Tuesday, 4 March 2014

Police Contract With Spy Tool Maker Prohibits Talking About Device’s Use

A non-disclosure agreement that police departments around the country have been signing for years with the maker of a cell-phone spy tool explicitly prohibits the law enforcement agencies from telling anyone, including other government bodies, about their use of the secretive equipment, according to one of the agreements obtained by an Arizona journalist.
The NDA includes an exception for “judicially mandated disclosures,” but no mechanisms for judges to learn that the equipment was used. In at least one case in Florida, a police department revealed that it had decided not to seek a warrant to use the technology explicitly to avoid telling a judge about the equipment. It subsequently kept the information hidden from the defendant as well.
A copy of the contract was obtained from a police department in Tucson, Arizona, which signed the agreement in 2010 with the Harris Corporation, a Florida-based maker of the equipment used by the department. The police department cited the agreement as one of the reasons it withheld information from a journalist who filed a public records request seeking information about the department’s use of the equipment.
“[The Tucson Police Department] and the City of Tucson have allowed Harris Corporation to dictate the City of Tucson’s and TPD’s compliance with Arizona public records law in regards to products and services purchased from Harris Corporation,” notes the ACLU of Arizona in a lawsuit demanding that the police department comply (.pdf) with the journalist’s records request.
The non-disclosure agreement signed by the Tucson Police Department, which went into effect June 7, 2010, not only bars the police department from discussing their use of the surveillance tool with any government entity, it requires the law enforcement agency to notify Harris any time journalists or anyone else files a public records request to obtain information about their use of the tools and also states that the police department will “assist” Harris in deciding what information to release.
The non-disclosure agreement in Arizona states specifically:
The City of Tucson shall not discuss, publish, release or disclose any information pertaining to the Products covered under this NDA to any third party individual, corporation, or other entity, including any affiliated or unaffiliated State, County, City, Town or Village, or other governmental entity without the prior written consent of Harris …
The City of Tucson is subject to the Arizona Public Records Law. A.R.S. sec 39-121, et seq. While the City will not voluntarily disclose any Protected Product, in the event that the city receives a Public Records request from a third party relating to any Protected Product, or other information Harris deems confidential, the City will notify Harris of such a request and allow Harris to challenge any such request in court. The City will not take a position with respect to the release of such material, beyond its contractual duties, but will assist Harris in any such challenge.
The agreement is believed to be the same one that led police in Tallahassee, Florida, to withhold from judges and defendants information about their own use of the spy tool in a 2008 case and at least 200 other times in investigations conducted since 2010. In the 2008 case in Tallahassee, authorities cited the non-disclosure agreement with the maker of their equipment as the reason they did not seek a warrant from a judge to use the equipment.
They later refused to tell the suspect’s attorney how they had tracked his client to the apartment where he was arrested. A judge finally forced the government to disclose the surveillance technique they had used, but only after the government insisted the court be closed and assurances that the proceedings would be sealed to prevent the information from leaking to the public. The truth came out only after the defendant appealed his conviction.
The Harris Corporation, a Florida-based company, is the leading maker of stingrays in the U.S. The secretive technology is generically known as a stingray or IMSI catcher, but Harris sells models of stingrays it specifically calls the Stingray and Stingray II. Stingrays are designed to emit a signal that is stronger than nearby cell phone towers in order to force phones in the vicinity to connect to them.
When mobile phones — and other wireless communication devices like air cards — connect to the stingray, it can see and record their unique ID numbers and traffic data, as well as information that points to the device’s location. By moving the stingray around, authorities can then triangulate the device’s location with much more precision than they can get through data obtained from a mobile network provider’s fixed tower location.
Some stingrays have the ability to collect content as well. But U.S. authorities have asserted in the past that they don’t need to obtain a probable-cause warrant to use the devices because the ones they use don’t collect the content of phone calls and text messages but rather operate like pen-registers and trap-and-traces, collecting the equivalent of header information.
The ACLU has long suspected that Harris has been loaning stingrays and other surveillance equipment to police departments for product testing and promotional purposes on the condition that they not disclose their use to courts and the public. The Tucson Police Department, however, purchased its equipment: according to the court record, the department bought at least $400,000 worth of equipment from Harris.
The non-disclosure agreement signed by the Tucson police came to light after Mohamad Ali Hodai filed a public records request seeking information about the department’s use of the equipment. Hodai, who works as a freelance researcher for the Center for Media and Democracy, filed his records request last October, seeking all records related to the department’s use of the equipment, including emails.
The department withheld many documents from its response, but among the few documents Hodai did receive was a copy of the non-disclosure agreement the department signed with Harris, a redacted purchase order, and an email dated October 24, 2013 between Dawn Wheeler, contracts manager for Harris, and Sergeant Kevin Hall of the Tucson Police Department discussing Hodai’s records request.
Partial email that Harris sent to Tucson Police Department advising what information the police should withhold from a journalist.
In the email, Wheeler advised the officer on what records the police department should redact or withhold from Hodai’s request, in some cases feeding the department the proper laws to cite in its response to the journalist. Accompanying the email, Wheeler helpfully appended the non-disclosure agreement the police department had signed with the company.
The NDA states not only that the department will not disclose certain information about equipment the company makes, but also will not release any information “about the operations, missions … or investigation results, methods or any other information related to or arising out of the use, deployment or application of the Products … that would be deemed a release of technical data….”
It also requires police to tell Harris if a court orders them to disclose information and then to “provide maximum protection of the information” when they do disclose information to the court.
In their response to Hodai, the Arizona police department told him that some of the information he requested was redacted or withheld at the behest and direction of Harris Corporation, while other information was withheld under Federal FOIA exemption laws. An attorney for the police department told Hodai that the police department was obligated to redact any information Harris deemed confidential.
In its lawsuit against the police department on Hodai’s behalf, the ACLU of Arizona accused the department of violating its legal requirement to respond to public records requests.
“The records provided in reply to Mr. Hodai’s initial public records request, and the many that were not provided, demonstrate that the response by Defendants the City of Tucson and the Tucson Police Department were inadequate and failed to satisfy the duties of a public body under Arizona Public Records Law.”

Florida Cops’ Secret Weapon: Warrantless Cellphone Tracking

Police in Florida have offered a startling excuse for having used a controversial “stingray” cellphone tracking gadget 200 times without ever telling a judge: the device’s manufacturer made them sign a non-disclosure agreement that they say prevented them from telling the courts.
The shocking revelation came during an appeal over a 2008 sexual battery case in Tallahassee in which the suspect also stole the victim’s cellphone. Using the stingray — which simulates a cellphone tower in order to trick nearby mobile devices into connecting to it and revealing their location — police were able to track him to an apartment.
During recent proceedings in the case, authorities revealed that they had used the equipment at least 200 additional times since 2010 without disclosing this to courts and obtaining a warrant.
Although the specific device and manufacturer are identified neither in the one court document available for the 2008 case nor in a video of a court proceeding, the ACLU says in a blog post today that the device is “likely a stingray made by the Florida-based Harris Corporation.”
Harris is the leading maker of stingrays in the U.S., and the ACLU has long suspected that the company has been loaning the devices to police departments throughout the state for product testing and promotional purposes. As the court document notes in the 2008 case, “the Tallahassee Police Department is not the owner of the equipment.”
The ACLU now suspects these police departments may have all signed non-disclosure agreements with the vendor and used the agreement to avoid disclosing their use of the equipment to courts.
“The police seem to have interpreted the agreement to bar them even from revealing their use of Stingrays to judges, who we usually rely on to provide oversight of police investigations,” the ACLU writes.
Harris refused to comment, instead redirecting questions to law enforcement.
The secretive technology is generically known as a stingray or IMSI catcher, but the Harris device is also specifically called the Stingray. When mobile phones — and other wireless communication devices like air cards — connect to the stingray, it can see and record their unique ID numbers and traffic data, as well as information that points to the device’s location. By moving the stingray around, authorities can triangulate the device’s location with much more precision than they can get through data obtained from a mobile network provider’s fixed tower location.
The government has long asserted that it doesn’t need to obtain a probable-cause warrant to use the devices because they don’t collect the content of phone calls and text messages but rather operate like pen-registers and trap-and-traces, collecting the equivalent of header information.
This is the first time, however, that a contract with the vendor has been cited as a reason for not obtaining a warrant. The discovery of this hidden detail was made by CNET reporter Declan McCullagh earlier this year.
The 2008 Florida case — State v. Thomas (.pdf) — is currently sealed, though the ACLU has filed a motion to unseal the records.
The case involves James L. Thomas who was convicted of sexual battery and petit theft.
According to the appellate court judges, after a young woman reported on September 13, 2008 that she had been raped and that her purse, containing a cellphone, had been stolen, police tracked the location of her phone about 24 hours later to the apartment of Thomas’ girlfriend.
“The investigators settled on a specific apartment ‘shortly after midnight’ or ‘approximately 1:00 to 2:00 a.m.’ on September 14, 2008,” the court wrote. “For the next few hours, six or seven police officers milled around outside the apartment, but made no effort to obtain a search warrant.”
They did not want to obtain a search warrant to enter the apartment “because they did not want to reveal information [to a judge] about the technology they used to track the cellphone signal,” the appellate judges note.
Around 5 a.m., police knocked on the apartment door, but the suspect’s girlfriend refused to let them in without a warrant. They forced their way in, ordered her and Thomas to exit, then searched the apartment. After they found the victim’s purse and cellphone, they arrested Thomas.
Authorities opted not to get a warrant either for the use of the Stingray or the search of the apartment, simply because they didn’t want to tell the judge what they were using to locate the suspect, a matter the ACLU finds troubling.
“Potentially unconstitutional government surveillance on this scale should not remain hidden from the public just because a private corporation desires secrecy. And it certainly should not be concealed from judges,” the ACLU noted.
Authorities even refused to tell Thomas’s attorney how they had tracked his client to the apartment. A judge finally forced the government to disclose the surveillance technique they had used, but only after the government insisted the court be closed. The proceedings were also sealed to prevent the information from leaking to the public.
The truth came out only after Thomas appealed his conviction, asserting that the police violated his Fourth Amendment right in seizing evidence.
It was in the unsealed appellate opinion that the ACLU discovered the reason for the secrecy.
The judges revealed that the reason authorities didn’t obtain a search warrant and didn’t want to disclose their surveillance technique in an open court was because of the NDA. But that wasn’t all. A video of oral arguments before the appellate judges revealed more.
When the government attorney tried to argue in court that the police had planned to obtain a warrant to enter the apartment, one of the judges interrupted.
“No, no, no, no, no,” he said. “I think this record makes it very clear they were not going to get a search warrant because they had never gotten a search warrant for this technology.”
His fellow judge then interjected loudly, “Two-hundred times they have not.”
The ACLU was surprised by the admission.
“[Wh]en police use invasive surveillance equipment to surreptitiously sweep up information about the locations and communications of large numbers of people, court oversight and public debate are essential,” the group noted in its post.
But the possibility that an NDA may have been the excuse for not disclosing the technology was an even greater concern. [A video of the oral arguments is available on the court's web site. Discussion of the technology begins at 9:15; mention of the 200 times they used the technology without a warrant occurs around 18:00.]
The ACLU has filed a Freedom of Information Act request with 30 police and sheriff departments in Florida to determine how widespread the use of the stingray is and how often its use has been concealed from courts.
Use of stingray technology goes back at least 20 years. In a 2009 Utah case, an FBI agent described using a cell site emulator more than 300 times over a decade and indicated that they were used on a daily basis by U.S. Marshals, the Secret Service, and other federal agencies.
The systems are not cheap. According to a 2008 price list obtained by Public Intelligence, the Harris Stingray was priced at $75,000 for the basic device, plus an additional $22,000 – $5,000 for various software packages for use with it. But the police in Florida appear to have obtained the devices for free or on lease from the maker.
While the government has argued in other cases that it does not need a warrant to use the devices, it conceded in one case in Arizona that it did need a warrant to use the device in that particular case because it involved locating a Verizon air card being used inside the suspect’s apartment.
In the Thomas case in Florida, however, the appellate judges noted that they were considering the suspect’s appeal only on grounds that police did not obtain a search warrant for his apartment, not on grounds that they did not obtain a search warrant for the use of the surveillance device.
“For purposes of decision, however, we assume the police acted lawfully up to the point that they forcibly entered the apartment,” they wrote in their November opinion. “It is not clear that there was ever a ruling on the legality of the cellphone tracking methods used below.”
The trial court initially ruled that the apartment search was legal due to exigent circumstances, and therefore that the evidence obtained in the search was lawfully obtained. The appellate court reversed this, finding that the girlfriend had given her consent only after she was forced to leave the apartment and stand outside in her night clothes, and after police had already begun to search the apartment.

Detroit employees' personal information may be at risk in computer security breach

About 1,700 current and former Detroit firefighters and emergency medical technicians will be offered free credit report monitoring and identity theft insurance after city officials discovered a security breach on a computer at city hall involving files with personal information about the employees and retirees.
The city’s new information technology chief, Beth Niblock, said today that it appeared a city employee clicked on a malware — or malicious software — link in an e-mail that released code that froze access to numerous files. Two of the files included information such as the names, dates of birth and Social Security numbers of the current and former employees, but it did not appear that the malicious code accessed the information in those files.
“We’re notifying the affected employees by letter,” Niblock said at a news conference today. “We take the security of our employees’ and former employees’ information seriously.”
The city’s top lawyer, Melvin (Butch) Hollowell, said it appeared that the malware originated from somewhere overseas, and that the city has notified authorities about the breach.
Niblock, now in her second week on the job as Mayor Mike Duggan’s IT leader, said such malware is commonly sent to corporate, government and personal e-mail accounts, often in an attempt to get e-mail users to provide personal information that can be used to access credit cards, bank accounts and the like.
Some malware programs freeze access to files and then demand payment before access is restored, but there was no such demand in this breach, Hollowell said.
Niblock is expected to oversee a transformation of Detroit’s antiquated computer technology systems as the city prepares to spend $150 million over the next decade to upgrade its IT networks under a bankruptcy plan proposed by emergency manager Kevyn Orr. But even the best computer systems are vulnerable to malware attacks, and the city is looking into additional training on computer security for city workers, she said.

Russia, Please Keep Hacking

Huffington Post: Once again I read that Russian hackers have broken into the Pentagon's and State Department's computer systems.
Why would anyone bother to do that?
Imagine the hacker being debriefed by Gen. Alexander Bortnikov, Director of the FSB (successor to the KGB).
Hacker: We have obtained the complete plans for the new Gerald R. Ford class aircraft carriers. We now could build one for $13 billion.
Bortnikov: You fool. $13 billion is what the Navy told Congress. It will actually cost $52 billion, four times that amount. We want the United States to build dozens of these. We can sink them with a set of drones purchased from Amazon with next day delivery for $78.95.
Hacker: We have also obtained complete working drawings for a $435 hammer and a $600 toilet seat.
Bortnikov: Take this man out and shoot him.
I doubt Russian hackers will do better with the State Department:
Hacker: We have hacked into State's top secret plans. If Russia invades western Ukraine the United States will unleash Operation Dither.
Bortnikov: What is Operation Dither?
Hacker: Obama will state that our actions are "objectionable" and "unacceptable." Further, he will warn us that if we invade any Latin American countries, he will invoke the Monroe Doctrine.
Bortnikov: Tass reported that four days ago. Take this man out and shoot him.
Let's hope Russia keeps hacking the Pentagon and State Department. If Russia wanted to cause real damage, they would tell their computer wizards to destroy the American software industry. Think of Microsoft trying to compete with software that actually worked. Surely the geniuses who hacked into the Pentagon and State Department could do better than Windows Mobile, Zune and Windows Vista.
Thank God, Putin and Bortnikov are unimaginative cold warriors.

Cyber battle apparently under way in Russia-Ukraine conflict

Ukraine's mobile phone infrastructure is under attack, with equipment installed in Russian-controlled Crimea interfering with the phones of members of parliament, a senior Ukrainian government official alleges.
The head of Ukraine's SBU security service told a press conference on Tuesday that the attack has been running for at least two days.
"I confirm that an IP-telephonic attack is under way on mobile phones of members of Ukrainian parliament for the second day in a row," Valentyn Nalivaichenko told the news conference, Reuters reports.
Equipment installed within Ukrtelecom networks in the Crimea is blocking the phones of Nalivaichenko and his deputies, he said.
"The security services are now seeking to restore at least the security of communications," according to the security chief. "All state information security systems were unprepared for such a brazen violation of the law."
AFP also reports that Russian forces have severed internet connections between the Crimean peninsula and the rest of Ukraine. Unidentified individuals reportedly seized local offices of state-owned telecommunications service provider Ukrtelecom before cutting phone and Internet cables. The actions have severely degraded communication links.
Ukrainian naval communications stations around the port city of Sevastopol and power lines there have been sabotaged, AFP added.
Two Crimean government web portals were also offline, although the reason for this outage remains unconfirmed.
It's not all one way traffic. The website of the Russia Today news service was defaced by hackers for a short time on Saturday with the headlines of news articles changed so that references to “Russia” and “Russians" were replaced with the words “Nazi” and “Nazis”.
Russian forces seized strategic locations on the Crimean peninsula last week after a popular uprising in Kiev ousted pro-Russian President Yanukovych. Local militia set up roadblocks between Crimea, which has an ethnic Russian majority, and the rest of Ukraine.
The use by Russia of electronic warfare against Ukraine in the midst of escalating tensions within the country follows the pattern of earlier conflicts between Russia and its immediate neighbours.
For example, the military conflict on the ground between Georgia and Russia in 2008 over the break-away regions of South Ossetia and Abkhazia, which have since become Russian protectorates, was accompanied by denial-of-service attacks and website defacements.

Security researchers uncover three-year-old 'RUSSIAN SPYware'

Security researchers have discovered a complex and sophisticated piece of data-stealing malware they suggest may well be the work of state-sponsored hackers in Russia.
The Uroburos rootkit, named after a mythical serpent or dragon that ate its own tail – and after a sequence of characters concealed deep within the malware’s code (Ur0bUr()sGotyOu#) – may have been active for at least three years prior to its detection by security researchers at German antivirus firm G Data.
Uroburos is designed to capture network traffic and steal files. It's a rootkit made up of two files, a driver and an encrypted virtual file system. The rootkit is able to take control of an infected machine, execute arbitrary commands and hide system activities, say the researchers.
The malware communicates over a peer-to-peer network. Providing it can find one computer with internet access within a compromised network, it's capable of stealing data from other infected computers on the same network – even if they don't have access to the interwebs. G Data says Uroburos uses two virtual file systems (one based on an NTFS file system and the other a FAT file system) to disguise its malign activities and to try to avoid detection.
These virtual file systems are used as a "workspace" by the attackers, providing a storage space for third-party tools, post-exploitation tools, temporary files and binary output.
G Data researchers reckon the complexity of the malware marks it out as much more likely to be the work of intelligence agencies than made by common or garden cybercrooks.
The development of a framework like Uroburos is a huge investment. The development team behind this malware obviously comprises highly skilled computer experts, as you can infer from the structure and the advanced design of the rootkit. We believe that the team behind Uroburos has continued working on even more advanced variants, which are still to be discovered.
Similarities in techniques and technology point to links between Uroburos and a malware-based attack against the US around six years ago.
Due to many technical details (file name, encryption keys, behavior and more details mentioned in this report), we assume that the group behind Uroburos is the same group that performed a cyberattack against the United States of America in 2008 with a malware called Agent.BTZ. Uroburos checks for the presence of Agent.BTZ and remains inactive if it is installed. It appears that the authors of Uroburos speak Russian (the language appears in a sample), which corroborates the relation to Agent.BTZ. Furthermore, according to public newspaper articles, this fact, the usage of Russian, also applied for the authors of Agent.BTZ.
The spread of the Agent.BTZ worm back in 2008 resulted in a US Army ban against the use of USB and removable media devices, the main vector of the infection.
Uroburos is targeting high-profile enterprises, nation states, intelligence agencies and similar targets, G Data's security researchers conclude. One of the drivers identified in the Uroburos rootkit was compiled in 2011, evidence that the malware was created around three years ago. It's reasonable to assume it was released soon after it was created, implying the sophisticated malware has stayed under the radar of security firms for around three years. More details of G Data's analysis thus far can be found in the company's white paper (PDF).
Analysis of the malicious code is at an early stage, so key pieces are missing from the jigsaw, not least how Uroburos manages to spread.
"No light has been shined on how Uroburos might infect victim computers (although USB infection and targeted email attacks seem plausible), or who the victims might have been, or what data might have been stolen," writes independent security expert Graham Cluley in a blog post on the threat.
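The one concrete indicator the article gives for Uroburos is the string Ur0bUr()sGotyOu# embedded in its code. The following is an added example, not G Data's tooling, of the kind of check a responder can run over a disk image or memory dump for that marker. It reads the input in fixed-size chunks and carries an overlap between chunks so that a marker straddling a chunk boundary is still reported at its correct absolute offset. The sample input is constructed here purely to exercise that boundary case.

```python
"""Chunked scan for the Uroburos marker string reported by G Data.

Added example (not G Data's code). The marker comes from the article; the
sample input below is constructed so one occurrence crosses a chunk boundary.
"""
import io

# Marker string G Data reports finding inside the Uroburos rootkit.
MARKER = b"Ur0bUr()sGotyOu#"


def find_marker_offsets(stream, marker=MARKER, chunk_size=4096):
    """Return the absolute byte offsets of every occurrence of marker.

    stream is any binary file-like object. The scan keeps the last
    len(marker) - 1 bytes of each chunk and prepends them to the next one,
    so an occurrence split across two reads is found exactly once.
    """
    offsets = []
    overlap = len(marker) - 1
    carry = b""      # tail of the previous buffer
    base = 0         # absolute offset of carry[0] in the stream
    while True:
        data = stream.read(chunk_size)
        if not data:
            break
        buf = carry + data
        pos = buf.find(marker)
        while pos != -1:
            offsets.append(base + pos)
            pos = buf.find(marker, pos + 1)
        # Carry only the overlap; anything shorter than the marker cannot
        # contain a full occurrence, so nothing is reported twice.
        if len(buf) > overlap:
            base += len(buf) - overlap
            carry = buf[-overlap:]
        else:
            carry = buf
    return offsets


def scan_bytes(data: bytes, chunk_size: int = 4096):
    """Convenience wrapper: scan an in-memory blob as if it were a file."""
    return find_marker_offsets(io.BytesIO(data), chunk_size=chunk_size)


def build_sample() -> bytes:
    """Constructed test image: one marker straddling the 4096-byte boundary
    (starting at offset 4090) and a second one 100 bytes after it."""
    return b"\x00" * 4090 + MARKER + b"\x00" * 100 + MARKER


if __name__ == "__main__":
    hits = scan_bytes(build_sample())
    print("marker offsets:", hits)   # [4090, 4206]
```

Against a real image, pass an open file (`open(path, "rb")`) to `find_marker_offsets`; a hit is a reason to pull the file for full analysis, not proof of infection on its own, since the string could equally appear in a detection signature or a report stored on the same disk.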

Government and Android threats boom as XP woes loom

Cyber attacks against businesses are increasingly focusing on the Android platform, according to security firm F-Secure, which has also seen a growing number of state-sponsored attacks over the past year.
F-Secure highlighted Android as the largest-growing target for cyber attacks, with a massive 804 new families and variants of malware hitting the platform in 2013.
The figure marks an alarming increase in the number of attacks targeting Android. F-Secure detected a more modest 238 new Android threats during the same period in 2012. Its report stated that 97 percent of all mobile malware it found in 2013 was designed to target Android users.
But despite the alarming growth, F-Secure said that Android threats are still significantly less advanced than their PC counterparts. "By and large the majority of malicious apps we see targeting Android exploit the mechanics of the user's interactions with their device," read the report.
"The most common type of malware – Trojans – has malicious routines injected into the packages of clean, legitimate programs, which are then redistributed on various app stores, often with a new name that sounds reminiscent of the clean app. The repackaged app typically asks for more permissions than the un-Trojanised original, which is the weak point that allows it to carry out malicious routines."
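The weak point the report describes, a repackaged app asking for more permissions than the clean original, can be checked mechanically when both manifests are available. The following is an added example, not F-Secure's code, that parses two AndroidManifest.xml documents, reports the permissions the suspect copy requests beyond the original, and flags those that let an app spend money or exfiltrate data. Both manifests are constructed for illustration, and the high-risk list is an assumption for this example rather than an official Android classification.

```python
"""Diff the permissions of a suspect APK manifest against its clean original.

Added example (not F-Secure's code). Both manifests are constructed samples;
HIGH_RISK is an assumed list chosen for this example.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: manifest of a clean flashlight app.
CLEAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.FLASHLIGHT"/>
</manifest>"""

# Constructed sample: the same app repackaged under a look-alike name with
# extra permissions injected, the pattern the report describes.
REPACKAGED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight.pro">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.FLASHLIGHT"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

# Assumed list of permissions that let an app run up charges or leak data.
HIGH_RISK = {
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.CALL_PHONE",
}


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of permission names a manifest requests."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for el in root.iter("uses-permission"):
        name = el.get(ANDROID_NS + "name")
        if name:
            names.add(name)
    return names


def package_name(manifest_xml: str) -> str:
    """Return the package attribute of the manifest root element."""
    return ET.fromstring(manifest_xml).get("package", "")


def excess_permissions(clean_xml: str, suspect_xml: str) -> dict:
    """Compare a suspect manifest with the clean original it imitates.

    The result lists every permission the suspect adds, the subset that is
    high risk, whether the package name mimics the original, and an overall
    flag that is set when any high-risk permission was added.
    """
    clean_pkg, suspect_pkg = package_name(clean_xml), package_name(suspect_xml)
    extra = requested_permissions(suspect_xml) - requested_permissions(clean_xml)
    high_risk = extra & HIGH_RISK
    return {
        "suspect_package": suspect_pkg,
        "name_mimics_original": suspect_pkg != clean_pkg and clean_pkg in suspect_pkg,
        "extra": sorted(extra),
        "high_risk": sorted(high_risk),
        "flag": bool(high_risk),
    }


if __name__ == "__main__":
    verdict = excess_permissions(CLEAN_MANIFEST, REPACKAGED_MANIFEST)
    for key, value in verdict.items():
        print(f"{key}: {value}")
```

The manifests inside a real APK are stored in binary XML; decode them with a tool such as `aapt dump xmltree` or apktool before feeding the text to these functions. A clean build compared against itself yields no extra permissions and no flag, which is a useful sanity check before trusting a positive result.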
F-Secure also reported detecting a spike in the number of web-based cyber attacks targeting internet users. The report said 26 percent of all cyber attacks in the second half of 2013 were web based, with the majority targeting Java-related exploits.
"Web-based attacks – which typically involve techniques or malware that redirects the web browser to malicious sites – doubled during this six-month period," read the report.
"The three most prominent exploit-related detections we observed in H2 [the second half of] 2013 were Majava and those that targeted CVE-2013-2471 and CVE-2013-1493 vulnerabilities. Not coincidentally, all three of these involved vulnerabilities in the Java development platform."
Interest in Apple's Mac OS from attackers thawed, with F-Secure detecting a modest 51 new families and variants targeting the platform during the period.
Disturbingly F-Secure says it also detected and blocked an unspecified number of state-sponsored hack campaigns targeting its customers during the period.
"The revelations of NSA spying activities throughout 2013 have led to a surge in privacy worries among the general population of netizens. Internet users are growing more alert to the possibility of prying eyes while they surf the internet, now adding governments (their own or others) alongside other parties who may be engaging in user surveillance," stated the report.
"We have detected governmental malware used by law enforcement (such as the R2D2 Trojan used by the German government)."
The NSA's PRISM spying campaign was revealed when ex-CIA analyst Edward Snowden leaked documents to the press showing that the intelligence agency was gathering web user data from numerous companies, including Google, Facebook, Microsoft and Apple.
The report further highlighted Microsoft's fast-approaching Windows XP support cut-off date as a key security issue on the horizon. Microsoft is due to stop providing security fixes for its ageing Windows XP operating system in April. F-Secure said the cut-off will put the onus on IT managers to find ways to secure the platform.
"When (not if) a powerful zero-day exploit makes its way to market – that's when the real concerns begin and important questions will be asked," the report stated.
"Some businesses will continue to use Windows XP throughout 2014, either due to contractual obligation, or because their customers do so and they need XP to provide support. In those situations, IT managers have their work cut out for them.
"Air gapping systems or isolation to separate networks from critical intellectual property is recommended. Businesses should already be making moves such as this for bring your own device (BYOD) users. XP is just another resource to manage."
F-Secure is one of many security firms to warn of the dangers companies will face if they continue to run Windows XP.
Senior security analyst at Sophos Paul Ducklin told V3 the cut-off will inevitably cause security issues, as future security patches to new Windows versions could alert hackers to previously undiscovered flaws in XP's security.

EU justice commissioner moves to stop companies holding user data hostage

EU justice commissioner Viviane Reding speaking in Brussels
European Union (EU) justice commissioner Viviane Reding has called for fresh legislation to ensure web service providers, such as Microsoft, Facebook, Apple and Google, cannot hold their customers' data ransom.
Reding – who is also a vice president of the European Commission (EC) – called for new data protection regulation during a speech to the Justice Council. She argued that service providers should not be allowed to forcibly tie users to their platforms by locking their data to them.
"The right to the portability of personal data in the private sector is an essential element of the proposal. Citizens should be able to transfer their data from one service provider, such as a social network, to another – just as they are able to keep their mobile number when changing telecoms operators," she said.
She said the legislation would benefit the European economy and herald a new boom in innovation within the web services industry.
"Choice drives competition. Data portability empowers citizens to decide what happens to their data and grants them tangible rights vis-à-vis businesses. It gives them real control over their personal data. This approach integrates the development of the online environment without encroaching on the technological neutrality of the Regulation," she said.
Reding's calls come during a heated debate about the way technology companies collect and use customer data. This began in June 2013 when whistleblower Edward Snowden leaked documents to the press proving that the US National Security Agency (NSA) and UK Government Communications Headquarters (GCHQ) were siphoning vast amounts of customer data from numerous internet companies.
Aside from this, the companies generally use data to create profiles of their customers and push targeted advertising to them, or spot emerging trends in the market. The tactic has proven so successful that IBM CEO Virginia Rometty listed customer data as the "natural resource" of the 21st century, during a keynote speech at Mobile World Congress in Barcelona in February.
Reding supported the creation of fresh legislation to help control how companies store and use their customers' data, outlined by the Commission in 2013.
"The Commission has already proposed to expand the scope of the protection. Individuals will not only be protected against formal 'decisions' but also against 'measures' producing legal effects or significantly affecting them," she said.
"The Regulation strikes an appropriate balance between the rights of citizens and the need to encourage the emergence of innovative business models. Regulating the manner in which such profiles are created and used adds red tape for businesses and interferes with their research and innovation abilities."
Reding has been a constant supporter of reforms designed to protect citizens' privacy in the digital age. She announced plans in January to reform Europe's data protection laws to increase the amount that authorities can fine companies that fall foul of the regulation.

Hackers spreading Zbot malware using cat and sunset pictures

Hackers are issuing commands to machines infected with the Zbot malware using popular images of sunsets and cats, according to security firm Trend Micro.
Trend Micro threat response engineer Jennifer Gumban reported the hack campaign in a blog post, warning it is targeting several European bank customers. "We encountered an image of a sunset, but other security researchers reported encountering a cat image," read the post.
"Using steganography, a list of banks and financial institutions that will be monitored is hidden inside the image. The list includes institutions from across the globe, particularly in Europe and the Middle East."
The images can spread in a variety of ways. They can be shared as standalone malicious files that send out commands to infected machines, or inserted into web pages and set to automatically target visitors to the site.
Trend Micro vice president of security research Rik Ferguson told V3 that by hiding the malware's configuration files in this way, the hackers could bypass many traditional security features.
"There are a couple of good reasons for delivering them in this format; first the file itself is often excluded from scanning by traditional security solutions, obviously to the naked eye they look entirely innocent and also to network monitoring software," he said.
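The article does not say how the bank list is embedded in the image. One cheap check a defender can add to an image-scanning pipeline covers the simplest form of hiding, a payload appended after the image's end-of-file marker, which is exactly what a viewer ignores and a signature scanner that trusts the file type may never look at. The following is an added example written for this page, not Trend Micro's or the malware's code; the PNG samples are constructed inline and the appended "bank list" string is a placeholder.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def trailing_data_after_iend(data: bytes) -> bytes:
    """Walk the PNG chunk list and return whatever follows the IEND chunk.

    A well-formed PNG ends exactly at IEND, so any returned bytes are
    foreign to the image and worth inspecting. Raises ValueError for
    files that are not structurally valid PNGs.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    offset = len(PNG_SIGNATURE)
    while offset + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[offset:offset + 8])
        chunk_end = offset + 12 + length          # length + type + body + CRC
        if chunk_end > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        body = data[offset + 8:offset + 8 + length]
        (stored_crc,) = struct.unpack(">I", data[chunk_end - 4:chunk_end])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != stored_crc:
            raise ValueError("bad CRC in chunk %r" % ctype)
        offset = chunk_end
        if ctype == b"IEND":
            return data[offset:]                  # b"" for a clean file
    raise ValueError("no IEND chunk found")


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk with a correct CRC (used only to construct samples)."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """Constructed sample: a valid 1x1 8-bit RGB PNG with a single red pixel."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")    # filter byte + one RGB pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


CLEAN_PNG = build_minimal_png()
# Constructed sample standing in for an image with a hidden configuration appended.
HIDDEN_CONFIG = b"bank-a.example;bank-b.example"   # placeholder, not a real list
SUSPICIOUS_PNG = CLEAN_PNG + HIDDEN_CONFIG
```

This only catches appended payloads; a list hidden in pixel data (LSB-style steganography) leaves the chunk structure intact and needs statistical or signature-based analysis instead.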
Gumban said the campaign is atypical as it targets systems infected with the financially focused Zbot malware.
"This particular attack has another unusual routine: it downloads onto the system other malware, namely TROJ_FOIDAN.AX. This Trojan removes the X-Frame-Options HTTP header from sites the user visits, allowing websites to be displayed inside a frame," the post continued.
"Zbot has not traditionally been linked to clickjacking in the past. However, it has been linked to other threats, such as ransomware and file infectors."
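Stripping X-Frame-Options from a response is what makes a framing (clickjacking) attack against an otherwise protected site possible, so a useful monitoring check is to compare the framing policy a site is known to send with the policy actually received on the client side. This is an added example for this page, not code from Trend Micro or the malware; the two header blocks are constructed samples, and the "expected policy" lookup is a hypothetical table a defender would maintain.

```python
def parse_headers(raw: str) -> dict:
    """Parse an HTTP response header block into a lower-cased name -> value map.
    The status line is skipped; for repeated headers the last value wins."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def framing_policy(headers: dict) -> str:
    """Return the effective framing restriction a browser would apply.

    CSP frame-ancestors takes precedence over X-Frame-Options when both are
    present, so it is checked first. Returns 'csp', 'deny', 'sameorigin' or 'none'.
    """
    csp = headers.get("content-security-policy", "")
    for directive in csp.split(";"):
        if directive.strip().lower().startswith("frame-ancestors"):
            return "csp"
    xfo = headers.get("x-frame-options", "").lower()
    if xfo in ("deny", "sameorigin"):
        return xfo
    return "none"


# Hypothetical baseline: the policy each monitored site is known to send.
EXPECTED_POLICY = {"bank.example": "deny"}


def protection_downgraded(host: str, raw_response: str) -> bool:
    """True when a response for a monitored host arrives with weaker framing
    protection than the baseline says it should carry."""
    expected = EXPECTED_POLICY.get(host)
    if expected is None:
        return False                      # not a monitored host
    return framing_policy(parse_headers(raw_response)) != expected


# Constructed samples: the response as the site sends it, and the same response
# after the X-Frame-Options header has been removed in transit.
ORIGINAL_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "X-Frame-Options: DENY\r\nSet-Cookie: session=placeholder; Secure\r\n"
)
TAMPERED_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "Set-Cookie: session=placeholder; Secure\r\n"
)
```

A site that also sends a Content-Security-Policy with frame-ancestors keeps its framing restriction even if only X-Frame-Options is removed, which is one reason to send both.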
Zbot is an old version of the notorious Zeus Trojan and is designed to steal financial information from its victims. The Zbot malware was thought to be close to extinct as criminals had upgraded their campaigns to run using newer versions of Zeus until May 2013, when Trend Micro researchers detected a resurgence in its use.
Ferguson said the discovery of the new Zbot attack is troubling as it shows common cyber criminals are beginning to learn from more advanced hack campaigns.
"The most concerning aspect is that this is a real illustration that targeted attack expertise is already 'filtering down' and becoming a commoditised playbook for traditional cybercrime."
The Zbot campaign comes during a turbulent time within the cybercrime community. Researchers from security firm FireEye reported that hackers are dropping financially focused malware, such as Zbot, in favour of more dangerous remote access Trojans (RATs) in February.

Hackers hijack 300,000 SOHO routers with man-in-the-middle attacks

Researchers at the security firm Team Cymru have traced a campaign that has successfully compromised 300,000 small office and home office (SOHO) routers using man-in-the-middle attacks to two UK IP addresses.
The research team reported the campaign in its SOHO Pharming white paper, confirming that the majority of the victims were in Europe and Asia.
"In January 2014, Team Cymru's Enterprise Intelligence Services began investigating a SOHO pharming campaign that had overwritten router DNS [domain name system] settings in central Europe," the paper noted.
"To date, we have identified 300,000 devices, predominantly in Europe and Asia, which we believe have been compromised as part of this campaign, one of which dates back to at least mid-December 2013."
In man-in-the-middle attacks, hackers hijack control of data while it is in transit and redirect it to their own site or server. The tactic is used to force victims to visit malicious sites, siphon data or target them with bogus advertising networks owned by the hackers.
Team Cymru said it did not detect any evidence to suggest the two IP addresses were being used for any of these purposes, leaving the criminals' end goal a mystery.
"In our tests, the SOHO pharming servers appeared to forward our DNS requests onto legitimate authoritative servers," read the paper.
"Attempts to log in to local banking websites in affected countries, and to download software updates from Adobe and others all appeared to function normally, though many requests resolved noticeably slowly or failed to complete. Websites tested also appeared to display normal advertising using these DNS servers."
F-Secure security analyst Sean Sullivan told V3 it could be the first sign of a hacktivist botnet. "Until a clear business model comes to light, nothing's off the table. Is this some type of hacktivist botnet? It seems like a possible fit," he said.
Sullivan said a botnet could be useful for hacktivist collectives as it could be used to help mount distributed denial-of-service (DDoS) attacks.
"Traditional botnets are limited in usefulness as far as DDoS goes. I've read compelling research on the topic of servers being targeted and it seems probable that routers would also be useful," he said.
The paper named D-Link, Micronet, Tenda and TP-Link SOHO routers as being vulnerable to the attack, but said an unspecified number of others were also exploitable. At the time of publishing, Team Cymru had not responded to V3's request for more details.
The attackers reportedly leveraged multiple known vulnerabilities in the routers to launch the man-in-the-middle attacks, forcing them to redirect to two IP addresses hosted in the UK.
"Our research of this campaign did not uncover any new, unknown vulnerabilities. Indeed, some of the techniques and vulnerabilities we observed have been public for well over a year," read the paper.
The SOHO router campaign is one of many targeting known vulnerabilities in recent years. Hackers' tendency to exploit known vulnerabilities has led to concerns that Microsoft's fast-approaching Windows XP support cut-off on 8 April could lead to a fresh security pandemic.
Senior security analyst at Sophos, Paul Ducklin, told V3 that Microsoft's XP support cut-off will inevitably cause security issues, as future security patches to new Windows versions could alert hackers to previously undiscovered flaws in XP's security.