Experts Cite Cybersecurity Concerns in 2020 Census

Concerns over data security have increased after revelations that Cambridge Analytica, a political consulting firm, harvested data from as many as 87 million Facebook profiles and that Russians involved stole personal information on 500,000 voters from one state’s elections website in 2016.

Cybersecurity experts are raising concerns about plans for the U.S. Census Bureau to use digital questionnaires for the first time in 2020, Time reports. Eleven former government cybersecurity employees demanded the Census Bureau and Department of Commerce outline any planned security measures in a letter coordinated by Georgetown Law’s Institute for Constitutional Advocacy and Protection. Concerns over data security have increased after revelations that Cambridge Analytica, a political consulting firm, harvested data from as many as 87 million Facebook profiles and that Russians involved stole personal information on 500,000 voters from one state’s elections website in 2016.

Joshua Geltzer, a former senior director for counterterrorism at the National Security Council, said he is worried not only about Russian entities, but also about “those who may be watching and learning from what Russia has been doing.” “The stakes are huge for this information,” he said, noting that information from the decennial census helps determine how many House seats and electoral college votes each state is allocated. The Government Accountability Office issued a report highlighting similar security concerns about the 2020 census in October 2017, to no avail. At a minimum, the Census Bureau should retain an outside cybersecurity firm to conduct an audit of the bureau’s plans to either publicly confirm they are satisfactory, or address their vulnerabilities, the cybersecurity letter-signers suggest.

from https://thecrimereport.org

Russian Hacker Vendors Probably Won’t be Charged

Russian agents allegedly used servers they leased in Arizona and Illinois to infiltrate Democratic Party computers. The vendors are unlikely to be charged with a crime unless it can be proved that they were a knowing part of the scheme.

Seven months before the 2016 presidential election, Russian government hackers made it onto a Democratic committee’s network. One of their carefully crafted fraudulent emails hit pay dirt, enticing an employee to click a link and enter her password. To steal politically sensitive information, prosecutors say, the hackers exploited some U.S. computer infrastructure against it, using servers they leased in Arizona and Illinois, the Associated Press reports. The details were included in the new indictment accusing the GRU, Russia’s military intelligence agency, of taking part in a wide-ranging conspiracy to interfere in the 2016 presidential election.

The Russians are accused of exploiting their access to inexpensive, powerful servers worldwide — conveniently available for rental — that can be used to commit crimes with impunity. Two Russian hacking units were charged with tasks, including the creation and management of a hacking tool called “X-agent” that was implanted onto computers. The software allowed them to monitor activity on computers by individuals, steal passwords and maintain access to hacked networks. In emails, the hackers embedded a link that purported to be a spreadsheet of Clinton’s favorability ratings, but instead it directed the computers to send its data to a GRU-created website. Despite the use of U.S.-based servers, vendors typically aren’t legally liable for criminal activities unless it can be proved that the operator was party to the criminal activity. A 1996 federal statute protects internet vendors from being held liable for how customers use their service and provides immunity to the providers. “The fact that someone provided equipment and or connectivity that was used to engage in data theft is not going to be attributed to the vendor in that circumstance,” Eric Goldman, a professor of law and co-director of the High Tech Law Institute at Santa Clara University School of Law, said.

from https://thecrimereport.org

Gas Pump Hack

This is weird:

Police in Detroit are looking for two suspects who allegedly managed to hack a gas pump and steal over 600 gallons of gasoline, valued at about $1,800. The theft took place in the middle of the day and went on for about 90 minutes, with the gas station attendant unable to thwart the hackers.

The theft, reported by Fox 2 Detroit, took place at around 1pm local time on June 23 at a Marathon gas station located about 15 minutes from downtown Detroit. At least 10 cars are believed to have benefitted from the free-flowing gas pump, which still has police befuddled.

Here's what is known about the supposed hack: Per Fox 2 Detroit, the thieves used some sort of remote device that allowed them to hijack the pump and take control away from the gas station employee. Police confirmed to the local publication that the device prevented the clerk from using the gas station's system to shut off the individual pump.

Slashdot post.

