Senate Gives Nod To Controversial Cross-Border Data Access Bill

The United States Senate on Thursday approved a controversial cross-border data access act, dubbed the CLOUD Act, that was part of the overall omnibus government spending bill.

Buried on page 2,201 of the government spending bill is the Clarifying Lawful Overseas Use of Data Act (the CLOUD Act), a provision that sets rules for how the government should handle accessing personal data that is stored by tech platforms abroad. For the US specifically, the bill would permit law enforcement to access citizens’ information that is stored on systems in a different country, given that they have a US court-approved subpoena.

“In today’s world of email and cloud computing, where data is stored across the globe, law enforcement and tech companies find themselves encumbered by conflicting data disclosure and privacy laws,” said senator Orrin Hatch (R-UT), one of the sponsors of the bill, in a statement. “We need a commonsense framework to help law enforcement obtain critical information to solve crimes while at the same time enabling email and cloud computing providers to comply with countries’ differing privacy regimes.”

As the law stands today, the government must go through a series of steps with the country in which data is stored in order to access that data, even if the data belongs to a citizen of its own country.

Law enforcement agencies currently use the mutual legal assistance treaty (MLAT) process to request data stored outside their borders, meaning they need to abide by the data privacy laws both of their country and of the country where the requested data is stored.

“Communications-service providers face potential conflicting legal obligations when a foreign government orders production of electronic data that United States law may prohibit providers from disclosing,” according to the act.

One such famous instance is Microsoft’s continuous struggle with US law enforcement over access to data stored in a data center in Ireland.

In 2013, US authorities tried to obtain customer emails from Microsoft that were held in a data center in Dublin, Ireland, as part of a U.S. drug trafficking investigation. While the Justice Department argued that a warrant issued in the US was sufficient, Microsoft countered that US law enforcement first needed to go through Irish authorities in order to obtain data stored in Ireland.

Several major tech companies support the act, and in a Feb. 6 letter, several companies – including Microsoft, Google, Apple, Facebook and Oath – said that “if enacted, the CLOUD Act would be notable progress to protect consumers’ rights and would reduce conflicts of law.”

Meanwhile, Microsoft chief legal officer Brad Smith tweeted his support for the bill, calling it crucial “for building trust in the technology we all rely on every day.”

While many large technology companies have strongly supported the CLOUD Act, the bill has also been scrutinized by privacy groups for its implications about data access.

ACLU legislative counsel Neema Singh Guliani argued in a statement that the act would give Attorney General Jeff Sessions “nearly unchecked power over global digital privacy rights.”

“The bill would strip power away from Congress and the judicial branch, giving Sessions and [Michael] Pompeo (and future executive branch officials) virtually unchecked authority to negotiate data exchange agreements with foreign nations, regardless of whether they respect human rights or not. That’s a major shift from current law, and one that Congress should reject,” she said.

David Ruiz, with Electronic Frontier Foundation, said that the CLOUD Act has “enormous implications for data privacy protections abroad.”

“Plainly, this bill—which is now law—will erode [data privacy] protections,” he told Threatpost. “In the [Microsoft example], where U.S. law enforcement will issue search warrants to U.S. companies for data that is stored outside the United States, we already have a legal process for that. It’s called the MLAT process. The CLOUD Act bypasses the MLAT process, and it allows U.S. law to be applied to information stored in non-U.S. countries, forgoing the data protection laws of those countries.”


from Threatpost – English – Global – thr…

AMD Will Release Fixes for New Processor Flaws in a Few Weeks


Security firm that disclosed flaws accuses chipmaker of downplaying flaws; says timeline is overly optimistic.

Less than 10 days after getting blindsided by a report about purportedly severe vulnerabilities in some of its products, AMD on Wednesday confirmed the issues and said it would have fixes for them in the next several weeks.

In an alert Wednesday, AMD said it had completed an initial technical assessment of the flaws that Israeli security research firm CTS-Labs had reported to it on March 12 and then, controversially, released publicly just one day later.

The assessment confirmed issues associated with the firmware for the AMD Secure Processor and the Promontory chipset used in AMD’s Ryzen and EPYC platforms.

However, exploiting the flaws that CTS identified requires an attacker to already have full administrative access to a system, AMD’s CTO Mark Papermaster said. An attacker would need to overcome multiple OS-level controls such as Microsoft’s Windows Credential Guard to gain the administrative access needed to exploit the flaws, he said.

AMD is working on a firmware update for the Secure Processor issue and will release it in coming weeks, Papermaster said, without offering any specific dates. AMD is also working with the third-party manufacturer of the Promontory chipset on appropriate mitigations, he said. No timeline was given for when those mitigations might become available.

AMD’s advisory is its first public update after CTS released details on the vulnerabilities March 13.

It evoked an immediate response from the Israeli firm. In a statement posted on a website describing the AMD flaws, CTS criticized the chipmaker for attempting to downplay the severity of the flaws. It called AMD’s promise to deliver fixes in a few weeks overly optimistic and said that some of the flaws would take months to fix. The central idea behind the Secure Processor, the company noted, is precisely to prevent administrators from gaining access to certain data on systems, so the requirement for administrative access does not neutralize the issue.

