Bill Closing Email Privacy Loophole Clears Committee

A bill to protect email privacy cleared a key U.S. Senate committee last week, buoying the spirits of privacy advocates.

The proposed law would close a loophole in the 1986 Electronic Communications Privacy Act, which allows the government to peep on email more than 180 days old without a warrant.

“We’re very happy about it. It’s a very good first step,” Chris Calabrese, legislative counsel for the American Civil Liberties Union, told TechNewsWorld. “It does exactly what we wanted it to do: have full warrant protection for all private electronic content.”

The changes mean that “Congress is sending a strong message to the Department of Justice that our digital Fourth Amendment rights don’t expire after six months,” said Lee Tien, senior staff attorney at the Electronic Frontier Foundation.

Outdated privacy laws are not only bad for citizens but for high-tech businesses as well, according to Marc Rotenberg, executive director of the Electronic Privacy Information Center. “Companies and foreign governments are understandably reluctant to rely on US-based cloud service providers.”

The action by the Senate Judiciary committee may have been nudged by the swirling publicity around the resignation of CIA Director David Petraeus, after a warrantless search of his emails exposed an affair he was having with his biographer.

“It showed a spotlight on the issue at a welcome time,” Calabrese said. “We were pushing for this before the scandal broke, but it put a face on it. It showed that lots of innocent people can suffer if the government can expose your private communications.”

Spear Phishing Popular in Targeted Attacks

Government agencies and corporations are the most popular targets of Black Hats bent on stealing information from their victims over an extended period of time, according to a survey released last week by Trend Micro.

More than three-quarters of those attacks, known in the industry as Advanced Persistent Threats, are aimed at corporations or government agencies.

The most popular vehicle for advancing such attacks is a specially crafted message designed to gain the trust of its target. “Spear phishing continues to be a favorite means by APT attackers to infiltrate target networks,” Trend Micro said.

More than one-third — 38 percent — of infected attachments in spear phishing messages are RTF files, the report noted, with XLS files coming in a distant second at 15 percent.

One reason that spear phishing attachments can evade many organizations’ defenses is that they use file formats popularly exchanged in the workplace, according to Jon Clay, a threat marketing senior manager at Trend Micro. “You’re not going to see an executable file or a zip file because many companies will automatically strip those files from messages,” he told TechNewsWorld.

“In a targeted attack against an organization, the use of spear phishing is very successful at getting through traditional defenses,” he added. “So organizations need to alert their users to be on the lookout for this kind of attack.”

Cloud Security

A popular notion in some security circles is that data is safer in the cloud than it may be on local servers. Maybe, maybe not, contends Derek Tumulak, vice president for product management at Vormetric, a data encryption company.

“You can have a small cloud-service provider who may not be applying the same security measures as you would for yourself,” he told TechNewsWorld. “In that case, they wouldn’t be as secure.”

On the other hand, a large cloud provider, such as Amazon, could, with a caveat, secure an organization’s data as well as the organization could itself, Tumulak noted. That caveat requires an organization to supplement the security measures taken by the cloud provider.

“If you implement proper security measures,” he observed, “and you protect your data with authentication, encryption and proper key management, you can be as secure in the cloud as in your own existing infrastructure.”

Breach Diary

  • Nov. 26: Pinnacle Foods Group reports that personal information on 1,818 people may have been compromised when a laptop was stolen from an employee’s home. It was password-protected and the information on it encrypted, the company said. That data included names, Social Security numbers driver’s license numbers, credit card numbers and other personal information.
  • Nov. 27: Threat Post reports that the University of Arkansas for Medical Sciences has begun notifying some 1,500 patients whose medical information was exposed after a physician terminated by the school removed the data from the institution on her laptop without permission. The university learned that the physician shared the information on the laptop with her attorney at a wrongful termination hearing.
  • Nov. 28: A South Carolina legislative committee is told a $25,000 password upgrade at the state’s Revenue Department could have averted a data breach that could cost the government $14 million. Earlier this year, the department’s computers were breached and 3.8 million taxpayers’ Social Security numbers, 3.3 million bank account numbers and data on 700,000 businesses were compromised.
  • Nov. 28: Employees at the Jet Propulsion Laboratory called on Congress to investigate a data breach at NASA that compromised background information gathered by the Department of Homeland Security on an unspecified number of workers. The unencrypted information was on a laptop stolen from a parked car in Washington, D.C. on Halloween.
  • Nov. 28: Australian Federal Police, in conjunction with the Romanian National Police, arrest seven individuals who were allegedly the ringleaders of a syndicate dealing in stolen credit card numbers. The police estimate that the group compromised 500,000 Austrian credit cards and performed illegal transactions worth AU$30 million.
  • Nov. 29: Western Connecticut State University reveals that data breach of a server with 13 years of data stored on it compromised personal information of 235,000 people. The server was vulnerable from April 2009 to September 2012 and exposed information included names, addresses, social security numbers and financial account information.
  • Nov. 30: Voice of Russia reports data breach at the Japan Aerospace Exploration Agency. Spyware was discovered on a personal computer at the agency and that information on the country’s first Epsilon solid-fueled rocket was compromised, including rocket parameters, engine maintenance specifics and protocols for agency meetings.

Upcoming Security Events

John Mello is a freelance technology writer and former special correspondent for Government Security News.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Security

Technewsworld Channels