In the wake of the deadly terror attack in London last week, UK officials have renewed pressure on Facebook’s popular encrypted messaging service, WhatsApp, to create a backdoor for law enforcement.

Khalid Masood, the man identified as the Westminster Bridge attacker, reportedly logged on to the app minutes before he went on a murderous rampage that left four dead and dozens wounded. UK Home Secretary Amber Rudd believes WhatsApp and other encryption messaging services like it should give authorities access to their platforms in cases like this because “there should be no place for terrorists to hide.”

“We need to make sure that organizations like WhatsApp, and there are plenty of others like that, don’t provide a secret place for terrorists to communicate with each other,” said Rudd on BBC One’s “Andrew Marr Show” on Sunday.

“It used to be that people would steam open envelopes or just listen in on phones when they wanted to find out what people were doing, legally, through warranty,” added Rudd. “But on this situation we need to make sure that our intelligence services have the ability to get into situations like encrypted WhatsApp.”

WhatsApp use something called end-to-end encryption, which ensures all messages are secure by generating a unique “lock and key” that allows only the designated sender and recipient(s) access to the material shared. The messages are so secure in fact, that even WhatsApp doesn’t have access to the material that is shared.

Therefore, investigators are unable to see if Masood sent a message before the attack, and if so to whom–hence the UK investigators’ request for a backdoor. Police believe that Masood acted alone in the attack and are determined to understand if he “was a lone actor inspired by terrorist propaganda or if others have encouraged, supported or directed him.”

WhatsApp isn’t the the only app that uses end-to-end encryption. Apple’s iMessage service features the same level of security. In February of last year, Apple CEO Tim Cook spoke out against building a backdoor to the iPhone, after his company was asked to assist the FBI in unlocking an iPhone linked to the terrorist attack in San Bernardino, California. Cook said the backdoor would be “too dangerous to create.”

On Sunday, however, Rudd said, “I would ask Tim Cook to think again about other ways of helping us work out how we can get into the situations like WhatsApp on the Apple phone.”

Rudd said she is planning to meet with internet technology giants Google, Facebook, and Twitter later this week to discuss the issue further, but it’s unlikely that any of these companies will be willing to take a gamble with their users’ security.

According to BBC, a WhatsApp spokeswoman said that the company was “horrified at the attack” and is cooperating with the investigation.

Alexis Evans

Alexis Evans is an Assistant Editor at Law Street and a Buckeye State native. She has a Bachelor’s Degree in Journalism and a minor in Business from Ohio University. Contact Alexis at aevans@LawStreetMedia.com.

The post Encryption Battle: UK Calls for WhatsApp Backdoor After London Attack appeared first on Law Street.

“Government should have lawful access to any encrypted message or device.” That was the resolution at the center of a debate between CNN’s Fareed Zakaria and Edward Snowden, former NSA contractor and infamous (or famous, depending on your opinions) leaker of classified information.

The Sides

Zakaria, the host of CNN’s “Fareed Zakaria GPS” and Washington Post columnist, supported the resolution, arguing that no one should be able to have a “zone of immunity,” and that with due process, all information should be accessible to law enforcement. Edward Snowden, the NSA contractor responsible for an unprecedented leak of classified information about the agency’s surveillance programs, took the opposing position, arguing that computer security is the preeminent challenge of our time and that making it possible for the government to access devices makes everyone’s information less safe.

The People and the Place

The debate, which took place in the New York Times Building just steps away from Times Square, was co-hosted by the Century Foundation and NYU’s Wagner School for public service. Zakaria stood before the audience in New York while Snowden was teleconferenced in from Russia.

Fareed Zakaria and Edward Snowden debate encryption. [Image courtesy of Kevin Rizzo for Law Street Media]

With the help of moderator Barton Gellman–a two-time Pulitzer Prize-winning journalist who broke the story after Snowden’s leak and current Senior Fellow at the Century Foundation–the debaters managed to debate the merits of encryption. Although discussion of encryption often becomes abstract, with talk of backdoors and impenetrable walls, Snowden and Zakaria got to the crux of the issue: when possible, should companies be forced to comply with court orders to release information when law enforcement cannot access it?

The Fuss Over Encryption

Encryption tends to quickly polarize people. On one hand there are people like FBI Director James Comey who has said that one day, law enforcement officers will need to get into an encrypted device to save a kidnapped child, and without the ability to do so, someone might die. On the other are privacy advocates, who say that weakening security by making every device accessible to the government, or creating a so-called backdoor, will make devices insecure for everyone, criminals and upstanding citizens alike. But the reality is often more complicated.

Drawing from his unique position as a former NSA contractor and current privacy advocate, Snowden noted that nothing is completely protected. If someone can access their device, then it is possible for others to access it as well. He used examples from his time at the NSA, saying that he was able to get around encryption. He also cited the FBI’s success in arresting Ross Ulbricht, the man behind the infamous Silk Road website–an online black market that often facilitated illegal activity. The FBI managed to arrest Ulbricht and access his encrypted information because agents physically took his computer while he was logged into Silk Road at a public library.

But Zakaria shot back arguing that getting around encryption like that is very difficult and often extremely expensive. He noted the recent battle between the FBI and Apple, in which the FBI ended up paying more than a million dollars to break into a phone used by one of the San Bernadino shooters. Zakaria asked why wealthy law enforcement agencies should be able to break into the phones of murderers while similar crimes go unsolved in Harlem and the Bronx.

