Tag Archive for: reading

Making Sense of RFCs: Reading List


If you’re looking for resources to help you learn about the world of cybersecurity, here are the 7 RFCs Roxy, Hurricane Labs’ Director of Compliance, recommends you start with. Looking for more details? Check out their webinar, Making Sense of RFCs!

The List

1. RFC 2196 Site Security Handbook

RFC 2196 (Site Security Handbook) “is a guide to developing computer security policies and procedures for sites that have systems on the Internet.” It goes over, in detail, such topics as why you’d want a security policy and how to handle incident response.


2. RFC 2504 Users’ Security Handbook

Even though it was written in 1999, RFC 2504 (Users’ Security Handbook) has advice that still hasn’t aged much, such as “How to Prepare for the Worst in Advance” and “Encrypt Everything… Shred Everything Else.”

3. RFC 6274 Security Assessment of IPv4

Written in 2011, RFC 6274 (Security Assessment of IPv4) uses several RFCs as sources and fully describes IPv4 and considers the security of its features. It includes known issues that have not previously been addressed by other RFCs.

4. RFC 6454 The Web Origin Concept

RFC 6454 mentions security implications of the same-origin policy. Web Origin is, according to Mozilla, “defined by the scheme (protocol), hostname (domain), and port of the URL used to access it. Two objects have the same origin only when the scheme, hostname, and port all match.”

5. RFC 9110 HTTP Semantics

Just released this week, RFC 9110 (HTTP Semantics) obsoletes most of the HTTP RFCs mentioned in our webinar. It explains the “Core Semantics” of HTTP, regardless of version, which are important to understand when observing and working with HTTP traffic. There are also new RFCs for HTTP 1.1 (9112), HTTP 2 (9113), and HTTP 3 (9114).

Table 1 from RFC 9110 shows all the RFCs it obsoletes:


SCOTUS Favors Narrower Reading of CFAA


A significant opinion concerning computer security was one of those the United States Supreme Court (“SCOTUS”) issued during its end-of-term flurry this year.  Employers and others who permit computer access to sensitive information for business or other defined purposes may want to take note. Spoiler alert:  the opinion undercuts use of the Computer Fraud and Abuse Act of 1986 (“CFAA”), 18 U.S.C. §1030 et seq., to obtain federal jurisdiction in employer-employee disputes. (As a practical matter, the Defend Trade Secrets Act of 2016 had already filled the gap for many circumstances).

As we reported here last December shortly after the oral argument, SCOTUS accepted certiorari for Van Buren v. United States, No. 19-783, a case from the Court of Appeals for the Eleventh Circuit requiring interpretation of a specific part of the CFAA, a federal anti-hacking statute which generally prohibits obtaining or altering computer information without authorization, or by exceeding authorized access. SCOTUS has now reversed the Eleventh Circuit judgment, holding that the CFAA “covers those who obtain information from particular areas in the computer – such as files, folders, or databases – to which their computer access does not extend. It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them.” Van Buren v. United States, 593 U.S. ___, [at 1] (2021).

In other words, SCOTUS settled upon the narrower of the proffered readings of the CFAA, such that a smaller sphere of behaviors will be found to violate the statute. The decision suggests that, in order to maintain the possibility of a CFAA action, which confers federal jurisdiction, as part of its available arsenal to protect confidential information, a wise employer will review its computer use policies with special attention to which computer databases, files, and folders employees and other users are entitled, or permitted, to access for any purpose.

The critical question before SCOTUS in Van Buren was how to interpret the phrase “exceeds authorized access” in the statute, which provides for criminal penalties…


Supreme Court Issues Radical New Reading of Anti-Hacking Law



Morning commuters walk by The U.S. Supreme Court building May 24, 2021 in Washington, DC.
Photo: Anna Moneymaker (Getty Images)

The U.S. Supreme Court on Thursday said a Georgia police officer had not violated the country’s main anti-hacking law by improperly accessing a government database for financial gain, a decision likely to curtail prosecutions under the Computer Fraud and Abuse Act (CFAA) of individuals who misuse computer systems to which they have legal access.

The police officer, Nathan Van Buren, was arrested and charged under the 1986 law after accepting payment from an FBI informant to search a law enforcement database of license plate information. The government charged Van Buren with violating the CFAA, which prohibits people from knowingly “exceeding” their “authorized access” to a computer system.

The ruling is widely viewed as a win for criminal defense lawyers who’ve long criticized the statute as overly ambiguous and who’ve accused prosecutors of employing an overly expansive interpretation. The government has previously brought charges under the CFAA against people accused of violating corporate computer policies and website terms of service.

The ruling is “an important victory for civil liberties and civil rights enforcement in the digital age,” the American Civil Liberties Union said.

In its 6-3 decision, the Supreme Court found Van Buren’s use of the license plate database—however improper—was not “unauthorized,” insofar as the CFAA is concerned.

“In sum, an individual ‘exceeds authorized access’ when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him,” the court’s opinion, delivered by Justice Amy Coney Barrett, says.

Barrett went on to note the government has never argued that Van Buren was prohibited from accessing the database, even if his motives for doing so, in this case, were immoral. “The only question is whether Van Buren could use the system to retrieve license-plate information. Both sides agree that he could,” she wrote.

Justices Clarence Thomas,…


Why You Should Stop Apple ‘Secretly’ Reading Your iMessages


So, what’s going on with iMessage? How come its end-to-end encryption can be compromised by Apple to access user content? Surely, messages are either end-to-end encrypted or they’re not—is that not the entire point?

But Apple can access iMessage content despite those messages being protected by the company’s end-to-end encrypted architecture. As Forbes reported earlier this year, Apple can decrypt and provide iMessages to law enforcement when required.

While many argue that breaking end-to-end encryption to support law enforcement is justifiable, the problem is that any spare key or a backdoor is a security weakness. Content is either end-to-end encrypted or it’s not. It really is that simple. This is the debate now raging between governments and tech on the future of encryption.

“iMessage users may wrongly believe that their communication is private,” ESET’s Jake Moore warns, “but with access granted from just a backup being created, it somehow defeats its success in protection.” And he should know, as a former digital forensics police investigator. “Messaging platforms often mention privacy at the core of their design, but backdoor access can come from a small number of directions.”

In contrast to iMessage, Signal cannot provide user content, however forcibly it’s requested by governments or agencies. Even WhatsApp cannot break its own encryption, although cloud backups of WhatsApp chats can be accessed.

“Who polices those with access to the backdoor?” Immersive Labs’ Sean Wright asks. “How do we ensure it’s not misused? Is the process going to be transparent?”

When it comes to Apple, the situation is complex. With just a simple setting change on your phone, you can make it impossible for Apple to access your iMessages and vastly improve the security of all that private information.

The problem is cloud backups, of course. With WhatsApp, users can enable or disable a cloud backup to restore their chat histories if they lose or change their phones. Those backups are outside the platform’s end-to-end encryption. And while it seems that this may be fixed in some future release, right now the only option is to…