CTS has come under considerable criticism for its decision to publicly disclose the vulnerabilities without giving AMD the opportunity to review them fully or issue any fixes for them. In a March 13 release, CTS said it had discovered 13 critical security vulnerabilities and manufacturer backdoors in AMD’s Ryzen and EPYC product sets.

The research firm grouped the vulnerabilities under four broad categories and described them as affecting millions of devices, users and organizations worldwide. Among other things, the flaws give attackers a way to permanently install malicious code in AMD Secure Processor and to steal credentials for moving laterally through compromised networks – including those protected by Microsoft’s Credential Guard.

CTS also warned that ASMedia, a Taiwanese company from which AMD sources some of its chipsets, was shipping products with exploitable manufacturer-installed backdoors in them that could allow attackers to inject malware into the chip.

Many faulted CTS for disclosing the flaws without giving AMD proper notice and also for overblowing the severity of the threat posed by them. An independent security research firm that CTS hired to validate its findings described the flaws as extremely hard to exploit even if complete exploit details were available. Others have maintained that the vulnerabilities are a threat only if a system has already been fully compromised, at which point an attacker would be able to do pretty much what they wanted on the system, anyway.

CTS’ decision to go public with its discovery just weeks after the storm over the Spectre and Meltdown vulnerabilities in Intel chips also prompted wide-ranging questions about the motives and the timing behind the vulnerability disclosure.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

from Dark Reading – All Stories

City of Atlanta Hit with Ransomware Attack


FBI investigating computer outages in the city’s network possibly tied to Samsam-type ransomware variant.

Computer systems for the City of Atlanta were hit by an apparent ransomware attack that has caused outages and is now under investigation by the FBI.

According to Atlanta’s local news channel 11Alive, the attack appears to have the earmarks of the Samsam variant of ransomware. Some of the city’s customer-facing billing and court information systems have suffered outages due to the attack.

“At this time, our Atlanta Information Management team is working diligently with support from Microsoft to resolve the issue. We are confident that our team of technology professionals will be able to restore applications soon. Our city website remains accessible and we will provide updates as we receive them,” the City said in a statement provided to 11Alive.

According to the report, a screenshot from one of the infected machines showed the attackers demanding ransom of $6,800 “per unit,” or $51,000 to decrypt the entire system.

For more on this developing story, read the report here.


from Dark Reading – All Stories

San Diego Sues Experian Over ID Theft Service

The City of San Diego, Calif. is suing consumer credit bureau Experian, alleging that a data breach first reported by KrebsOnSecurity in 2013 affected more than a quarter-million people in San Diego but that Experian never alerted affected consumers as required under California law.

The lawsuit, filed by San Diego city attorney Mara Elliott, concerns a data breach at an Experian subsidiary that lasted for nine months ending in 2013. As first reported here in October 2013, a Vietnamese man named Hieu Minh Ngo ran an identity theft service online and gained access to sensitive consumer information by posing as a licensed private investigator in the United States.

In reality, the fraudster was running his identity theft service from Vietnam, and paying Experian thousands of dollars in cash each month for access to 200 million consumer records. Ngo then resold that access to more than 1,300 customers of his ID theft service. KrebsOnSecurity first wrote about Ngo’s ID theft service, alternately called Superget[dot]info and Findget[dot]me, in 2011.

Ngo was arrested after being lured out of Vietnam by the U.S. Secret Service. He later pleaded guilty to identity fraud charges and was sentenced in July 2015 to 13 years in prison.

News of the lawsuit comes from The San Diego Union-Tribune, which says the city attorney alleges that some 30 million consumers could have had their information stolen in the breach, including an estimated 250,000 people in San Diego.

“Elliott’s office cited the Internal Revenue Service in saying hackers filed more than 13,000 false returns using the hacked information, obtaining $65 million in fraudulent tax refunds,” writes Union-Tribune reporter Greg Moran.

Experian did not respond to requests for comment.

Ngo’s identity theft service relied on access to consumer databases maintained by a company that Experian purchased in 2012.

In December 2013, an executive from Experian told Congress that the company was not aware of any consumers who had been harmed by the incident. However, soon after Ngo was extradited to the United States, the Secret Service began identifying and rounding up dozens of customers of Ngo’s identity theft service. And most of Ngo’s customers were indeed involved in tax refund fraud with the states and the IRS.

Tax refund fraud affects hundreds of thousands of U.S. citizens annually. Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS.

In May 2014, KrebsOnSecurity reported that Ngo’s identity theft service was connected to an identity theft ring that operated out of New Jersey and New York and specialized in tax refund and credit card fraud.

In October 2014, a Florida man was sentenced to 27 months for using Ngo’s service to purchase Social Security numbers and bank account records on more than 100 Americans with the intent to open credit card accounts and file fraudulent tax refund requests in the victims’ names. Another customer of Ngo’s ID theft service led U.S. Marshals on a multi-state fugitive chase after being convicted of fraud and sentenced to 124 months in jail.

