Privacy and Cybersecurity Weekly Digest

Microsoft increasing encryption, security measures after Snowden leaks
On December 4, Microsoft General Counsel and Executive Vice President of Legal & Corporate Affairs, Brad Smith, announced on The Official Microsoft Blog that the company will be “taking steps to ensure governments use legal process rather than technological brute force to access customer data.” Microsoft’s efforts follow the myriad of revelations by former NSA analyst Edward Snowden, which include allegations that the NSA has circumvented technical measures to obtain consumer information outside of traditional legal processes. According to Smith, the company has “decided to take immediate and coordinated action in three areas:” (1) Expanding encryption across Microsoft services; (2) Reinforcing legal protections for customer data; and (3) Enhancing the transparency of Microsoft software code (intended to “mak[e] it easier for customers to reassure themselves that [Microsoft] products do not contain back doors”). Additional reports on this story can be found by Brad Chacos at PCWorld, Doug Gross at CNN, and Brian Fung at The Washington Post.
Malware created that can “jump ‘air gap’” through computer audio equipment
Recently, Dan Goodin from Ars Technica reported that “computer scientists have proposed a malware prototype that uses inaudible audio signals to communicate, a capability that allows the malware to covertly transmit keystrokes and other sensitive data even when infected machines have no network connection.” The creation comes from Germany’s Fraunhofer Institute for Communication, Information Processing, and Ergonomics, and would mean that “engineers in military organizations, nuclear power plants, and other truly high-security environments should no longer assume that computers isolated from an Ethernet or Wi-Fi connection are off limits” to malicious cyber attacks. The proof-of-concept, published in the Journal of Communications, states that “a covert acoustical mesh network can be conceived as a botnet or malnet that is accessible via nearfield audio communications,” and “different applications of covert acoustical mesh networks are presented, including the use for remote keylogging over multiple hops.” Steven Musil also reports on the story at CNet News.
LabMD fighting FTC cybersecurity oversight
An Atlanta-based organization, LabMD, has recently joined the ranks of other companies, such as hotelier Wyndham Worldwide, in challenging the Federal Trade Commission’s authority to regulate unfair and deceptive information security practices. According to an FTC Press Release, LabMD “conducts laboratory tests on samples that physicians obtain from consumers and then provide to the company for testing.” The FTC complaint alleges that “a LabMD spreadsheet containing insurance billing information was found on a P2P network.” The FTC has been known to use its Section 5 authority, which authorizes the Commission to regulate unfair and deceptive trade practices, to target companies with unfair and deceptive privacy and security practices that harm consumers. After a complaint was filed by the FTC, LabMD decided to challenge the FTC’s authority. According to Rachel Louise Ensign with The Wall Street Journal, LabMD is claiming that “its data-security practices are covered by other laws, including the Health Insurance Portability and Accountability Act of 1996 or HIPAA, with which the firm said it was in compliance.” A similar lawsuit, FTC v. Wyndham, is pending in the District Court of New Jersey, where oral argument was recently held. Additional reporting of the LabMD case can be found by Zach Warren at Inside Counsel.
New Snowden revelations detail mass cellphone location tracking
Barton Gellman and Ashkan Soltani at The Washington Post recently disclosed additional documents leaked by former NSA analyst Edward Snowden that show the “National Security Agency is gathering nearly 5 billion records a day on the whereabouts of cellphones around the world . . . enabling the agency to track the movements of individuals — and map their relationships — in ways that would have been previously unimaginable.” According to Gellman and Soltani, the records are stored in a database that maintains the location of at least “hundreds of millions of devices.” Included in the report is a discussion on “powerful analytic tools,” collectively known as CO-TRAVELER, that allow the NSA to “look for unknown associates of known intelligence targets by tracking people whose movements intersect.” Additional reporting on this story can be found by Paul Lewis at The Guardian.
