search — but which, as the Electronic Frontier Foundation pointed out, isn’t defined in the decision. In addition, that decision applies only to the Ninth Circuit.
Korman’s dismissal of the case means that in areas other than the Ninth Circuit, and for cases anywhere that are just a cursory search rather than a forensic search (for which probable cause is required), border agents are still authorized to conduct warrantless searches of electronic devices that store data. That’s not just laptops, but also other devices such as smartphones and electronic cameras. (States covered by the Ninth Circuit include California, Washington, Oregon, Idaho, Montana, Nevada, Arizona, Alaska and Hawaii, according to the New York Times.)
In June, in response to a Freedom of Information Act request filed by the ACLU, the DHS released its December 2011 Civil Rights/Civil Liberties Impact Assessment, which is what explained why the agency felt it needed the right to search people’s electronic devices without a warrant. According to that report, revealing the suspicion could be a matter of national security. In addition, the report continued, it would mean that agents couldn’t act on “hunches,” an opinion that the ACLU criticized. “As the Supreme Court explained in Terry v. Ohio, if law enforcement agents are allowed to intrude upon people’s rights ‘based on nothing more substantial than inarticulate hunches,’ then ‘the protections of the Fourth Amendment would evaporate, and the people would be “secure in their persons, houses, papers and effects,” only in the discretion of the [government],’” the ACLU wrote.
Politifact, in examining the case, pointed out that border searches have been legal for hundreds of years, and that the only difference now is that we’re talking about electronic devices that could have a great deal of data on them.
The ACLU and NPPA are considering whether to appeal Judge Korman’s decision — which could go as far as the Supreme Court.
While one can say, okay, fine, I’ll just encrypt my laptop, keep in mind that case law regarding encryption and whether a person can be compelled to produce the password is far from clear, with a total of half a dozen or so cases that are split pretty evenly. That decision, too, is expected to eventually reach the Supreme Court.
January 24, 2014 6:35 PM
Posted by: Sharon Fisher
Earlier this month, a couple of guys released a free app for the iPhone that they billed as “Snapchat for business.” The app, Confide, is intended to send messages secretly, doesn’t allow people to read over your shoulder or let you take a screenshot, and deletes the messages after they’re read. Moreover, the company uses end-to-end encryption, meaning it can’t read the messages, either, and the messages are never stored on the company’s servers. (Here’s a very detailed description of how it works and looks.)
So what’s wrong with that?
Plenty, and it’s not just the “Eek, people could use it for infidelity!” that the Huffington Post and the Daily Mail were handwringing about.
One use case, writes Business Insider, is the recent incident with Gov. Chris Christie in N.J., who’s accused of having his staff shut down part of a bridge as political payback, and where the staff had email messages incriminating them in this. “Now, if Christie’s aide had used Confide, this wouldn’t be happening,” Jay Yarow writes brightly.
And he thinks this is a good thing?
We’ve certainly seen many examples of government officials erasing messages, using personal email addresses, and otherwise trying to evade proper oversight by the people. If government officials could send email without fear that the messages could be retrieved later, what do we think could happen?
It’s not just in government that this app should scare us. It’s with corporations as well. Numerous legal cases, such as Apple-Samsung, have hinged on incriminating email messages. Moreover, there’s all sorts of regulatory, audit, and accountability issues that could be evaded with this app, writes Bloomberg Business Week.
“Companies face heavy regulatory pressure to preserve—not destroy—business e-mails, financial records, and other documents,” writes Sarah Frier, noting that Barclays was recently fined $3.75 million for failing to retain electronic documents. “If employees are discussing critical information or creating financial records, those probably need to be retained, says Scott Whitney, vice president of product management at social media compliance consultancy Actiance,” she adds.
What do the Confide developers say about the notion of it being used for nefarious purposes? “As for the possibility that professionals could use Confide to skirt legal duties (such as by-laws that require them to preserve corporate communications),” developer Jon Brod handwaved to GigaOm, “the app is simply a platform and that it would be up to individuals to comply with their obligations.”
