Archive for the ‘hacking’ tag

Survey says nearly half of lawyers want to move key functions into “the cloud”


As more of our lives, and more of our work, move into the digital realm, a Legal IT Professionals survey indicates a split in the profession over whether firms should move key technology functions into “the cloud”. The survey’s sample size was fairly small (there were 438 respondents), yet 45% of lawyers and paralegals were in favor of the shift, with a slightly larger 46% opposing it (the remaining 9% very diplomatically had no opinion on the issue). Small to mid-size firms were more likely to be in favor, with 57% of firms boasting over 1,000 fee earners opposing the move. This is unsurprising, as larger firms tend to have in-house IT departments that might suffer from the move.

What is surprising is that such a high level of the profession seems so willing to embrace what would doubtlessly be a huge change for the field. On one hand, it would certainly make remote access easier, which may explain the high number of lawyers in favor of the move. Yet increasing the technological complexity of day-to-day legal work will involve training staff in the new processes, taking risks with a lot of the firm’s documentation, and ultimately, opening up a large amount of confidential information to the risk of hacking.

It is likely that none of these problems will ultimately prevent the shift from occurring, and 81% of those responding indicated they thought it would likely happen in the next decade. The willingness of such a large swath of a generally conservative, risk-averse profession to make the leap already is still worth noting, however. In a profession that tends to eschew development for stability and to prefer precedent over novelty, the fact that these numbers are so high already may tell us a lot about the way all of society has embraced technology over the past few decades, and how much larger a role it is likely to play in our lives in years to come.


February 20th, 2013 at 3:21 pm

Are Your E-mail Communications Protected by the Stored Communications Act?


Last month, the Supreme Court of South Carolina ruled that the Stored Communications Act (“SCA”) did not protect e-mails contained in a user’s webmail account. Jennings v. Jennings, No. 27177 2012 WL 4808545 (S.C. Oct. 10, 2012). The e-mail user sued his wife and her relative for violating the SCA by accessing his Yahoo! account to obtain e-mails he exchanged with another woman.

The SCA was enacted in 1986 as part of the Electronic Communications Privacy Act and provides protection to electronic communication service providers and users by limiting when the government can compel disclosure of certain communications, limiting when service providers can voluntarily disclose information, and providing a cause of action against a person that intentionally obtains an “electronic communication while in electronic storage” without authorization. 18 U.S.C. § 2701(a)(2) (2000). Due to outdated definitions, the SCA affords little protection to internet communications exchanged today.

An electronic communication service is a service providing “electronic storage,” which is defined as “(A) any temporary intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication.” 18 U.S.C. § 2510(17) (2000). This definition of electronic storage tracked the way e-mail was used at the time the SCA was enacted; mail was temporarily copied and stored before being downloaded to the recipient’s computer. Today, webmail services allow the user to access mail on the web through any computer rather than require the user to download the mail onto their personal computer, which raises the question of whether webmail is ever in temporary intermediate storage or stored solely for backup protection.

The Department of Justice (“DOJ”) has adopted a narrow interpretation of “electronic storage.” According to the DOJ, a communication is not electronic storage under §2510(17)(A) unless it is stored in the course of transmission, and communications stored as backup protection under § 2510(17)(B) are those that are stored by the service provider as a backup copy prior to delivery to the recipient. CCIPS, U.S. Dep’t of Justice, Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, 123 (3d ed. 2009). Conversely, in Theofel v. Farey-Jones, the Ninth Circuit found that e-mail read by the recipient but still available on the server was stored for the purpose of “backup protection” and thus protected by the SCA under § 2510(17)(B). 359 F.3d 1066 (9th Cir. 2004).

In Jennings, a lower court relied on Theofel in determining that the e-mails were in electronic storage “for purposes of backup protection.” The Supreme Court reversed, holding that the “passive inaction” involved in opening e-mail and leaving the single copy on the server cannot constitute storage for backup protection. Based on this holding, it is unclear whether any web-based e-mail communication would be protected under the SCA. Although the question of whether the e-mail could be protected under § 2510(17)(A) (“temporary intermediate storage of a wire or electronic communication”) was not raised in Jennings, it is unlikely that any opened e-mail could be said to be in “intermediate storage.” The SCA’s outdated definitions are difficult to apply to electronic communications as they are used today and therefore do not adequately protect web-based communications.


November 12th, 2012 at 8:24 am


Tightening Security–What We Can Learn from the Yahoo! Voices Hack


Yahoo’s digital publishing platform, Yahoo! Voices, was the latest major website to fall prey to a cyberattack. A group called ‘D33Ds Company’ stole over 450,000 usernames and passwords from the site (fortunately, less than 5% were still valid) and published the data on its webpage. Though no longer available on the D33Ds website, various sources report that the data is still circulating through torrents.

Following recent similar hacks of major social networking sites such as LinkedIn, eHarmony and Last.fm, Yahoo!’s woes remind us that the Internet still has serious safety concerns. The data taken from Yahoo! was–astonishingly–not encrypted. D33Ds pulled off their feat through a relatively simple technique known as SQL injection, a well-known method of attacking a database, and one that is relatively easy to combat.

D33Ds described their attack “as a wake-up call and not as a threat.” If nothing else, they’ve woken up Yahoo!. In response to this embarrassment, Yahoo! is not going to leave unencrypted data lying around any time soon. And generally, it’s clear that social networking sites have a strong incentive to self-regulate when it comes to data security and will respond swiftly to breaches.
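As an added illustration, not from the original post and not Yahoo!’s code, the Python below puts the two defects the post names side by side with the standard fixes: a query that splices user input into SQL text beside a parameterised query, and a users table that stores salted PBKDF2 hashes instead of plaintext passwords. The accounts and the always-true test input are constructed sample data.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts (fictional; not the breached data set).
SAMPLE_USERS = [
    ("alice", "correct horse"),
    ("bob", "battery staple"),
    ("carol", "hunter2"),
]
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: bytes = b"") -> str:
    """Store 'salt:digest' (PBKDF2-HMAC-SHA256) rather than the password
    itself, so a leaked users table exposes no reusable credentials."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + ":" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split(":")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def build_db() -> sqlite3.Connection:
    """In-memory users table holding only salted hashes, never plaintext."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(name, hash_password(pw)) for name, pw in SAMPLE_USERS],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The defect: the input is spliced into the SQL text, so a quote in the
    input changes the query's structure instead of just supplying a value."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return sorted(row[0] for row in conn.execute(query))


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """The fix: a parameterised query. The driver passes the value separately
    from the SQL text, so the same input is compared literally and matches
    nothing."""
    query = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(query, (username,)))


def plaintext_leaked(conn: sqlite3.Connection) -> bool:
    """True if any stored credential equals a sample password, i.e. if a
    dump of the table would hand out working passwords."""
    known = {pw for _, pw in SAMPLE_USERS}
    rows = conn.execute("SELECT pw FROM users").fetchall()
    return any(pw in known for (pw,) in rows)


if __name__ == "__main__":
    db = build_db()
    tautology = "' OR '1'='1"  # constructed input: turns the WHERE clause always-true
    print("vulnerable lookup:", lookup_vulnerable(db, tautology))  # every account
    print("safe lookup:      ", lookup_safe(db, tautology))        # []
    print("plaintext in table:", plaintext_leaked(db))            # False
```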

But maybe the incentive isn’t strong enough. Building a better mousetrap can be costly, many sites can bank on users staying despite breaches because those sites lack competition (where would dissatisfied LinkedIn users go?), and users have little way of knowing how secure a site is until it’s too late.

This newest installment in the seemingly never-ending saga of security breaches might start a push for more serious data security laws for the gargantuan tangle of social networks. It’s certainly feasible. Financial institutions have to follow strict data security procedures under the Gramm-Leach-Bliley Act. The National Institute of Standards and Technology sets security standards for non-classified government information. Some Senators have been asking for tighter social networking security regulations since as early as 2010. Do the breaches of Yahoo, LinkedIn, eHarmony, and Last.fm mean that it’s time to start thinking more seriously about federal regulation of social networking data security?


July 15th, 2012 at 10:46 pm

Expansion of Cyber Warfare… Possibly


In a small town outside Springfield, Illinois, a controversy emerged this past month as to whether or not the U.S. had fallen victim to its first known industrial cyber attack. In a public water district, a water pump malfunctioned, turning on and off until the piece of equipment eventually burned itself out. Cyber-security expert and blogger Joe Weiss notified the media that the Illinois Statewide Terrorism & Intelligence Center had identified the event as a cyber attack launched from somewhere in Russia. Subsequently, the Department of Homeland Security and FBI pursued investigations and concluded that there was no actual evidence of hacking of the controls to the facility. No malicious intrusion appears to have occurred. According to a source with DHS, the Russian IP address found in the computer log was present because the contractor, who had remote access to the computer system, was there on personal business.

As implausible as this and similar scenarios might seem, where hackers could gain control of industrial equipment anywhere in America—outside action movies—the U.S. has already been implicated in committing this exact activity. Last year, the Stuxnet worm was discovered and linked to the U.S. and Israeli governments as an attempt to derail Iran’s nuclear program. The worm spread to hundreds of thousands of computers but was ostensibly designed so specifically that its destructive process would execute only against the network of centrifuges in Iran’s nuclear facility. While Stuxnet originally mystified security companies and programmers, it now exists as (1) a well-studied “playbook” for those wishing to design a similar computer worm and (2) part of an acknowledgement that the U.S. is innovating beyond cyber espionage and into industrial cyber warfare. Realizing that the cyber arms race favors the innovation of hackers, which is often unpredictable for those working in cyber defense, many are asking if there is any possible legal regime applicable to this type of attack.

Those trying to determine international rules of law are grappling with almost boundless uncertainty.  Questions of interpretation deal with whether a cyber attack might trigger the collective self-defense provision in Article V of the NATO Charter or qualify as the use of force according to Article 2(4) of the U.N. Charter.  However, a practical issue any lawmaker faces is that it may be next to impossible to know with certainty where an attack is coming from.

The U.S. has endeavored to establish a legal framework for cyber warfare within its own government regarding policies and rules of engagement, but even there deliberations are “ongoing.”  This year, instead of waiting for answers from international bodies, the Pentagon clarified the U.S. view that these attacks may constitute acts of war.  Just recently, the U.S. joined efforts at the NATO cyber defense research center in Estonia, whose government was temporarily crippled by a cyber attack years ago that is presumed to have come from Russia.  Likewise, in the past week the U.K. announced its own Cyber Security Strategy that voiced intentions to pursue an aggressive cyber defense policy.

Still, one important consideration should emerge while we’re worrying about cyber warfare: there is still no evidence of any significant physical harm befalling anyone due to cyber warfare. These worries can be overblown. There are few, if any, successful cases of cyber industrial sabotage—even Stuxnet probably only worked to destroy a tenth of its target centrifuges. On the other hand, many people, even experts, may have vested interests in raising cyber security fears. As engaging and serious as this discussion sounds, we should take cyber security threats with a grain of salt. Before considering retaliation, we especially need to make sure that the problem is not simply a glitch within our own equipment controls.


December 7th, 2011 at 4:12 pm

Due to Russian Crackdown, Amount of Spam Email Drops


I had not thought about email spam in ages. It used to be that whenever I logged into my email, including my school email accounts, the vast majority of my emails were unsolicited junk—advertisements for Viagra or other drugs available on the cheap through online “pharmacies,” offers for cash in exchange for sending emails, get-rich-quick schemes and emails with provocative subject headings that led to XXX websites.

Earlier this week The New York Times published an article chronicling a drop in the past month of about 50 billion email spam messages per day.  There still remain about 200 billion spam messages in circulation daily, a staggering number, especially considering that my inbox is only clogged these days by the various updates, newsletters and advertisements to which I have subscribed or agreed to, whether wisely or otherwise.  Regardless, they have been solicited.

According to the Times, Russia, a “haven” for cyber criminality, has become a major exporter of spam due in large part to the alleged work of “spam kingpin” Igor Gusev. Although he denies a connection, Gusev is widely believed to have run SpamIT.com, which paid spammers to promote online pharmacies. The SpamIT operation closed inexplicably on September 27th and was followed by the 50 billion messages per day curtailment of junk mail sent by spammers. It turns out the Russian government, which has traditionally been lax in its prosecution of cyber crime, had cracked down and charged Gusev not with cybercrime but with operating a pharmacy without a license and failing to register a business.

As someone who had not thought about spam in years, I was amazed at the amount of junk mail that is sent daily and also the amount of spam for which one man seems to have been responsible.  Users like me no longer feel the effects of spam due to the ubiquity of spam filters.

Thus, I wondered why I should care about spam and its continued use.  It seems that an increased use of spam filters should be followed by a loss of incentive to use spam as a marketing tool.  Who is still a) receiving this spam and b) investing in the products advertised?  Clearly those people exist since Gusev is reported to have earned 120 million dollars from his company.  As long as spam still reaches even a limited audience, it seems likely to continue.  There is little cost associated with email spam.  Once hackers have lists of email addresses, emails just need to be sent.  Any kind of more legitimate advertising is clearly more costly—both economically and in terms of time—paying hosts to post the advertising, making paper copies, phone calls, walking from bulletin board to bulletin board to hang signs.  As long as people open spammed email messages and make purchases, spamming is clearly a cost-efficient, if illegal, method of marketing.

However, the costs are borne by the rest of us. Due to the fact that different countries have different laws or policies regarding the use of spam, it is difficult to mitigate the effects. We have to bear the costs of providing and operating spam filters and tracking the use of spam. Moreover, in terms of privacy we are still reminded that hackers continue to gather our information for these uses. The New York Times also writes that spam accounts for 90% of all email traffic on the internet. I cannot help but wonder in what ways the internet would be a different place in a spam-less world.


October 31st, 2010 at 5:01 pm

Emergency Powers in Cyberspace


In the past year, there has been an increase in the number of hack attacks on U.S. companies. In one particularly worrisome case, the attacks were targeted against Google and 33 other companies, including financial institutions and defense contractors. In light of this situation, several senators are drafting a bill that would give the president the power to declare an emergency next time there is a threat in cyberspace. Companies could be forced to take measures, or even shut down, to combat the threat.

According to Reuters, which reported that it had obtained a copy of the draft bill on September 21st, the draft is the result of a merger of two cybersecurity bills. One of these is bill S.3480, titled Protecting Cyberspace as a National Asset Act of 2010, which was introduced by Senator Joseph Lieberman in June. The bill tries to establish an Office of Cyberspace Policy within the executive branch and amend the Homeland Security Act of 2002 to add a new National Center for Cybersecurity and Communications (NCCC) within the Department of Homeland Security. The bill also allows the president to declare a “national cyber emergency” with respect to companies classified as part of the nation’s critical infrastructure network, which would then give the NCCC Director the power to enforce cybersecurity policies over the private sector.

There will surely be strong opposition from technology and telecommunications firms that might be classified as critical infrastructure. These companies will have to front the costs of implementing security measures or be shut down. Undoubtedly, some or all of these costs would be passed down to the consumer. On the other hand, as Senator Lieberman put it in a press release, “our economic security, national security and public safety are now all at risk . . . .”


October 31st, 2010 at 4:48 pm

Dilemmas in Electronic Voting: An Example from the Garden State


by Ryan Walden, MTTLR Associate Editor


Image I Voted? by Kenn Wilson. Used under a Creative Commons BY-NC 2.0 license.

Today’s voters are more likely than ever to read online blogs for political news and views, use candidate websites to examine their stances on the issues, and then make donations to their favored candidates online. Today’s voters are also more likely to cast their vote using an electronic voting machine, but not all consider that a welcome change. Just ask the plaintiffs in a New Jersey case challenging the use of electronic voting machines.

Last month, Andrew Appel, a computer science professor at Princeton, released a report of findings on the security of the Sequoia AVC Advantage voting machines (executive summary | pdf report). This report was submitted to the New Jersey Superior Court in support of the plaintiffs in Gusciora v. Corzine, a lawsuit alleging that the use of the AVC Advantage voting machines violates the state constitution’s guarantee to count every vote due to the possibility of fraud. The report finds that the machines, used in 18 of New Jersey’s 21 counties, can be hacked in as little as seven minutes by installing a new program into the computer to change vote totals. Appel demonstrates how the machines can be hacked in this (90 minute) video.

To combat possible fraud, Appel recommends voter verified paper trails, which would entail “an individual paper record of each vote cast, seen and verified by the voter at the time the vote is cast, collected in a ballot box so that it can be recounted by hand if necessary.” Voter verified paper trails are not a new idea – proposed legislation from Congressman Rush Holt (also of New Jersey) would mandate voter verified paper trails in federal elections. Even with voter verified paper trails, there must be a way to properly audit paper records to ensure no misconduct has occurred. The Brennan Center for Justice at NYU School of Law has released a report (pdf file) with recommendations for such audit mechanisms.

For their part, Sequoia Voting Systems, which makes the AVC Advantage voting machines, has rebutted the Appel report with a report of its own (pdf report | press release). Sequoia argues that the study was not conducted under real world settings, where detection of tampering is very likely. Sequoia also argues that the AVC Advantage machines were evaluated under “inappropriate standards” – noting that the Appel report’s assertion that the machines “must be correct in all circumstances” is an impossible standard to meet for any sort of voting system.

Ultimately, the arguments on both sides prompt the question: If we can’t have 100% accuracy, what level of inaccuracy is permissible? Sequoia is certainly right that no system will be correct in all circumstances, but if the Appel report is correct with regards to the sheer ease of changing votes, then that is not a sufficient rebuttal. Technology makes voting and counting votes easier, but it may also make voter fraud easier. Do the benefits outweigh the costs? A New York Times article notes that two-thirds of voters in the recent election were anticipated to vote by paper, with some states, including Florida, having switched back from electronic voting machines. Virginia and Maryland will switch back to paper ballots for the 2010 election. As for New Jersey? In light of this controversy, at least one Garden State political blogger suggests a decidedly un-21st century method of voting: through the U.S. Mail with an absentee ballot.


November 21st, 2008 at 2:06 pm


Palin Email Hack – Time to Update and Expand the Computer Fraud and Abuse Act?


by: Sherri Nazarian, Associate Editor, MTTLR

Editor: This post is part of a short MTTLR Blog series on the Computer Fraud and Abuse Act. Part one argues that the CFAA should not be expanded to address the problem of online bullying. Part two (this post) looks to the Sarah Palin email hacking case to call for a review and possible expansion of the CFAA’s provisions.

Image Security by David Goehring. Used under a Creative Commons BY 2.0 license.

It has been over two decades since David Lightman, a scrawny Seattle high school boy, stole our hearts when he almost started World War III by hacking into the North American Aerospace Defense computer system in the 1983 movie WarGames. David Kernell, a modern-day hacker who allegedly broke into Sarah Palin’s personal Yahoo e-mail account, certainly generated the same amount of attention, but he may not have elicited the same emotions.

The hacker impersonated Palin and used three pieces of readily available personal information in order to change the account’s password and get access to her e-mails. Palin’s e-mail contents, including some personal family pictures, went online overnight and in the process raised not only questions about internet security and personal privacy on the web, but also about whether Palin was deliberately attempting to hide public records by using a personal e-mail account to conduct state business.

This high-profile incident suggests it may be time to revisit the available legal tools to prosecute cyber crimes. The primary statute used to incriminate hackers is the Computer Fraud and Abuse Act (CFAA)—originally enacted in 1984. The statute makes it illegal for a person to “intentionally access[] a computer without authorization or exceed[] authorized access and thereby obtain[] … information from any protected computer ….” However, the statute does not make it easy for a prosecutor to charge Palin’s hacker with a felony, unless other conditions are met. Former Justice Department computer crime prosecutor Mark Rasch anticipates that the hacker could be charged with as little as a misdemeanor and face “little, if any, jail time.” The statute calls for a felony charge if, inter alia, the value of the information the hacker obtains exceeds $5000, or if the hacking was “committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.” It is not clear that Palin’s hacker falls under any of these categories.

According to computer experts, Palin’s hacker used a domestic proxy server in order to transmit the images to websites, which led to his arrest. One of the bigger problems stemming from advances in internet technology is the difficulty in tracking down hackers who leave little or no trace behind. One such dilemma results when a hacker cleverly uses a proxy server located in a foreign country, where the United States potentially has no jurisdiction (or means via a treaty) to subpoena the log entry. The need for more domestic and international protection remains salient.

Even though Palin’s e-mail hacking incident is no inauguration of World War III, it is a wake-up call to officials—who hopefully have checked their e-mail security by now—and legislators in charge of amending the laws. Today’s fast-paced technological society and the borderless world of the internet make us aware of the need for more protection against cyber criminals through broader statutes with provisions that cover not just hackers, but facilitators as well. The possibility of cyber crimes pushing countries into ratifying treaties like the Convention on Cybercrime is, to say the least, a rational expectation.


November 5th, 2008 at 8:30 am


Pwning your life


by Nancy Sims, MTTLR Blog editor

“Void your warranty, violate a user agreement, fry a circuit, blow a fuse, poke your eye out…”

So exhorts a t-shirt on sale from Make magazine. They also sell shirts with slogans like “If you can’t open it, you don’t own it”, and “Permission to play”. Make is not remotely a unique phenomenon – Instructables, Evil Mad Scientist Laboratories, and a host of other sites provide how-tos and what-ifs for the growing population of hardware modders and hackers. Make’s sister publication, Craft, and sites like Etsy and Craft Mafia demonstrate that the sensibility isn’t limited purely to hardware. It’s remix culture applied to real-world, physical objects, and it’s a growing phenomenon.

Hacking, remixing, modifying – whatever you call it, messing with technology, even physical objects you own, raises a host of legal issues. First of all, just opening the case of most tech objects voids the warranty. It may also void other user agreements, and as more of the technology in our daily lives requires ongoing relationships with service providers, that can be a real problem. Physical or software hacks may also violate anti-hacking laws in various jurisdictions.

The DMCA’s anti-circumvention provisions may open tech remixers to civil or criminal liability if they bypass “access control devices” or “technological protection measures” to explore or modify their devices. While there is currently an administrative exception that allows individuals to modify cellphones to ensure compatibility with various service providers, the exception doesn’t cover telling other people how to make the same modifications. Similar worries about the “no telling people how to circumvent, either” provisions delayed publication of the book “Hacking the Xbox”.

And yet, the community of hackers and modders continues to expand. The revolutionary, compelling, or just plain entertaining products that the maker/crafter/modder cultures produce make it difficult to see how anyone could want to rein them in. A (very) few highlights:

To get a sense of the philosophies/worldviews of makers, hackers, crafters, and modders, take a look at:

Explore the history of hacking:

So, what do you think? What are your favorite hacks and mods? What legal issues do you see?


June 14th, 2008 at 8:38 am