Eventually, Gellman, the moderator, raised a question that got to the heart of the issue. He noted that the messaging service WhatsApp has, based on available evidence, managed to create comprehensive end-to-end encryption for its users–meaning that even the company cannot read its users’ messages. Gellman asked Zakaria if such services should exist, noting that a bill in the Senate would require companies to be able to decrypt their customers’ data with a court order, making impenetrable encryption against the law.

Zakaria conceded that if a company was able to create a system that the company itself could not decrypt, then they would not be held liable. “If WhatsApp says we literally do not know how to write this code—WhatsApp could demonstrate to a court that they don’t have to do it,” Zakaria said. But he maintained that if uncovering the data is possible, the government should be allowed to do so with a court order.

At that point, the disagreement became clear–Zakaria, and the pro law enforcement camp in general, believe that when it is possible (and it often is) the government should be able to gain access to devices if they obtain a court order. But Snowden, technologists, and privacy advocates, counter that making companies exploit their own systems to gain access to devices makes everyone’s information less safe.

A Welcome Focus on Realism

While strong disagreement between the two sides remained at the end of the event, they managed to discuss the issue based on its merits without exclusively dealing in abstract hypothetical situations. The debate boiled down to the tension between cyber security and law enforcement’s ability to get information, echoing the larger battle between preserving privacy and providing safety. While the debate remains far from settled, Snowden and Zakaria’s discussion of encryption should help shape the conversation going forward.

Kevin Rizzo

Kevin Rizzo is the Crime in America Editor at Law Street Media. An Ohio Native, the George Washington University graduate is a founding member of the company. Contact Kevin at krizzo@LawStreetMedia.com.

The post Fareed Zakaria and Edward Snowden Debate the Limits of Encryption appeared first on Law Street.

A hospital in Los Angeles, the Hollywood Presbyterian Medical Center, recently agreed to pay a ransom of $17,000. But the ransom wasn’t paid to free some worker held hostage or to prevent the release of a catastrophic pathogen. Instead it was handed over to hackers for the safe return of its patients’ medical files. Hackers managed to penetrate the hospital’s computers and encrypt its files, and demanded a large sum to be paid in the form of Bitcoins. While this scenario sounds far-fetched, this type of crime is actually on the rise. Read on to find out more about ransomware, bitcoins, why these types of attacks are increasing, and what can be done to stop them.

What is Ransomware?

Ransomware is a type of malware employed by hackers to stop users from accessing their own information or data.  It does this in one of two ways. Either a screen is locked and instructions are provided for unlocking it, or important information is encrypted and a password or key known only to the hackers is required to reopen the essential information. While the exact date of ransomware’s origin is non-definite, it appears to have started in Russia sometime around 2006, spreading globally by 2012.

By 2013, ransomware hackers were using encryption through something known as CryptoLocker. Before encryption, ransomware typically blocked people from using their computers or tricked users into paying to regain access to their computers. An example of this is Reveton, which shows notifications claiming to be from a law enforcement agency, informing the user that a crime has been committed and a fine must be paid. But such malware could be uninstalled or removed with an antivirus program, though even that can be particularly difficult. When encryption came on the scene, hackers began encrypting files, making it impossible for users to access their own information without an encryption key. Even if the ransomware is removed, the files remain encrypted. This key element of ransomware is what makes it both very dangerous and lucrative, as it can be removed yet continue to do damage.

In 2014, ransomware hackers also began using the Tor network to remain anonymous. Tor is a unique network that does not directly plug into the internet, connecting through a series of servers instead. Hackers began using this network to communicate with command and control servers that store the encryption key, which can be sent to an infected computer after a ransom is paid. Doing so makes it nearly impossible to track an attack to an individual because their identity is concealed throughout the process.

The accompanying video gives a quick look at what ransomware is:

Payment

Paying the ransom part of ransomware is also an increasingly complex process. In the case of ransomware like Reveton, hackers often request payment through several services that are difficult to trace such as UKash, PaySafeCard, and MoneyPak. But a growing trend among these hackers has been to request the money in Bitcoins, which is how the hospital in Los Angeles paid its ransom. Bitcoin is a type of cryptocurrency that exist entirely online with no physical presence. Bitcoins are not controlled by a central bank and are based on mathematics, making it completely decentralized and not tied to the value of a commodity like gold or silver. Bitcoin is particularly attractive to hackers because of the anonymity it provides.

Growing Popularity of Ransomware

The threat of ransomware is also on the rise. As of January 2013, there had been 100,000 such attacks but by the end of that year alone that number rose to nearly 600,000, according to Antivirus software company Symantec. Symantec also looked at data from command and control servers used by ransomware hackers to estimate how profitable these scams really are. According to its calculations, hackers can earn around $33,600 per day, amounting to as much as $394,000 in a month. Two primary questions remain: how do hackers select targets and why are attacks increasing?

To answer the first question, targets so far have generally been chosen at random, although future hackers could research a target beforehand to find the most lucrative one. While targets are generally chosen at random, many victims have been infiltrated by viruses or spyware before, suggesting that certain victims may be chosen simply because their systems are easy to penetrate. Traditionally, these random targets were individuals who paid small sums, but recently, the size of the target and the requested ransoms have increased. Conventional wisdom on the use of ransomware is also changing as the payment for these random attacks has shifted more and more to Bitcoins.

Bitcoins help answer the second question–why are ransomware attacks on the rise? While Bitcoin is completely transparent when it comes to transactions, it is often very difficult to trace a Bitcoin address back to an individual, making it easy for hackers to remain anonymous. The rise of Bitcoin has given hackers a reliable and anonymous method to receive ransom payments, which likely contributes to the rise in ransomware attacks.

