Tag Archive for: abuse

Supreme Court Limits The Scope Of Computer Fraud And Abuse Act




In a long-awaited opinion, the Supreme Court recently resolved a
circuit split regarding the proper interpretation of a statute
implicated in many post-employment disputes. Since its enactment,
federal courts of appeal have been divided over the proper
interpretation of the phrase “exceeds authorized access”
under the Computer Fraud and Abuse Act (“CFAA”), a
primarily criminal statute that also includes a civil cause of
action where an individual accesses a protected computer without
authorization or exceeds authorized access. Some courts have held
that the “exceeds authorized access” requirement only
applies where the individual was authorized to access the computer
itself but not the particular files or information that are the
subject of the dispute. Conversely, the
majority of federal appellate courts have interpreted the phrase to
mean that an individual exceeds authorized access where they are
permitted to access the files or information but only for specified
purposes, typically business purposes. For example, many employers
have instituted computer usage policies that limit an
employee’s authorized access to company documents for the
purpose of performing their employment duties. As a result, a
common CFAA fact pattern involves a so-called disloyal employee
exceeding their authorized access by…


Internet Security Apps Called Out for Personal Data Abuse


When you download a mobile app designed to keep you safe online, you probably don’t expect it to abuse your personal data.

But that’s exactly what many of China’s most popular mobile security apps are doing, according to a new announcement (link in Chinese) by the country’s internet regulator.

Some 36 security apps, including those developed by internet titans Tencent Holdings Ltd., Baidu Inc. and Qihoo 360 Technology Co. Ltd., are guilty of illegally obtaining data without users’ consent, collecting more information than they need to operate, and demanding excessive numbers of permissions, according to the notice, which was published Monday.

The document singled out a further 48 online lending apps for similar violations, including those developed by the personal finance arms of ride-hailing giant Didi Chuxing, Alibaba Group Holding Ltd.’s e-commerce site Taobao, Ping An Insurance Group Co. of China Ltd. and several national banks.

Data privacy is a long-running problem in China, which lacks robust laws and regulations governing the collection and use of personal information.

A flagship data protection law is in the works, but remains in the draft stage amid debate over how it would affect both businesses and individuals.

For now, Chinese authorities largely content themselves with naming and shaming — and sometimes removing (link in Chinese) — apps that violate user privacy.

The companies on the latest naughty list have 15 working days to clean up their act or face legal punishment, the regulator said, without being specific.

Contact reporter Matthew Walsh


DDoS booters now abuse DTLS servers to amplify attacks



DDoS-for-hire services are now actively abusing misconfigured or out-of-date Datagram Transport Layer Security (D/TLS) servers to amplify Distributed Denial of Service (DDoS) attacks.

DTLS is a UDP-based version of the Transport Layer Security (TLS) protocol that prevents eavesdropping and tampering in delay-sensitive apps and services.

Already abused in single and multi-vector DDoS attacks

According to reports that surfaced in December, a DDoS attack used DTLS to amplify traffic from vulnerable Citrix ADC devices whose DTLS configurations lacked the ‘HelloClientVerify’ anti-spoofing mechanism designed to block such abuse.

DDoS attacks using DTLS can reach an amplification factor of 35, according to German DDoS protection vendor Link11, or an amplification ratio of 37.34:1, based on information from DDoS mitigation firm Netscout.

Citrix released a fix to remove the amplification vector on affected NetScaler ADC devices in January, adding a ‘HelloVerifyRequest’ setting to remove the attack vector.

However, two months later, Netscout said that more than 4,200 DTLS servers are still reachable over the Internet and ripe for abuse in reflection/amplification DDoS attacks.

Netscout has observed single-vector DTLS amplification DDoS attacks up to roughly 44.6 Gbps and multi-vector attacks of up to ~206.9 Gbps.
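The reflection pattern described above shows up in ordinary flow telemetry: a DTLS server on UDP/443 that sends far more bytes to a peer than it receives from that peer is answering small requests with large responses, and in an attack the "peer" is the spoofed victim. The following Python is an added example (not code from the article, Netscout, Link11 or Citrix) that an operator of an ADC or other DTLS endpoint could run over exported flow records to spot that asymmetry. The flow lines, IP addresses and the 10:1 alert threshold are constructed assumptions; the 37.34:1 figure is the ratio Netscout reported.

```python
"""Flag likely DTLS reflection/amplification from simple flow records.

Constructed example: the flow lines below are invented for illustration,
not captured data. A DTLS server (UDP/443) that sends far more bytes to a
peer than it receives from it matches the reflection pattern the article
describes; 37.34:1 is the amplification ratio Netscout published.
"""
from collections import defaultdict

DTLS_PORT = 443          # DTLS on ADC appliances is commonly exposed on UDP/443
REPORTED_RATIO = 37.34   # amplification ratio reported by Netscout (from the article)
ALERT_RATIO = 10.0       # assumed threshold; a benign DTLS exchange is close to 1:1

# Constructed flow records: src_ip,src_port,dst_ip,dst_port,proto,bytes
# First pair: a normal client handshake (near 1:1).
# Remaining lines: small requests answered with large responses, i.e. the
# server is reflecting amplified traffic toward 198.51.100.7 (the spoofed victim).
FLOWS = """\
203.0.113.10,52000,192.0.2.5,443,udp,90
192.0.2.5,443,203.0.113.10,52000,udp,95
198.51.100.7,61000,192.0.2.5,443,udp,50
192.0.2.5,443,198.51.100.7,61000,udp,1867
198.51.100.7,61000,192.0.2.5,443,udp,50
192.0.2.5,443,198.51.100.7,61000,udp,1867
"""


def parse_flows(text):
    """Parse the CSV flow export into (src, sport, dst, dport, proto, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, sport, dst, dport, proto, nbytes = line.split(",")
        records.append((src, int(sport), dst, int(dport), proto, int(nbytes)))
    return records


def amplification_by_peer(records, server_port=DTLS_PORT):
    """Return {(server, peer): (bytes_in, bytes_out, ratio)} for UDP flows on server_port.

    bytes_in  = bytes the peer sent to the server's DTLS port
    bytes_out = bytes the server's DTLS port sent back to that peer
    ratio     = bytes_out / bytes_in (inf if the server only ever sends)
    """
    inbound = defaultdict(int)
    outbound = defaultdict(int)
    for src, sport, dst, dport, proto, nbytes in records:
        if proto != "udp":
            continue
        if dport == server_port:
            inbound[(dst, src)] += nbytes      # key is (server, peer)
        elif sport == server_port:
            outbound[(src, dst)] += nbytes     # key is (server, peer)
    result = {}
    for key in set(inbound) | set(outbound):
        i, o = inbound[key], outbound[key]
        ratio = o / i if i else float("inf")
        result[key] = (i, o, round(ratio, 2))
    return result


def suspected_reflections(records, alert_ratio=ALERT_RATIO):
    """Return the (server, peer) pairs whose response/request byte ratio meets the threshold."""
    return sorted(
        key for key, (_, _, ratio) in amplification_by_peer(records).items()
        if ratio >= alert_ratio
    )


if __name__ == "__main__":
    recs = parse_flows(FLOWS)
    for (server, peer), (i, o, ratio) in sorted(amplification_by_peer(recs).items()):
        flag = "REFLECTION?" if ratio >= ALERT_RATIO else "ok"
        print(f"{server} -> {peer}: in={i}B out={o}B ratio={ratio}:1 ({flag})")
    print("peers at or above the reported ratio:",
          [k for k, (_, _, r) in amplification_by_peer(recs).items() if r >= REPORTED_RATIO])
```

A ratio well above 1:1 on a DTLS port is the signal to check whether the server still answers a bare ClientHello without the HelloVerifyRequest cookie exchange the article says Citrix added; once that exchange is enforced, unsolicited responses to spoofed sources shrink to a small stateless reply and the ratio collapses.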

Adopted by DDoS booter services

DDoS-for-hire platforms, also known as stressers or booters, are now also using DTLS as an amplification vector, which puts it in the hands of less sophisticated attackers.

Booter services are used by threat actors, pranksters, or hacktivists without the time or skills to build their own DDoS infrastructure.

They rent stresser services to launch DDoS attacks triggering a denial of service that commonly brings down targeted servers or sites or causes various levels of disruption.

“As is routinely the case with newer DDoS attack vectors, it appears that after an initial period of employment by advanced attackers with access to bespoke DDoS attack infrastructure, D/TLS reflection/amplification has been weaponized and added to the arsenals of so-called ‘booter/stresser’ DDoS-for-hire services, placing it within the reach of the general…


CFAA 101: A Computer Fraud & Abuse Act Primer for InfoSec Pros

From WarGames, to Aaron Swartz, to bug bounties, to Van Buren, here’s what cybersecurity researchers should know about the US’s primary anti-hacking law before it gets its day in the Supreme Court.