Big Brother

VICE: ‘State of Surveillance’ with Edward Snowden

 

**********

No Warrant Required for Phone Location Records, Court Rules

A federal appeals court said no warrant is required for cell phone records showing a criminal suspect's movements.

Federal agents can obtain cellphone records that reveal a caller’s location without a warrant, a Cincinnati-based federal appeals court said on Wednesday in the latest ruling to tackle the scope of privacy protections for data transmitted by personal devices.

The records obtained by the Federal Bureau of Investigation from wireless carriers in 2011 showed that two Detroit men were near the scene of several robberies at the time they were committed. Timothy Carpenter and Timothy Sanders, who were ultimately convicted of participation in nine armed robberies, sought to exclude the records, saying they were protected by the Fourth Amendment.

A 2-1 panel of the Sixth U.S. Circuit Court of Appeals ruled that location records created when a mobile phone connects to a nearby cell tower were the equivalent of the writing on the outside of an envelope, rather than the letter inside.

“Cell-site data—like mailing addresses, phone numbers, and IP addresses—are information that facilitate personal communications, rather than part of the content of those communications themselves,” wrote Judge Raymond Kethledge. “The government’s collection of business records containing these data therefore is not a search.”

Judge Jane Branstetter Stranch joined the ruling in part but was skeptical of lumping location records together with bank and credit card records that law enforcement officers can retrieve from financial firms without a warrant.

“This case involves tracking physical location through cell towers and a personal phone, a device routinely carried on the individual’s person,” she wrote. “I am not convinced that the situation before us can be addressed appropriately with a test primarily used to obtain business records such as credit card purchases.”

Harold Gurewitz, a lawyer for Mr. Carpenter, said he and his client were considering their next move. They could ask the Sixth Circuit to rehear the case or petition the U.S. Supreme Court to review it. Until the high court steps in, Mr. Gurewitz said, “I think the issue is just going to be unclear.”

A spokeswoman for the U.S. attorney’s office in Detroit, which prosecuted the case, declined to comment.

The ruling aligns the Sixth Circuit with two other regional appeals courts and means that law enforcement officers in Kentucky, Michigan, Ohio and Tennessee can obtain a court order for location data by showing merely that the records are relevant to an ongoing investigation. A warrant requires a showing of probable cause.

A three-judge panel of a fourth federal appeals court ruled in August that police need a warrant to obtain such records. That ruling is under review by the full court.

In recent years, the U.S. Supreme Court has erred on the side of privacy in disputes over whether the Fourth Amendment protects against the installation of a global positioning system tracker on a suspect’s vehicle or a search of his phone during an arrest.

But Judge Kethledge said he was bound by a 1979 ruling in Smith v. Maryland in which the U.S. Supreme Court held that the numbers dialed by a caller on a landline aren’t protected by the Fourth Amendment, because the caller knowingly gives that information to phone companies.

“The same things are true as to the locational information here,” he wrote. “Any cellphone user who has seen her phone’s signal strength fluctuate must know that, when she places or receives a call, her phone ‘exposes’ its location to the nearest cell tower and thus to the company that operates the tower.”

The cell records obtained by the FBI showed that Mr. Carpenter and his half brother, Mr. Sanders, were near the scene of four robberies in Warren, Ohio, and Detroit in 2010 and 2011.

Mr. Carpenter was sentenced to more than 116 years in prison, while Mr. Sanders was sentenced to about 14 years.

Nathan Freed Wessler, a lawyer for the American Civil Liberties Union, which filed a brief on behalf of Messrs. Carpenter and Sanders, said the ruling failed to account for the privacy violations made possible by devices that “we all need to carry around to live our lives normally.”

“When police obtain months’ worth of cell phone data comprising thousands of individual locations, like they did in this case, they should have to get a search warrant from a judge,” he said.

 

**********

 

A proposed ‘textalyzer’ bill might give cops the right to access your cellphone

A New York bill that would allow police to use a “textalyzer” device to determine whether drivers have been using their phone at the scene of a car accident is causing concern among some civil liberties groups, who say that it could interfere with people’s cellphone privacy.

