Tag Archive for: DOJ

DOJ Announces It Will Not Charge CFAA Violations for Good-Faith Security Research | Seyfarth Shaw LLP


The Department of Justice recently announced a revision of its policy concerning charging violations of the Computer Fraud and Abuse Act (the “CFAA”). Following recent decisions from the Supreme Court and appellate courts that seemingly narrow the scope of civil liability under the CFAA, the DOJ’s new policy may likewise limit criminal prosecutions under the law.

As regular readers of this blog are well aware, the CFAA provides that “[w]hoever … intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information from any protected computer … shall be punished” by fine or imprisonment. The DOJ’s announced policy, however, now directs that “good-faith security research” should not be charged. “Good faith security research” means “accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.”

The new policy highlights the DOJ’s goal of promoting privacy and cybersecurity by upholding the legal rights of individuals and network owners to ensure the confidentiality and availability of information stored in their information systems. Thus, the DOJ will consider several factors in determining whether a CFAA prosecution should be pursued, including

  1. the sensitivity of the affected computer system and harm associated with unauthorized access;
  2. concerns pertaining to national security, critical infrastructure, public health and safety, market integrity, international relations, or other considerations having broad impact on national economic interests;
  3. whether the activity was in furtherance of a larger criminal endeavor or posed a risk of bodily harm or a threat to national security;
  4. the impact of the crime and prosecution on third parties;
  5. the deterrent value of an investigation or…


How DOJ took the malware fight into your computer


“We have gotten more comfortable, as a government, taking that step,” Adam Hickey, a deputy assistant attorney general for national security, said in an interview at the RSA cybersecurity conference in San Francisco.

The latest example of this approach came in April, when U.S. authorities wiped malware off of hacked servers used to control a Russian intelligence agency’s botnet, preventing the botnet’s operators from sending instructions to the thousands of devices they had infected. A year earlier, the Justice Department used an even more expansive version of the same technique to send commands to hundreds of computers across the country that were running Microsoft’s Exchange email software, removing malware planted by Chinese government agents and other hackers.

In both cases, federal prosecutors obtained court orders allowing them to access the infected devices and execute code that erased the malware. In their applications for these orders, prosecutors noted that government warnings to affected users had failed to fix the problems, thus necessitating more direct intervention.

Unlike in years past, when botnet takedowns prompted extensive debates about the propriety of such direct intervention, the backlash to these recent operations was limited. One prominent digital privacy advocate, Alan Butler of the Electronic Privacy Information Center, said malware removals required close judicial scrutiny but acknowledged that there was often good reason for them.

Still, DOJ officials said they see surreptitiously taking control of American computers as a last resort.

“You can understand why we should be appropriately cautious before we touch any private computer system, much less the system of an innocent third party,” Hickey said.

Bryan Vorndran, who leads the FBI’s Cyber Division, said in an interview at RSA that the government’s approach is to “move from least intrusive to most intrusive.”

In the early days of action against botnets, beginning with a 2011 takedown of a network called Coreflood, senior government officials were reluctant to push the limits of their powers.

“With Coreflood, it was, ‘Okay, you can stop the malware, but we’re not going to…


DOJ Clarifies Policy on Charging Computer Fraud and Abuse Act


On May 19, 2022, the Department of Justice (“DOJ”) announced significant clarifications to its policy on charging Computer Fraud and Abuse Act (“CFAA”) violations that give some comfort to cybersecurity consultants who engage in network testing and related operations. Such activity has long been a gray area for “white hat” hackers.

The CFAA, 18 U.S.C. § 1030, provides the government with the authority to prosecute cyber-based crimes by making it a crime to “intentionally access[ ] a computer without authorization or exceed[ ] authorized access and thereby obtain[ ] (A) information contained in a financial record of a financial institution…(B) information from any department or agency of the United States; or, (C) information from any protected computer.” Most computers have the potential to fall under Section 1030’s definition of a “protected computer,” which includes any computer “used in or affecting interstate or foreign commerce or communication.” The new guidance demonstrates an evolving view of how the statute should be enforced, with the ultimate aim of leaving the public safer as an overall result of government action. In this regard, the DOJ directive expressly states that good faith security research should not be prosecuted.

Good faith security research is defined by the DOJ as “accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability.” The update further clarifies that “such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.”

The updated policy further explains that, generally speaking, security research is not per se conducted in good faith. For example, research conducted for the purpose of identifying security flaws in devices and then profiting from the owners of such devices does not constitute security research in good faith. This…


DOJ Says Cardiologist Created, Distributed Ransomware


Heart doctor and self-taught cybercriminal created and distributed ransomware.


According to the U.S. Department of Justice (DOJ), 55-year-old cardiologist Dr. Moises Luis Zagala Gonzalez MD, of New York, has been charged with creating and distributing ransomware equipped with a “doomsday clock” and sharing in profits from attacks. Zagala also goes by the names “Nosophoros,” “Aesculapius,” and “Nebuchadnezzar.” He is a citizen of France and Venezuela and currently lives in Ciudad Bolivar, Venezuela.

U.S. authorities have alleged that in 2019 the cardiologist began marketing a new online tool he created, a “Private Ransomware Builder” named “Thanos.” He likely named the ransomware after the fictional character Thanos, who is responsible for destroying half of all life in the universe, as well as “Thanatos” from Greek mythology, who is associated with death. Users of the illicit software can access “Recovery Information,” which allows them to build a customized ransom note, distribute it to victims, and set up an account to receive Bitcoin payments. They can also use the “data stealer,” which allows them to steal certain files from victims once a computer is infected, or an “anti-VM” option to defeat security protocols. The software also allows users to create their own versions for personal use or to rent to other cybercriminals.


Moreover, Zagala created a ransomware tool, called “Jigsaw v. 2,” which included a doomsday counter that kept track of how many times a victim tried to remove the ransomware from a PC. “If the user kills the ransomware too many times, then it’s clear he won’t pay so better erase the whole hard drive,” Zagala wrote to his customers. The program comes with a self-delete option to do just this. The name “Jigsaw” may refer to the mastermind behind the sadistic games in the Saw movies.

Breon Peace, U.S. attorney for the Eastern District of New York, said, “As alleged, the multi-tasking doctor treated patients, created and named his cyber tool after death, profited from a global ransomware ecosystem in which he sold the tools for…
