The FCC just passed sweeping new rules to protect your online privacy

Federal regulators have approved unprecedented new rules to ensure broadband providers do not abuse their customers’ app usage and browsing history, mobile location data and other sensitive personal information generated while using the Internet.

The rules, passed Thursday in a 3-to-2 vote by the Federal Communications Commission, require Internet providers, such as Comcast and Verizon, to obtain their customers’ explicit consent before using or sharing that behavioral data with third parties, such as marketing firms.

Also covered by that requirement are health data, financial information, Social Security numbers and the content of emails and other digital messages. The measure allows the FCC to impose the opt-in rule on other types of information in the future, but certain types of data, such as a customer’s IP address and device identifier, are not subject to the opt-in requirement. The rules also force service providers to tell consumers clearly what data they collect and why, as well as to take steps to notify customers of data breaches.

“It’s the consumers’ information,” said FCC Chairman Tom Wheeler. “How it is used should be the consumers’ choice. Not the choice of some corporate algorithm.”

In the near term, what consumers see and experience on the Web is unlikely to change as a result of the rules; targeted advertising has become a staple of the Internet economy and will not be going away. But the regulations may lead to new ways in which consumers can control their Internet providers’ business practices. That could mean dialogue boxes, new websites with updated privacy policies or other means of interaction with companies.

The fresh regulations come as Internet providers race to turn their customers’ behavioral data into opportunities to sell targeted advertising. No longer content to be the conduits to websites, social media and online video, broadband companies increasingly view the information they collect on users as they traverse the Web as a source of revenue in itself.

With its move, the FCC is seeking to bring Internet providers’ conduct in line with that of traditional telephone companies that have historically obeyed strict prohibitions on the unauthorized use or sale of call data.

But the Internet era has brought new challenges, in some cases creating different categories of personal information — and ways to use it — that did not exist in the telephone era. And as the line increasingly blurs between traditional network operators and online content companies, regulators have struggled to keep pace.

For example, Verizon’s acquisition of AOL and potential purchase of Yahoo are both aimed at monetizing Internet usage beyond the straightforward sale of broadband access.

With greater insights into customer behavior, the company could market additional services or content to its wireless subscribers as part of a bundle, policy analysts say. That arrangement could allow Verizon to effectively earn money twice from the same subscriber — once for the data plan, and then again when the customer consumes Verizon-affiliated content.

Although Thursday’s vote by the FCC requires companies, such as Verizon, to obtain explicit permission from consumers when they share sensitive personal data with outside firms, it does not require broadband providers to ask permission before using the data themselves in certain ways — such as providing broadband service.

For instance, Verizon would be able to use a wireless subscriber’s usage history to recommend purchasing a larger mobile data plan. It could also use the customer’s information to market its home Internet service, Verizon FiOS, even though FiOS is a separate product operated by a different part of the company. In neither case would Verizon have to ask for the subscriber’s affirmative consent.

But Verizon would have to allow consumers the chance to opt out of having their usage history shared with other Verizon businesses that do not sell communications services, such as AOL or Yahoo, according to the rules.

Consumer advocates say it’s a step in the right direction, even if they would have preferred stricter requirements.

“It’s not so far off the mark that it guts the provision,” said Harold Feld, a senior vice president at the consumer advocacy group Public Knowledge. “It still provides sufficient protections for consumers to regard this as a positive step.”

A trade association for the cable industry criticized the regulations Thursday as “profoundly disappointing.”

“Today’s result speaks more to regulatory opportunism than reasoned policy,” said the NCTA — The Internet & Television Association.

The FCC measure also received pushback from Internet providers in the run-up to the vote, over complaints that telecom companies would now be treated differently from websites, such as Google and Facebook, which also use personal data for advertising purposes on a tremendous scale.

“There is no sound reason to subject broadband providers to a different set of rules than other Internet companies,” wrote AT&T in a regulatory filing last week. “This would … deny broadband providers the same opportunity other Internet companies have to participate in the fast-growing digital advertising market.”

But the FCC may have little jurisdiction — or appetite — for regulating the data practices of individual Web companies; Wheeler has repeatedly declined to extend new regulations to the sector.

Republican officials at the FCC opposed the new privacy rules, saying the different expectations for Internet providers and websites will create confusion among consumers.

“If the FCC truly believes that these new rules are necessary to protect consumer privacy, then the government now must move forward to ensure uniform regulation of all companies in the Internet ecosystem at the new baseline the FCC has set,” said FCC Commissioner Ajit Pai, who suggested that the Federal Trade Commission could accomplish the task.

Opponents of the rules have called them an unlawful use of FCC power, setting the stage for a potential lawsuit by the broadband industry to overturn the privacy regulations. Michael O’Rielly, a Republican FCC commissioner, said Thursday that he expects “extensive” legal challenges to the rules.

He also added the rules may have “unintended consequences.” For example, he said, it is unclear how the FCC’s privacy regulations will address a burgeoning Internet of Things — the name for a growing class of connected devices such as thermostats, refrigerators and even automobiles. How Internet providers can use and share the data generated by those appliances will remain an open question, O’Rielly said.

Brian Fung covers technology for The Washington Post


About Censys

Censys is a search engine that enables researchers to ask questions about the hosts and networks that compose the Internet. Censys collects data on hosts and websites through daily ZMap and ZGrab scans of the IPv4 address space, in turn maintaining a database of how hosts and websites are configured. Researchers can interact with this data through a search interface, report builder, and SQL engine. Details on the Censys architecture and functionality are available in our research paper.

https://www.censys.io/

Don’t count on STARTTLS to automatically encrypt your sensitive e-mails

TLS stripping and DNS attacks allow eavesdropping on protected messages

ars

Researchers have some good and bad news about the availability of secure e-mail. Use of STARTTLS and three other security extensions has surged in recent months, but their failure rate remains high, in large part because of active attacks that downgrade encrypted connections to unencrypted ones.

That conclusion, reached in a recently published research paper, means that a significant chunk of e-mail continues to be transmitted in plaintext and with no mechanism for verifying that a message hasn’t been tampered with while it travels from sender to receiver. The downgrades are largely made possible by the Simple Mail Transfer Protocol (SMTP) used by many e-mail services. Because it wasn’t originally designed to provide message confidentiality or integrity, it relies on later-developed extensions including STARTTLS, DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF), and Domain-based Message Authentication (DMARC) that often don’t work as intended.

The researchers wrote:

This security patchwork—paired with opportunistic encryption that favors failing open and transmitting messages in cleartext, so as to allow incremental adoption—enables network attackers to intercept and surveil mail. In one such attack, network appliances corrupt STARTTLS connection attempts and downgrade messages to non-encrypted channels. We identify 41,405 SMTP servers in 4,714 ASes and 193 countries that cannot protect mail from passive eavesdroppers due to STARTTLS corruption on the network. We analyze the mail sent to Gmail from these hosts and find that in seven countries, more than 20% of all messages are actively prevented from being encrypted. In the most severe case, 96% of messages sent from Tunisia to Gmail are downgraded to cleartext.

The findings are based on Gmail SMTP connection logs spanning from January 2014 to April 2015 and a snapshot of SMTP server configurations from April 2015 from the Alexa top million domains. The Gmail data showed that incoming messages protected by transport layer security encryption grew 82 percent in one year, peaking to 60 percent of all inbound mail by the end of the study. Outgoing messages increased 54 percent, with 80 percent of messages protected. The improvement was largely the result of Yahoo, Outlook, and a small number of other large e-mail providers updating their servers to use STARTTLS.

Offsetting that progress was a finding that about 770,000 SMTP servers associated with the Alexa top million list still failed to properly secure their systems. Only 82 percent of them supported TLS, and of those, only 35 percent were properly configured to allow one server to cryptographically authenticate itself to another.

STARTTLS corruption

The researchers also found evidence of widespread corruption that prevents STARTTLS from working as intended. Like many security mechanisms, STARTTLS is designed to “fail open” rather than “fail closed,” meaning that when certain errors happen, servers will simply send e-mail in unencrypted form rather than failing to send the message at all. Network actors can exploit this design by sending certain types of packets that trigger a fail open error. The overall fraction of Gmail messages that were downgraded was relatively small, but in Tunisia, TLS was stripped out of 96 percent of e-mail. Other countries with high rates included Iraq, Papua New Guinea, and Nepal.

“It is important to note that the devices that are stripping TLS from SMTP connections are not inherently malicious, and many of these devices may be deployed to facilitate legitimate filtering,” the paper states. “Regardless of intent, this technique results in messages being sent in cleartext over the public Internet, enabling passive eavesdropping and other attacks.”
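To make the fail-open behaviour concrete, here is an added example (not code from the article or from the paper it describes) of a sending MTA's decision logic: it parses a constructed SMTP EHLO reply, notices when the STARTTLS keyword is absent or mangled in transit, and contrasts the default fail-open fallback with a fail-closed policy that refuses cleartext delivery. The transcripts, hostnames and the assumption that a middlebox overwrites the keyword with a run of X characters are constructed for illustration.

```python
"""Added example: model an SMTP client's STARTTLS decision as fail-open vs fail-closed."""
import re
from dataclasses import dataclass

# Constructed EHLO replies (not captured traffic). The second one models a
# middlebox that overwrites the STARTTLS keyword so the client never sees it;
# a run of X characters is assumed here as the mangled form.
EHLO_CLEAN = (
    "250-mail.example.net Hello client.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
EHLO_STRIPPED = (
    "250-mail.example.net Hello client.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250-XXXXXXXX\r\n"
    "250 8BITMIME\r\n"
)


@dataclass
class Decision:
    send: bool        # whether the message is transmitted at all
    encrypted: bool   # whether it goes over TLS
    reason: str


def parse_ehlo(response: str) -> list:
    """Return advertised extension keywords from an EHLO reply (RFC 5321 '250-' / '250 ' lines)."""
    keywords = []
    for line in response.splitlines():
        m = re.match(r"^250[- ](\S+)", line)
        if m:
            keywords.append(m.group(1).upper())
    return keywords[1:]  # the first 250 line is the server greeting, not an extension


def looks_corrupted(keywords) -> bool:
    """Heuristic: a keyword consisting only of X's where an extension name should be."""
    return any(re.fullmatch(r"X{4,}", k) for k in keywords)


def decide(response: str, fail_closed: bool) -> Decision:
    """Fail-open clients fall back to cleartext; fail-closed clients refuse to send."""
    kws = parse_ehlo(response)
    if "STARTTLS" in kws:
        return Decision(True, True, "STARTTLS advertised; negotiate TLS before sending")
    reason = "STARTTLS keyword mangled in transit" if looks_corrupted(kws) else "STARTTLS not advertised"
    if fail_closed:
        return Decision(False, False, reason + "; refusing cleartext delivery")
    return Decision(True, False, reason + "; falling back to cleartext (fail open)")
```

A real MTA would additionally validate the server certificate after negotiating TLS, which the article notes only about a third of TLS-capable servers were configured to support.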

The researchers also found evidence that domain name system records are routinely spoofed in a way that redirects e-mail to servers controlled by attackers rather than to the intended destination. The evidence included more than 178,000 publicly available DNS servers that provided invalid IP addresses or mail records for either gmail.com, yahoo.com, outlook.com, qq.com, or mail.ru.

The findings suggest that even as e-mail providers continue to deploy STARTTLS, there’s no guarantee that e-mail will be encrypted as it travels from one server to another on its way to the receiver. That leaves the truly paranoid with no other option than GPG or S/MIME to ensure the confidentiality of the messages they send.

DMCA Ruling Ensures You Can’t Be Sued For Hacking Your Car, Your Games Or Your iPhone

“This ‘access control’ rule is supposed to protect against unlawful copying,” said EFF staff attorney Kit Walsh. “But as we’ve seen in the recent Volkswagen scandal – where VW was caught manipulating smog tests – it can be used instead to hide wrongdoing hidden in computer code. We are pleased that analysts will now be able to examine the software in the cars we drive without facing legal threats from car manufacturers.”

Walsh expressed disappointment the exemption would not come into force for another year. There may also be a limitation on what tinkerers can do, as the exemption does not allow for modification of “computer programs primarily designed for the control of telematics or entertainment systems for such vehicle”, though security researchers should still be allowed to poke holes in them.

“This is a significant step forward for security research and acknowledges the value research plays in protecting consumers from risk of harm. There is still more work to be done – for example the exemption is limited in its application, and the Computer Fraud and Abuse Act still presents many challenges – but this represents an important shift in the discussion around security research at the Government level,” added Jen Ellis, vice president of community and public affairs at Rapid7, and one of the campaigners for the exemption.

“We look forward to continuing to collaborate with both Congress and the administration to build even greater understanding of, and protections for, security research.”

Tuesday, October 27, 2015

New zero-day exploit hits fully patched Adobe Flash

Attackers are exploiting a previously unknown vulnerability in fully patched versions of Adobe’s Flash Player so they can surreptitiously install malware on end users’ computers, security researchers warned Tuesday.

So far, the attacks are known to target only government agencies as part of a long-running espionage campaign carried out by a group known as Pawn Storm, researchers from antivirus provider Trend Micro said in a blog post published Tuesday. It’s not unusual for such zero-day exploits to be more widely distributed once the initial element of surprise wanes. The critical security flaw is known to reside in Flash versions 19.0.0.185 and 19.0.0.207 and may also affect earlier versions. At this early stage, no other technical details are available. The researchers wrote:

In this most recent campaign of Pawn Storm, several Ministries of Foreign Affairs received spear phishing e-mails. These contain links to sites that supposedly contain information about current events, but in reality, these URLs hosted the exploit. In this wave of attacks, the emails were about the following topics:

“Suicide car bomb targets NATO troop convoy Kabul”

“Syrian troops make gains as Putin defends air strikes”

“Israel launches airstrikes on targets in Gaza”

“Russia warns of response to reported US nuke buildup in Turkey, Europe”

“US military reports 75 US-trained rebels return Syria”

It’s worth noting that the URLs hosting the new Flash zero-day exploit are similar to the URLs seen in attacks that targeted North Atlantic Treaty Organization (NATO) members and the White House in April this year.

Pawn Storm has zeroed in on foreign affairs ministries in recent months. In the past, the group has targeted politicians, artists, and journalists in Russia, and it has infected the iOS devices of Western governments and news organizations. Some researchers have linked the espionage campaign to the Russian government, but the usual disclaimers about attribution of hacks apply.

An Adobe spokeswoman said that company researchers received a proof-of-concept exploit on Tuesday morning and are in the process of investigating. If confirmed, it wouldn’t be surprising to see Adobe publish an emergency update in the next few days. As always, readers should consider disabling Flash on as many sites as possible, since it’s not unusual for attackers to compromise trusted sites and use them to attack the people who visit them. Most browsers by default provide a click-to-play mechanism that blocks Flash-based content for each site visited unless explicitly approved by the end user. A more thorough approach is to uninstall Flash altogether.