January 1, 2014 1:01 AM
Posted by: Sharon Fisher
, memory stick
, thumb drives
Okay, here’s a new way to use memory sticks to spread malware — though to be fair, at least this method doesn’t rely on people being stupid enough to pick up strange thumb drives and stick them in their computers.
In a story that has “Law and Order — ripped from the headlines!” all over it, according to the BBC some bad guys in Germany figured out how to cut holes in an ATM, reach in with a thumb drive running a program, and plug it into the ATM’s USB port, upload the program, remove the thumb drive, plug the hole back up, and then use the program uploaded from the thumb drive, with a 12-digit PIN, to tell the ATM to empty its cash drawer. To show the care with which the bad guys wrote the program, it let them pick the biggest bills first, and it required a code from one of the other bad guys, to ensure that none of the bad guys went rogue and started going freelance. When the machine was empty, it would go back to its usual interface, reported the International Business Times.
Presumably the bad guys show up at night, when there aren’t employees around to hear the sound of dozens of bills going whfft-whfft-whfft out the ATM at once.
Because of the knowledge required to cut into the ATM at the right place, write the program, and plug in the thumb drive (ATMs have USB ports? Who knew? What for?), it’s thought to be an inside job, because they displayed “profound knowledge of the target ATMs.” You think?
Presumably the little program shuts down the ATM’s camera as well, because these bad guys haven’t been caught yet. In fact, we’re not really sure this is exactly how the thing works; the unnamed European bank where this is happening asked for help when ATMs’ cash drawers kept turning up empty, and this is conjecture from investigators. They did discover the little program is called hack.bat, which apparently was a Clue. The program has been found on four ATMs thus far.
Researchers — who asked to remain anonymous — revealed the system in a talk at the Chaos Computing Conference in Hamburg, Germany. (They may be anonymous, but they’re readily visible in the recording, and one of them is female, so it shouldn’t be that hard to figure out who they are.)
We’ve written before about the importance of securing USB ports to keep people from, deliberately or not, using them to download data or infect systems with malware, but using them to zombiefy an ATM is a new one. One presumes that ATM manufacturers will quickly be coming up with ways to secure the USB port. If nothing else, they could spend 75 cents and plug something into them so they’re less accessible. Setting up security cameras that aren’t controlled by the ATM is probably on the list as well.
Interestingly, the ATMs in question run Windows XP — yes, the same one that’s supposed to stop being supported as of April 8. It’s previously been said that the unsupported Windows XP could end up harboring all sorts of viruses after that date, which some people chalked up to Fear, Uncertainty and Doubt sowed by Microsoft to get people to migrate. But the notion of viruses targeting ATMs and teaching them to spew out money is an interesting one.
Naturally, the story is charming hackers of all stripes who are busily exchanging war stories about the insecurity of ATMs — models of which are readily available on eBay for convenient home research.
This raises the question of what other things these days have USB ports in in them, or run Windows XP, that could be exploited. Video poker machines? Candy and cigarette machines? Medical equipment?
Incidentally, security researcher Barnaby Jack, scheduled to give a talk earlier this year on hacking implanted medical equipment — who mysteriously died of unrevealed causes days before his presentation, though Reuters said law enforcement had ruled out foul play — presented at Black Hat in 2010 on exactly how to break into an ATM, including how he used social engineering to gain valuable information about the ATM.
December 29, 2013 11:49 PM
Posted by: Sharon Fisher
, disaster recovery
Typically this blog focuses on the intricacies of preserving data, including backups and disaster recovery. However, this time we’re going to talk about destroying it — or, in other words, blowing *&(*&(& up.