The proposed bill, which would make New York the first state to use the textalyzer, according to CBS New York, is heavily supported by the Distracted Operators Risk Casualties (DORCs) group, an advocacy organization that promotes preventative legal action for texting-related car accidents.

The textalyzer, which gets its name from the breathalyzer that determines a driver’s blood alcohol content, is a roadside device introduced by Cellebrite, an Israeli technology company that specializes in data extraction. The device is a scaled-back version of a more intensive phone-scraping technology created by the company, which promises that the device doesn’t give access to personal conversations or apps. Instead, the textalyzer only determines if the phone was in use at the time of the accident, with the option for a more in-depth crawl should the police officer obtain a warrant to search the driver’s phone.

“I have often heard there is no such thing as a breathalyzer for distracted driving — so we created one,” said DORC co-founder Ben Lieberman in a press statement. “Respecting drivers’ personal privacy, however, is also important, and we are taking meticulous steps to not violate those rights.”

The bill includes language that gives law enforcement “implied consent” to having one’s phone tested at the scene of the crash. Fourth Amendment rights are not violated, they claim, because no actual phone data is being mined by the technology, as reported by Ars Technica.

But some civil liberties groups are skeptical that in practice, use of the textalyzer will be as un-invasive as DORC claims.

“Distracted driving is a serious public safety concern. But this solution is not tailored to the problem,” said Donna Lieberman (no relation to DORC’s Ben Lieberman), executive director of the New York Civil Liberties Union (NYCLU). “The technology may in fact be scanning through the content of people’s phones and collecting data, even if that is not apparent. And even if you finely tune the technology, there are many cases where people will be fined for lawful activity. There are several ways someone could be using a phone in line with distracted driving laws that could run afoul of this test.”

Lee Tien, senior staff attorney at the Electronic Frontier Foundation (EFF), agrees that the technology is ripe for misuse.

“I think a law that essentially requires you to hand over your phone to a cop in a roadside situation without a warrant is a non-starter. I know that the supporters of this law talk about how it is designed to keep police away from these sensitive areas of your life. But really, that’s ridiculous. They’re human and they stray or make errors in judgment,” he said.

Both Lieberman and Tien also mentioned that police officers looking to investigate a driver’s phone use can obtain call and texting records with time stamps from phone companies.

“There are existing legal channels for law enforcement to access a phone or phone records if they have grounds to suspect distracted driving has occurred, rather than field-testing every fender bender,” said Donna Lieberman.

But textalyzer advocate Ben Lieberman says that in practice, most phone records are never investigated after a car crash. He would know, he said. He got involved with DORC and supporting distracted driving laws after the death of his 19-year-old son in a texting-while-driving incident. After the crash, law enforcement officials did not attempt to obtain phone records until Lieberman himself pursued a search warrant through a civil suit.

“It’s unrealistic to think that you can get a warrant for every crash,” said Ben Lieberman, adding that a warrant is required in order to get records from a phone company.

He emphasized that the bill, which has been dubbed “Evan’s Law” after his son, takes careful consideration not to violate privacy rights and that the textalyzer can be used right in front of the driver. “The technology and protocol will protect rights or else it won’t work. The last thing I want to do is be responsible for violating anybody’s rights. I also don’t want to bury another child,” he said.
 **********
What does Google Know about me

For all the hoopla surrounding NSA surveillance activities, it’s shockingly easy to forget that Google often knows an awful lot about more than 1 billion users across the globe. Google knows what you search for, what videos you watch, what music you listen to, and even the places you travel to. Of course, Google having access to this information doesn’t quite shock the system given that Google users are typically all too happy and willing to sacrifice a bit of their privacy in exchange for a wide array of free and useful services.

Still, even for those of us who don’t mind Google accumulating and processing our personalized information, there’s something jarring and eerie about seeing, in precise detail, everything Google knows about us. Highlighting this interesting dynamic, The Telegraph recently put together a quick and dirty primer which demonstrates how users can quickly and easily take a gander at all of the information Google has about them.

First things first, make sure you’re signed into your Google account. Following that, go to http://history.google.com/history and you’ll be able to see a breakdown of how many searches you’ve done throughout your Google career. The site will also provide you with a breakdown of which days during the week you happen to use Google most. What’s more, you can even see which domains you tend to click on the most following a Google search. Lastly, Google’s web activity profile lets you break down your search history across time, with “all time”, “last month” and “last week” being three options users can filter by.

