Tech Law

SPOTLIGHT ON SECURITY

Facebook Exec’s Brazilian Misadventure Signals Bigger Problem

The jailing last week of Facebook Regional Vice President Diego Dzoda in Brazil may have been the tip of an iceberg. Frustrated police made the arrest after Facebook failed to produce WhatsApp messages connected to a drug trafficking case. The incident is one of a growing heap of examples that highlight the difficulties law enforcement agencies face when trying to collect evidence in a digital world without borders.

In international cases involving digital data, it’s not uncommon for national laws to be at loggerheads. That’s especially true when the nations involved have laws that treat privacy differently. Those conflicts can produce frustration that leads to the kind of extreme behavior Brazilian authorities engaged in last week.

“These conflicts will continue, because the way foreign governments can obtain data stored with a U.S. provider is to go through the Mutual Legal Assistance Treaty process,” explained Jadzia Butler, a fellow on privacy, surveillance, and security at the Center for Democracy & Technology.

“Unfortunately, this process is extremely cumbersome. It can take up to 10 months for a foreign law enforcement agency to get the data it needs,” she told TechNewsWorld.

“So governments like Brazil and others have started to resort to extreme tactics in order to get the data,” Butler said. Those measures include data localization mandates and intimidation of local officials.

Reform Needed

Reform of the existing MLATs system is on the U.S. congressional agenda.

The House Judiciary Committee last month held a hearing on the subject. The committee is considering what rules should apply when two countries claim jurisdiction over the same piece of data, noted Gregory T. Nojeim, director of the CDT’s Project on Freedom, Security and Technology.

“Increasingly, one country’s law will require disclosure and another country’s law will prohibit it, or at least subject the disclosure to local rules that the requesting country may find difficult to meet,” he observed.

“Because of the explosive growth of global communications and of communications service providers, and because of the increasingly central role that communications content and metadata play in law enforcement investigations worldwide, this problem is growing,” Nojeim continued.

“Moreover, because the largest communications service providers are located in the U.S., the volume of data demands coming into the U.S. from foreign governments far exceeds the volume of demands made by the U.S.,” he said.

The CDT is one of several groups that are trying to find a way to streamline the MLAT process. One possibility is to create an alternative framework for obtaining data for countries that meet specific human rights criteria, suggested CDT’s Butler.

“Until that happens, I would say conflicts like the one in Brazil will continue to happen,” she said. “It’s frightening.”

The Geography of E-Fraud

Electronic fraud claimed 13 million victims in 2015, according to a Javelin study released earlier this year, but where you live in the United States can determine your chances of being one of those victims.

The states with the highest rates of billing fraud were Florida, Delaware, Oregon, California and Washington, D.C., according to an Experian study released last week. The highest for shipping fraud were Delaware, Oregon, Florida, California and Nevada.

Why are some regions more prone to e-fraud than others?

“A lot of it has to do with proximity to port cities,” said Adam Fingersh, senior vice president of fraud and identity solutions at Experian.

Counter to many expectations, big cities are not necessarily fraud magnets, he noted.

“While there are a number of big cities that are ranked high, we also see a number of small cities that are ranked as having high risk,” Fingersh told TechNewsWorld.

Path of Least Resistance

Fraud appears to follow the path of least resistance.

“We’ve seen that as a result of pulling pin-and-chip technologies into the U.S., fraudsters are looking for other avenues to exploit,” Fingerish said.

“As a result, card-not-present fraud, as anticipated from what we’ve seen in other regions, becomes one of those channels that fraudsters can look to backfill opportunities prior to the introduction of chip-and-pin,” he explained.

Although hard numbers aren’t yet available for correlating card-not-present fraud rates with the introduction of chip-and-pin or EMV technology, there is evidence that CNP rates will be getting higher.

“During the most recent Black Friday holiday, there was a significant volume in card-not-present fraud, and some of the geographies referenced in our study saw a significant increase in that time frame,” Fingersh said.

“We know there’s a gradual climb in card-not-present fraud as EMV is rolled out,” he added.

Drafting Hackers

The Pentagon last week announced that it was launching a bug bounty program to make Defense Department computers more secure.

The “Hack the Pentagon” initiative is the first bug bounty program in the history of the federal government, according to DoD.