The video below comments on the attack in LA and the rise of such attacks:

Stopping Ransomware

So with ransomware attacks increasing, how can people avoid falling victim?  There are several steps any user can take to eliminate or, at least, mitigate their exposure to dangerous ransomware. First is to use a reputable anti-virus software to help prevent and remove malicious programs. But reputation is important, as there are many fake options that may actually give your computer a virus. Similarly, it is important to make sure your computer’s existing firewall is strong and activated.

Even with anti-virus software in place and a strong firewall, it is still paramount to be cautious. Using a pop-up blocker and being careful when opening email attachments is also an important way to avoid exposure. It is additionally important to back up files and information regularly. If you have a backup of your files in the cloud or on an external hard drive, you will still have access to your information even after it is encrypted by ransomware.

In the event of a ransomware attack, it is also important to get the authorities involved, including the FBI, as ransomware is generally beyond the scope of local police departments. In fact, the police themselves are not immune to attacks either, as police departments in both the Boston area and in Maine fell victim and paid subsequent ransoms.

So far, the FBI has actually had some success fighting ransomware.  In 2013, for example, it stopped the software platform Citadel, which was behind the Reveton-style ransomware attacks. In 2014, the FBI also disrupted a major botnet–a network of computers used to infect computers with malware– and seized control of the servers behind CryptoLocker. While the FBI has had some success fighting these hackers, in certain cases the bureau says the best way to fight ransomware is to actually pay the ransom. While this goes against the conventional wisdom of not giving into criminals’ demands, the encryption used is often nearly impossible to crack and the requested ransoms may be relatively small. Put simply, for some people its often easier to just pay up.

Conclusion

Not only is ransomware on the rise, it is becoming much harder to combat and hackers are moving to even more lucrative targets. While it is bad enough that individuals often have to deal with ransomware, hackers are now starting to go after essential institutions such as police departments and hospitals. While targets take on an ever-growing importance, the reality is that ransomware is not going away anytime soon. In many respects, ransomware is not that different from other types of malware, with the exception that it offers to restore the user’s capabilities for the right price. As is the case with other malware, ransomware shows no signs of fading. Its methods are becoming more effective and recovering payments is easier than it has ever been.

Unfortunately, potential targets and those already affected have little recourse in this battle. While the FBI has made some progress, even it suggests that paying up for relatively small amounts may be victims’ best option. An important question going forward is how to respond if hackers increasingly target important institutions. And as the profiles of these targets increase, will the ransoms increase as well?

Resources

Symantec: Ransomware: A Growing Menace

Tech Times: LA Hospital Hit By Ransomware Pays Hackers $17,000: Is It The Right Choice

Trend Micro: Ransomware

Tor Project: Tor Overview

Coin Desk: What is a Bitcoin?

Phys.org: Why Ransomware is on the rise

Norton: Beware the Rise of Ransomware

Federal Bureau of Investigations: Ransomware on the Rise

The Security Ledger: FBI’s Advice on Ransomware? Just Pay The Ransom

Michael Sliwinski

Michael Sliwinski (@MoneyMike4289) is a 2011 graduate of Ohio University in Athens with a Bachelor’s in History, as well as a 2014 graduate of the University of Georgia with a Master’s in International Policy. In his free time he enjoys writing, reading, and outdoor activites, particularly basketball. Contact Michael at staff@LawStreetMedia.com.

The post Ransomware: Holding Our Digital Lives Hostage? appeared first on Law Street.

An iPhone used by one of the two attackers who killed 14 people in the San Bernardino shooting has become the subject of an intense battle over cell phone privacy after Apple publicly refused to help the FBI hack into it.

U.S. Magistrate Judge Sheri Pym ordered Apple Tuesday to provide “reasonable technical assistance” to the FBI, which has been struggling to unlock Syed Rizwan Farook’s password-protected phone. More specifically, the FBI wants Apple to develop a custom version of the iPhone software that could be loaded onto Farook’s phone in order to unlock the device. Apple, however, has opted to challenge the court order in a stand to protect encryption rights and customers.

In an open letter to Apple customers, CEO Tim Cook explained Apple’s decision, stating:

Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation. In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession.

Apple claims the software would essentially create a “back door” or “key” in the system that could potentially be used later by sophisticated hackers and cyber-criminals, which would effectively put tens of millions of Americans at risk. Cook continued writing,

We can find no precedent for an American company being forced to expose its customers to a greater risk of attack. For years, cryptologists and national security experts have been warning against weakening encryption. Doing so would hurt only the well-meaning and law-abiding citizens who rely on companies like Apple to protect their data. Criminals and bad actors will still encrypt, using tools that are readily available to them.

But without Apple’s help, there is possibly some important information that the FBI could be missing out on that remains buried inside the encrypted iPhone.

According to CBS, investigators are still trying to uncover what happened during the 18-minute gap in the timeline between the shooting at the Inland Regional Center and the police shootout that ended both shooters’ lives. The FBI is also most likely still looking for information that could connect the shooters to a possible terror network, or reveal evidence of possible co-conspirators in the attack. While the shooting may have been inspired by ISIS, the terrorist group has never taken responsibility for the attack.

Therein lies the catch-22 that Apple faces. If the issue only concerned Farook’s phone, it’s highly doubtful Apple would even be making a stand.