Hard to know what's true, but it seems like a good example of a hack against a cyber-physical system.

from https://www.schneier.com/blog/

More Hackers Hitting Municipal Computer Systems

About 38 percent of public entities may face a ransomware attack this year. The FBI advises against paying, but some cities do anyway when all their records are frozen.

A rising tide of hacking incidents has hit municipal systems across the U.S., from major cities like Atlanta to counties, tiny towns and even a library system in St. Louis, the Wall Street Journal reports. Local governments are forced to spend money on frantic efforts to recover data, system upgrades, cybersecurity insurance and, in some cases, to pay online extortionists if they can’t restore files some other way. Public-sector attacks appear to be rising faster than those in the private sector, reports the Ponemon Institute of Traverse City, Mi. Ponemon estimates 38 percent of the public entities it samples will suffer a ransomware attack this year, up from 31 percent last year and 13 percent in 2016. “We’re right at the front end of this,” said Marshall Davies of the Alexandria, Va.-based Public Risk Management Association. Hackers are “just now coming after the public entities. They’ve been hitting the businesses for years.”

Hackers generally don’t target specific cities, but instead constantly search for vulnerabilities wherever they may occur. Hackers attacking cities aren’t typically nation states, but rather cybercriminals. Some hackers demand ransoms in poorly written English, and they typically demand to be paid in bitcoin. The FBI advises against paying, and warns that “some individuals or organizations are never provided with decryption keys after paying a ransom.” Officials in Leeds, Al., folded when faced with a ransom demand from hackers who froze the Birmingham suburb’s computer system. Everything from email to personnel records was effectively locked down, and the city of 12,000 felt powerless. “You just hold your nose and do it,” Mayor David Miller said. After being paid, the hackers provided a code that helped the city regain access to most files. Every victim asks the same question, said Jeffrey Carpenter of SecureWorks Corp., an Atlanta-based cybersecurity firm: “Should we pay the ransom?”

from https://thecrimereport.org

Are Free Societies at a Disadvantage in National Cybersecurity

Jack Goldsmith and Stuart Russell just published an interesting paper, making the case that free and democratic nations are at a structural disadvantage in nation-on-nation cyberattack and defense. From a blog post:

It seeks to explain why the United States is struggling to deal with the "soft" cyber operations that have been so prevalent in recent years: cyberespionage and cybertheft, often followed by strategic publication; information operations and propaganda; and relatively low-level cyber disruptions such as denial-of-service and ransomware attacks. The main explanation is that constituent elements of U.S. society -- a commitment to free speech, privacy and the rule of law; innovative technology firms; relatively unregulated markets; and deep digital sophistication -- create asymmetric vulnerabilities that foreign adversaries, especially authoritarian ones, can exploit. These asymmetrical vulnerabilities might explain why the United States so often appears to be on the losing end of recent cyber operations and why U.S. attempts to develop and implement policies to enhance defense, resiliency, response or deterrence in the cyber realm have been ineffective.

I have long thought this to be true. There are defensive cybersecurity measures that a totalitarian country can take that a free, open, democratic country cannot. And there are attacks against a free, open, democratic country that just don't matter to a totalitarian country. That makes us more vulnerable. (I don't mean to imply -- and neither do Russell and Goldsmith -- that this disadvantage implies that free societies are overall worse, but it is an asymmetry that we should be aware of.)

I do worry that these disadvantages will someday become intolerable. Dan Geer often said that "the price of freedom is the probability of crime." We are willing to pay this price because it isn't that high. As technology makes individual and small-group actors more powerful, this price will get higher. Will there be a point in the future where free and open societies will no longer be able to survive? I honestly don't know.

EDITED TO ADD (6/21): Jack Goldsmith also wrote this.

from https://www.schneier.com/blog/

Pentagon Goes on Offensive in Cyber Warfare

The Pentagon has empowered the US Cyber Command to take a far more aggressive approach to defending the nation against cyber attacks. The shift in strategy could increase the risk of conflict with foreign states that sponsor malicious hacking groups.

The Pentagon has empowered the US Cyber Command to take a far more aggressive approach to defending the nation against cyber attacks, the New York Times reports. The shift in strategy could increase the risk of conflict with foreign states that sponsor malicious hacking groups. Until now, the Cyber Command has assumed a defensive posture, trying to counter attackers as they enter U.S. networks. In the few instances when it has gone on the offensive, particularly in trying to disrupt the online activities of the Islamic State and its recruiters, the results have been mixed. In the spring, as the Pentagon elevated the command’s status, it opened the door to nearly daily raids on foreign networks, seeking to disable cyber weapons before they can be unleashed.