The topic has been alluded to before, most recently in the context of the guy who threw a disk drive away and then was trying to figure out a way to find it in the landfill so he could retrieve the up to $7.5 million in Bitcoin from it. It was noted at the time that he could have had a problem with simply throwing away a disk drive in the first place, as the data was still accessible and could have been used for nefarious purposes had it been found, regardless of how much Bitcoin might be on it, and that people getting rid of PCs in the near future might want to be particularly careful because people might be cruising dumps for similar largesse.
This also being the end of the year, typically the end of the budget year when companies buy new equipment, and people get new electronic gadgets for Christmas — particularly for organizations with BYOD policies — means it’s a good time to discuss the proper method of disposing of the old stuff.
A survey last year from Fiberlink, conducted by Harris Interactive, showed the extent of the problem in connection with replaced BYOD devices. “Only 16% had the data professionally wiped from the old device and only 5% had the device securely destroyed,” the report noted. “The majority of respondents, 58%, said they kept the old device, although it remained inactive; 13% turned it over to their service provider; 11% said they donated the device, simply gave it away or threw it in the trash; and 9% did something else with their previous device.”
While there are a number of entertaining ways to destroy disk drives — melting them in acid, setting them on fire with thermite, taking them out to the desert and shooting them (popular here in Idaho) — a number of these methods are apparently not only dangerous but won’t necessarily destroy data on the drives. (Note, for example, that though Adam Lanza reportedly destroyed the hard drives on his computer before his Newton, Conn., shooting rampage, the final report includes information from his computer.)
So how do you get rid of the darn thing?
- Cornell University recommends that disks that will be reused be rewritten three times, following DoD standards, and that disks that are too decrepit to follow this procedure should be physically destroyed by methods such as drilling, hammering, or crushing. “Destroying the logic section of the drive without damaging the platters is insufficient and not recommended,” it cautions.
- In a very thorough 2010 article, Andrew Kelleher, president of Security Engineered Machinery (SEM), a direct supplier of high-security information destruction equipment, recommends a “belt and suspenders” system using at least two methods, such as degaussing the drive with a strong magnet and then shredding it. He also has a lot of contempt for some of the more fanciful methods of disk destruction. “Many so-called methods of destruction border on the insane and unsafe, not to mention the unreliable,” he writes. “Yes, some might be feasible if you have one or two hard drives to dispose of, but even those could pose huge liability risks when done for an employer. If you have time to waste, gloves on your hands, and safety goggles on your eyes, some of these methods might even work. But businesses that have to deal with liability, workplace safety, and the disposal of multiple hard drives should have a problem with these methods, not to mention they are just crazy dangerous! Besides, even if carried out as recommended, most of these measures are far less than 100% effective.”
- Remember to destroy SD cards, SIM cards, and other accoutrements, notes Dark Reading’s Kelly Jackson Higgins.
- Specifically for old ZIP disks, take them apart and run them through the shredder.
Fun as it might be, though, this really isn’t a situation for testing out the new Christmas Glock 9mm. Sorry. Christmas thermite, on the other hand…
December 23, 2013 12:31 AM
Posted by: Sharon Fisher
Joking aside — yes, admittedly places like Washington, D.C. don’t tend to have snowplows, salt, or people who grew up driving in snow — it’s not a bad idea to have snow on your disaster preparation list just like you would any other sort of emergency, even if you live in an area that doesn’t typically get snow.
In fact, it’s probably even more important to have a snow plan ready if you live in an area that doesn’t typically get snow. If you typically get snow, then the municipality and employees know how to deal with it and drivers have had a bag of kitty litter in the trunk since October.
The federal government has actually been leading the way on offering employees a telework option on snow days, ever since it was shut down for five days in 2010 due to snow. In some ways, it’s actually kind of a bummer for the employee because instead of having the snow day off, they have to work, because they can now work at home. But for the organization or agency, it’s an improvement.