Under the pilot program, the department will use commercial sector crowdsourcing to allow qualified participants to conduct vulnerability identification and analysis on its public Web pages.

The bug bounty program is modeled after similar competitions conducted by some of the nation’s biggest companies in an effort to improve the security and delivery of networks, products and digital services.

The pilot marks the first in a series of programs designed to find vulnerabilities in the department’s applications, websites, and networks.

Outside the 5-Sided Box

The bug bounty program shows a willingness on the part of Secretary of Defense Ashton Carter to push the Pentagon bureaucracy out of its comfort zone in meaningful ways, according to the Center for a New American Security.

“This initiative, with its potential to cause embarrassment or unintended breaches of critical systems, undoubtedly drew bureaucratic push back in its development,” wrote CNAS Program Director Ben Fitzgerald and CNAS Senior Fellow Loren DeJonge in a statement. “But these are precisely the fears and cultural factors the secretary needs to incentivize the institutional Pentagon to overcome if his innovation agenda is to take hold.”

Although the bug bounty program has received kudos from the security community, some have questioned whether the momentum Secretary Carter is trying to build will fizzle when a new administration takes office in 2017.

That’s not likely, said Casey Ellis, CEO Bugcrowd.

“The need for people to solve the vulnerability discovery problem will never go away, and ultimately a distributed resourcing approach like a bug bounty program is the only way for the DoD to access resourcing and economics that are on parity with their adversaries,” he told TechNewsWorld.

Breach Diary

  • Feb. 29. Federal magistrate judge in New York denies request by U.S. government that Apple be ordered to extract information from an iPhone seized in a drug case.
  • Feb. 29. Snapchat announces data on current and former employees was compromised by employee who sent the information to an unauthorized third-party in response to a phishing scam.
  • Feb. 29. Jackson State University in Alabama announces second student has been arrested in connection with data breach resulting in personal information of 40,000 past and present students being posted to the Internet.
  • March 1. Illinois State University announces data breach resulted in some US$50,000 in direct pay payments of 13 faculty and staff being redirected into an unauthorized account.
  • March 1. Main Line Health in Philadelphia announces personal information of all its employees has been compromised after employee sent the data to an unauthorized source in response to a spearphishing attack.
  • March 1. IRS issues alert to payroll and human resources professionals about phishing schemes that appear to be requests from company executives for personal information on employees.
  • March 2. Krebs on Security reports that a number of credit unions said the level of debit card fraud they experienced from data breach at Wendy’s exceeded losses from breaches at Target and Home Depot.
  • March 2. U.S. Consumer Financial Protection Bureau fines online payments-transfer network Dwolla $100,000 and orders is to tighten up its security practices after it finds the company has been misleading consumers about its data security practices.
  • March 3. Motherboard reports that personal information of 40,000 Cox Communications employees is being sold on the Dark Web. Cox says it’s aware of the matter and is having a private forensics company and law enforcement investigate it.
  • March 3. Walmart announces personal information of some 5,000 online pharmacy customers was exposed on the Internet Feb. 15-18 due to a coding error.
  • March 3. Luzerne County Community College in Pennsylvania confirms it sent to more than 200 employees an email with an attachment containing personal information of all those employees.
  • March 3. Luzerne County Community College in Pennsylvania confirms it sent to more than 200 employees an email with an attachment containing personal information of all those employees.
  • March 4. The New York Post reports Mansueto Ventures, publisher of Inc. and Fast Company, suffered a massive data breach resulting in the theft of personal information of as many as 90 percent of its employees. Some of the data already has been used to file fraudulent state and federal tax returns, it reports.
  • March 4. UK supermarket chain Morrisons files court papers claiming it isn’t liable for data breach resulting in posting to Internet of personal information of nearly 100,000 employees.
  • March 4. Amazon announces it will include an option for full disk encryption in an update to its Fire OS operating system this spring. Earlier in the week it was widely reported that the company had quietly removed the option with version 5 of the OS released last fall.