Second, if you go to the google.com/history page listed above, you’ll note the presence of three vertical dots towards the upper right of the screen. If you select that, this opens up the “Activity controls” pane. Next, select “Show More Controls”, after which you can access a list of all the places you’ve been, the voice searches and commands you’ve given, along with videos you’ve both watched and viewed on YouTube. Notably, if you’re wary about Google storing this information, you can toggle the tracking settings for each metric on and off.

**********

As the world watched the FBI spar with Apple this winter in an attempt to hack into a San Bernardino shooter’s iPhone, federal officials were quietly waging a different encryption battle in a Los Angeles courtroom.

There, authorities obtained a search warrant compelling the girlfriend of an alleged Armenian gang member to press her finger against an iPhone that had been seized from a Glendale home. The phone contained Apple’s fingerprint identification system for unlocking, and prosecutors wanted access to the data inside it.

It marked a rare time that prosecutors have demanded a person provide a fingerprint to open a computer, but experts expect such cases to become more common as cracking digital security becomes a larger part of law enforcement work.

The Glendale case and others like it are forcing courts to address a basic question: How far can the government go to obtain biometric markers such as fingerprints and hair?

The U.S. Supreme Court has held that police can search phones with a valid warrant and compel a person in custody to provide physical evidence such as fingerprints without a judge’s permission.

But some legal experts say there should be a higher bar for biometric data because providing a fingerprint to open a digital device gives the state access to a vast trove of personal information and could be a form of self-incrimination.

“It isn’t about fingerprints and the biometric readers,” said Susan Brenner, a law professor at the University of Dayton who studies the nexus of digital technology and criminal law, but rather, “the contents of that phone, much of which will be about her, and a lot of that could be incriminating.”

In the Glendale case, the FBI wanted the fingerprint of Paytsar Bkhchadzhyan, a 29-year-old woman from L.A. with a string of criminal convictions who pleaded no contest to a felony count of identity theft.

She was sentenced in that case on Feb. 25 in a Van Nuys courtroom. Jail records and court documents show that about 45 minutes after Bkhchadzhyan was taken into custody, U.S. Magistrate Judge Alicia Rosenberg — sitting in a federal courtroom 17 miles away — signed off on the warrant for the defendant to press her finger on the phone.

By 1 p.m., an FBI agent specializing in cybercrimes took her print, according to court papers.

Why authorities wanted Bkhchadzhyan to unlock the phone is unclear. The phone was seized from a Glendale residence linked to Sevak Mesrobian, who according to a probation report was Bkhchadzhyan’s boyfriend and a member of the Armenian Power gang with the moniker of “40.” Asst. U.S. Atty. Vicki Chou said the search was part of an ongoing probe. She declined further comment.

Even with the limited outlines of the inquiry, Brenner said the act of compelling a person in custody to press her finger against a phone breached the 5th Amendment’s protection against self-incrimination. It forced Bkhchadzhyan to testify — without uttering a word — because by moving her finger and unlocking the phone, she authenticated its contents.

“By showing you opened the phone, you showed that you have control over it,” Brenner said. “It’s the same as if she went home and pulled out paper documents — she’s produced it.”

But Albert Gidari, the director of privacy at Stanford Law School’s Center for Internet and Society, said the action might not violate the 5th Amendment prohibition of self-incrimination.

“Unlike disclosing passcodes, you are not compelled to speak or say what’s ‘in your mind’ to law enforcement,” Gidari said. “‘Put your finger here’ is not testimonial or self-incriminating.”

The issue partly revolves around the prevailing legal stance toward fingerprints.

Law enforcement routinely obtains search warrants to examine property or monitor telecommunications, even swab inside an inmate’s mouth for DNA. But fingerprints have long remained in the class of evidence that doesn’t require a warrant, along with providing handwriting samples or standing in a lineup. Courts have categorized fingerprints as “real or physical evidence” sourced from the body, unlike communications or knowledge, which cannot be compelled without violating the 5th Amendment.

