Showing results for tags 'goverment'.
Found 3 results
xhartom posted a topic in Security & Privacy News

Twitter will not be able to reveal surveillance requests it received from the US government after a federal judge accepted government arguments that this was likely to harm national security, after a nearly six-year-long legal battle. The social media company had sued the US Department of Justice in 2014 to be allowed to reveal, as part of its "Draft Transparency Report", the surveillance requests it received. It argued its free-speech rights were being violated by not being allowed to reveal the details.

US District Judge Yvonne Gonzalez Rogers granted the government's request to dismiss Twitter's lawsuit in an eleven-page order filed in the US District Court for Northern California. The judge ruled on Friday that granting Twitter's request "would be likely to lead to grave or imminent harm to the national security." "The Government's motion for summary judgment is GRANTED and Twitter's motion for summary judgment is DENIED", the judge said in her order.

Twitter had sued the Justice Department in its battle with federal agencies as the internet industry's self-described champion of free speech seeking the right to reveal the extent of US government surveillance. The lawsuit had followed months of fruitless negotiations with the government and had marked an escalation in the internet industry's battle over government gag orders on the nature and number of requests for private user information. Tech companies were seeking to clarify their relationships with US law enforcement and spying agencies in the wake of revelations by former National Security Agency contractor Edward Snowden that outlined the depth of US spying capabilities. Twitter's legal battle spanned the tenures of four US attorneys general: Eric Holder, Loretta Lynch, Jeff Sessions and William Barr.

Through the use of confidential declarations, the Justice Department was able to show that revealing the exact number of national security letters from 2014, as requested by Twitter, posed a risk to national security, Friday's order said. Twitter did not immediately respond to Reuters' request for comment.
Reefa posted a topic in Security & Privacy News

The makers of two major mobile apps, Fandango and Credit Karma, have settled with the Federal Trade Commission after the commission charged that they deliberately misrepresented the security of their apps and failed to validate SSL certificates. The apps promised users that their data was being sent over secure SSL connections, but the apps had disabled the validation process. The settlements with the FTC don’t include any monetary penalties, but both companies have been ordered to submit to independent security audits every other year for the next 20 years and to put together comprehensive security programs.

“Consumers are increasingly using mobile apps for sensitive transactions. Yet research suggests that many companies, like Fandango and Credit Karma, have failed to properly implement SSL encryption,” said FTC Chairwoman Edith Ramirez. “Our cases against Fandango and Credit Karma should remind app developers of the need to make data security central to how they design their apps.”

The FTC complaint against Fandango alleges that the Fandango Movies app on iOS, which enables users to buy movie tickets, included an assertion during checkout telling users that their sensitive information was being sent over a secure connection. However, the app didn’t validate those connections, so users’ financial information was exposed during transmission.

“Before March 2013, Fandango did not test the Fandango Movies application to ensure that the application was validating SSL certificates and securely transmitting consumers’ sensitive personal information. Although Fandango commissioned limited security audits of its applications starting in 2011, more than two years after the release of its iOS application, respondent limited the scope of these security audits to issues presented when the ‘code is decompiled or disassembled,’ i.e., threats arising only from attackers who had physical access to a device. As a result, these audits did not assess whether the iOS application’s transmission of information, including credit card information, was secure,” the FTC complaint says.

The FTC also said that Fandango didn’t have a good process for responding to vulnerability reports from security researchers, leading to the company missing an advisory from a researcher who had discovered the SSL vulnerability. “In December 2012, a security researcher informed respondent through its Customer Service web form that its iOS application was vulnerable to man-in-the-middle attacks because it did not validate SSL certificates. Because the security researcher’s message included the term ‘password,’ Fandango’s Customer Service system flagged the message as a password reset request and replied with an automated message providing the researcher with instructions on how to reset passwords. Fandango’s Customer Service system then marked the security researcher’s message as ‘resolved,’ and did not escalate it for further review,” the complaint says.

The problems with the Credit Karma app were similar, as it did not validate SSL certificates during supposedly secure connection attempts. The FTC alleges in its complaint that the company failed to validate SSL certificates on both its iOS and Android apps. “During the iOS application’s development, Credit Karma had authorized its service provider, the application development firm, to use code that disabled SSL certificate validation ‘in testing only,’ but failed to ensure this code’s removal from the production version of the application. As a result, the iOS application shipped to consumers with the SSL certificate validation vulnerability. Credit Karma could have identified and prevented this vulnerability by performing an adequate security review prior to the iOS application’s launch,” the complaint says.

“In February 2013, one month after addressing the vulnerability in its iOS application, Credit Karma launched the Android version of its application, again without first performing an adequate security review or at least testing the application for previously identified vulnerabilities. As a result, like the iOS application before it, the Android application failed to validate SSL certificates, overriding the defaults provided by the Android APIs.”

The FTC’s complaint against Credit Karma also alleges that the app was storing users’ authentication tokens and passcodes in the clear on users’ devices.
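The failure mode the complaints describe is a "validation disabled for testing only" setting that survives into a production build. The following is an added example, not code from the article, the FTC or either company: it uses Python's standard `ssl` module as a stand-in for the mobile platforms' TLS APIs, funnels all TLS client setup through one factory that refuses the bypass outside a test build, and adds an audit function that a release pipeline could run against the context before shipping. The names `make_client_context`, `audit_context` and the `BUILD_*` constants are my own and hypothetical.

```python
"""Added example (not from the article or either company): keeping a
"testing only" certificate-validation bypass out of a production build,
and auditing a TLS context before it is used.

Assumptions (mine, not the article's): the client builds every TLS context
through make_client_context() and passes a build flavour string. The
function and constant names are hypothetical.
"""
import ssl

BUILD_TEST = "test"
BUILD_PRODUCTION = "production"


def make_client_context(build: str, disable_validation: bool = False) -> ssl.SSLContext:
    """Return a TLS client context for the given build flavour.

    ssl.create_default_context() already verifies the peer certificate chain
    against the platform trust store (CERT_REQUIRED) and checks the hostname.
    The bypass is honoured only for the test build; a production build that
    asks for it raises instead of silently shipping the weakness.
    """
    ctx = ssl.create_default_context()
    if disable_validation:
        if build != BUILD_TEST:
            raise RuntimeError(
                "certificate validation may only be disabled in the test build"
            )
        # Order matters: check_hostname must be switched off before
        # verify_mode can be set to CERT_NONE, otherwise ssl raises ValueError.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the reasons a context does not validate certificates.

    An empty list means the context is acceptable. This is the check a
    release-time test or a startup self-check would run, so a test-only
    setting cannot reach users unnoticed.
    """
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against the certificate")
    return findings


if __name__ == "__main__":
    # Weak setting: the development-time bypass, permitted only in the test build.
    weak = make_client_context(BUILD_TEST, disable_validation=True)
    print("test build, validation off:", audit_context(weak))

    # Corrected setting: the same factory in the production build.
    good = make_client_context(BUILD_PRODUCTION)
    print("production build:", audit_context(good))

    # The guard that was missing in the complaint: the bypass cannot be
    # requested by a production build at all.
    try:
        make_client_context(BUILD_PRODUCTION, disable_validation=True)
    except RuntimeError as exc:
        print("blocked:", exc)
```

Routing every TLS setup through one factory is the design point: a reviewer or a unit test has a single place to look, and the audit function turns "did the test-only code get removed?" into an assertion rather than a question for a later security review.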
Reefa posted a topic in Security & Privacy News

The White House today unveiled a five-point plan to end the National Security Agency’s bulk collection of phone call metadata, preserving what it says is a balance between the intelligence community’s national security needs and the public’s desire to maintain its privacy. The proposal ends the government’s collection of phone records under Section 215 of the PATRIOT Act as it exists today, keeping that data with telecommunications providers who will store those records for 18 months as they are currently federally mandated to do. The government would have access to the records only under approval from the secret Foreign Intelligence Surveillance Court (FISC), which must approve the querying of a suspect phone number and only after judicial approval based on a national security concern.

Currently, the NSA collects and stores call metadata, and maps connections between numbers belonging to individuals suspected of terrorism or threatening national security. As the Snowden leaks began last June, the depths of NSA surveillance, including dragnet capturing of all Americans’ phone calls without warrants, drew the ire of civil libertarians, mainstream media and politicians on both sides of the aisle.

The new plan was ordered by President Obama during a Jan. 17 address to the nation on surveillance. During that speech, he ordered the Attorney General and the intelligence community to work together on an adequate solution that would alter the collection of data under Section 215. Obama imposed a March 28 deadline for the proposal, the day FISC is expected to renew the NSA program for another 90-day cycle, the final time it will do so.

The White House proposal, hints of which were released two days ago in a New York Times report, also changes the number of hops the government will be able to collect between suspects from three to two. While apparently a concession, ACLU National Security advisor and attorney Brett Max Kaufman told Threatpost this remains a red flag for privacy advocates. “It’s unclear, if the government is able to satisfy FISC’s standard of a reasonable, articulable suspicion, why anyone connected to that person would also satisfy that same standard to get their call records,” Kaufman said.

The president’s proposal was a bit more stringent than a similar House Intelligence Committee bill that was introduced on Tuesday, which did not require prior judicial approval; a judge would rule on a request only after the FBI submits it to a provider.

Verizon general counsel Randal Milch said the provider supports the efforts to end bulk collection. “At this early point in the process, we propose this basic principle that should guide the effort: the reformed collection process should not require companies to store data for longer than, or in formats that differ from, what they already do for business purposes,” Milch said. “If Verizon receives a valid request for business records, we will respond in a timely way, but companies should not be required to create, analyze or retain records for reasons other than business purposes.”

The final two provisions of today’s official proposal say the court-approved numbers can only be used for a limited period of time without again requiring approval from FISC. “The production of records would be ongoing and prospective,” the proposal said. Also, under court order, the phone companies would be required to provide technical assistance to ensure the records can be accessed in a timely fashion and in an accessible format.

The White House plan would need to be ratified by Congress in order to go into effect, and because of this, the Department of Justice will seek another 90-day renewal from FISC for the program, much to the chagrin of experts. “EPIC is encouraged by the President’s continued commitment to end the bulk collection program … however, the renewal of the FISC order on Friday would be a disappointing development,” said Alan Butler, appellate advocacy counsel for the Electronic Privacy Information Center (EPIC). “The bulk collection program will not end until the FISC order expires without the President seeking its renewal.”