“The federal government, in fact, was one of the early pioneers of telework, with the first push coming during the bird flu pandemic scare in the early 2000s, and the biggest push after the massive 2009-2010 snow storms, dubbed Snowmageddon, that shuttered the federal government for days and led to the Telework Enhancement Act of 2010,” writes the Washington Post earlier this month, the day after the entire federal government shut down due to snow. According to the Office of Personnel Management, the new program now saves the government up to $30 million per day, the Post reports.
The OPM announces early in the morning whether the federal government will be shut down or open later due to bad weather, and gives a time that teleworking employees must be either working or taking time off.
Though the telework program was originally set up for bad weather, employees are now taking advantage of it all the time in some agencies. Up to one-third of the U.S. Department of Agriculture teleworks at any one time, the Post writes.
What do you need to do for your employees to be able to telework during snow days or other inclement weather? Employees will need a computer at home — do they need to provide it, or will the company provide it? They’re also need an Internet connection — again, decide ahead of time who’ll pay for this perk — and whatever sort of security you deem appropriate for a remote worker, such as a virtual private network.
The most important thing is to test the setup ahead of time. 7:45 am on a snowy morning isn’t the time to find out whether the telework setup works — if only because the IT people might be stuck at home, too.
December 9, 2013 11:33 PM
Posted by: Sharon Fisher
, digital dark ages
The New York Times published on Friday what we’ve always suspected — that there are agencies in the U.S. federal government that still use floppy disks.
“Every day, The Federal Register, the daily journal of the United States government, publishes on its website and in a thick booklet around 100 executive orders, proclamations, proposed rule changes and other government notices that federal agencies are mandated to submit for public inspection,” writes Jada Smith. “It turns out, however, that the Federal Register employees who take in the information for publication from across the government still receive some of it on the 3.5-inch plastic storage squares that have become all but obsolete in the United States.”
Smith didn’t know which agencies were involved. Thank goodness it’s at least 3 1/2-inch disks, and not 5 1/4-inch (which, incidentally, were designed to be the size of a cocktail napkin because they were invented in a bar), or, Lord preserve us, 8-inch disks.
Surprisingly, Smith mentioned, the Federal Register is not allowed to accept the data on flash drives or SD cards — only floppy disks or CD-ROM. People can also send the information via a secure email system, but it is expensive and not all agencies have upgraded to it, she writes.
Sony quit making 3 1/2-inch floppy disks in 2010, though even then, people were still using them. “The emergence of alternatives such as the CD-RW, which has a storage capacity almost 500 times that of a floppy, and the internet, which enabled swift transfer of floppy-sized files, were effectively its death knell,” wrote the BBC in 2003, when Dell stopped including 3 1/2-inch drives in its equipment. In an era where people store entire movie collections on personal drives and even laptops now come with at least a terabyte, the notion of a disk that could hold maybe one three-minute song is increasingly quaint.
A BBC News piece at the time printed 40 uses people still had for floppy disks – out of more than 1,000 replies. While a number of them were no longer related to their original purpose, ranging from coasters to tiling floors and roofs, a number of responses reported that they were still necessary for the increasingly arcane equipment they were using.
At this point, the biggest problem with 3 1/2-inch disks is likely not the floppy disks themselves but finding working drives on which to read them and machines that still have drivers for the disk drives. In other words, there may be tons of existing data trapped on floppy disks because we no longer have the drives on which to read them — the problem of the “digital dark ages” that we may be facing as an increasing number of historical records end up stored in formats that are often unreadable in ten years or less.
While people are using this as another way to bludgeon the federal government over its lack of IT sophistication, after the healthcare.gov debacle, chances are that commercial companies — up to one-third of which were still running Windows XP as of earlier this year — probably still have a few machines that use floppy disks as well.
November 30, 2013 9:56 AM
Posted by: Sharon Fisher
, terabyte hard disk
, western digital
A little over two years ago, Samsung and Western Digital each announced 9.5 cm 1 TB hard disk drives, which caused me to say at the time “I want a terabyte on my laptop.”