George M. Dery III, a lawyer and criminal justice professor at California State University, Fullerton, likened the warrant to the government’s request for a key.

“Before cell phones, much of this information would be found in a person’s home,” Dery said, noting that search warrants commonly authorize police to march into a home and seize evidence. “This has a warrant. Even though it is a big deal having someone open up their phone, they’ve gone to a judge and it means there’s a likelihood of criminal activity.”

Apple’s fingerprint sensor, known as Touch ID, is installed on phones and tablets rolled out after 2013, and the optional feature has a narrow window during which it is viable for an investigator. The Touch ID biometric reader cannot be used if the phone has not been unlocked for 48 hours. If a phone is restarted, or goes beyond the 48-hour window, only a passcode can open it.

Few courts have taken up the issue of whether a defendant can be forced to unlock his or her iPhone, either with a password or fingerprint.

In a Virginia trial court, David Charles Baust was accused of trying to strangle a woman in his bedroom, which was equipped with a video recording device that the victim said could have been linked to Baust’s phone. Investigators seized the phone via search warrant, but it could only be opened with a passcode or fingerprint reader.

In 2014, a judge said Baust could be compelled to provide his fingerprint to open a locked phone but could not be ordered to disclose a passcode. The judge reasoned that providing a fingerprint was akin to giving a key, while giving a passcode — stored in one’s mind — entailed revealing knowledge and therefore testifying. Baust was later acquitted.

George Mgdesyan, an attorney who has previously represented both Bkhchadzhyan and Mesrobian, said he was unsure why authorities were trying to unlock her phone. He said he was not representing Bkhchadzhyan in any federal criminal matter and believed the probe included hacking and possibly “other issues.”

The attorney denied that the search of Bkhchadzhyan’s phone was connected to Mesrobian, who has been held in North Kern State Prison since Feb. 12.

 **********

Hackers Who Stole Millions Of User Data From Gmail, Yahoo Tried To Sell It For Only $1

May 6th

Hundreds of millions of hacked usernames and passwords for email accounts and other websites are being traded in Russia’s criminal underworld, a security expert told Reuters.

The discovery of 272.3 million stolen accounts included a majority of users of Mail.ru, Russia’s most popular email service, and smaller fractions of Google, Yahoo and Microsoft email users, said Alex Holden, founder and chief information security officer of Hold Security.

It is one of the biggest stashes of stolen credentials to be uncovered since cyber-attacks hit major US banks and retailers two years ago.

Holden was previously instrumental in uncovering some of the world’s biggest known data breaches, affecting tens of millions of users at Adobe Systems, JPMorgan and Target and exposing them to subsequent cyber crimes.

The latest discovery came after Hold Security researchers found a young Russian hacker bragging in an online forum that he had collected and was ready to give away a far larger number of stolen credentials that ended up totalling 1.17 billion records.

After eliminating duplicates, Holden said, the cache contained nearly 57 million Mail.ru accounts – a big chunk of the 64 million monthly active email users Mail.ru said it had at the end of last year. It also included tens of millions of credentials for the world’s three big email providers, Gmail, Microsoft and Yahoo, plus hundreds of thousands of accounts at German and Chinese email providers.

“This information is potent. It is floating around in the underground and this person has shown he’s willing to give the data away to people who are nice to him,” said Holden, the former chief security officer at US brokerage RW Baird. “These credentials can be abused multiple times,” he said.

Less than $1
Mysteriously, the hacker asked just 50 roubles — less than $1 — for the entire trove, but gave up the dataset after Hold researchers agreed to post favourable comments about him in hacker forums, Holden said. He said his company’s policy is to refuse to pay for stolen data.

Such large-scale data breaches can be used to engineer further break-ins or phishing attacks by reaching the universe of contacts tied to each compromised account, multiplying the risks of financial theft or reputational damage across the web.

Hackers know users cling to favourite passwords, resisting admonitions to change credentials regularly and make them more complex. It’s why attackers reuse old passwords found on one account to try to break into other accounts of the same user.

After being informed of the potential breach of email credentials, Mail.ru said in a statement emailed to Reuters: “We are now checking, whether any combinations of usernames/passwords match users’ e-mails and are still active.