When asked by the New York Times about Apple’s resistance, the Justice Department pointed to a statement by Eileen M. Decker, the United States attorney for the Central District of California that read,

We have made a solemn commitment to the victims and their families that we will leave no stone unturned as we gather as much information and evidence as possible. These victims and families deserve nothing less.

As of yet, it’s unclear what kind of legal repercussions Apple could face in the standoff, but the company has been extremely transparent with its intentions to fight the order and protect encrypted information on its devices.

Alexis Evans

Alexis Evans is an Assistant Editor at Law Street and a Buckeye State native. She has a Bachelor’s Degree in Journalism and a minor in Business from Ohio University. Contact Alexis at aevans@LawStreetMedia.com.

The post Why is Apple Refusing to Unlock the San Bernardino Shooter’s IPhone? appeared first on Law Street.

Hacking attacks are estimated to cost the global economy a whopping $400 billion each year. With recent attacks on Sony and U.S. Central Command, it seems like nothing online is completely safe. The United States is scrambling to improve cybersecurity and prevent attacks that could otherwise have major impacts on national security, the economy, and personal safety. Here’s what you need to know about cybersecurity policy, government efforts, and what to expect in the future.

What is cybersecurity?

In the increasingly digital world with an ever-growing e-commerce sector, cybersecurity is of vital importance. Cybersecurity is a broad concept that resists a precise definition; it involves protecting computers, networks, programs, and data from cyber threats. Cybersecurity can help protect privacy and prevent unauthorized surveillance and use of electronic data. Examples of cyberattacks include worms, viruses, Trojan horses, phishing, stealing confidential information, and control system attacks. Because of it loose definition, it is hard for the government to regulate how businesses should protect their systems and information. A number of different measures are used to ensure at least a basic level of cybersecurity.

How does cybersecurity work?

Cybersecurity helps to prevent against the risks associated with any cyber attack, which depend on three factors:

1. Removing the threat source. Determining who is attacking can indicate what kind of information or advantage they are seeking to gain. Cyberattacks may be carried out by criminals, spies, hackers, or terrorists, all of whom may do it for different reasons.
2. Addressing vulnerabilities through improving software and employee training. How people are attacking is important in trying to set up the best cybersecurity possible. This can be likened to an arms race between the attackers and defenders. Both try to outsmart the other as the attackers probe for weaknesses in their target. Examples of vulnerabilities include intentional malicious acts by company insiders or supply chain vulnerabilities that can insert malicious software. Previously unknown, “zero day” vulnerabilities are particularly worrisome because they are unknown to the victim. Since they have no known fix and are exploited before the vendor even becomes aware of the problem, they can be very difficult to defend against.
3. Mitigating the damage of an attack. A successful attack may compromise confidentiality, integrity, and even the availability of a system. Cybertheft and cyberespionage might result in the loss of financial or personal information. Often the victims will not even be aware the attack has happened or that  their information has been compromised. Denial-of-service attacks can prevent legitimate users from accessing a server or network resource by interrupting the services. Other attacks such as those on industrial control systems can result in destruction of the equipment they control, such as pumps or generators.

Examples of common cybersecurity features include:

• Firewall: a network security system to control incoming and outgoing network traffic. It acts as a wall or barrier between trusted networks and other untrusted networks.
• Anti-virus software: used to detect and prevent computer threats from malicious software.
• Intrusion Prevention System: examines network traffic flows to prevent vulnerability exploits. It sits behind the firewall to provide a complementary layer of analysis.
• Encryption: involves coding information in such a way that only authorized viewers can read it. This involves encrypting a message using a somewhat random algorithm to generate text that can only be read if decrypted. Encryption is still seen as the best defense to protect data. Specifically, multi-factor authentication involving a two-step verification, used by Gmail and other services, is most secure. These measures (at least for the time being) are near impossible to crack, even for the NSA.

Watch the video for a basic overview of cybersecurity.

What is the role of the federal government in cybersecurity?

Most agree the federal role should include protecting federal cyber systems and assisting in protecting non-federal systems. Most civilians want to know online shopping and banking is secure, and the government has tried to help create a secure cyber environment. According to the Congressional Research Service, federal agencies on average spend more than 10 percent of their annual IT budget on cybersecurity measures.

There are more than 50 statutes that address various issues of cybersecurity. While much legislation has been debated in recent years, no bills have been enacted. The most recent and significant cybersecurity legislation came in 2002 with the passage of the Federal Information Security Management Act (FISMA), which requires each federal agency to implement and report on cybersecurity policies.

Over the past several years, experts and policymakers have shown increasing concern over protecting systems from cyberattacks, which are expected to increase in both severity and frequency in the coming years. Most proposed legislation and executive branch action with regard to cybersecurity focus on immediate needs, such as preventing espionage and reducing the impact of successful attacks. Historically there has been an imbalance between the development of offensive versus defensive capabilities. Coupled with slow adoption of encryption technologies, many programs were vulnerable to attack. While the cybersecurity landscape has improved, needs still exist with regard to long-term challenges relating to design, incentives, and the environment. Overcoming these obstacles in cybersecurity remains a challenge.

Design

Developers of software or networks are typically more focused on features than the security of their product. Focusing primarily on the product’s features makes sense from an economic standpoint; however, shifting the focus away from security makes these products more vulnerable to cyberattacks.

Incentives

The distorted incentives of cybercrime make it hard to prevent. Cybercrime is typically cheap, profitable, and relatively safe for criminals. In contrast, cybersecurity is expensive, often imperfect, and companies can never be certain of the returns on the investments they make in cybersecurity.