Now’s the time. I just bought a new laptop (a Lenovo T530 Thinkpad) that has a 1 TB hard drive on it. And it’s not even alone, or the first; Googling for laptops for sale with a terabyte bring up dozens, many of them cheaper than mine.
The funny thing is, now that 1-TB laptops are available, people were trying to talk me out of it.
- I should get one with a big solid state disk instead, because that way it would boot up faster.
- I should just use thumb drives or the cloud instead, because that way my data would be more protected rather than being as vulnerable as the laptop.
- I now have a big (2 TB) Network Attached Storage (NAS) drive, and since I work at home most of the time, why not just use that?
And there’s some truth to all those opinions. I could have gotten my new laptop with a 256 gb solid state drive. And yes, it would probably have been faster. But I worry about the downsides of solid-state drives where, basically, the disk gets tired if it’s written on too much. I’m a writer, I’m writing and deleting and rewriting all the time. I didn’t want to have to worry about the lifetime of my drive.
Using the cloud is fine except what if I don’t have Internet access? No storage. And stories like Nirvanix make me worry about depending on any one company for cloud storage. As it is, I have accounts on all of them. It’s part of what’s kept me away from a Chromebook. I live in Idaho, I’m not in a city all the time, and I don’t always have access to the Internet.
Using the NAS is fine, as long as I’m home, but what if I’m not home? Do I always need access to all my data, every minute? Probably not, but you never know; it’s not unusual for me to refer to something a couple of years ago. Like now, for example.
Maybe I don’t really need that much space, but disk space tends to be the second most important gating factor on my laptop use, after memory. (Chrome doesn’t like it when you have 25 tabs open. Who knew.) Yes, according to Parkinson’s Law, data expands to fill the space available, and no doubt I’ll be complaining before long that I’m running out of space on the terabyte drive, too.
Mostly though, I admit it – I just think it would be cool to know I have a terabyte laptop. It’s not just the size queen aspect. As I’ve mentioned before, I came of age when the first PC I bought cost as much for its 10 MB hard drive as it did for the entire computer. The fact that I can not only have a terabyte of my own, but can carry it around with me, is right up there with jetpacks in terms of things I want in the future.
For me, the future is now. I get it next week.
Except in my research, I see there’s now laptops with 1.5 TB hard disks. Hmmm…….
November 29, 2013 12:17 AM
Posted by: Sharon Fisher
, data storage
However bad a day you might have had lately, it can’t compare with that of James Howells.
Howells is the guy from Wales who realized that the hard disk he threw away actually contained a cryptographic key giving him access to Bitcoin – the Internet’s open payment network — worth up to $7.5 million, so now he’s trying to find a way to root through the dump in hopes of finding it.
“Sitting beneath about four feet of garbage in an area of a Welsh landfill the size of a football field sits a fortune — in the form of a computer hard drive that James Howells threw out this summer while cleaning up his workspace,” writes USA Today. “On it: the cryptographic “private key” he needs to access 7,500 Bitcoins. And since the digital currency hit a major milestone yesterday, with a single coin now worth more than $1,000 on the most popular exchange, that tossed hard drive is worth more than $7.5 million.”
So there’s a couple of nuances to that. First of all, the Bitcoin may not *actually* be worth $7.5 mllion. Howells bought the Bitcoin in 2009. Even when he threw the disk drive away earlier this summer, they were worth about $800,000.
“Although Bitcoins have recently become part of the zeitgeist – with Virgin saying it will accept the currency for its Virgin Galactic flights, and central bankers considering its position in finance seriously – Howells generated his in early 2009, when the currency was only known in tech circles,” writes the Guardian. “At that time, a few months after its launch, it was comparatively easy to “mine” the digital currency, effectively creating money by computing: Howells ran a program on his laptop for a week to generate his stash. Nowadays, doing the same would require enormously expensive computing power.”
But just because an individual Bitcoin is worth $1,000 doesn’t mean that he actually may have been able to sell the total for $7.5 million. It’s complicated.
