SPOTLIGHT ON SECURITY

Cops Seek Law Requiring 2-Year SMS Storage

A number of law enforcement groups are lobbying Congress to add provisions to a bill revamping the 1986 Electronic Communications Privacy Act (ECPA) that would require wireless carriers to archive text messages for as long as two years. There may be reasons for companies to archive messages — but simply functioning as a record-keeping arm for law enforcement is not one of them, privacy advocates maintain.

The law-enforcement groups want Congress to consider the SMS retention requirement during discussions over the revamp of the 1986 law, a version of which cleared the Senate Judiciary committee two weeks ago.

“It doesn’t belong in reform of the privacy act,” Chris Calabrese, legislative counsel for the American Civil Liberties Union in Washington, D.C. told TechNewsWorld. “The proposal creates enormous privacy problems for ordinary citizens. These records aren’t just open to law enforcement. They can be open to civil litigants and divorce lawyers, and they can be leaked. Once you start retaining these records, everybody loses a great deal of privacy.”

Enabling Criminals

Businesses should not be forced to retain records solely for the benefit of law enforcement, argued Hanni Fakhoury, a staff attorney with the Electronic Frontier Foundation.

“I understand that companies need to keep certain forms of information for periods of time,” he told TechNewsWorld. “The problem is when the sole purpose of keeping the records is for law enforcement to gain access to them.”

The nation needs a consistent policy on text-message retention, several law-enforcement groups wrote in a Nov. 28 letter to the Senate Judiciary Committee.

“Records retention is an issue that should be considered in any effort to update ECPA,” the letter said. “Certain types of widely used electronic communications are not retained by some providers, which can hinder law enforcement investigations. This issue is not addressed in the current proposal before the committee, and yet it will become even more important in the future.”

The letter was signed by representatives of the Association of State Criminal Investigative Agencies, the Major Cities Chiefs of Police Association, the Major County Sheriffs’ Association, the National Sheriffs’ Association, the National Narcotic Officers’ Associations’ Coalition and the National District Attorneys’ Association.

“We have no rules at all right now,” NDAA Executive Director Scott Burns told TechNewsWorld. “There are two or three carriers now that don’t retain them at all.”

Without retention rules, terrorists and criminals can easily destroy all evidence of their text communication, he reasoned.

He acknowledged that a reasonable retention period needed to be created. “Two years isn’t reasonable,” he observed, “but zero isn’t reasonable either.”

Cutwail Campaign Tied to Gameover

A massive spam campaign spawned by the Cutwail botnet designed to infect PCs with the Gameover Zeus banking Trojan was spotted spreading over the Internet last week.

The spam messages pose as communications from banks and airlines and contain attachments that, if opened, infect the computer with malware that steals any account credentials and credit card numbers on the machine.

Unlike some variants of Zeus, Gameover is controlled over a peer-to-peer network, rather than through a centralized command-and-control server. “That makes it more difficult to stop because it eliminates a single point of failure,” Dell SecureWorks Senior Security Researcher Brett Stone-Gross told TechNewsWorld.

One way to counter peer-to-peer Trojans is to “poison” the network with IP addresses that lead back to a server controlled by malware fighters. “You essentially turn a distributed network into a centralized system,” Stone-Gross said.

Gameover, though, has been designed to counter efforts to poison it, he added.

Gameover is tightly controlled by its developers and contains features not found in other versions of Zeus. One such feature allows the malware to create a Distributed Denial of Service attack to screen its malicious activity at a website.

Mac Attack

A Trojan targeting Macintosh computers was spotted in the wild last week, but owners of the machines who have installed the latest software updates from Apple should have nothing to worry about from the threat.

The malware, called Dockster, exploits a vulnerability in Java to open up a Mac to attack. The same vulnerability was exploited by the Flashback virus, which is credited with infecting some 800,000 Macs before it was cleaned up.

The malware is planted on Macs that visit a website dedicated to the Dalai Lama. “We’ve been seeing a consistent flow of attacks on activists, particularly from Tibet,” Lysa Myers, a virus hunter at Intego, a company that makes security software for Macs, told TechNewsWorld.

“We consider this low risk at this point because anyone who has updated their Java version will be fine,” she said.

Breach Diary

  • Dec. 4: Swiss intelligence warns the United States and Great Britain of a possible leak of counterterrorism information by a disgruntled employee. The employee stole terabytes of classified materials before he was captured by authorities last summer. The Swiss are still unsure if the employee sold or exposed the information to others before his arrest.
  • Dec. 4: Alere Home Monitoring alerts more than 100,000 patients that their personal information may have been compromised when a laptop was stolen from an employee’s vehicle. Information on the computer was password-protected but not encrypted and included names, Social Security numbers, addresses and diagnoses of patients who take drugs to prevent blood clots.
  • Dec. 6: Nationwide insurance alerts state regulators that a breach of the company’s computers on Oct. 3 compromised personal information about an estimated 1.1 million people. Information included names, Social Security numbers, driver’s license numbers, birth dates, marital status, gender, and employer name and address. The company is offering affected parties a year of free credit monitoring and identity theft protection.
  • Dec. 6: Ponemon Institute releases study showing 94 percent of healthcare organizations have suffered at least one data breach in the past two years. Nearly half the organizations (45 percent) have experienced more than five data breaches during that period. According to Ponemon, data breaches could be costing the industry an average of $7 billion a year.
  • Dec. 6: CipherCloud, an online security company, releases survey of 300 executives in the UK showing that 68 percent of the decision-makers do not know how much a data breach would cost the company. Two of the biggest concerns the executives had about stashing their data in the cloud were risk of breaches (44 percent) and loss of control of their data (33 percent).

Upcoming Security Events

  • Dec. 20: Black Hat Webcast: Another Year in Web Security – What did 2012 teach us about surviving 2013? 1 p.m. ET. Free.
  • Jan. 7-9: Redmond Identity, Access & Directory Knowledge Summit 2013. Microsoft Conference Center, Redmond, Wash. Sponsored by Oxford Computer Group. Early registration: $450. Registration after Nov. 21: $650.
  • Feb. 8-9: Suits and Spooks Conference: Should Private Companies Take Measured Offensive Actions against Attackers? Waterview Conference Center, Washington, D.C. Registration: $595.

John Mello is a freelance technology writer and former special correspondent for Government Security News.