According to the Union-Tribune, the lawsuit seeks civil monetary penalties under the state’s Unfair Competition Law, as well as a court order compelling the Costa Mesa-based company to formally notify consumers whose personal information was stolen and to pay costs for identity protection services for those people. If the city prevails in its lawsuit, Experian also could be facing some hefty fines: Companies that fail to notify California residents when their personal information is exposed in a breach could face penalties of up to $2,500 for each violation.


from Krebs on Security

Winners and Losers in Password ‘Bracketology’


A recent study shows that there’s a clear winner in the ‘most used sports mascot’ password competition.

Everyone knows you shouldn’t use words like “password” as part of your password, but what about other words? What about sports team mascots? Keeper Security ran an analysis it calls “Password Madness” to check which mascots win the most-used prize, and the brackets have been filled.

Keeper Security ran its analysis on the massive database of 1.4 billion clear-text credentials that 4iQ found on the dark web. What it found was a clear winner and a clear loser.

According to a statement from Keeper Security, of all the passwords looked at, those containing “Tiger” and its variations (such as “T1ger”, “T1g3r”, etc.) appeared 187 percent more often than passwords containing variations of “Eagle,” the second-most common password set found, and nearly 850 percent more than the least common password, which was “Bluejay” and its variations.

Since many people reuse the same password on nearly every online account, patterns such as this expose hundreds of thousands of credentials to rapid guessing attacks. Keeper Security recommends that users find other, less risky, ways of honoring their favorite sports teams.

For more, read here.


from Dark Reading – All Stories

Crooks infiltrate Google Play with malware in QR reading utilities

Thanks to Chen Yu of SophosLabs for her behind-the-scenes work on this article.

SophosLabs just alerted us to a malware family that had infiltrated Google Play by presenting itself as a bunch of handy utilities.

Sophos detects this malware as Andr/HiddnAd-AJ, and the name gives you an inkling of what the rogue apps do: blast you with ads, but only after lying low for a while to lull you into a false sense of security.

We reported the offending apps to Google, and they’ve now been pulled from the Play Store, but not before some of them attracted more than 500,000 downloads.

The subterfuge the developers used to get past Google’s “Play Protect” app-vetting process seems surprisingly simple.

First, the apps were, at least on the surface, what they claimed: six were QR code reading apps; one was a so-called “smart compass”.

In other words, if you were just trying out apps for fun, or for a one-off purpose, you’d be inclined to judge them by their own descriptions.

Second, the crooks didn’t fire up the adware part of their apps right away, lurking innocently for a few hours before unleashing a barrage of ads.

Third, the adware part of each app was embedded in what looks at first sight like a standard Android programming library that was itself embedded in the app.

By adding an innocent-looking “graphics” subcomponent to a collection of programming routines that you’d expect to find in a regular Android app, the adware engine buried in the app effectively hides in plain sight.

For all its apparent innocence, however, this malware not only pops up advertising web pages, but can also send Android notifications, including clickable links, to lure you into generating ad revenue for the criminals.

When you run one of these infected apps for the first time, it “calls home” to a server controlled by the crooks for configuration information.

Each configuration download tells the malware what to do next:

  • The Google Ad Unit ID to use.
  • How long to wait before showing ads.
  • The URLs to open in your browser to push ads on you.
  • The messages, icons and links to use in the notifications you’ll see.
  • When to call home for the next configuration update.

This makes it easy for the crooks to adapt the behaviour of the malware remotely, changing both its ad campaigns and its aggressiveness easily, without needing to update the malware code itself.

When SophosLabs tested these samples, the first configuration settings pushed out by the crooks were very low-key.

For the first six hours, the list of ads was empty, meaning that the apps behaved unexceptionably to start with…

…before flooding the device with full-screen ads, opening various ad-related web pages, and sending notifications with ad-related links in them, even when the apps’ own windows were closed.

What to do?

As mentioned, Google no longer endorses these apps, and if you install our free Sophos Mobile Security for Android product, we’ll detect and optionally remove these ad-foisting apps if you already have them on your device.

Despite Google’s failure to spot the roguery of these particular “utilities” before blessing them into the Play Store, we nevertheless recommend sticking to Google Play if you can.

Google’s app vetting process is far from perfect, but the company does at least carry out some pre-acceptance checks.

Many off-market Android app repositories have no checks at all – they’re open to anyone, which can be handy if you’re looking for unusual or highly specialised apps that wouldn’t make it onto Google Play (or trying to publish unconventional content).

But unregulated app repositories are also risky, for all the same reasons.

from Naked Security – Sophos

A Closer Look at APT Group Sofacy’s Latest Targets

Threatpost talks to Kaspersky Lab researcher Kurt Baumgartner, who was instrumental in tracking the latest activities of the Russian-speaking Sofacy APT gang. The research shows a continual march toward Far East targets and an overlap of Sofacy’s activities with those of other groups such as Lamberts, Turla and Danti.

Baumgartner, a researcher with Kaspersky Lab’s Global Research and Analysis Team, presented his findings earlier this month at the Security Analyst Summit.

Full Threatpost coverage of the conference can be found here.

from Threatpost – English – Global – thr…