Second of all, Howells could actually have found himself out a lot more than $7.5 million, depending on what else might have been on that disk drive. Throwing away a disk drive with readable data on it? Really?
Periodically, someone discovers that discarded hard disks still have readable data on them. In 2006, a guy bought some hard disks on eBay and discovered all sorts of interesting account information from Idaho Power, a public utility in southwestern Idaho. It turned out that Idaho Power had contracted with a company to destroy 230 hard disks, and the company just put them up on eBay instead. And security experts such as Simson Garfinkel, now Associate Professor at the Naval Postgraduate School in Monterey, Calif., periodically go out and buy hard disks off eBay and Craigslist just to see what sort of interesting stuff people are throwing away.
In 2010, CBS News did a similar report noting that laser printers and photocopiers, too, had hard disks in them that contained data and that people were buying up old printers and finding interesting data on them.
In fact, for the next few months, it might actually be even more of a good idea to be diligent about properly destroying a hard drive. After the news of Howells’ windfall, there may be a sudden surge of interest in discarded hard drives, in case someone else forgot about their Bitcoin trove.
If Howells had destroyed his hard disk properly, he’d still be out the $7.5 million – but at least he wouldn’t be trying to find a way to root through garbage looking for it. (And perhaps he’s better now about doing backups?)
There is one consolation, though – Howells doesn’t have to worry about someone else finding it first. USA Today reports that the city council has said other searchers will be turned away.
November 24, 2013 12:19 PM
Posted by: Sharon Fisher
, memory stick
, thumb drives
Sigh. We tell you and tell you and tell you, but do you listen? “Don’t pick up strange USB sticks from the street and plug them into your computer”? How many times have we told you that?
Now you’ve gone and infected the International Space Station (ISS).
Eugene Kaspersky, the eponymous founder of the Kaspersky Lab security software company, let drop this little bombshell recently while speaking to the National Press Club in Australia. He said he was told this by “Russian space guys.”
“The space guys from time-to-time are coming with USBs, which are infected. I’m not kidding. I was talking to Russian space guys and they said, ‘yeah, from time-to-time there are viruses on the space station,’” Kaspersky reportedly said.
There’s two things to note about this story:
- While some publications pinned the blame on Russian astronauts specifically, it isn’t actually clear which astronauts did this, and whether they did it on purpose or on accident, as my daughter used to say. Kaspersky’s “Russian space guys” apparently didn’t reveal that detail. Either way, the ISS doesn’t control its USB ports and scan USBs before plugging them into multimillion-dollar things in orbit? Srsly? Didn’t they watch “Independence Day?”
- It isn’t clear exactly what sort of malware has infected the ISS. At various points in time, as least as far back as 2008, it has previously been infected with malware – intended to steal online game passwords. (This is what the astronauts do in their spare time? Play Spacecraft Simulator?) i09 reported receiving email from Kaspersky Lab claiming this incident is actually what he had been referring to, not some nefarious plan to crash the ISS into Manhattan or something.
Oh, and the laptops in question were reportedly running not just Windows, but Windows XP. Oy. Reportedly, the ISS switched to Linux in May, partly to avoid the malware problem. Incidentally, at least in the past, the laptops on the ISS didn’t have virus scanning software. Perhaps they do now? Please?
What is clear is that, despite some reports, the ISS has not been infected with Stuxnet, the virus intended to disable Iranian nuclear facilities. In the same speech, Kaspersky had mentioned that Russian nuclear facilities had been infected with Stuxnet, and non-technical reporters, hearing the words “Stuxnet” and “ISS” in the same speech, got excited and conflated the two.
Even if Stuxnet were found aboard the ISS, it would only be a problem if they were running uranium centrifuges up there, and if they are, we have bigger problems.
All together now:
- Don’t stick strange USB sticks in your ports.
- Control access to the USB drives.
- Scan USB drives before inserting them.
We don’t want to have to tell you this again!