Environment

Cybersecurity is a fast-growing technology. Constantly-emerging properties and new threats complicate the cybersecurity environment. It is very difficult for the government or private companies to keep up with the pace of changing technology used in cyberattacks. What laws and policies do exist are almost always out of date given the rapid pace of change in cybersecurity.

Watch the video below for an overview of the difficulties of cybersecurity policy.

Has President Obama taken any action on cybersecurity?

With recent attacks and data breaches at Sony, Target, Home Depot, and the Pentagon’s Central Command, the need for toughened cybersecurity laws has been highlighted. Cybersecurity is an issue where both sides of the political aisle see the need to work together. It is clear that a comprehensive policy playbook is needed to guide the government’s response to such serious cyberattacks.

On January 13, 2015, President Obama announced a new cybersecurity legislative proposal, which consists of three parts:

1. Enabling cybersecurity information sharing: The proposal enhances collaboration and cybersecurity information within the private sector and between the private sector and the government. The proposal calls for the private sector to share cyber threat information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC). Sharing information about cyber threats with the NCCIC would shield companies from liability. The bill would require the Department of Homeland Security to share threat information as quickly as possible with other agencies like the FBI or NSA. The proposal would also require private entities to comply with privacy restrictions like removing unnecessary personal information and taking measures to protect any personal information that must be shared.
2. Modernizing law enforcement authorities to fight cybercrime: This ensures that law enforcement has the proper tools to investigate and prosecute cybercrime. These provisions would criminalize the sale of stolen U.S. financial data, expand authority to deter selling of spyware, and shutdown programs engaged in denial-of-service attacks. Other components criminalize various cybercrimes.
3. National data breach reporting: Many state laws require businesses that have suffered from breaches of consumer information to notify consumers. The proposed legislation would simplify and standardize these existing state laws. The proposal would also put in place a timely notice requirement to ensure companies notify their customers about security breaches.

Watch the following video for an outline of President Obama’s plan.

On January 16, 2015, President Obama and British Prime Minister David Cameron promised to cooperate with regard to cybersecurity. Cameron expressed concerns about encryption technologies that might make it easier for would-be terrorists to avoid detection. Cameron hopes to outlaw certain forms of encryption. President Obama did not as easily dismiss privacy concerns, but did state that he believes the government can do a better job of balancing both privacy and security.

Why is it hard to implement effective cybersecurity policy?

Congress has tried for years to pass legislation encouraging companies to share information from cyberattacks with the government and with each other; however, liability issues and privacy concerns stopped such laws from passing. Many privacy advocates are speaking out against President Obama’s proposed legislation for the same reasons. They fear that such information-sharing legislation could further the government’s surveillance powers. Some groups caution that substantial National Security Agency reform should come before considering any information-sharing bill. Privacy concerns such as these have made it difficult to pass cybersecurity packages in Congress in the past; however, the recent Sony attack may prove to be a game changer in passing new cybersecurity bills.

Even if President Obama and Congress can implement the above changes, it will still be difficult for the government to enact more effective policy changes. Technology can easily mask the identity or location of those organizing cyberattacks. This can make identifying and prosecuting those responsible near impossible. Justifying an appropriate response to attacks is even harder.

Legislatures and citizens also tend to be kept in the dark due to extreme security regarding a country’s cyber capabilities. Edward Snowden’s revelations about the NSA sparked public interest in cybersecurity and in the extent of the government’s capabilities. But still, information regarding the U.S.’ cyber policies remains classified and not open to general discussion. Without transparency, it is hard to exercise oversight or explain to the public the government’s cybersecurity activities.

Critics also contend that President Obama’s proposal leaves large gaps in cybersecurity policy. The policy fails to establish ground rules for responding to cyber attacks once they have occurred and it remains unclear how the United States might respond to cyberattacks against government networks or even private sector entities like Sony. While attacks may be criminalized, prosecuting these cases with limited evidence is difficult.

A recently uncovered 2009 U.S. cybersecurity report warned that the government was being left vulnerable to online attacks because encryption technologies were not being implemented fast enough. While the country has come a long way since 2009 there is still much room for improvement. A 2015 review of the Department of Homeland Security stated that:

DHS spends more than $700 million annually to lead the federal government’s efforts on cybersecurity, but struggles to protect itself and cannot protect federal and civilian networks from the most serious cyber attacks.

Conclusion

More needs to be done in the realm of cybersecurity to prevent against cyberattacks. While less legislation may have worked in the past, the scale of recent cyberattacks shows the vast potential for damage to the government, companies, and individuals. President Obama’s recent proposal may be a good start, but more long-term policies are needed to protect citizens from serious cyberattacks. No cybersecurity solution is permanent, so public policy must constantly evolve to suit the needs of its citizens in the cyber realm.

Resources

Primary

Department of Homeland Security: Federal Information Security Management Act

White House: Securing Our Cyberspace: President Obama’s New Steps

Homeland Security and Governmental Affairs Committee: A Review of Missions and Performance

Additional

Congressional Research Service: Cybersecurity Issues and Challenges

National Journal: Obama’s New Cybersecurity Proposal Facing Skepticism

UMUC: Cybersecurity Primer

Forbes: Why a Global Security Playbook is Critical Post-Sony

Guardian: Secret U.S. Cybersecurity Report

Reuters: Obama Seeks Enhanced Cybersecurity Laws to Fight Hackers

NPR: Obama, Cameron Promise to Cooperate on Cybersecurity

Yahoo: Obama Says Hacks Show Need for Cybersecurity Law

Huffington Post: What’s Wrong with America’s Cybersecurity Policy?