The change in approach reflects a widespread view that the US has mounted an inadequate defense against the rising number of attacks. It was not clear how carefully the administration weighed the various risks involved if the plan is acted on in classified operations. Adversaries like Russia, China and North Korea, all nuclear-armed states, have been behind major cyber attacks, and the US has struggled with the question of how to avoid an unforeseen escalation as it wields its growing cyber arsenal. Another complicating factor is that taking action against an adversary often requires surreptitiously operating in the networks of an ally, like Germany. The new strategy envisions constant, disruptive “short of war” activities in foreign computer networks.

from https://thecrimereport.org

California Sues Mugshots.com Over Removal Fees

California Attorney General Xavier Becerra filed extortion and money laundering charges against the owners of a website that publishes mugshot photos and charges a fee to remove them. He is targeting Mugshots.com, which pulls photos and identifying information about criminal suspects from law enforcement departments around the U.S.

California Attorney General Xavier Becerra filed extortion and money laundering charges against the owners of a website that publishes mugshot photos and charges a fee to remove them, reports the Sacramento Bee. His office is targeting Mugshots.com, which pulls photos and identifying information about criminal suspects from law enforcement departments around the U.S. The site charges a “de-publishing fee” to remove someone from its archives. Becerra said it has frustrated people who were accused of crimes they did not commit. “This pay-for-removal scheme attempts to profit off of someone else’s humiliation,” he said. “Those who can’t afford to pay into this scheme to have their information removed pay the price when they look for a job, housing, or try to build relationships with others. This is exploitation, plain and simple.”

An affidavit filed in Los Angeles County Superior Court describes California residents who paid hundreds of dollars to have their photos removed from the website. One example: A Santa Rosa resident spent a night in jail but was not charged with a crime. He asked the company to take down his photo. It refused. He recorded a phone conversation with someone from the company who cursed at him and said, “We’ll never take your calls again. You’ve been permanently published (expletive, expletive).” The young man believed his inclusion on the website contributed to his inability to find work. Becerra filed charges against Sahar Sarid, Kishore Vidya Bhavnanie, Thomas Keesee and David Usdan. They live in other states, and Becerra wants to have them extradited to California. Investigators are working with law enforcement in Broward and Palm Beach counties in Florida, and state police in Connecticut and Pennsylvania. Becerra’s office alleged the suspects collected at least $64,000 in removal fees from 175 Californians.

from https://thecrimereport.org

Cybercrime Extortion Group Member Arrested in Serbia

The FBI appears to have made headway in cracking a cybercrime extortion group that has plagued health and dental clinics, schools, law firms and Hollywood production companies since 2016. Serbian authorities, saying they were working with the FBI, arrested a 38-year-old man, believed to be a member of The Dark Overlord.

The FBI appears to have made headway in cracking a cybercrime extortion group that has plagued health and dental clinics, schools, law firms and Hollywood production companies since 2016, McClatchy Newspapers reports. Serbian authorities, saying they were working with the FBI, arrested a 38-year-old man, believed to be a member of The Dark Overlord, the nation’s Interior Ministry said. “The aim of the campaign was to uncover a large number of people who, using the name ‘The Dark Overlord’ on the Internet, have (gained) unauthorized access to computer networks and data of at least 50 victims since June 2016,” Serbia said.

Hackers from The Dark Overlord have breached scores of U.S. institutions and clinics, freezing hard drives and demanding payment in bitcoin as ransom to decrypt files, including medical records. They’ve mocked and threatened victims, and have released private medical records and Social Security numbers on the internet to pressure for payment. Last October, the group issued threats to parents and students at Johnston Community School District in suburban Des Moines that forced schools to shut for a day. Other school districts in Montana, Tennessee and Texas were also subject to ransom demands from The Dark Overlord, and dental and health clinics in Florida, New York, California, Missouri and Oklahoma reported breaches linked to the group, followed by ransom demands. The group gained notoriety last year when it released 10 unaired episodes of the Netflix hit show “Orange is the New Black,” declaring that the Los Gatos, Ca., streaming media company had declined to pay a ransom.

from https://thecrimereport.org

Will the Roberts Court Defend Online Fake News?

