Tag Archive for: abuse

Security Experts Ask UK Government To Roll Back Old Computer Abuse Law That Harms Security Research


from the thirty-years-is-several-lifetimes-ago-in-computer-years dept

The US government passed the Computer Fraud and Abuse Act in 1986, years before computers became something everyone had at home and carried around in their pockets every day. The CFAA had a purpose, but its value declined as computing advanced. The abuse it was written to address took a backseat to abuses of the law itself: prosecutors and private companies used it to punish people for discovering security flaws or for using technology in ways nobody had anticipated.

The law has done more harm than good, criminalizing security research and providing a handy weapon for private companies to deploy against those who point out their security holes.

The same thing has been happening in the UK, thanks to a law that is only four years younger than the justifiably despised CFAA. As Matthew Field and Gareth Corfield report for The Telegraph, security experts are asking the incoming prime minister to put this ancient computer abuse law out of everyone’s misery.

Companies representing Britain’s £10bn cyber defence sector have asked Rishi Sunak and Liz Truss to rewrite the 30-year-old Computer Misuse Act, which they said is no longer fit for purpose.

The signatories include the Internet Services Providers’ Association, which represents BT, Virgin Media and Sky, London-listed cyber security company NCC Group and Ciaran Martin, the former head of Britain’s cyber security agency.

Passed in 1990, the Computer Misuse Act was written in response to the hacking of an early online viewdata service (BT’s Prestel), after the courts held that existing law did not cover the conduct. Like the CFAA, it was broadly written, presumably in hopes of addressing unforeseen computer crimes. Instead, it managed to criminalize research (both of the regular and the security variety) by making it an offence to engage in “unauthorised access to computer material.” Something that people do all the time (like, say, sharing passwords to a streaming account or, you know, probing for security flaws) is punishable with up to two years in prison for the basic access offence, and with up to ten years where the unauthorised act is done with intent to impair the operation of a computer.

The law needs to go. It’s incapable of addressing the current computer climate and its ability to criminalize any “unauthorized access” continues to harm…


Orange Park Man Pleads Guilty To Receipt Of Child Sex Abuse Images Over The Internet | USAO-MDFL


Jacksonville, Florida – United States Attorney Roger B. Handberg announces that Charles Lelande Boston (32, Orange Park) today pleaded guilty to receiving materials over the internet depicting the sexual abuse of children. Boston faces a minimum mandatory term of 5 years, and up to 20 years, in federal prison. Boston was arrested on August 12, 2021, and remains in custody. A sentencing hearing has not yet been scheduled.

According to the plea agreement, the Clay County Sheriff’s Office (CCSO) conducted an online investigation on a file-sharing network for files containing materials depicting the sexual abuse of children. In January, March, and April 2021, a CCSO detective connected with a computer that had files depicting the sexual abuse of children available online for sharing. Homeland Security Investigations and CCSO later executed a search warrant at the residence associated with that computer and Boston was determined to be the owner of the computer. An examination of Boston’s computer revealed a folder of downloaded files containing approximately 80 files depicting the sexual abuse of children.

This case was investigated by the Clay County Sheriff’s Office and Homeland Security Investigations. It is being prosecuted by Assistant United States Attorney Ashley Washington.

It is another case brought as part of Project Safe Childhood, a nationwide initiative launched in May 2006 by the Department of Justice to combat the growing epidemic of child sexual exploitation and abuse. Led by the United States Attorneys’ Offices and the Criminal Division’s Child Exploitation and Obscenity Section, Project Safe Childhood marshals federal, state, and local resources to locate, apprehend, and prosecute individuals who sexually exploit children, and to identify and rescue victims. For more information about Project Safe Childhood, please visit www.justice.gov/psc.


Government Databases Invite Privacy Abuse in China and the U.S.


As snoop-tastic as China’s regime is, it’s tempting to gloat a bit when the country suffers a massive data breach of its own that dwarfs the leaks it inflicts on other countries. But regular Chinese citizens have been compromised, not just the government officials who spy on their own people and hack into foreign databases. More remarkably, this is only one of many incidents that illustrate the dangers of the surveillance state’s appetite for gathering and hoarding sensitive information under any flag.

“A massive online database apparently containing the personal information of up to one billion Chinese citizens was left unsecured and publicly accessible for more than a year – until an anonymous user in a hacker forum offered to sell the data and brought it to wider attention last week,” CNN reported July 5.

That a massive treasure trove of personal details was placed online with minimal protection, reportedly by Shanghai’s police, makes an awful sort of sense. China’s regime has little regard for anybody’s privacy and is imposing an increasingly sophisticated surveillance-and-control state. Why wouldn’t officials prioritize their own ease of access over concerns about identity theft and the personal fallout from sticking data that includes criminal records online?

Then again, you’d think China’s officialdom might be a little more security-conscious given how much effort they expend on stealing other people’s data.

In May 2014, the U.S. Justice Department charged Chinese military hackers with spying on American corporations. Months later, news reports revealed that hackers working for the Chinese government penetrated U.S. government servers looking for information on federal employees.

In July 2020, the feds indicted more Chinese government hackers for their part in “a hacking campaign lasting more than 10 years to the present, targeting companies in countries with high technology industries, including the United States, Australia, Belgium, Germany, Japan, Lithuania, the Netherlands, Spain, South Korea, Sweden, and the United Kingdom.” In September of the same year, the U.S. Cybersecurity and Infrastructure Security Agency announced that hackers…


DOJ Clarifies Policy on Charging Computer Fraud and Abuse Act


On May 19, 2022, the Department of Justice (“DOJ”) announced significant clarifications to its policy on charging Computer Fraud and Abuse Act (“CFAA”) violations that give some comfort to cyber security consultants who engage in network testing and related operations, activity that has long been a gray area for “white hat” hackers. The policy governs federal charging decisions only: it does not amend the statute, bind the courts, or limit civil suits under the CFAA or prosecutions under state computer-crime laws.

The CFAA, 18 U.S.C. § 1030, provides the government with the authority to prosecute cyber-based crimes by making it a crime to “intentionally access[ ] a computer without authorization or exceed[ ] authorized access and thereby obtain[ ] (A) information contained in a financial record of a financial institution…(B) information from any department or agency of the United States; or, (C) information from any protected computer.” Most computers have the potential to fall under Section 1030’s definition of a “protected computer,” which includes any computer “used in or affecting interstate or foreign commerce or communication.” The new guidance reflects an evolving view of how the statute should be enforced, with the aim of leaving the public safer overall. In this regard, the DOJ directive expressly states that good faith security research should not be prosecuted.

Good faith security research is defined by the DOJ as “accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability.” The update further clarifies that “such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.”

The updated policy further explains that calling an activity “research” does not by itself make it good faith. For example, discovering security flaws in devices in order to extort the owners of those devices is not good-faith security research, even if it is presented as research. This…