Alexandra Stembaugh

Alexandra Stembaugh graduated from the University of Notre Dame studying Economics and English. She plans to go on to law school in the future. Her interests include economic policy, criminal justice, and political dramas. Contact Alexandra at staff@LawStreetMedia.com.

The post Cybersecurity: Will We Ever Be Safe? appeared first on Law Street.

Fingerprint technology has long been hailed as the next great frontier in security features. Whether that’s because pretty much every spy movie includes a fingerprint scan scene, or because of all the hubbub over various tech companies like Apple releasing fingerprint technology for their new devices, it’s hard to tell. But for a long time a lot of us have believed that fingerprints are so unique that they would make for safe security features. Unfortunately, that may not actually be the case. According to a German hacker, it may be pretty simple to copy fingerprints…and all you need is a camera and some luck.

Hacker Jan Krissler (alias “Starbug”) of the hacking group Chaos Computer Club (CCC) in Hamburg, Germany, presented his fingerprint-stealing theory at a conference earlier this week. Krissler chose German Defense Minister Ursula von der Leyen as his example target. He used high resolution photographs that had been taken of von der Leyen–and he had a lot to choose from, given that she’s a pretty high profile figure in Germany. The photographs were all able to be zoomed in on to see her fingers. Then, using a readily available app called VeriFinger, he processed and reproduced her fingerprint.

CCC, which says that it’s the largest hacking group in Europe, has long tried to show how relatively unsafe fingerprint technology is. When Apple released the iPhone 5s last year with fingerprint scan technology included, CCC claimed that it was able to easily bypass Apple’s security system. Taking a photograph of a fingerprint and then making a wax-model of it allowed them to break into iPhones.

Krissler personally has long rallied against this technology that’s supposed to keep our devices and information safer. It’s not just fingerprint technology–he also has a serious problem with computers and other devices that unlock based on facial recognition, explaining that that kind of technology can be hacked by using a photo of a person. He also explained another probably less probable security concern with our current device mechanisms: “Reading a user’s PIN code from reflections in their pupils while taking selfies.”

The chances that these hacks are actually used in practice don’t seem very likely. I mean, how often do you have very high resolution photographs taken of your fingertips? Furthermore, in order to actually break into a technological device with a copy, you’d need said device.

This is not me saying that we all need to go off the grid and live in a cave to protect our information–I would fare horribly in a cave, as there probably aren’t many caves with good access to Netflix. However, I think the point that Krissler makes–that we rely too much on technology at face value–is a point well taken.

Anneliese Mahoney

Anneliese Mahoney is Managing Editor at Law Street and a Connecticut transplant to Washington D.C. She has a Bachelor’s degree in International Affairs from the George Washington University, and a passion for law, politics, and social issues. Contact Anneliese at amahoney@LawStreetMedia.com.

The post German Hacker: Fingerprint Scans Can be Hacked appeared first on Law Street.

Bitcoin first started making headlines in 2009 and has continued to grow into one of the world’s most well-recognized, thorough, and usable cryptocurrencies. But with multiple legal controversies and the general public’s skepticism when it comes to something as new as “cryptocurrency,” it’s difficult to tell whether Bitcoin has much of a future. Read on to learn more about the currency and its future.

What is Bitcoin?

Bitcoins are widely known as a digital or cryptocurrency. Unlike conventional currencies that are regulated by central authorities in their respective regions (such as the Federal Reserve Bank for the United States Dollar), Bitcoin is border-less and managed by a cryptographically-secured peer-to-peer network. The demand for Bitcoins determines their value in the market, and their supply is determined by complex mathematical algorithms developed by the founder–a person who goes by the pseudonym Satoshi Nakamoto. This supply generation process is called Bitcoin mining. So, Bitcoins are usually created by being “mined” by computers solving a complex string of processing problems, although one can now purchase existing Bitcoins.

Only fifty were created at the time of the cryptocurrency’s genesis and the maximum number of coins that can be issued is locked at 21 million. Just like the lowest value that the United States dollar can be divided into is one-cent pennies, a Bitcoin can at most be divided into eight decimal places. It gained prominence in April 2013 when its value spiked to $266 US Dollars compared to only $22 earlier that  same year. More than 10 million coins had been issued at that point at a total market value of $2 billion.

Courtesy of Idology.com.

Who likes Bitcoins?

Proponents of the cryptocurrency appreciate its purity in terms of supply and demand without any governmental interference. Bitcoins mitigate privacy concerns because they eliminate the need to enter information such as name and address for online transactions. For many tech aficionados, the cryptocurrency provides the thrill of following a new trend in the virtual world. Bitcoins are now being accepted by many platforms like WikiLeaks, restaurants, mobile payment applications, and retail apps that have partnered with major consumer brands like GAP and Sephora.

A federal district court recently ruled that Bitcoin is indeed a currency, given that it can be either used to purchase goods and services directly, or to purchase currency that can in turn be used to purchase goods and services. According to a study conducted by the European Central Bank, Bitcoins do not pose a risk to price instability given that their supply is capped at 21 million coins, and will not negatively affect  the economy as long as the government monitors it to ensure that its not being used for fraudulent purposes.

Who doesn’t like Bitcoins?