Upcoming Security Events

  • March 10. Deterrence and Arms Control in Cyberspace. 5:30 p.m. Harvard Law School campus, Wasserstein Hall, Room 1010, 1st Floor. RVSP required. March 10. FFIEC & Anomaly Detection Done Right. 2 p.m. ET. Webinar sponsored by Praesidio. Free with registration.
  • March 10-11. B-Sides SLC. Salt Palace Convention Center, 90 South West Temple, Salt Lake City. Registration: $65.
  • March 12-13. B-Sides Orlando. University of Central Florida, Main Campus, Orlando, Florida. Registration: $20; students, free.
  • March 14-15. Gartner Identity and Access Management Summit. London. Registration: 2,550 euros plus VAT; public sector, $1,950 plus VAT.
  • March 15. Assessing Compliance and Cybersecurity Risk Across Partner and Supplier Networks. 2 p.m. ET. Webinar by Exostar. Free with registration.
  • March 16. The New EU-U.S. Privacy Shield. 12:30 ET. Webinar by ID Experts. Free with registration.
  • March 17. Crypto in 2016: The State of the Law. Webinar by Black Hat. Free with registration.
  • March 17-18. PHI Protection Network Conference. Sonesta Philadelphia, 1800 Market St., Philadelphia. Registration: $199.
  • March 22. Reconceptualizing the Right to Be Forgotten to Enable Transatlantic Data. Noon ET. Harvard Law School campus, Wasserstein Hall, Milstein East C, Room 2036 (second floor). RVSP required.
  • March 24. Massachusetts Attorney General’s Office Forum on Data Privacy. Ray and Maria Stata Center, Kirsch Auditorium, Room 32-123, 32 Vassar St., Cambridge, Massachusetts. RSVP required.
  • March 29-30. SecureWorld Boston. Hynes Convention Center, Exhibit Hall D. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
  • March 30. Get a grip! Taking control of today’s identity and access management realities. 2 p.m. ET. Webinar by BrightTalk. Free with registration. March 31-April 1. B-Sides Austin. Wingate Round Rock, 1209 N. IH 35 North (Exit 253 at Highway 79), Round Rock, Texas. Free.
  • April 8-10. inNOVAtion! Hackathon. Northern Virginia Community College, 2645 College Drive, Woodbridge, Virginia. Free with registration.
  • April 9. B-Sides Oklahoma. Hard Rock Cafe Casino, 777 West Cherokee St., Catoosa, Oklahoma. Free.
  • April 12. 3 Key Considerations for Securing Your Data in the Cloud. 1 p.m. ET. BrightTalk webinar. Free with registration.
  • April 13. A Better Way to Securely Share Enterprise Apps Without Losing Performance. 11 a.m. ET. BrightTalk webinar. Free with registration.
  • April 15-16. B-Sides Canberra. ANU Union Conference Centre, Canberra, Australia. Fee: AU$50.
  • April 16. B-Sides Nashville. Lipscomb University, Nashville, Tennessee. Fee: $10.
  • April 20-21. SecureWorld Philadelphia. Sheraton Valley Forge Hotel, 480 N. Guelph Road, King of Prussia, Pennsylvania. Registration: conference Pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
  • April 26. 3 Key Considerations for Securing your Data in the Cloud. 1 p.m. ET. Webinar sponsored by BrightTalk. Free with registration.
  • May 4. SecureWorld Kansas City. Overland Park Convention Center, 6000 College Blvd., Overland Park, Kansas. Registration: conference pass, $195; SecureWorld Plus, $625; exhibits and open sessions, $30.
  • May 11. SecureWorld Houston. Norris Conference Centre, 816 Town and Country Blvd., Houston, Texas. Registration: conference pass, $195; SecureWorld Plus, $625; exhibits & open sessions, $30.
  • May 18-19. DCOI|INSS USA-Israel Cyber Security Summit. The Marvin Center, 800 21st St. NW, Washington, D.C. Hosted by George Washington University. Free.
  • June 13-16. Gartner Security & Risk Management Summit. Gaylord National Resort & Convention Center, 201 Waterfront St., National Harbor, Maryland. Registration: until April 15, $2,950; after April 15, $3,150; public sector, $2,595.
  • June 29. UK Cyber View Summit 2016 — SS7 & Rogue Tower Communications Attack: The Impact on National Security. The Shard, 32 London Bridge St., London. Registration: private sector, Pounds 320; public sector, Pounds 280; voluntary sector, Pounds 160.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Tech Law

Technewsworld Channels