Security Weekly News Episode #63 - September 08, 2020
1. Argentina Ransomware, WhatsApp Bugs, & Cisco Jabber RCE - 02:00 PM-02:30 PM
This week, Dr. Doug talks Security Weekly sold to Cyber Risk Alliance, Argentina and Newcastle ransomwared, Cisco Jabber, the NSA wants to educate you, and Jason Wood returns for Expert Commentary on how Creepy ‘Geofence’ Finds Anyone Who Went Near a Crime Scene!
- Cyber Risk Alliance Acquires Security Weekly in Landmark Deal.
- Gartner describes an increasing threat of physical harm from Cyberattacks and CEOs may be held accountable.
- Argentina closes borders due to ransomware attack. Data leaked.
- Newcastle University also down with ransomware attack.
- WhatsApp begins transparency with new site for security disclosures.
- Cisco Jabber flaw can allow RCE.
- OSINT social media threats are one of the biggest threat vectors.
- NSA and NCMF release design plans for education center and museum.
- What if all your secrets were leaked at once?
Doug White's Content:
Jason Wood's Content:
If you’ve been listening to SWN for a while, you know I’m interested in the collisions that occur between technology and the legal world. Doug has already mentioned one today that I wanted to cover, but he beat me to it. Instead I ran across this story about the usage of “geofence warrants” and I decided to check it out.
For those not familiar with the term “geofence warrant”, it’s a warrant filed with technology companies for any devices in a particular area at a given time. If a crime was committed at the corner of Main and Mulberry on Friday at 9:45pm, then law enforcement may make a request to Google (for example) for any devices that were in that area. To do so they must get a warrant from a judge before issuing the request. The data sent to law enforcement is anonymized, but allows them to do some analysis to determine which devices they are interested in following up on. At that point law enforcement can make a more detailed request for information.
There can be some problems with this though. Historically, warrants have been issued for a person of interest. Someone is a suspect first, then the court order is issued to enable searching for evidence. In this case, no one is a suspect at first. The court order is issued to find suspects via a search of electronic data gathered by companies such as Apple, Google, Facebook, etc. The Wired article that I have linked in the show notes gives an example of someone who was arrested in the effort to find a suspect. The police knew that this person’s phone was at the scene of a murder at the time it was committed. The problem was that the person had lent their phone to a friend who was later arrested for the murder. The phone owner was released after being held in jail for 6 days. Oops.
The Fourth Amendment of the US Constitution was written to put some limits on what government could do in gathering information about individuals. Obviously, something written over 200 years ago isn’t going to address things like geofencing data. It is up to sitting judges to make determinations on whether procedures by law enforcement meet or are pushing the limits of the protections provided by the Fourth Amendment. What these limits actually mean now is being tested constantly.
In this case, the Wired article cites decisions by two judges to deny requests for geofence warrants for law enforcement investigations. That’s probably a good thing. I’m more than a bit uncomfortable with the idea of suspects being gathered from a list of pseudo-anonymized lists of devices. At the same time, I realize law enforcement has a difficult and necessary job to perform. They are looking for ways to use the information available to identify and investigate suspects. They know the data is out there and having it can make a huge difference in an investigation. Unfortunately, the data can also be abused and that abuse is exactly what the Fourth Amendment was written to curtail.
While I think the Wired article is worth reading to become a bit more familiar with this practice, I would add a caveat to it that the only sources cited in it were from critics of the practice. The article only presents one point of view and I think we’d be better served by hearing from both critics and law enforcement. I don’t know if law enforcement would be willing to comment on this practice, but it would seem useful if there were more information available in regard to when and how they would use it. Things like this are important issues to be made aware of and debate while we find a mostly acceptable set of ground rules to operate under. If this sounds interesting to you, take a look at the article in the show notes and start doing your research into the issues it describes.