Opponents worry that the unregulated and anonymous nature of cryptocurrency lends itself to be used for illegal trade, tax evasion, money laundering, and investment frauds like Ponzi schemes. Dread Pirate Roberts, the owner of Silk Road, an online drug market in the deep web that is now shutdown, blatantly admitted that Bitcoin helped him win the war of drugs against the state.

Opponents also criticize Bitcoin’s algorithmic design for specifically inducing rise and fall in its value. But unlike traditional currencies, Bitcoin is not insured by the government in case it gets devalued enough to cause a major financial crisis in its market. Some claim that Bitcoin is being used more like a stock than a currency and that once the initial hype dies down its value will eventually decrease to nothing because it doesn’t have anything to offer except for its cool factor. Since Bitcoin is primarily digital (though coins are now available), it can be lost forever if a user loses his/her computer or account in which it’s stored.

What’s next for Bitcoin?

Bitcoin’s future is somewhat uncertain. While the cryptocurrency is still growing, there are many concerns that it’s not worth it. Detractors point out things like a possible Ponzi-style scheme involving Bitcoin in North Texas as indicative of the worthlessness of the currency. On the other hand, Bitcoin-based ventures have been growing, such as the development of startups like Coinffeine, which aims to create a new way to exchange Bitcoins. These are just a few examples of the ways in which Bitcoin is slowly breaking its way in into the mainstream, albeit with many setbacks.

Conclusion

Bitcoin. and other similar digital currencies, is just one of many interesting developments that has come about because of the internet. In essence, it’s a pretty revolutionary and fascinating idea, but whether or not it is actually good for the global economy remains to be seen. The potential for the use of Bitcoin as part of illegal activity though, should not stop people from using it for legitimate means. It’s only through incorporating online tools into the mainstream that it will become a genuinely useful and productive innovation.

Resources

Primary 

Bitcoin: Official Site

US District Court: Securities & Exchange Commission v. Trendon T. Shavers  and Bitcoin Savings & Trust

Additional

European Central Bank: Virtual Currency Schemes

Techland: Online Cash Bitcoin Could Challenge Government, Banks

Coindesk: Confirmed: Bloomberg Staff Are Testing a Bitcoin Price Ticker

CIO: In Kenya, Bitcoin :Linked to Popular Mobile Payment System

ParityNews: The Internet Archive Starts Accepting Bitcoin Donations

Webcite: In Bitcoin We Trust: The Berlin District Where Virtual Currency is as Easy as Cash

Readwrite: What’s Bitcoin Worth in the Real World?

Wire: Today’s Bitcoin Shows Why It’s Not Really a Currency

Fox Business: The Consumer Risks of Bitcoins

Slate: My Money is Cooler Than Yours

Washington Post: Imagining a World Without the Dollar

Social Science Research Network: Are Cryptocurrencies ‘Super’ Tax Havens?

The New York Times: Winklevoss Twins Plan First Funds for Bitcoins

Forbes: Goodbye Switzerland, Hello Bitcoins

Treasury Department: Application of FinCEN’s Regulations to Persons Administering, Exchanging, or Using Virtual Currencies

GAO: Virtual Economies and Currencies: Additional IRS Guidance Could Reduce Tax Compliance Risks

Forbes: IRS Takes a Bite Out of Bitcoin

The New York Times: New York and U.S. Open Investigations Into Bitcoins

TechCrunch: New York’s Financial Services Subpoenas Bitcoin Firms To “Root Out Illegal Activity”

Salome Vakharia

Salome Vakharia is a Mumbai native who now calls New York and New Jersey her home. She attended New York School of Law, and she is a founding member of Law Street Media. Contact Salome at staff@LawStreetMedia.com.

The post Bitcoin: What’s Next? appeared first on Law Street.

I was watching television recently when I saw an awesome AT&T commercial that summed up the greatness that is technology. Take a look.

The dad literally turned off all the appliances and locked the door with a press of a button on his smartphone. Mind… Blown… I’m not easily impressed, but after seeing this I had to know more. How could all of these different things be turned off remotely with one app? Are they connected to the internet? What did I just see?

After some research, I found out that everything in that mind-blowing commercial will probably be common in about seven years. Household appliances like toasters, refrigerators, ovens, and coffee pots are being enabled to communicate with each other and with your applications — technology referred to as IoT, or the Internet of Things. We know about smart TVs, but say hello to smart thermostats. These devices have the ability to connect wirelessly via router signals, and some can even connect to the internet on their own. Not only that, but these appliances are able to connect, control, and share resources over different operating systems. This is so cool that even Google wants a piece of the action — which explains their $3.2 billion purchase of Nest, creator of smart thermostats and smoke alarms.

Last year 10 billion of these devices were connected to the internet, and there are estimates that up to 212 billion devices will be connected by 2020. The Internet of Things is slated to be an $8.9 trillion market by 2020, and will include many more things than just household devices. State, local, and federal governments are preparing to expand on these kinds of technologies and use them to create entire smart cities, as well as tech-supported infrastructure and energy sources such as wind turbines. These will all fall under the category of IoT and therefore could have some of the same vulnerabilities.

Proofpoint, a new tech security firm, has found evidence that smart appliances have the ability to be cyberattacked. In a study conducted from December 23, 2013 to January 6, 2014, Proofpoint found that more than 100,000 common appliances like multimedia centers, TVs, routers, and refrigerators were able to send 750,000 malicious emails in bursts of 100,000, three times a day. While some people may not be frightened by the prospect of their toaster sending out spam, we should note that this implies a bigger problem.

