President Obama’s cybersecurity plan – Part 1 updates for law enforcement

Last week President Obama announced his proposal for updates to US cybercrime law. While I am not a lawyer, I have spent a significant amount of time poring over the legal documents to extract their meaning and provide my comments.

The proposed legislation is quite long and detailed, so I will begin with the changes that will impact law enforcement. These changes relate to what items are criminal and the penalties the courts may impose for breaking the law.

In my second post I cover the proposed national Data Breach Notification Act.

  • The Racketeer Influenced and Corrupt Organizations (RICO) Act would be updated to include organized computer criminals. This law was originally designed to target mafia-like crime syndicates and would now include their electronic equivalents.
  • The Computer Fraud and Abuse Act (CFAA) would be modified with new restrictions for judges during sentencing. Attacks against critical infrastructure would have a mandatory minimum sentence of three years.
  • Cyberattackers targeting critical infrastructure would not be eligible for probation or concurrent sentencing (unless it is the same crime) or eligible for a reduction of their sentences for multiple counts of the offense.
  • Maximum sentences would be changed from ten years to 20 for attacking US government systems related to defense, energy or foreign relations.
  • Maximum sentences would be changed from one year to three for unauthorized access to records or systems related to financial services, government systems or foreign/interstate communications. They would change from five years to ten if the purpose is private gain or commercial advantage or if the value of the information exceeds $5000.
  • Maximum sentences would be reduced from five years to one for unauthorized access to non-public government computers.
  • Maximum of 20 years for unauthorized access or exceeding authorization to obtain more than $5000 in a year’s time.
  • Maximum of 20 years for someone who “knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer” resulting in more than $5000 in damages, tampering with medical systems, causing physical injury, causing a threat to public health and safety, interfering with systems related to defense, justice or national security, or ten or more computers in a one year period.
  • A maximum of life imprisonment for incidents that result in someone’s death.
  • Maximum of ten years for unauthorized access causing reckless damages.
  • Maximum of one year in prison for unauthorized access causing damages.
  • Maximum of ten years for “knowingly and with intent to defraud [trafficking] in any password or similar information through which a computer may be accessed without authorization.” This provision previously applied only to US government systems.
  • Maximum of ten years for extortion using a threat to attack/expose flaws in security.
  • A long list of changes related to the forfeiture of profits and assets in any way related to the aforementioned criminal activity.

The raising of maximum penalties gives American judges more flexibility and sends a very clear message to cybercriminals. However, the requirement for a three year minimum sentence for attacking critical infrastructure raises questions.

There are many shades of grey when it comes to unauthorized access to sensitive systems and mandatory minimums do not account for the edge cases that a judge can take into account.

The adjustments to the RICO statute are a welcome change and by including organized cybercrime provide new tools for law enforcement to treat electronic crimes just like any other.

The addition of this statement:

“knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer”

appears to directly address today’s malware threat. Facing up to 20 years for what many consider to be mischief sets the record straight. Producing and spreading malware is a serious crime, and under this proposal, if you participate you could face serious penalties.

Creative Commons image of a jail cell courtesy of abardwell’s Flickr photostream. Creative Commons image of Hacker Dojo sign courtesy of mightohm’s Flickr photostream.

Security hole could affect 99% of Android smartphones

According to German researchers, 99% of Android devices might be at risk from a vulnerability which could allow unauthorised parties to snoop on your Google Calendar and Contacts information.

The discovery by the University of Ulm researchers brings to light a serious privacy issue, and underlines the difficulty that many Android smartphone owners appear to face keeping their operating systems up-to-date.

According to the paper by Bastian Könings, Jens Nickels, and Florian Schaub, entitled “Catching AuthTokens in the Wild: The Insecurity of Google’s ClientLogin Protocol”, in Android 2.3.3 and earlier the Calendar and Contacts apps retrieve an authentication token (authToken) from Google’s ClientLogin service and then send it “in the clear”, over plain HTTP, with their subsequent sync requests.

That means that there’s the potential for cybercriminals to eavesdrop on WiFi traffic and steal the authToken that your smartphone has just received from Google.

Wireshark sniffing an authToken

As authTokens can be used for several days for subsequent requests, hackers can exploit them to access what should be private services and data – such as your web-based calendar. Furthermore, it turns out that the generated authTokens are not linked to a particular phone, so they can be easily used to impersonate a handset.
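To make the exposure concrete, here is an added detection example (not code from the Ulm paper or from Google): it scans a constructed capture of what a sniffer on an open WiFi network would see and reports every plaintext HTTP request carrying a ClientLogin authToken. The header format, `Authorization: GoogleLogin auth=<token>`, is the documented way ClientLogin tokens are presented on subsequent requests; the hosts, paths and the token value in the sample are made up, and the regular expressions and the `Exposure` record are this example’s own.

```python
import re
from dataclasses import dataclass

# Constructed sample capture: (TCP destination port, payload as a sniffer on an open
# WiFi network would see it). Port 80 carries plaintext HTTP; port 443 carries TLS,
# so only an opaque record fragment is visible there. Hosts, paths and the token
# value are made up for illustration, in the shape of Google Data API requests.
SAMPLE_CAPTURE = [
    (80, b"GET /calendar/feeds/default/private/full?max-results=25 HTTP/1.1\r\n"
         b"Host: www.google.com\r\n"
         b"Authorization: GoogleLogin auth=DQAAAK4AAAC0Ex4mpl3T0k3nV4lu3\r\n"
         b"GData-Version: 2\r\n\r\n"),
    (80, b"GET /m8/feeds/contacts/default/full HTTP/1.1\r\n"
         b"Host: www.google.com\r\n"
         b"Authorization: GoogleLogin auth=DQAAAK4AAAC0Ex4mpl3T0k3nV4lu3\r\n\r\n"),
    (443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x01"),  # TLS ClientHello fragment
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),  # no token
]

# ClientLogin tokens travel in this header on subsequent requests (the header format
# is Google's; the regular expressions are this example's own).
AUTH_RE = re.compile(rb"^Authorization:[ \t]*GoogleLogin[ \t]+auth=(\S+)[ \t]*\r?$",
                     re.IGNORECASE | re.MULTILINE)
HOST_RE = re.compile(rb"^Host:[ \t]*(\S+)[ \t]*\r?$", re.IGNORECASE | re.MULTILINE)


@dataclass
class Exposure:
    host: str
    path: str
    token_id: str  # truncated token, so the report itself does not leak the credential


def find_cleartext_authtokens(capture):
    """Return one Exposure per plaintext HTTP request carrying a ClientLogin authToken."""
    findings = []
    for port, payload in capture:
        if port != 80:
            continue  # TLS: the sniffer sees ciphertext, the header is not recoverable
        head = payload.split(b"\r\n\r\n", 1)[0]
        auth = AUTH_RE.search(head)
        if auth is None:
            continue
        request_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace").split(" ")
        path = request_line[1] if len(request_line) > 1 else "?"
        host_match = HOST_RE.search(head)
        host = host_match.group(1).decode("ascii", "replace") if host_match else "?"
        token = auth.group(1).decode("ascii", "replace")
        findings.append(Exposure(host, path, token[:8] + "..."))
    return findings


def reuse_counts(findings):
    """How many plaintext requests each token was seen on. A token that is sent with
    every sync request, stays valid for days and is not bound to the handset is what
    makes a one-off sniff worthwhile to an attacker."""
    counts = {}
    for finding in findings:
        counts[finding.token_id] = counts.get(finding.token_id, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_cleartext_authtokens(SAMPLE_CAPTURE)
    for finding in found:
        print(f"cleartext authToken {finding.token_id} sent to {finding.host}{finding.path}")
    print("reuse:", reuse_counts(found))
```

The same scan run against the TLS entry finds nothing, which is the whole point of the Android 2.3.4 fix: once the Calendar and Contacts requests go over HTTPS, the header is still there but the sniffer can no longer read it.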

Yuck!

The scenario is a real problem if you use an unencrypted WiFi hotspot (such as those commonly available in hotel lobbies, airports or at the coffee shop on the corner of your street), as someone could snoop on your authToken and abuse it.

According to the researchers, Google has fixed the problem in Android 2.3.4. But there’s the rub. Just how many people are still running older versions of the Android OS?

Android OS platform usage

Approximately 99% of Android users are vulnerable, as they haven’t updated to at least version 2.3.4 (codenamed “Gingerbread”).

Unfortunately it’s not always possible to easily upgrade the version of Android running on your phone as you are very dependent on your mobile phone manufacturer and carrier providing the update to you over the air.

There is a huge range of Android smartphones out there, and whereas Apple can issue a single iOS update to patch iPhones and iPads, things aren’t so simple for Google’s users. This fragmentation inevitably leaves Android devices open to security problems.

Fortunately, Google seems to be aware of this pain, and says it will work more closely with manufacturers and carriers to ensure users can receive the latest Android updates in the future.

But what should you do if you’re a concerned Android owner?

My recommendation would be to upgrade to the latest version of Android if at all possible.

Furthermore, do not use open WiFi networks as your communications may not be properly protected. If you’re worried about this latest security issue you might be wise to connect to the internet via 3G from your smartphone rather than using unencrypted public WiFi connections.

Using 3G may eat into your data plan, but it’s far less likely that your communications are being snooped upon.

Update: Good news. Google has started rolling-out a fix for this vulnerability.

MailChimp tightens up security – will other email marketing services follow suit?

I may be a little late to the party, but I was pleased to discover today that MailChimp – a popular online tool used by companies and individuals for managing email campaigns – has tightened up its security with a number of new features.

If you’ve never been involved in managing mailing lists, you might not be familiar with MailChimp. But it’s certainly made a name for itself both through its ease-of-use and strong branding courtesy of its chimp mascot.

In an email to its users, MailChimp explains that the new security features are “optional but strongly encouraged”:

* TXT and email security alerts: MailChimp can send your phone an SMS text message when it detects a login, attempted list download, or other change that might affect your account’s security. Email alerts are also available.

* Detect location changes: If someone logs in to your account from a different location than usual (determined via the IP address used), MailChimp users can force them to answer your account security question.

* Multi-factor authentication: Whenever you log in to MailChimp, a passcode – generated from a smartphone – can be required.

Personally, I think all of these options make a lot of sense for people who manage their mailing lists, and although I would prefer for there to be an option for a physical keyfob generating an authentication passcode, I think MailChimp has done some good work here.

No doubt MailChimp is very aware of the harm that was done to one of its larger rivals, Epsilon, who suffered a horrendous mega-leak of email addresses last month which tarnished many well-known brand names.

Epsilon’s lax security meant that many internet users received email alerts from organisations of which they are customers, including Best Buy, McKinsey Quarterly, Beachbody, 1800Flowers.com, Marks & Spencer, Hilton, AbeBooks and Lacoste:

Epsilon leaks email

None of MailChimp’s new security features can completely protect accounts from hackers, of course. But they certainly can make life much more complicated for cybercriminals.

And don’t forget, if you manage a mailing list of thousands of customers, the last thing you need is for a criminal to gain access to that list and begin to spam out malicious messages to your users.

If you’d like to understand more about e-marketing security why not read Sophos’s Best practices top 10: Keep your e-marketing safe from threats guide all about how to avoid security vulnerabilities in your e-marketing strategy.

Ronaldinho website Jar Jar Binks hack should be a warning to others

Here’s what the website of Brazilian soccer star Ronaldinho normally looks like:

Ronaldinho website

And here’s what it looked like for a few hours on Saturday after a hacker defaced it with images of Star Wars hate figure Jar Jar Binks and Osama bin Laden.

Ronaldinho hacked website

The footballer’s website was attacked by a hacker calling himself “Terrorist MC”, who wrote a number of messages in Arabic alongside a claim in English that he would not stop hacking:

Im muslim For ever , I love Oussama ben laden
I dont Stop The Hacking, F*** Obama F*** America

Quite what Ronaldinho has done to anger a hacker enough to compare him to Jar Jar Binks is beyond me.

But there’s a serious message here. Whether you’re a big corporation, a small business or an individual, you need to protect your web presence or risk having hackers plant malware, spam pages or a mischievous message on your site.

Fortunately it looks like the attack against Ronaldinho’s website was more akin to electronic graffiti than an attempt to infect visiting computers with malware, but it still requires someone to spend time and effort cleaning up afterwards.

The best thing to do is to prevent the attack happening in the first place, by ensuring that you’ve taken the appropriate steps to maximise security on your website.

If you haven’t already done so, check out our free technical paper about “Securing websites”, which discusses common ways web servers are attacked and the various ways they can be protected.