Monday, April 21, 2014

Privacy, Hacking, and Information Security Tools: A Primer for Legal Professionals (Part I)

I thought it might be useful to describe some commonly used tools in the Information Security sphere that should be on every attorney's radar, for myriad reasons. Perhaps you are defending a client who has used such a tool; or, you wish to uphold your obligations under the Model Rules to truly make your attorney-client communications confidential.

This may become a multi-part post, given the plethora of tools out there (and further posts will, to some extent, depend on whether people find this post to be useful - so feedback would be great).

1. To start, a tool used by hackers, privacy enthusiasts, and others is Tails, "The Amnesic Incognito Live System." It is a LiveCD/Bootable OS that comes packed with baked-in privacy tools; the most important feature being that the network configuration forces all traffic through the Tor Network. From the Tails page, the OS allows you to:
- use the Internet anonymously and circumvent censorship;
- all connections to the Internet are forced to go through the Tor network;
- leave no trace on the computer you are using unless you ask it explicitly;
- use state-of-the-art cryptographic tools to encrypt your files, emails and instant messaging.
So, you can boot with the LiveCD, do all of your surfing anonymously in the Tails OS (modified Linux), and then restart back into your regular operating system without leaving forensic tidbits on the hard drive; the OS operates in running memory, so upon reboot the memory is wiped (RAM does not persist a reboot, with some caveats). The "Warning" page gives a good synopsis of various gotchas that can limit your anonymity and/or complicate the goal of covering your tracks.

Some people, like yours truly, use Tails in a bootable VM image. There are some drawbacks to that approach (it makes it easier to leave forensic artifacts). Thankfully, I'm not doing anything illegal, so I really don't care. It's a good way to get on Tor and ensure all traffic does indeed travel through onion routing.

**Side note - most people are familiar, at least superficially, with Tor (given the press surrounding Silk Road). However, there are other closed/anonymous peer-to-peer networks out there, most notably I2P. **

2. A lot of people are lulled into a false sense of security when they sign up for offshore or self-avowed "totally anonymous" VPN providers. HideMyAss, a popular VPN provider, didn't hide the ass of a LulzSec member, instead providing information to the FBI that assisted in his arrest. More nuanced still: even if you use a VPN provider that does not keep logs (an assertion I always take with a grain of salt), VPN users often misconfigure their VPN tunnel and accidentally send DNS requests via their regular ISP. So, your traffic is going over the VPN, but if your DNS queries are still going to your ISP outside the tunnel, it is possible to track, at the very least, what sites you are visiting (but not, to be sure, the actual content of the traffic itself). Enter the next tool: DNSLeakTest. This tool runs a test against your configuration to show whether or not you are actually using the DNS servers you want, need, or assumed were set up. For example, when I run the Extended Test using my home internet connection, I receive, inter alia, the following result:

[Screenshot of the Extended Test result from the home connection; not reproduced here.]

What this image shows is that my DNS is being routed to Charter (my provider), in Wisconsin. To be expected when I am surfing without attempting anonymity. But I would not want this to show up if I am trying to be anonymous. Using a common VPN provider, I receive the following results, showing my DNS queries are going through their servers:

[Screenshot of the Extended Test result over the VPN; not reproduced here.]

The key here is that if you are arguing that you never visited (insert site with criminal ties here), and there is a DNS request around the time of the specific activity, you've got a credibility (and evidentiary) problem that is hard to refute. Granted, you are once again trusting the anonymity ("short memory") of the VPN provider's DNS records.
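DNSLeakTest checks the live configuration from the outside. The same question can be asked from the inside of the machine, and the following is an added example of that check, my own code rather than anything from DNSLeakTest or a VPN provider. It reads resolver addresses from resolv.conf-style text and reports any resolver that sits outside the networks the VPN is supposed to use. The VPN resolver range 10.8.0.0/24, the ISP resolver 203.0.113.53 and the IPv6 resolver 2001:db8::53 are constructed sample values; the IPv6 entry shows the common failure mode where an IPv4-only tunnel carries none of the IPv6 DNS traffic, so it keeps going to the ISP.

```python
import ipaddress

# Constructed sample: a resolv.conf as it might look while a VPN is up,
# containing one resolver the VPN pushed and two it did not (all hypothetical).
SAMPLE_RESOLV_CONF = """\
# Generated by the VPN client (constructed sample)
nameserver 10.8.0.1
# ISP resolver left over from the normal configuration
nameserver 203.0.113.53
# IPv6 resolver: an IPv4-only tunnel does not carry these queries
nameserver 2001:db8::53
options timeout:2
"""

# Networks the (hypothetical) VPN provider says its resolvers live in.
VPN_RESOLVER_NETWORKS = ["10.8.0.0/24"]


def parse_resolvers(resolv_conf_text):
    """Return the nameserver addresses listed in resolv.conf-style text.

    Comment lines ('#') and unrelated options are ignored; a malformed
    address is skipped rather than raising, so one bad line does not hide
    the rest of the configuration.
    """
    servers = []
    for raw in resolv_conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2 or parts[0] != "nameserver":
            continue
        try:
            servers.append(ipaddress.ip_address(parts[1]))
        except ValueError:
            continue
    return servers


def find_dns_leaks(resolvers, allowed_networks):
    """Return (as strings) the resolvers that fall outside every allowed network.

    An IPv6 address never matches an IPv4 network, so an IPv6 resolver is
    reported as a leak unless an IPv6 range is explicitly allowed.
    """
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    return [str(r) for r in resolvers if not any(r in net for net in nets)]


def check_resolv_conf(resolv_conf_text, allowed_networks):
    """Parse the configuration and report leaking resolvers."""
    return find_dns_leaks(parse_resolvers(resolv_conf_text), allowed_networks)


if __name__ == "__main__":
    leaks = check_resolv_conf(SAMPLE_RESOLV_CONF, VPN_RESOLVER_NETWORKS)
    if leaks:
        print("DNS queries may bypass the VPN via:", ", ".join(leaks))
    else:
        print("all resolvers are inside the VPN's resolver networks")
```

On a real machine you would feed it the contents of /etc/resolv.conf (or whatever your VPN client writes) and the resolver ranges from the provider's documentation; an empty result means the configured resolvers are the VPN's, which is the same thing the Extended Test is checking from the other end.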

3. When it comes to chatting, many users swear by Cryptocat. The app is described as follows:
Cryptocat is a fun, accessible app for having encrypted chat with your friends, right in your browser and mobile phone. Everything is encrypted before it leaves your computer. Even the Cryptocat network itself can't read your messages.
With the following caveats:
Cryptocat is not a magic bullet. Even though Cryptocat provides useful encryption, you should never trust any piece of software with your life, and Cryptocat is no exception.
Cryptocat does not anonymize you: While your communications are encrypted, your identity can still be traced since Cryptocat does not mask your IP address. For anonymization, we highly recommend using Tor. 
Cryptocat does not protect against key loggers: Your messages are encrypted as they go through the wire, but that doesn't mean that your keyboard is necessarily safe. Cryptocat does not protect against hardware or software key loggers which might be snooping on your keyboard strokes and sending them to an undesired third party. 
Cryptocat does not protect against untrustworthy people: Parties you're conversing with may still leak your messages without your knowledge. 
Cryptocat aims to make sure that only the parties you're talking to get your messages, but that doesn't mean these parties are necessarily trustworthy.
4. With respect to mobile messaging apps, it should also be noted that there are various other apps advertising the same anonymity. See the following:
  • Confide - "Your Off-the-Record Messenger" -- From the website: "Spoken words disappear after they're heard. But what you say online remains forever. With confidential messages that self-destruct, Confide takes you off the record."
5. On the hacking side of things, there are a few popular LiveCDs that bundle common hacking tools into an easy-to-use interface. The following distros are worth taking a look at:
  • Kali Linux - "The most advanced penetration testing distribution, ever" -- (formerly Backtrack) -- Kali is a LiveCD used by penetration testers, hackers, and information security professionals to streamline various hacking/recon/exploitation tasks. It includes Metasploit, the most used exploitation tool out there. Metasploit is the tool of choice for "script kiddies," essentially allowing exploitation of systems with no coding; a hacker normally must only provide a few parameters and choose a payload before the ownage of systems can commence.
6. Finally, much has been made of social engineering as the easiest, most effective, and hardest-to-defend method of enterprise infiltration. (In security, the weakest link is often the human element.) Social engineering has been used to gain ownership of Twitter accounts (too many examples to note), in the RSA breach, etc. See this article from Dark Reading for more evidence: Socially Engineered Behavior To Blame For Most Security Breaches.

The toolkit of choice for script kiddies, penetration testers, and various others is TrustedSec's Social-Engineer Toolkit (SET). TrustedSec's website notes:
The Social-Engineer Toolkit has over 2 million downloads and is aimed at leveraging advanced technological attacks in a social-engineering type environment. TrustedSec believes that social-engineering is one of the hardest attacks to protect against and now one of the most prevalent. 
The Toolkit makes it trivial to create webpages that are identical to real enterprise websites that require credentials (allowing login/password harvesting), and also allowing Man-in-the-Middle attacks where the engineered website is passed off as a legitimate portal while the SSL traffic is stripped in the middle (allowing the "hacker" to obtain unencrypted credentials without alerting the user). The toolkit also automates phishing and has various tools and tips to help trick enterprise users into giving up the keys to the kingdom.


Sunday, October 6, 2013

Federal Ct. in web scraping case: accusations of "hacking" and "theft" could be defamatory, but privileged under facts


Can accusing someone of harvesting data from a publicly accessible webpage, by referring to that conduct as "hacking" and/or "theft," be a defamatory statement? Under the facts noted below, a federal court just said "yes," but ultimately found the statements privileged. There is an interesting discussion in the opinion about "protecting" website data with an exclusion in robots.txt (although, as an aside, robots.txt doesn't protect much of anything), and whether that choice to exclude makes any legal difference. The court also discusses the unsettled nature of CFAA law at the time the statement was made; to the court, the muddled precedent regarding whether scraping public web data was a CFAA violation was germane to determining if an accusation of "hacking" was accurate (i.e. a legal cause of action under the CFAA could be sustained).

As an initial matter, here is Merriam-Webster Online's definition of "hack":
intransitive verb
...
4 a: to write computer programs for enjoyment
  b: to gain access to a computer illegally
noun (1)
...
6: a usually creative solution to a computer hardware or programming problem or limitation

hack 1 (hăk)
v. hacked, hack·ing, hacks
v.tr.
...
3. a. Informal To alter (a computer program): hacked her text editor to read HTML.
   b. To gain access to (a computer file or network) illegally or without authorization: hacked the firm's personnel database.
v.intr.
a. To write or refine computer programs skillfully.
b. To use one's skill in computer programming to gain illegal or unauthorized access to a file or network: hacked into the company's intranet.
...
The American Heritage® Dictionary of the English Language, Fourth Edition copyright ©2000 by Houghton Mifflin Company. Updated in 2009. Published by Houghton Mifflin Company. All rights reserved.

hack1
vb
...
7. (Electronics & Computer Science / Computer Science) to manipulate a computer program skilfully, esp. to gain unauthorized access to another computer system
...
Collins English Dictionary – Complete and Unabridged © HarperCollins Publishers 1991, 1994, 1998, 2000, 2003

And from the Oxford English Dictionary, Copyright © 2013 Oxford University Press:
"hacking"
1.
...
d. The use of a computer for the satisfaction it gives; the activity of a hacker (hacker n. 3). colloq. (orig. U.S.).
1976 J. Weizenbaum, Computer Power & Human Reason iv. 118: The compulsive programmer spends all the time he can working on one of his big projects. ‘Working’ is not the word he uses; he calls what he does ‘hacking’.
1984 Times 7 Aug. 16/2: Hacking, as the practice of gaining illegal or unauthorized access to other people's computers is called.
1984 Sunday Times 9 Dec. 15/2: Hacking is totally intellectual—nothing goes boom and there are no sparks. It's your mind against the computer.
In Tamburo v. Dworkin, -- F.Supp.2d -- (N.D. Ill. Sept. 26, 2013), Judge Joan B. Gottschall granted the motion for summary judgment of Henry (another named defendant); the causes of action against Dworkin were (1) tortious interference with a contractual relationship, (2) tortious interference with prospective economic damage, (3) defamation per se, and (4) defamation per quod.

The court stated the facts as follows:
The essential facts in this 2004 case are undisputed. Defendant Kristen Henry, a dog breeder and computer programmer, spent almost five years creating an extensive database of dog pedigrees, which she made freely available for use by fellow breeders through her web site. Plaintiffs John Tamburo and Versity Corporation (“Versity”) used an automated web browser to harvest the data from Henry’s website. They incorporated it into software which they attempted to sell to dog breeders for a profit. Henry was outraged. When the plaintiffs spurned her requests to cease using her data, she reached out to the dog breeding community, through emails and online messages, for assistance in responding to the plaintiffs’ misappropriation of her work. This lawsuit arose from her statements.
Henry (defendant) accused Tamburo of "hacking" in a Freerepublic.com article, as well as in an email; Henry also made various statements to a dog enthusiast message board using the words "theft" and "steal." One of the statements read: "[Tamburo] has written an agent robot to go to these individual sites and steal certain files...that were not offered to them except through a query user interface for page by page query of a single dog’s pedigree at a time."

Addressing the defamation allegations, the court analyzed whether the statements were non-actionable because they were either substantially true or protected by privilege. The court first discussed the defendant's use (or lack thereof) of robots.txt, which the court refers to as "the Robot Exclusion Standard." The court stated:
The parties dispute whether Tamburo and Versity evaded security measures to access Bonchien.com. Henry contends that a user could access the data on her site only through a query based search, by entering an individual dog name and the generations of ancestry to be displayed. Tamburo, however, states that the data could also be accessed through the site’s URL. He states in his affidavit that Henry admitted during her deposition that the URL used by the Data Mining Robot to access the web site was plainly visible, and that her allegations that the plaintiffs accessed data from non-public areas of the web site were false. 
Henry states in an affidavit that she did not give Tamburo or Versity express permission to access and gather the data on her website by any automated means, such as the Data Mining Robot. She contends that she placed a “robots.txt” header on the site to keep robots from indexing the site. The robots.txt protocol, or Robot Exclusion Standard, is a convention “to instruct cooperating web crawlers not to access all or part of a website that is publicly viewable. If a website owner uses the robots.txt file to give instructions about its site to web crawlers, and a crawler honors the instruction, then the crawler should not visit any pages on the website. The protocol can also be used to instruct web crawlers to avoid just a portion of the website that is segregated into a separate directory.”
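The court's description of the Robot Exclusion Standard as a convention "to instruct cooperating web crawlers" is exactly right, and the aside above that robots.txt "doesn't protect much of anything" follows from it. The following added example (my own code, not from the parties, the court, or Bonchien.com) shows why, using Python's standard-library robots.txt parser. The robots.txt text, the host name example.invalid and the pedigree paths are constructed: a crawler that honours the file declines to request the excluded pages, while the server answers a crawler that never reads the file in exactly the same way, because the file is advice to the client, not a control on the server.

```python
from urllib.robotparser import RobotFileParser

# Constructed robots.txt in the spirit of the one the opinion describes:
# the site owner asks crawlers to stay out of the per-dog pedigree pages.
# Paths and host name are hypothetical.
ROBOTS_TXT = """\
User-agent: *
Disallow: /pedigree/
"""

SITE_BASE = "http://example.invalid"

# Constructed stand-in for the web server's publicly reachable pages.
# Note that robots.txt is itself just one more public file.
SITE_PAGES = {
    "/": "pedigree search form",
    "/pedigree/rex": "pedigree of Rex (hypothetical record)",
    "/robots.txt": ROBOTS_TXT,
}


def load_rules(robots_text):
    """Parse robots.txt text with the standard-library parser."""
    rules = RobotFileParser()
    rules.parse(robots_text.splitlines())
    return rules


def crawler_may_fetch(robots_text, user_agent, path):
    """The question a *cooperating* crawler asks itself before each request."""
    return load_rules(robots_text).can_fetch(user_agent, SITE_BASE + path)


def serve(path):
    """The server side: it never consults robots.txt, it simply serves the URL."""
    return SITE_PAGES.get(path)


def polite_fetch(user_agent, path):
    """A crawler that honours the Robot Exclusion Standard."""
    robots_text = serve("/robots.txt") or ""
    if not crawler_may_fetch(robots_text, user_agent, path):
        return None  # voluntarily declines to request the page
    return serve(path)


def indifferent_fetch(path):
    """A crawler that never reads robots.txt; the server answers identically."""
    return serve(path)


if __name__ == "__main__":
    print("polite crawler, /pedigree/rex:", polite_fetch("pedigree-bot/1.0", "/pedigree/rex"))
    print("indifferent crawler, /pedigree/rex:", indifferent_fetch("/pedigree/rex"))
```

The only thing that stops the polite crawler is its own call to can_fetch; nothing on the server side changes between the two requests. That is why, for the legal question the court was addressing, robots.txt is evidence of what the owner intended rather than a security measure that was or was not evaded.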
As for allegedly defamatory statements regarding stealing of data, the court found them "substantially true." Here is the court's logic:
Tamburo argues that Henry’s statements that he stole from her are false because he did not commit theft. He did not delete or remove data from Henry’s site (thus depriving her of her property), Henry had made her data freely available, and no robots.txt file was visible on her site at the time the Data Mining Robot copied information on the site. According to Tamburo, because the data was not protected, either legally or by security protections on Henry’s web site, he could not have committed theft by appropriating it. 
Even so, the court concludes that no reasonable jury could find that Henry’s statements were not substantially true. ... It may be true that Tamburo could not be prosecuted or held liable for his actions because the data was publicly available and not protected by adequate security measures. But Tamburo’s argument relies on a narrow legal meaning of “theft.” Under Illinois law, the court must consider whether Henry’s use of the word “theft” is reasonably susceptible to a non- defamatory construction. (citation omitted) It is. To a lay person such as Henry, “theft” can also mean the wrongful act of taking the property of another person without permission. The data Henry had collected could be reasonably understood as her property—she had collected it, and it was her work in compiling it that gave it value. She did not give Tamburo permission to copy it and sell access to it. Although Henry might not be able to successfully sue Tamburo for using her data in this way, the gist of her statements was true: he took the data without her permission.
I can't say I agree with this -- the holding, in essence, means that anyone copying and pasting data from another individual's website is "stealing" that data if pre-approved permission isn't obtained. To me, the choice to post information on the internet, available to anyone in the world, means you assume the risk that your now "public" information will be used by others. You can't steal what is given away for free. And theft normally involves some deprivation of a property interest; what was the website owner deprived of, other than control of the information? Control which was given up when it was posted on the web.

Ultimately, the court held the statements were covered by privilege because "they related to her interests in protecting the substantial time and effort spent accumulating her data and in making it freely available to the community of Schepperke breeders, to promote the health of the breed. She also had an interest in ensuring that her data was presented in a certain way and in controlling the manner in which it could be accessed. Furthermore, the statements were published to people who likewise had an interest in the way in which the dog pedigree data was made available, and they involved a public interest in how access to information available on the internet is regulated."

Also, relating to privilege, the court discussed the state of CFAA law at the time the statements were made:
...Henry was a lay person, and the record shows plainly that as of May 4 and 5, 2004, when she made the statements that her data was “stolen,” Henry believed that Tamburo had stolen her data and was attempting to determine whether the law afforded her any protection against that theft. 
Moreover, even had Henry immediately consulted with an attorney, no such actual knowledge that Tamburo’s actions were lawful would have been revealed. Rather, in May 2004, the law governing the automated harvesting of data from web sites was unsettled. For example, a number of courts had held that website owners might have a remedy under the Computer Fraud and Abuse Act (“CFAA”) against defendants who had accessed information on their websites using automated harvesting. (citation omitted) In 2003, the First Circuit reversed a district court that had issued an injunction pursuant to the CFAA against a company using an automated “web scraper” to copy pricing information from a travel website. The district court had relied in part on “the fact that the website was configured to allow ordinary visitors to the site to view only one page at a time.” (citation omitted) The First Circuit disagreed and noted, “It is . . . of some use for future litigation . . . in this circuit to indicate that, with rare exceptions, public website providers ought to say just what non-password protected access they purport to forbid.” ...
The First Circuit’s opinion suggests that it is unlikely Henry could have pursued a CFAA claim, given the state of the law, and Tamburo is correct that a collection of data is normally not subject to copyright protections. See Feist Publ’ns v. Rural Tel. Serv. Co., 499 U.S. 340, 364 (1991) (noting that “copyright rewards originality, not effort”). Even so, further investigation on Henry’s part would not have revealed that Tamburo’s actions were undisputedly legal or illegal. Thus, even if Henry’s lawyer advised her that Tamburo had acted legally and that she did not have a remedy against him, such advice is not dispositive as to whether she abused the qualified privilege in making the statements in question. Henry was entitled to disagree with the lawyer about whether Tamburo had any right to access her database, another lawyer might have held a different opinion, and her statements were made as part of her efforts to seek help in protecting her interests. Thus, the fact that the law has evolved in a way that does not protect Henry’s years of work is not evidence that she made the statements about Tamburo’s theft with “a high degree of awareness of the[ir] probable falsity or entertaining serious doubts as to [their] truth.” (citation omitted)
Finally, addressing hacking, the court stated:
Tamburo argues that Henry’s statement that he committed “hacking” and that he took data from non-public areas of her website are defamatory because they imply illegal activity. He claims that the statements are false because he did not evade any security measures employed on Henry’s site, and no prohibition on robotic browsing was visible on the site.
The statements that Tamburo “wrote an agent robot to take specific files off of specific sites” and that the “files were not in a public venue” are substantially true and thus not actionable. Although Tamburo argues that the files were accessible to him through a URL, it is undisputed that Henry’s site was designed to allow the user to search manually for the pedigree of an individual dog. Nothing in the record indicates that Henry intended to make the entire database available to the public. The “gist” of the statements is therefore true. (citation omitted)
As to the word “hacking,” Henry argues that the term is susceptible to innocent construction because “the term has positive connotations,” implying the development of “a creative solution” to a computer problem. (citation omitted) The innocent construction rule “requires a court to consider the statement in context and give the words of the statement, and any implications arising from them, their natural and obvious meaning.” (citation omitted) Courts “are to interpret the words of the statement as they appear to have been used and according to the idea they were intended to convey to a reader of reasonable intelligence,” and “should avoid straining” to give a term an innocent meaning. (citation omitted) Although Henry proposes that the word “hacking” can be used to convey an innocent meaning, it is clear from the context of her statement that she meant to imply that the way Tamburo accessed her database was unethical or illegal, not “creative.” Thus, the word, as used by Henry, was defamatory.
Even so, the statement is protected by the same qualified privilege that renders Henry’s statements about theft non-actionable. Tamburo has presented no evidence showing that Henry abused the privilege. Although she admitted during her deposition that Tamburo had not evaded any security measures on her site, nothing in the record indicates that, at the time she made the statement about “hacking,” on May 5, 2004, she had serious doubts about the truth of the statement. Rather, the evidence shows that Henry designed her website to make data available to the public through a query search, which would provide information about one dog pedigree at a time. There is no dispute that this was the way Henry intended the site to be used, and that Tamburo instead accessed the site in a way that allowed him to copy Henry’s entire database.

Friday, September 20, 2013

Current issue of American University Law Review focuses on cybersecurity landscape


Volume 62, Issue 5 of the American University Law Review features a variety of works tackling the challenging and often complex issues surrounding cybersecurity. The Foreword, written by Jorge L. Contreras, Laura DeNardis and Melanie Teplinsky, states that this special issue
represents the culmination of a concerted effort to bring together scholars, legal practitioners, industry representatives, and government officials to discuss and debate the pressing issues surrounding cybersecurity in today’s increasingly interconnected environment.
As is the case with cybersecurity policy, the topics vary greatly. While the article by appellate advocacy counsel for the Electronic Privacy Information Center, Alan Butler, addresses "the novel approach to cybersecurity policy by considering the implications of the Third Amendment of the U.S. Constitution," the piece by Professor Scott Shackelford, assistant professor of business law and ethics at the Indiana University Kelley School of Business, "searches for alternative avenues to foster cyberpeace by applying a novel conceptual framework termed polycentric governance."

The latest issue of the American University Law Review is a great read for those interested in anything cybersecurity. Here are the links to the articles:

Jorge L. Contreras, Laura DeNardis, & Melanie Teplinsky, Foreword, Mapping Today's Cybersecurity Landscape, 62 Am. U.L. Rev. 1113 (2013)

Ivan K. Fong & David G. Delaney, Transcript, America the Virtual: Security, Privacy, and Interoperability in an Interconnected World, 62 Am. U.L. Rev. 1131 (2013)

Keir X. Bancroft, Regulating Information Security in the Government Contracting Industry: Will the Rising Tide Lift all the Boats?, 62 Am. U.L. Rev. 1145 (2013)

Alan Butler, When Cyberweapons End Up on Private Networks: Third Amendment Implications for Cybersecurity Policy, 62 Am. U.L. Rev. 1203 (2013)

Michael McNerney & Emilian Papadopoulos, Hacker's Delight: Law Firm Risk and Liability in the Cyber Age, 62 Am. U.L. Rev. 1243 (2013)

Scott J. Shackelford, Toward Cyberpeace: Managing Cyberattacks Through Polycentric Governance,  62 Am. U.L. Rev. 1273 (2013)

Miles L. Galbraith, Comment, Identity Crisis: Seeking a Unified Approach to Plaintiff Standing for Data Security Breaches of Sensitive Personal Information, 62 Am. U.L. Rev. 1365 (2013)

Peter S. Frechette, Note, FTC v. LabMD: FTC Jurisdiction over Information Privacy is "Plausible," But How Far Can it Go?, 62 Am. U.L. Rev. 1401 (2013)

Danielle E. Sunberg, Note, Reining in the Rogue Employee: The Fourth Circuit Limits Employee Liability Under the CFAA,  62 Am. U.L. Rev. 1417 (2013)

Author's Note: In addition to being an author at Cybercrime Review, Andrew Proia is a postdoctoral fellow in information security law & policy at the Indiana University Center for Applied Cybersecurity Research. David G. Delaney serves as a Senior Fellow at CACR, while Scott Shackelford also serves as an affiliated Fellow. Both have contributed to the recent law review issue described in this post. All opinions expressed by the author of this post are solely in his individual capacity.

Monday, August 19, 2013

Must Read: Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet

Steven M. Bellovin (Columbia), Matt Blaze (Penn), Sandy Clark (Penn), and Susan Landau (Harvard; Sun Microsystems) have posted an incredible paper that was presented at the Privacy Law Scholars Conference in June 2013. The paper is entitled "Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet"; I have a general aversion to the term "must read," so my use of that term is indicative of the quality of the content.

The abstract:
For years, legal wiretapping was straightforward: the officer doing the intercept connected a tape recorder or the like to a single pair of wires. By the 1990s, though, the changing structure of telecommunications — there was no longer just “Ma Bell” to talk to — and new technologies such as ISDN and cellular telephony made executing a wiretap more complicated for law enforcement. Simple technologies would no longer suffice. In response, Congress passed the Communications Assistance for Law Enforcement Act (CALEA), which mandated a standardized lawful intercept interface on all local phone switches. Technology has continued to progress, and in the face of new forms of communication — Skype, voice chat during multi-player online games, many forms of instant messaging, etc. — law enforcement is again experiencing problems. The FBI has called this “Going Dark”: their loss of access to suspects’ communication. According to news reports, they want changes to the wiretap laws to require a CALEA-like interface in Internet software.
CALEA, though, has its own issues: it is complex software specifically intended to create a security hole — eavesdropping capability — in the already-complex environment of a phone switch. It has unfortunately made wiretapping easier for everyone, not just law enforcement. Congress failed to heed experts’ warnings of the danger posed by this mandated vulnerability, but time has proven the experts right. The so-called “Athens Affair”, where someone used the built-in lawful intercept mechanism to listen to the cell phone calls of high Greek officials, including the Prime Minister, is but one example. In an earlier work, we showed why extending CALEA to the Internet would create very serious problems, including the security problems it has visited on the phone system.
In this paper, we explore the viability and implications of an alternative method for addressing law enforcement's need to access communications: legalized hacking of target devices through existing vulnerabilities in end-user software and platforms. The FBI already uses this approach on a small scale; we expect that its use will increase, especially as centralized wiretapping capabilities become less viable.
Relying on vulnerabilities and hacking poses a large set of legal and policy questions, some practical and some normative. Among these are: 
• Will it create disincentives to patching?
• Will there be a negative effect on innovation? (Lessons from the so-called “Crypto Wars” of the 1990s, and, in particular, the debate over export controls on cryptography, are instructive here.)
• Will law enforcement’s participation in vulnerabilities purchasing skew the market?
• Do local and even state law enforcement agencies have the technical sophistication to develop and use exploits? If not, how should this be handled? A larger FBI role?
• Should law enforcement even be participating in a market where many of the sellers and other buyers are themselves criminals?
• What happens if these tools are captured and re-purposed by miscreants?
• Should we sanction otherwise-illegal network activity to aid law enforcement?
• Is the probability of success from such an approach too low for it to be useful? 
As we will show, though, these issues are indeed challenging. We regard them, on balance, as preferable to adding more complexity and insecurity to online systems.

Monday, August 12, 2013

Second LulzSec hacker sentenced in California federal court

According to a press release issued by federal prosecutors on Thursday, August 8, 2013, Raynaldo Rivera (known online as "neuron") "was sentenced . . . to one year and one day in federal prison for participating in an extensive computer attack that compromised the computer systems of Sony Pictures Entertainment." According to the release, District Judge John A. Kronstadt of the Central District of California ordered Rivera to serve "13 months of home detention, to perform 1,000 hours of community service and to pay $605,663 in restitution," in addition to his prison sentence. Rivera is the second member of the "hacking group" to be sentenced for involvement in the Sony Pictures hack, which exposed online the personal information of over 130,000 individuals.

According to a press release by the Federal Bureau of Investigation dated August 28, 2012, Rivera surrendered to authorities after a sealed indictment was returned by a federal grand jury on August 22, 2012. The FBI press release briefly described the indictment as follows:
The indictment alleges that in order to carry out the attack, Rivera allegedly used a proxy server in an attempt to mask or hide his Internet protocol (IP) address. The indictment alleges that Rivera and co-conspirators, including defendant Cody Kretsinger, who was indicted in September 2011 in connection with the same intrusion, obtained confidential information from Sony Pictures’ computer systems using an SQL injection attack against its website. An SQL injection attack is a technique commonly used by hackers to exploit vulnerabilities and steal information. The indictment alleges that Rivera and his co-conspirators distributed the stolen information, including by posting the data on LulzSec’s website, and by announcing the attack via its Twitter account.
Rivera would plead guilty in October 2012 to conspiring to cause damage to a protected computer. As the recent press release details, Kretsinger (known online as "recursion") was sentenced by Judge Kronstadt back in April. Kretsinger's sentence, which was similar to the Rivera order, was also detailed in the recent press release:
In addition to [a prison term of one year and one day], Judge Kronstadt ordered Kretsinger to serve one year of home detention following the completion of his prison sentence, to perform 1,000 hours of community service, and to pay $605,663 in restitution.
Author's Note: For a little more information about the Sony Pictures hack by LulzSec (and a great read), I would suggest Parmy Olson's 2012 book, We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency.

Monday, August 5, 2013

Five hackers indicted in New Jersey federal court for "largest known data breach conspiracy"

UPDATE: The title of this article has been edited to avoid any confusion. A grand jury sitting for the District Court of New Jersey returned an indictment against the named defendants. The district court did not itself indict the defendants. My apologies to any who may have misinterpreted the original heading.

The Department of Justice announced last Thursday, July 25, 2013, that a federal indictment has been issued charging five individuals from Russia and Ukraine for one count of conspiracy to commit computer hacking, one count of conspiracy to commit wire fraud, six counts of unauthorized computer access, and three counts of wire fraud. A recent press release by the U.S. attorney's office has called this indictment the “largest known data breach conspiracy" ever prosecuted by the United States.

According to the release, the five defendants, Vladimir Drinkman, Alexandr Kalinin, Roman Kotov, Mikhail Rytikov, and Dmitriy Smilianets, in cooperation with four other co-conspirators, “allegedly sought corporate victims engaged in financial transactions, retailers that received and transmitted financial data and other institutions with information they could exploit for profit.” The alleged victims include “NASDAQ, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard.” The group is alleged to have stolen “more than 160 million credit card numbers,” resulting in “hundreds of millions of dollars in losses.”

The indictment claims that the defendants utilized sophisticated hacking techniques that compromised users' personal information maintained by the victimized companies. The defendants then sold the information "dumps" to resellers who then, according to the indictment, "sold them either through on-line forums or directly to individuals and organizations ('cashers')."

The indictment itself outlines some of the methods the group is alleged to have used in order to gain access to the companies' information and to conceal their activities. Included in the indictment are allegations that the group used SQL injection attacks (or "methods of hacking into and gaining unauthorized access to computers connected to the Internet") and utilized so-called "bulletproof hosting" (or "leasing servers from which law enforcement supposedly could not gain access or obtain information"). This will be an interesting case, and definitely one to keep an eye on.
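Both the Sony Pictures indictment quoted above and this one name "SQL injection" as the method of entry without saying what it is. For readers who want to see the mechanism, here is an added example, not taken from either indictment or from any of the companies involved: a constructed SQLite table stands in for a customer store, a lookup that splices user input into the query text sits beside the parameterized version that closes the hole, and the textbook tautology input shows why the first returns every row while the second returns none. The table, rows, and function names are all assumptions made for the illustration.

```python
import sqlite3

# Constructed sample data: a tiny customer table standing in for the kind of
# store the indictments describe. Nothing here is data from the cases.
SAMPLE_ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def build_db():
    """Create an in-memory database holding the constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The defect: user input is concatenated into the SQL text, so the input
    can change the query's logic instead of being treated as a plain value."""
    sql = "SELECT username, email FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """The fix: a parameterized query. The value travels separately from the
    SQL text, so whatever it contains is compared as a string, never parsed."""
    sql = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups with an honest username and with the textbook
    tautology input, and report how many rows each returns."""
    conn = build_db()
    honest = "alice"
    # The classic ' OR '1'='1 input: in the vulnerable query it turns the
    # WHERE clause into a condition that is true for every row.
    crafted = "' OR '1'='1"
    return {
        "vulnerable_honest": len(lookup_vulnerable(conn, honest)),
        "vulnerable_crafted": len(lookup_vulnerable(conn, crafted)),
        "safe_honest": len(lookup_safe(conn, honest)),
        "safe_crafted": len(lookup_safe(conn, crafted)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

The defensive point for counsel advising a company is that the fix is not input filtering but never letting data become part of the query text; every mainstream database driver offers the parameter form used in lookup_safe.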

Author's Note: My first thought when reading through the indictment related to extradition (specifically, I wondered how the United States planned to properly prosecute five individuals from Russia and Ukraine). As I believe I might not be the only one with such a question, I thought I should provide a small excerpt from the press release that addresses that issue:
Drinkman and Smilianets were arrested at the request of the United States while traveling in the Netherlands on June 28, 2012. Smilianets was extradited Sept. 7, 2012, and remains in federal custody. He will appear in District of New Jersey federal court to be arraigned on the superseding indictment on a date to be determined. Drinkman is in custody in the Netherlands pending an extradition hearing. Kalinin, Kotov and Rytikov remain at large. All of the defendants are Russian nationals except for Rytikov, who is a citizen of Ukraine.
Mystery solved.

2nd Author's Note: Brian Krebs, a former reporter with the Washington Post and current blogger at KrebsOnSecurity, provided some great commentary on the recent indictment here.

Tuesday, May 28, 2013

A deeper look at United States v. Vargas, the case concerning the NYPD detective accused of violating the CFAA

The recent allegations against New York Police Department detective Edwin Vargas have been making headlines and were the subject of a press release by the U.S. Attorney's Office for the Southern District of New York. The press release announced that on May 20, 2013, a complaint was filed in the Southern District of New York alleging that Vargas had committed two offenses under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030. Below, I take a look at the two counts and offer some thoughts on the "Unlawful Access of Law Enforcement Database" allegation (count two).

The first count alleges that Vargas and other “known and unknown" defendants "willfully and knowingly combined, conspired, confederated, and agreed together and with each other to engage in computer hacking.” Specifically, the complaint alleges that Vargas conspired with individuals associated with an "e-mail hacking service" to violate § 1030(a)(2)(C). That section of the CFAA, for context, states in relevant part:
Whoever . . . intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer . . . shall be punished as provided in subsection (c) of this section. 
The CFAA also provides as an offense, in § 1030(b), any attempt or conspiracy to commit a violation of the Act. According to the complaint, Vargas “paid certain e-mail hacking services to hack into numerous e-mail accounts . . . in order to obtain the log-in credentials for those accounts.” The complaint continues:
In total, Vargas ordered hacks of at least 43 personal e-mail accounts belonging to at least 30 different individuals including 21 who are affiliated with the NYPD; of those 21, 19 are current NYPD officers, one is a retired NYPD officer, and one is current NYPD administrative staff. Vargas accessed at least one personal email account belonging to a current NYPD officer after receiving the account's log-in credentials from the hacking service. 
While the first count contains allegations that one would typically associate with a criminal hacking statute like the CFAA, the second count is a bit more interesting. According to the allegations in the complaint, Vargas:
intentionally and knowingly accessed a computer without authorization and exceeded authorized access and thereby obtained information from a department and agency of the United States, [specifically], Vargas accessed, and obtained information from the federal National Crime Information Center ("NCIC") database, without authorization, and exceeding the scope of his authority. 
Vargas’ alleged actions are believed to have violated § 1030(a)(2)(B) of the CFAA, which states in relevant part:
Whoever . . . intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any department or agency of the United States . . . shall be punished as provided in subsection (c) of this section. 
This allegation centers on Vargas accessing the NCIC database to gain information on fellow NYPD officers (referred to as “Victim 2” and “Victim 3” in the complaint). According to the complaint, FBI Special Agent Samad Shaheani states:
From my discussions with NYPD representatives, I have learned that on or about November 5, 2011, Edwin Vargas . . . accessed the NCIC database and obtained information about Victim 2 and Victim 3. Based on my review of the records provided by the NYPD, I have learned that at the time that he accessed the NCIC database, Vargas was in his precinct in the Bronx. I have learned that Vargas did not have authorization to perform those searches or to access that information about Victim 2 or Victim 3. 
Much of the complaint focuses on the e-mail hacking allegations featured in the first count. However, I have my reservations on whether the second count can hold up. I recently reported on a Southern District of New York case, JBCHoldings v. Pakter, in which the court applied a narrow interpretation of “without authorization” and “exceeds authorization.” As I stated,
In applying the plain meaning of the term “without authorization” the court found that “an employee ‘accesses a computer without authorization’ when he does so without permission to do so. This definition plainly speaks to permitted access, not permitted use.” The court also found the CFAA’s statutory definition of “exceeds authorized access” was inherently similar to the plain meaning of “without authorization” stating, “[b]y its plain terms, this definition also speaks to access, not use.” 
A similar application might come into play in the case against Vargas. While JBCHoldings was a civil case, the court's application of “without authorization” and “exceeds authorized access” might hold some weight as this case moves forward (however, as the court in JBCHoldings observed, "[d]istrict courts within the Second Circuit have taken opposing views [as to the meaning of “without authorization” and “exceeds authorized access”]"). It's true that Vargas might not have had “authorization to perform those searches” or to “access that information,” as the complaint alleges, but the question to consider would be whether Vargas, as an NYPD detective, was generally given access through his employment to use the NCIC system. Did Vargas simply misuse information from the NCIC system that he had the right to access through his employment? If so, that might make the second count against Vargas a bit more challenging. I’ll be interested to see how this case progresses.

What do you think? Feel free to sound off in the comments.

Monday, May 20, 2013

Featured Paper: Hacking Speech: Informational Speech And The First Amendment (Update)

The Northwestern University Law Review's newest issue (a special edition recognizing Northwestern Law faculty member Martin Redish) offers an interesting piece by Andrea M. Matwyshyn titled "Hacking Speech: Informational Speech And The First Amendment." Dr. Matwyshyn is an assistant professor of legal studies and business ethics at the University of Pennsylvania’s Wharton School, a faculty affiliate of the Center for Technology, Innovation and Competition at the University of Pennsylvania School of Law, and an affiliate Scholar of the Center for Internet and Society at Stanford Law School. The abstract appears below:
The Supreme Court has never articulated the extent of First Amendment protection for instructional or “informational” speech—factual speech that may be repurposed for crime. As technology advances and traditional modes of speech become intertwined with code speech, crafting a doctrine that expressly addresses the First Amendment limits of protection for informational speech becomes pressing. Using the case study of “vulnerability speech”—speech that identifies a potentially critical flaw in a technological system but may indirectly facilitate criminality—this Article proposes a four-part “repurposed speech scale” for crafting the outer boundaries of First Amendment protection for informational speech.

Author's Update: I recently contacted Dr. Matwyshyn to expand a bit on her recent article for our readers. Here is what she had to say:
My goal with the article was to highlight existing gaps in the Supreme Court's jurisprudence that will present challenges as courts face future cases dealing with instructional/informational speech and technology. I also sought to propose one possible model for these judicial determinations. As vulnerability exploit markets, 3D printer drivers and other controversial categories of code become more prevalent, it is inevitable that a case of the type considered in the article will end up before the Supreme Court. The Court will then need to decide when, if ever, code crosses the line from protected speech into a regulable commodity and when, if ever, a release of code later used as part of a criminal enterprise constitutes a basis for criminal prosecution. I hope to reinvigorate the legal conversation around these topics.

Wednesday, April 17, 2013

Tallinn Manual applies "international law norms" to cyber warfare

It seems almost every day we see new reports of computer and network “attacks” allegedly perpetrated by nation states. China, Russia, and North Korea have all allegedly been involved in a variety of cyber attacks, and with the evidence mounting as to the now-infamous Stuxnet attack, it can be safely assumed that the United States is not absent from this list. What cannot be assumed, however, is how these attacks fit into the complex set of policies, treaties, and international laws that govern national and international conflicts. Can a country use cyber operations to attack or defend another country? If so, to what extent can these cyber operations be used? How do we define a “cyber attack” under international law?

The Tallinn Manual On The International Law Applicable to Cyber Warfare (Cambridge University Press, 2013) attempts to answer these questions and many more just like them. The Tallinn Manual was prepared at the invitation of the NATO Cooperative Cyber Defence Centre of Excellence and was authored by an “independent, international Group of Experts.” The result is a comprehensive guide that applies various international rules to cyber warfare. The group of experts, led by U.S. Naval War College Professor and international law scholar Michael N. Schmitt, developed a set of “ninety-five ‘black-letter rules’” governing cyber warfare.

Contrary to some reports, the manual is by no means the official policy of NATO but is instead, as stated on the Cooperative Cyber Defence Centre of Excellence’s website, “an expression of opinions of a group of independent experts acting solely in their personal capacity.”

Despite such formalities, the manual is an important document for governments, students, and academics alike. The manual’s in-depth analysis provides a foundation for nations to build upon as they begin to develop in and adapt to an increasingly cyber-dependent world. And while not an authoritative document, it will be interesting to see how the Tallinn Manual impacts the current discussions revolving around the continued escalation of cyber attacks by nation-states.

For a report on the Tallinn Manual, as well as an interview with one of the manual’s authors, Professor Thomas Wingfield, see Bernhard Warner’s Bloomberg article here.

Wednesday, March 13, 2013

Video from House Judiciary Committee’s Subcommittee on Crime, Terrorism, Homeland Security and Investigations re: CFAA

The video of the hearing today can be seen here. It includes commentary from Orin Kerr regarding the Nosal holding of the 9th Circuit and his recommendation that Congress act to amend the CFAA to clarify the ambiguity in the statute regarding "unauthorized access" and "exceeds authorized access" which has led to a circuit split on the statute's reach.

There is also an interesting discussion about hacking back.

Here is a link to the House Judiciary Committee's page with materials about the hearing: "Investigating and Prosecuting 21st Century Cyber Threats"

Nosal on remand - another reading of CFAA's "exceeds authorized access"; court denies motion to dismiss

Update 3 - 12:19pm: I re-read Nosal (en banc), and I believe the court, here, failed to contemplate the following words from the en banc opinion:
Similarly, Facebook makes it a violation of the terms of service to let anyone log into your account. See Facebook Statement of Rights and Responsibilities § 4.8 http://www.facebook.com/legal/terms (“You will not share your password, . . . let anyone else access your account, or do anything else that might jeopardize the security of your account.”) (last visited Mar. 4, 2012). Yet it’s very common for people to let close friends and relatives check their email or access their online accounts. Some may be aware that, if discovered, they may suffer a rebuke from the ISP or a loss of access, but few imagine they might be marched off to federal prison for doing so. 
I am unable to understand how the above scenario differs from the CFAA count against Nosal the court wrangles with, below. Here, an employee logged into a computer they had access rights to and then handed that over to another person who proceeded to download sensitive information. Of course this is a violation of an Acceptable Use Policy/Terms of Use, and there is (likely) liability under theft of trade secrets (and other torts), but is this a federal crime deserving of prison? Judge Kozinski's words in Nosal (en banc) seem to contradict the district court's holding, below.

Also, I am not convinced the court gets the circumventing-technological-access-barriers analysis correct. Nosal did not employ trickery, tools, exploits, or anything else malicious to gain access to the information. He used another human being. Yes, passwords are technological barriers to information. But he didn't circumvent that barrier in a commonly understood (and contemplated) manner, i.e., password guessing, cracking, logical flaws, etc. The court's holding, here, expands the CFAA less than a year after the 9th Circuit reduced its scope.

Update 2 - 11:34am: For those of you, like me, who like to dig a little deeper, here are: Nosal's Motion to Dismiss, the government's Memo in Opposition, and Nosal's reply.

1/17/13 - Nosal's Amended Motion to Dismiss Remaining CFAA Counts And Supporting Memorandum Of Points And Authorities
1/30/13 - USA Memorandum in Opposition to Motion to Dismiss (and Exhibits)
2/13/13 - Nosal's Reply to USA Memo in Opposition (and Exhibits)

Update 1 - 11:07am: In regards to the DMCA language, it may have originated from Jennifer Granick's EFF proposal for changing the language of the CFAA to define "access without authorization" consistent with the DMCA. Orin Kerr has similar language in his proposal (see this Kerr post for a link and thoughts about Granick's proposal), but it was not (to my knowledge) lifted from the DMCA. I think the defense attorney, here, missed the point that these were proposed reforms to the CFAA's statutory language; reading the DMCA language into the statute isn't possible under its current iteration.

******************************************************************************************
In United States v. Nosal, No. CR-08-0237 EMC (N.D. Cal. March 12, 2013), on remand from the en banc opinion of the 9th Circuit, and addressing additional counts, Judge Edward M. Chen denied Nosal's motion to dismiss the remaining CFAA counts (5 were dismissed previously). Nosal argued that the en banc opinion clarified application of the CFAA, requiring dismissal; Chen did not buy it, and provided an interesting take on what Nosal meant, but more importantly, what it didn't mean. I excerpt the relevant analysis portion from Judge Chen's order at length, below, because it is worth it to read the entire thing.

Of note, also, is the fact that in his motion to dismiss the remaining counts, Nosal tried to have "hacking" defined by reading a portion of the DMCA into the CFAA. I thought this was an interesting, albeit totally unworkable and unsound argument. It had to have been conjured understanding that it was a "reach" argument; otherwise, the tactic was distracting and silly owing to the fact that courts rarely read in definitions from completely unrelated statutes, passed many years apart.

First, for some background, see our previous posts on Nosal:

Jeffrey Brown, Ninth Circuit en banc adopts narrow reading of CFAA
Justin P. Webb, Why Nosal's dissent is surprisingly persuasive

Also, see Orin Kerr's testimony to the House Judiciary Committee’s Subcommittee on Crime, Terrorism, Homeland Security and Investigations, which he is giving today, and which references the 9th Circuit's en banc decision in Nosal.

Here is the relevant excerpt from the order denying Nosal's motion to dismiss from Judge Chen of the Northern District of California, mentioned above (the entire order is here (and above): Chen Order denying motion to dismiss) (I have marked in red parts I feel are important/interesting):
D. Application to Remaining CFAA Counts 
1. Defendant's Definition of Hacking 
Defendant now argues that the Ninth Circuit's opinion in Nosal limits the applicability of the CFAA to not just unauthorized access but to hacking crimes where the defendant circumvented technological barriers to access a computer. Thus, Defendant argues, the remaining CFAA claims must be dismissed because they do not include allegations that Defendant or his co-conspirators circumvented any technological access barriers. 
The Ninth Circuit acknowledged that the CFAA was passed "primarily to address the growing problem of computer hacking." Id. at 858. The court further rejected the government's argument that accessing a computer "without authorization" was intended to refer to hackers, while accessing a computer in a way that "exceeds authorized access" necessarily refers to authorized users who access a computer for an unauthorized purpose. 
it is possible to read both prohibitions as applying to hackers: "[W]ithout authorization" would apply to outside hackers (individuals who have no authorized access to the computer at all) and "exceeds authorized access" would apply to inside hackers (individuals whose initial access to a computer is authorized but who access unauthorized information or files). This is a perfectly plausible construction of the statutory language that maintains the CFAA's focus on hacking rather than turning it into a sweeping Internet-policing mandate. 
Id. at 858 (emphasis in original). The court noted that the Defendant's "narrower interpretation [of the CFAA] is also a more sensible reading of the text and legislative history of a statute whose general purpose is to punish hacking – the circumvention of technological access barriers – not misappropriation of trade secrets – a subject Congress has dealt with elsewhere." Id. at 863. 
The court did not, however, explicitly hold that the CFAA is limited to hacking crimes, or discuss the implications of so limiting the statute. For example, the court did not revisit the elements of crimes under § 1030(a)(4) as articulated in Brekka, where it held the elements of a violation of that provision were: (1) accessing a protected computer; (2) without authorization or exceeding such authorization that was granted; (3) knowingly and with intent to defraud; and thereby (4) furthering the intended fraud and obtaining anything of value. Brekka, 581 F.3d at 1132. Nowhere does the court's opinion in Nosal hold that the government is additionally required to allege that a defendant circumvented technological access barriers in bringing charges under § 1030(a)(4). Instead, Nosal holds only that it is not a violation of the CFAA to access a computer with permission, but with the intent to use the information gained thereby in violation of a use agreement. 676 F.3d at 863-64. The court did not address limits on liability under the CFAA based on the manner in which access is limited, whether by technological barrier or otherwise. Id. Thus, Defendant's interpretation is not a fair reading of Nosal on this front is simply incorrect. Hacking was only a shorthand term used as common parlance by the court to describe the general purpose of the CFAA, and its use of the phrase "circumvention of technological access barriers" was an aside that does not appear to have been intended as having some precise definitional force. 
Even if Nosal added a "circumventing technological access barriers" element to crimes under § 1030(a)(4), the indictment sufficiently alleges such circumvention. As the government points out "password protection is one of the most obvious technological access barriers that a business could adopt." Gov.'s Opp. at 1. Faced with this reality, Defendant acknowledges that the Ninth Circuit did not offer a definition of hacking, and urges this Court to look to the definition in the Digital Millennium Copyright Act, which provides that to "'circumvent a technological measure' means to descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner." 17 U.S.C. § 1201(a)(3)(A). However, there is no legal basis to incorporate into the CFAA the Digital Millennium Copyright Act which was passed 14 years after the CFAA and which concerned matters separate and distinct from the CFAA. Moreover, it is noteworthy that neither the CFAA nor the Digital Millennium Copyright Act employs the term "hacking." In any event, even if the Digital Millennium Copyright Act's definition of "circumvent a technological measure" were to inform the scope of the CFAA, as noted above, the actions alleged in the indictment fall within it. Use of another's password "avoids" and "bypasses" the technological measure of password protection. 
Defendant argues that the remaining CFAA claims fail because they do not allege "J.F.'s password was obtained illegally or without her consent." Def.'s Mot. at 5. Defendant's argument is premised in part on the notion that because J.F. allowed Defendant's co-conspirators to use her credentials to access the Korn/Ferry system, the co-conspirators cannot be said to be acting "without authorization" in accessing the Searcher database. In Brekka, however, the Ninth Circuit made clear that it is the actions of the employer who maintains the computer system that determine whether or not a person is acting with authorization. Brekka, 581 F.3d at 1135 ("The plain language of the statute therefore indicates that 'authorization' depends on actions taken by the employer."). Further, the CFAA appears to contemplate that one using the password of another may be accessing a computer without authorization, as it elsewhere provides penalties for anyone who "knowingly and with intent to defraud traffics in any password or similar information through which a computer may be accessed without authorization." 18 U.S.C. § 1030(a)(6). 
Additionally, Defendant argues that the CFAA does not cover situations where an employee voluntarily provides her password to another by analogizing to the law of trespass with regards to physical property: "Just as consensual use of an employee's key to gain physical access is not trespass, consensual use of an employee's computer password is not hacking." Def.'s Mot. at 6. Defendant argues that the court in Nosal held that "the CFAA was based on principles of trespass." Id. This is a mischaracterization of the opinion in Nosal, which merely noted that the CFAA was passed to address the growing problem of hacking, and quoted a Senate report that stated "[i]n intentionally trespassing into someone else's computer files, the offender obtains at the very least information as to how to break into that computer system." Nosal, 676 F.3d at 858 (quoting S.Rep. No. 99-432, at 9 (1986), 1986 U.S.C.C.A.N. 2479, 2487 (Conf. Rep.)). Aside from these passing comments positing an analogy, Defendant points to nothing in the wording of the CFAA or interpretive case law to support its construction. If the CFAA were not to apply where an authorized employee gave or even sold his or her password to another unauthorized individual, the CFAA could be rendered toothless. Surely, Congress could not have intended such a result.

2. "Access" 
The factual scenario presented in count nine, does, however, raises the question of how to interpret the term "access" in the CFAA. Defendant argues that J.F. was the individual "accessing" the Korn/Ferry system when she logged in using her password, and that M.J.'s use of the system after the login does not constitute unauthorized "access" within the meaning of the statute. The government, on the other hand, argues that "access" encompasses ongoing use, including M.J.'s unauthorized use of the system after J.F. logged in. 
In support of its argument, the government cites to two Senate Reports from the CFAA's legislative history. The first, from the 1996 amendments to the CFAA, notes that "the term 'obtaining information' includes merely reading it." Sen. Rep. No. 104-357, at 7 (1996). The government argues that just as "obtaining information" may include merely reading, so too may access be as simple as reading the materials in question. The second Senate Report, associated with the 1986 version of the CFAA, notes the intention to criminalize "knowingly trafficking in other people's computer passwords." Sen. Rep. No. 99-432, at 3 (1986). This comment, however, seems to be in reference to § 1030(a)(6) of the CFAA, which criminalizes trafficking in passwords, and is not at issue in the current case. See id. at 13. 
The Court need not opine on whether § 1030(a)(4) should be read so broadly as to encompass the situation where an unauthorized person looks over the shoulder of the authorized user to view password protected information or files. The allegation in Count Nine is that J.F. logged on to the computer using her credentials, then handed over the computer terminal to M.J., who ran his own searches through the Korn/Ferry database and then downloaded files therefrom. 
Functionally and logically, this is no different than if J.F. gave M.J. the password, and M.J. typed in the password himself. The only distinction differentiating the two scenarios is one based on a constrained and hypertechnical definition of "access" in which access focuses solely on the moment of entry and nothing else. Not only would such a definition produce a non-sensical result; it is not supported by the language of the statute. The crime under § 1030(a)(4) is "accessing" a protected computer, not "entering" or "logging on to" a protected computer. 18 U.S.C. § 1030(a)(4). Nothing in the CFAA suggests anything other than a common definition of the term "access" applies. The Oxford English Dictionary defines "access" as, inter alia, "[t]he opportunity, means, or permission to gain entrance to or use a system, network, file, etc." See Oxford English Dictionary, www.oed.com (emphasis added); see also Black's Law Dictionary (defining access as, inter alia, "[a]n opportunity or ability to enter, approach, pass to and from, or communicate with"). The common definition of the word "access" encompasses not only the moment of entry, but also the ongoing use of a computer system. Under the facts alleged in the indictment, M.J. "proceeded to query Korn/Ferry's Searcher database and download information, after obtaining initial access." SI ¶ 19o. That J.F. entered the password for him rather than having M.J. type it himself does not alter the fact that in common parlance and in the words of the CFAA, M.J. accessed the protected computer system, and he did not have authorization to do so.
I would love comments on this.

Thursday, March 7, 2013

A fantastic social engineering infographic

I thought this was particularly well done:

Hacking the Mind with Social Engineering
Infographic by Veracode Application Security

Wednesday, March 6, 2013

Are we becoming numb to large-scale data breaches?

For the past few weeks, we have been inundated with news of various security breaches from some big names. Here are a few of the biggest ones:
Buzzfeed recently called 2013 "the year of the hack," noting "[t]he hackers have been getting better, and their targets haven't been keeping up. Meanwhile, some victims have begun to believe that rather than concealing their compromised data, their best bet is to speak up about it, in hopes of improving security measures."

An interesting question, however, is whether it works to publicize the hacks. Are people so concerned with information security that they will close an account with a company that is not doing what it needs to do to protect their data? Or, as I imagine is likely the case, are people just becoming immune to it?

Wednesday, February 20, 2013

US cybersecurity firm releases report on Chinese army hacks of American companies

Mandiant, a United States cybersecurity firm, released a report on Tuesday detailing its findings of what it believes to be a series of hacks conducted by the Chinese army. They believe they have detected the hacks of "141 companies spanning 20 major industries."

Here's an excerpt from the executive summary:
The activity we have directly observed likely represents only a small fraction of the cyber espionage that APT1 has conducted. Though our visibility of APT1’s activities is incomplete, we have analyzed the group’s intrusions against nearly 150 victims over seven years. From our unique vantage point responding to victims, we tracked APT1 back to four large networks in Shanghai, two of which are allocated directly to the Pudong New Area. We uncovered a substantial amount of APT1’s attack infrastructure, command and control, and modus operandi (tools, tactics, and procedures). In an effort to underscore there are actual individuals behind the keyboard, Mandiant is revealing three personas we have attributed to APT1. These operators, like soldiers, may merely be following orders given to them by others.
Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China’s cyber threat actors. We believe that APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support. In seeking to identify the organization behind this activity, our research found that People’s Liberation Army (PLA’s) Unit 61398 is similar to APT1 in its mission, capabilities, and resources. PLA Unit 61398 is also located in precisely the same area from which APT1 activity appears to originate.
Mandiant also released a video demonstrating a method used by APT1 to hack American companies.

A Chinese foreign ministry spokesperson responded, "To make groundless accusations based on some rough material is neither responsible nor professional."

The findings have been widely reported, including by the New York Times, Wall Street Journal, and ABC News.

Friday, February 8, 2013

Your Password is Obsolete. Now What?

Be sure to check out this infographic about passwords which describes the hack of Wired writer Mat Honan, explains how hackers are able to get a person's data, discusses alternatives to passwords, and provides password advice. It's really worth a few minutes of your time.

Here's the introduction:
Some say 2012 may have been the year the password broke. With password leaks and dumps becoming common occurrences our lives are simply too easy to crack. That string of characters you use as a password can't protect you anymore.

Friday, November 2, 2012

Recent articles related to technology and the law

Here are some recently published (or posted) articles I found on SSRN that you might enjoy reading. Feel free to e-mail me if you have suggestions for an upcoming list.

GPS / Jones
Privacy
Hacking / Cyber Attacks

Tuesday, October 16, 2012

Hacking Back - are you authorized? A discussion of whether it's an invitation to federal prison or a justified reaction/strategy?

The concept of hacking back has continued to gain attention as cyber-attacks continue. I'd be remiss if I didn't point readers to the Volokh Conspiracy and its latest coverage on the issue. The contenders in this argument, which has gone back and forth for 4 days so far, are Stewart Baker, a Partner at Steptoe & Johnson, with experience working for DHS, and Orin Kerr, Fred C. Stevenson Research Professor of Law at The George Washington University.

As an initial matter, Jeffrey and I did a back and forth on this in June. Our posts can be found here:

Justin's take - The Illegality of Striking Back Against Hackers
Jeffrey's argument in the alternative - An Attempt to Make the Case for "Hacking Back"

In a generalized way, it appears I side with Orin Kerr, whereas Jeffrey's argument in the alternative (which is not necessarily his view) is more favorable to Stewart Baker. Here are the posts from the Volokh Conspiracy, in chronological order:

October 13th, Stewart Baker, RATs and Poison: Can Cyberespionage Victims Counterhack?
October 14th, Stewart Baker, RATs and Poison II — The Legal Case for Counterhacking
October 15th, Orin Kerr, The Legal Case Against Hack-Back: A Response to Stewart Baker
October 16th, Stewart Baker, The Legality of Counterhacking: Baker Replies to Kerr

I will update if the back and forth on the VC continues.

Update Oct. 16th, 12:53pm CST: Kerr just responded in another post
October 16th, Orin Kerr, More on Hacking Back: Kerr Replies to Baker

Update Oct. 16th, 5:00pm CST: Baker's final response
October 16th, Stewart Baker, The Legality of Counterhacking: Baker’s Last Post

Update Oct. 17th, 6:18pm CST: Kerr's final post
October 17th, Orin Kerr, A Final Post on Hacking Back

Wednesday, October 10, 2012

If I read your emails, change your password, and use your emails against you in a divorce proceeding, am I cyberstalking you?

If you said "yes" to the question posed in the title of this post, you may have some difficulties in Florida. In Young v. Young, 2012 Fla. App. LEXIS 15112 (Sept. 28, 2012), a Florida appellate court said "no" to that question, holding that cyberstalking, per Florida statute, requires electronic communications by [a person] of "words, images, or language . . . directed at" another individual (the person allegedly being stalked).

In Young, the husband allowed his wife to use his computer password to install a multi-user licensed anti-virus program. Under these facts, I'm not exactly sure why she needed the password, but the case does not clarify. The husband, in my estimation, was operating under good faith because at the time of disclosure, the couple was either at, or still amidst, their dissolution proceeding. (At this point I'd like to stop and offer what should be obvious advice: short of a court order, never disclose your password to anyone, for anything, at any time. Including your wife. I can't think of many stories I have heard that open with "so I gave her/him my password" and end happily.)

The wife, without the husband's consent, then "used the password to read his email and then changed the password so that he could no longer gain access to his account." Subsequently, she "filed a paper in the divorce proceeding that contained extensive personal information taken from the emails." The husband filed for a domestic violence injunction, which was granted by the lower court after interpreting that the wife's actions "amounted to cyberstalking."

The court of appeals overturned the injunction, stating that reading your emails, changing your password, and using the information discovered in your email account are not electronic communications directed at another, and therefore fall outside the purview of the statute.

In my common understanding of stalking in general, but also cyberstalking, I was never under the impression that stalking had to include some sort of communication to the "stalkee." Isn't part of stalking doing so by use of stealth? Indeed, one online dictionary defines it as:
1. To pursue by tracking stealthily.
2. To follow or observe (a person) persistently, especially out of obsession or derangement.
To me, this is an odd outcome, but it is more a failing of statutory drafting than a mistake by the court. The husband may also have other remedies (computer intrusion statutes at the state level); however, those will certainly not be sufficient to obtain a DV injunction. The larger question is this: does the wife's behavior give rise to the husband's belief that he was in imminent danger of domestic violence, which is the DV injunction standard in Florida? That's a high bar to meet, but one would need to know the content of the emails to know just how angry she might have been. As a public policy matter, I think a DV injunction here wouldn't be a bad thing.

Tuesday, October 2, 2012

Map shows cyber attacks in real-time

Be sure to check out this real-time map that shows cyber attacks throughout the world. Red dots represent the location of attackers, and a ticker at the bottom lets you see their location and IP address.

The data is collected by The Honeynet Project whose mission is "[t]o learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned."