Category Archives: Hacking

Corsairs and Cyber Pirates: Should We Consider Bringing Back Letters of Marque?

Posted on by

The Wall Street Journal recently published an article entitled A Maritime Solution for Cyber Piracy which grabbed my attention. The author, a lawyer who used to work for the Air Force, suggests we may want to look into the concept of letters of marque so as to shore-up the U.S.’s cyber-defences.

Such “letters of marque” (also called letters of permission or of commission) involved a license (permission) granted by the U.S. government empowering certain citizens or groups to participate directly to the defence of commerce or of the nation itself. Though common a few hundred years ago in Europe (and later around America), such permission largely disappeared in the 19th century, as countries acquired navies capable of policing sea lanes without having to resort of privateers to do so. For a time, though, the idea of “privateers” (or “corsairs”) sinking or capturing enemy (or pirate) ships in exchange for reward was fairly commonplace. Faced with security issues they could not deal with themselves, many countries compromised by asking private parties to do what they could not, often with the promise of a bounty or rewards to get the job done.

Recent high-profile cybersecurity incidents seem to indicate we may collectively be faced with a situation somewhat akin to that faced by the U.S. in the 19th century, at a time when the government was unable to itself deal with the nation’s security. Could it be that rampant cybercrime has brought about a similar situation? An argument to that effect can certainly be made.

Interestingly enough, the fact that the NSA is prohibited from watching domestic networks too closely may militate in favour of this idea, so as to fill the gap, so to speak. If the main watchdog cannot act once cyberpirates have penetrated targets in America, one might argue we need help that private parties may be especially well positioned to provide.

Given the growing threat of cyberpiracy, including to some important infrastructure (such as the pipeline recently shut down by a ransomware attack), the author argues that we may want to start looking at the concept of letters of marque. Given the apparent inability of the U.S. government to stop the threat, one might argue it may be time to try and incentive private citizens and businesses to report and go after cybercriminals.

Interesting idea, no doubt. One has to admit we definitely seem to be in need of a new set of solutions if we hope to manage to tackle the issues relating to cybersecurity in a proactive manner. Though I’m not sure how this may work in practice, I think it may indeed be time to start incentivizing private parties to help our collective efforts to thwart cybercriminals.

Alleged Flaws in Cellebrite UFED May Allow Throwing Out of Locked Smartphones Evidence

Posted on by

It is inevitable in today’s world that law enforcement is sometimes faced with mobile devices that a suspect locked prior to their seizure by authorities. Locking your devices is good common sense security: This goes for you and I, and, yes, for criminals. As a result, the police will sometimes need to break the encryption on such mobile devices in order to get to the data within, either for investigative or evidentiary purposes. That’s when tools such as Cellebrite UFED come into play. By using UFED, law enforcement can break into otherwise secure devices, such as iPhone smartphones, and get to the data within.

Unfortunately for the prosecution side, someone recently obtained access to UFED and analyzed its security features. These were found to be, shall we say, lacking. Indeed, according to Moxie Marlinspike (creator of the Signal app), ironically, cybersecurity isn’t exactly UFED’s strong suit. In fact, according to his report, after looking at the product, he believes this tool’s security is so weak that even scanning a booby-trapped device may result in an alteration of the data that was or is later extracted using UFED.

In short, in their efforts to secure some evidence, it seems that some police forces are using a tool whose reliability may be called into question. Indeed, if the tool at issue cannot be counted on to provide data that is a reliable record of what really was found in a particular device, should such evidence not be thrown out?

Legally, the fact that a tool used to extract information is prone to tampering may not bode well for convictions obtained on the basis of the resulting evidence, at least if the vulnerabilities reported by Moxie Marlinspike can be substantiated. Some American defense attorneys intend to argue against convictions secured by the authorities based on evidence extracted from locked smartphones. This could lead to the need for new trials in some cases.

UFED is apparently used by many law-enforcement agencies throughout the world. We don’t yet know how many convictions this inconvenient revelation may eventually allow defence attorneys to call into question.

This is yet another example of the perpetually problematic relationship between cybersecurity and the law.

Court Order Allows FBI to Close Backdoors on Hundreds of Third-Party Exchange Servers

Posted on by

The media reported yesterday that a Texas court recently allowed the FBI to access third-party email servers through the Internet, for the purpose of removing backdoors left by hackers over the past weeks. The goal: eliminate backdoors left in Exchange servers after hackers exploited recently discovered vulnerabilities. This is a first, as American authorities are dealing with cyberattacks that seem to grow more and more sophisticated, including because of state-sponsored hackers from abroad, in particular from China.

As you may remember, since March, criminal hackers have been using four vulnerabilities that allow them to penetrate email servers running Exchange, including to access emails, etc. The resulting intrusions also allowed hackers to obtain trade secrets and install ransomware on the computer systems of some companies.

Even though Microsoft has updated Exchange since, many businesses have yet to implement the updates. Worse yet, even companies that do patch their servers may still be exposed, as their networks may have been penetrated in a manner that allowed intruders to install backdoors that remain, even after the Exchange server is been updated to remove the four vulnerabilities at issue.

To help American businesses deal with this problem, the Justice Department recently obtained a court order allowing the FBI to access servers on which backdoors were so installed, through the Internet, so as to eliminate those backdoors. This is a good example of the perceived need, for law enforcement, to be allowed to start using legal means that go beyond simply enforcing the law, opting for a more proactive approach. To my knowledge, Canadian authorities have yet to go this far in their attempt to tackle cybersecurity issues.