Proofpoint was not the first entity to point out these security issues, as there have been reports dating back to 2009 of concerns with the ability to hack routers. However, Proofpoint is the first to show supporting evidence that these security breaches can, will, and have happened to appliances. So what is happening? First, these devices are mass produced without much antivirus software to protect against security breaches. Because the devices have internet connectivity, hackers are able to exploit some of the known software vulnerabilities of the devices and apps that are used to control them. By exploiting these vulnerabilities, these devices become spam-sending machines capable of conducting denial of service attacks used to steal usernames and passwords. Another problem is that hackers may gain the ability to control the functions of the devices. What’s even more frightening is that many consumers won’t even know their networks and devices have been compromised.

The reason these vulnerabilities have not been dealt with is the lack of security standards for these gadgets. Not only have companies not produced universal security standards, there has been no government intervention to set security standards. With technology changing so rapidly, government officials have not been able to keep up with the changes and pass laws accordingly. Until such time as these standards are created, either by companies or by the government, we’re on our own folks.

On the bright side, I’m sure companies don’t want their products to be responsible for spreading viruses and spamming people. For that reason, I believe companies will develop more robust antivirus software as smart appliances become more common. However, if you already have one of these devices, you may want to take some precautions to protect them. Some suggestions are to screen your internet connections and bar devices that aren’t email servers from being able to send email. Another suggestion is to encrypt your devices. While my mind is still completely blown by the commercial I saw, I think that’s where I’ll let my interest pique…for now.

—

Teerah Goodrum (@AisleNotes), is a graduate student at Howard University with a concentration in Public Administration and Public Policy.  Her time on Capitol Hill as a Science and Technology Legislative Assistant has given her insight into the tech community.  In her spare time she enjoys visiting her favorite city, Seattle, and playing fantasy football!

Featured image courtesy of [James Nash via Flickr]

Teerah Goodrum

Teerah Goodrum is a Graduate of Howard University with a Masters degree in Public Administration and Public Policy. Her time on Capitol Hill as a Science and Technology Legislative Assistant has given her insight into the tech community. In her spare time she enjoys visiting her favorite city, Seattle, and playing fantasy football. Contact Teerah at staff@LawStreetMedia.com.

The post Did Your Toaster Just Spam Me? appeared first on Law Street.

For most Americans, large chunks of our lives play out online. We have numerous social media sites, we check our bank accounts through “secured” websites, and we use email for almost all we do—work, social plans, and everything in between. It’s sad, but I can say without a doubt that there have been days where I have interacted with people over email more than in person. And every day, we’re reminded that our Internet lives are lulled into a false sense of security. Yet we still make our email password the name of our dog combined with the year we were born, and assume digital theft will never happen to us.

In 2004, Texas-based Ladar Levison created Lavabit, a highly encrypted email host that aimed to fix these Internet security problems for anyone who wanted it. Characterizing Lavabit as highly encrypted is actually a gross understatement—Lavabit encryption was viewed as uncrackable for even government intelligence agencies. There were free and paid versions of Lavabit’s email services. As of August 2013, Lavabit counted about 410,000 users.

One of these users was the now infamous Edward Snowden; his Lavabit email address was discovered this July. The Federal Government almost immediately obtained a search warrant commanding that Lavabit allow the government access to its system.

Because of the way this request was phrased—the government wanted access to the entire Lavabit system, not just Snowden’s account—Levison refused to cooperate. Levison was first instructed to hand over the “SSL” keys to his site (essentially a way to allow the government to view all the information contained in Lavabit accounts). Levison first responded to this order by handing over the SSL keys on paper in tiny font, rendering them almost unusable.  Finally he handed over the SSL keys digitally—he will pay a $10,000 fine for that delay—but shut down the site.

No one is completely sure exactly why Levison suspended the site, given that he is now under gag order. He has said that he is banned from sharing some information even with his lawyer. He has also said that he could be arrested for closing down Lavabit instead of just releasing the SSL keys. He is currently filing an appeal with the United State Court of Appeals for the Fourth Circuit. His appeal is based on the Fourth Amendment, which prevents unreasonable search and seizure. He has also claimed that the government cannot ask a company to do something that will go directly against the purpose of their business. His lawyers likened it to “commanding the City of Richmond to give the police a key to every house within the city limits. To comply with the government’s subpoena would have either required Lavabit to perpetrate a fraud on its customer base or shut it own entirely.”

Lavabit did actually go back online very briefly for 72 hours starting the evening of October 14^th so that users could download any emails they needed that remained on the site. As of yet, there are no plans for Lavabit to reopen.

This shutdown offers ramifications for any other sites that offer completely encrypted email services. Silent Circle, one of Lavabit’s competitors, shut down its silent email software right after Lavabit went dark.

Levison’s appeal will be interesting to watch. In a modern world that is inundated with fast, online, communication, privacy is always at issue. Online identity should be a concern for everyone. Can companies create services that allow us to hide those online communications from Big Brother? The results of Levison’s appeal will answer that question, for better or for worse.

[Forbes]

—

Featured image courtesy of [IGregma via Flickr]

Anneliese Mahoney

Anneliese Mahoney is Managing Editor at Law Street and a Connecticut transplant to Washington D.C. She has a Bachelor’s degree in International Affairs from the George Washington University, and a passion for law, politics, and social issues. Contact Anneliese at amahoney@LawStreetMedia.com.

The post The New Frontier of Privacy: Lavabit’s Encrypted Email No More appeared first on Law Street.