“As soon as we have enough information we will warn the users who might have been affected,” Mail.ru said in the email, adding that Mail.ru’s initial checks found no live combinations of usernames and passwords which match existing emails.

A Microsoft spokesman said stolen online credentials were an unfortunate reality. “Microsoft has security measures in place to detect account compromise and requires additional information to verify the account owner and help them regain sole access.”

Yahoo and Google did not respond to requests for comment.

Yahoo Mail credentials numbered 40 million, or 15 per cent of the 272 million unique IDs discovered. Meanwhile, 33 million, or 12 per cent, were Microsoft Hotmail accounts and 9 per cent, or nearly 24 million, were Gmail, according to Holden.

Thousands of other stolen username/password combinations appear to belong to employees of some of the largest US banking, manufacturing and retail companies, he said.

Stolen online account credentials are to blame for 22 per cent of big data breaches, according to a recent survey of 325 computer professionals by the Cloud Security Alliance.

In 2014, Holden, a Ukrainian-American who specializes in Eastern European cyber crime threats, uncovered a cache of 1.2 billion unique credentials that marked the world’s biggest-ever recovery of stolen accounts.

His firm studies cyber threats playing out in the forums and chatrooms that make up the criminal underground, speaking to hackers in their native languages while developing profiles of individual criminals.

Holden said efforts to identify the hacker spreading the current trove of data or the source or sources of the stolen accounts would have exposed the investigative methods of his researchers. Because the hacker vacuumed up data from many sources, researchers have dubbed him “The Collector”.

Ten days ago, Milwaukee-based Hold Security began informing organisations affected by the latest data breaches. The company’s policy is to return data it recovers at little or no cost to firms found to have been breached.

“This is stolen data, which is not ours to sell,” said Holden.

http://www.indiatimes.com/news/indi…ahoo-tried-to-sell-it-for-only-1_-254668.html

 **********

http://themerkle.com/category/news/security-news/

Using Tor Might Become “Illegal.”

Many consumers will argue that someone who has nothing to hide would have no need for anonymous software solutions such as Tor. However, given the limited number of privacy-centric options to browse the World Wide Web, Tor and similar tools are becoming more and more popular every month.

Unfortunately, that success has not gone unnoticed, as the US Supreme Court has approved a rule change that will shake things up like never before. By granting every federal magistrate judge the right to issue a warrant for anyone using Tor, anonymity on the Internet may become a serious offense. Moreover, if the US Congress does not take action to fight this ruling, it will go into effect as soon as December 2016.

As a result, the FBI can then legally search computers running Tor remotely, even if they have no idea where the machine is located or what it is being used for. Simply having anonymity software installed on a computer would be reason enough for the FBI to investigate that user to “combat cyber crime.”

This ruling approval comes on the heels of media headlines detailing how over 1 million consumers use Tor to access Facebook. For every single illegal use case for anonymity software, there are hundreds, if not thousands, of legal ones. If this ruling gets approved, many innocent users will be spied upon by the FBI for no reason whatsoever.

Moreover, this would allow the FBI to spy on Bitcoin users all over the world if they use Tor software to anonymize their wallets as well. Ever since the shutdown of Silk Road, law enforcement agencies have been looking at ways to track Bitcoin users’ identities on the dark web. While nothing has been set in stone yet, this ruling is a grave concern for privacy in the US and beyond.

**********

Hackers are using remote-control software Teamviewer to hijack PCs and drain PayPal accounts

Great reddit post on it:

TeamViewer has been hacked. They are denying everything and pointing fingers at the users.

http://bgr.com/2016/06/01/teamviewer-hack-security-break/

Teamviewer, a piece of software that people can use to remote-control PCs, appears to have been hacked. Numerous user reports have indicated that unknown third parties are taking control of PCs and trying to steal money, through services like PayPal or eBay. Needless to say, this looks bad.

Teamviewer has denied the allegations, but something’s definitely going on. Dozens of Reddit users are flooding the /r/teamviewer forum looking for advice, and one of my personal friends asked my advice after reporting something very similar.