A professor at the University of California Davis School of Law predicts Supreme Court justices will defend the First Amendment principles of free speech against government attempts to curb Internet abuses—even when those abuses involve promoting falsehoods online.

How will the Roberts Supreme Court weigh in on the emerging debate over how to prevent the abuse of online media and social networks?

A forthcoming paper argues that, although the justices are now evenly divided between “technology optimists and technology pessimists,” they are likely to defend the principles of free speech against attempts to regulate content on the Internet.

Ashutosh Bhagwat, a law professor at the University of California Davis School of Law, bases his prediction on several recent rulings—although he notes that it is “astonishing” that Internet and free speech issues have rarely been addressed in the 12 years since Chief Justice John Roberts was appointed.

“It seems inevitable that going forward, this is going to change,” Bhagwat writes in an article scheduled for publication this month in the Washington University Law Review.

“Recent calls to regulate ‘fake news’ and otherwise impose filtering obligations on search engines and social media companies will inevitably raise important and difficult First Amendment issues.”

Basing his analysis on reviews of several cases brought before the Roberts Court, Bhagwat identifies Justices Roberts and Samuel Alito as the “pessimist” justices most in favor of stricter regulation; and Justices Anthony Kennedy, Sonia Sotomayor, Ruth Bader Ginsburg, and Elena Kagan as those most aligned with defending free speech.

The remaining justices—Clarence Thomas, Stephen Breyer and Neil Gorsuch—are somewhere in the middle, he writes.

According to Bhagwat, the court’s future rulings on Internet issues can be gleaned from an analysis of several recent cases that touched on free speech and technology, most recently Brown v. Entertainment Merchants Association (2011), and Packingham v. North Carolina (2017).

Packingham concerned a challenge to a North Carolina statute that forbade any registered sex offender from accessing a commercial social networking Web site where the sex offender knows that the site permits minor children to become members or to create or maintain personal Web pages.

The Court upheld the challenge, ruling the statute unconstitutional. Justice Kennedy, writing for the majority, held that First Amendment protections could be constitutionally extended to the “vast democratic forums of the Internet…and social media in particular.”

The Court’s decision in a non-Internet case, United States v. Alvarez, which upheld an individual’s right to make a false claim that he had received the congressional Medal of Honor, made clear that “even intentional falsehoods are entitled to some level of First Amendment protection, and there is no reason to expect that principle not to be extended” to cyberspace, Bhagwat wrote.

“Given the enormous risk of self-serving political manipulation or bias posed by government regulation of social media falsehoods on political topics, I would expect all the Justices to balk” at similar attempts to discipline the use of so-called fake news, he added.

Why Supreme Court Justices lean one way or another is uncertain, but Bhagwat argues the Roberts Court’s approach to free speech issues reflects the “longstanding tension in American political thinking between Jeffersonians who embrace change and individual autonomy at the cost of occasional disorder; and Hamiltonians, who embrace order at the cost of occasional limits on liberty.”

But the paper finds that more Justices lean in the direction of free speech and openness when it comes to regulating technology.

“I think it likely, but not certain, that a working majority of the Roberts Court will vote to fend off heavy-handed efforts to assert state control over new technology such as the Internet and social media,” he writes.

He cautions that for the “technology optimists” to succeed in future cases they only have to persuade one of the three “uncertain” Justices, whereas the technology pessimists would have to persuade all three.

Nevertheless, he adds, the most critical element in shaping how the Constitution is interpreted on these issues will be the regulatory initiatives emanating from Congress, the Federal Communications Commission (FCC), and state legislatures.

“If past history is any guide, content-neutral structural regulations such as the Net Neutrality policy adopted by the Obama-era FCC (and recently repealed by the Trump-era FCC) are likely to fare well in courts and the Court, especially given the existence of precedent, authored notably by Justice Kennedy, upholding similar structural regulations of cable television,” writes Bhagwat.

The full report can be downloaded here.

This summary was prepared by TCR news intern John Ramsey. Readers’ comments are welcome.