Tuesday, June 13, 2017

The EFF, Geek Squad and The U.S. Constitution

This week the Electronic Freedom Foundation #EFF announced that it was suing the Geek Squad of Best Buy computer service fame. The EFF is suing to obtain records that it believes detail how Geek Squad employees were used as paid informants of the FBI. I know what you are already thinking: the government is already spying on computer users. So what is the big deal about this?

Well, I’m glad you asked! The Fourth Amendment to the U.S. Constitution spells out that the government must obtain a warrant before conducting a search of your person or belongings. Of course, it also goes on to list the items needed before a warrant can be granted, things like probable cause, sworn statements and a neutral judge to oversee the whole thing.

Well, in this case the EFF claims that the FBI gave 8 or so Geek Squad employees training and software to search customer computers for child porn when the computer was brought in for service. The problem is that if your actions are being directed by law enforcement, you become an agent (in the legal sense, not with a gun or badge) and must obtain a search warrant before conducting a search for evidence of a crime.

According to the EFF, Geek Squad was helping FBI agents bypass warrant requirements to obtain evidence. There are plenty of cases where tech employees uncover evidence of a crime and forward it to law enforcement, and even cases where hackers illegally obtained information and law enforcement officers were still able to use the data in prosecution.


I don’t always take the same side as the EFF, but in this case I think they have a point. It will be interesting to see where this goes.

Monday, June 5, 2017

What makes me #wannacry

By now most of you have heard of the #wannacry variant of ransomware, or at the very least you have heard of ransomware. Ransomware is a malicious computer program that encrypts your computer and then offers to restore your files if you pay a ransom. Generally, the ransom is to an off-shore email account and payment is preferred in bitcoins. The solution to ransomware in general is to keep your anti-virus software up to date and be careful about downloading or opening random files that are emailed to you.

This post is not about ransomware, but about something that really makes a security professional “want to cry.” Those of us in the profession know that user education can stop most potential attacks, but user education is also one of the hardest items to make happen, even in a small organization.

Today’s topic is: DO NOT USE THE SAME PASSWORD FOR MULTIPLE SITES!

I have a current investigation on my desk with 47 victims and multiple stolen credit cards used to make online purchases of electronics. I will change the names and some of the data, because sharing information during an investigation is really, really frowned upon. Just ask James Comey.

The fraud was perpetrated by foreign nationals using all the regular hacker methods, but there was one common item: victim after victim admitted to using the same password across multiple shopping sites and then compounding the problem by saving the credit card information online to make purchasing easier in the future.

The problem? It makes it much easier for bad guys to make fraudulent purchases with your information too. And the takeaway from this particular case?

Don’t reuse passwords across sites, and if you are feeling particularly security minded, don’t save card information either.