The accounts on Reddit and from my friend all sound similar: someone takes remote access of a PC, and then signs into something like eBay, PayPal, or email services. It’s pretty obvious what is going on — Teamviewer isn’t a backdoor, but a remote control program, so the mouse moves around the screen like there’s an actual user controlling it.

Teamviewer claims it isn’t a problem with its system, but rather with users’ individual credentials. It’s certainly possible — with the recent LinkedIn security breach, there’s millions of email/password combos in the wild, and people are notorious for re-using logins across different sites and services.

But there’s also mounting evidence that it’s some kind of flaw in Teamviewer’s software. My friend claimed he used a unique password, and other users with two-factor authentication enabled have said that they have been hacked, which is virtually impossible if it’s just username/password combos being tried.

In a statement issued today but attributed to a week ago, Teamviewer denied any breach of its systems:

TeamViewer is appalled by any criminal activity; however, the source of the problem, according to our research, is careless use, not a potential security breach on TeamViewer’s side. Therefore TeamViewer underscores the following aspects:

  1. Neither was TeamViewer hacked nor is there a security hole
  2. TeamViewer is safe to use and has proper security measures in place
  3. Our evidence points to careless use as the cause of the reported issue
  4. A few easy steps will help prevent potential abuse

Something weird is going on, however: Teamviewer’s site was down for a few hours this morning, a problem the service attributed to a DNS problem.

While the breaches are being investigated, here’s a few things you can do to ensure any machine you’re running is safe.

  • Log out of your Teamviewer account on any machines running the service, so that access can’t be gained by a username/password combo.
  • Uninstall Teamviewer if you’re particularly paranoid (or, to be honest, if you’re not expressly using it right now).
  • Check the log, which can be found under Extras–>Open log files, and look for any unexpected incoming connections
  • Check your credit cards, PayPal and eBay accounts for suspicious activity
  • Change the password on your Teamviewer account, and check haveibeenpwned.com to see if your email has any known hacks that could reveal your password.

Whichever way you cut it, this doesn’t look good for Teamviewer. Remote-access software has to trade on the strength of unbreakable security; just the faintest hint that there’s a major security breach could kill the product.

**********
Google voice search records and keeps conversations people have around their phones – but the files can be deleted
Just talking is enough to activate the recordings – but thankfully there’s an easy way of hearing and deleting them

Some of your most intimate conversations might be sitting in a Google data centre somewhere

Google could have a record of everything you have said around it for years, and you can listen to it yourself.

The company quietly records many of the conversations that people have around its products.

The feature works as a way of letting people search with their voice, and storing those recordings presumably lets Google improve its language recognition tools as well as the results that it gives to people.

But it also comes with an easy way of listening to and deleting all of the information that it collects. That’s done through a special page that brings together the information that Google has on you.

It’s found by heading to Google’s history page and looking at the long list of recordings. The company has a specific audio page and another for activity on the web, which will show you everywhere Google has a record of you being on the internet.

The new portal was introduced in June 2015 and so has been active for the last year – meaning that it is now probably full of various things you have said, which you thought might have been in private.

The recordings can function as a kind of diary, reminding you of the various places and situations that you and your phone have been in. But it’s also a reminder of just how much information is collected about you, and how intimate that information can be.

You’ll see more if you have an Android phone, which can be activated at any time just by saying “OK, Google”. But you may well also have recordings on there from whatever devices you’ve used to interact with Google.

On the page, you can listen through all of the recordings. You can also see information about how the sound was recorded – whether it was through the Google app or elsewhere – as well as any transcription of what was said if Google has turned it into text successfully.

But perhaps the most useful – and least cringe-inducing – reason to visit the page is to delete everything from there, should you so wish. That can be done either by selecting specific recordings or deleting everything in one go.

To delete particular files, you can click the check box on the left and then move back to the top of the page and select “delete”. To get rid of everything, you can press the “More” button, select “Delete options” and then “Advanced” and click through.

The easiest way to stop Google recording everything is to turn off the virtual assistant and never to use voice search. But that solution also gets at the central problem of much privacy and data use today – doing so cuts off one of the most useful things about having an Android phone or using Google search.

http://www.independent.co.uk/life-s…d-their-phones-but-files-can-be-a7059376.html
