
Judge says collection of U.S. phone records is unconstitutional


December 16, 2013


A top federal judge said today that he believes the U.S. government's once-secret collection of domestic phone records is unconstitutional, setting up likely appeals and further challenges to the data mining revealed by classified documents leaker Edward Snowden.

U.S. District Judge Richard Leon said the National Security Agency's bulk collection of metadata (phone records of the time and numbers called, without any disclosure of content) violates privacy rights in the United States.

Leon's preliminary ruling favored five plaintiffs challenging the practice, but he limited his decision only to their case.

"I cannot imagine a more indiscriminate and arbitrary invasion of privacy than this systematic and high-tech collection and retention of personal data on virtually every citizen for purposes of querying and analyzing it without prior judicial approval," said Leon, an appointee of President George W. Bush.

"Surely such a program infringes on that degree of privacy that our own Founders enshrined in the Fourth Amendment," the judge added.

Leon's ruling said that the "plaintiffs in this case have also shown a strong likelihood of success on the merits of a Fourth Amendment claim," adding "as such, they too have adequately demonstrated irreparable injury."

Leon also noted that the government "does not cite a single instance in which analysis of the NSA's bulk metadata collection actually stopped an imminent attack, or otherwise aided the government in achieving any objective that was time-sensitive in nature."

But the judge put off enforcing his order barring the government from collecting the information, pending an appeal by the U.S. government.

The whole issue is highly controversial as both the White House and Congress have spent thousands of hours on this since the Snowden affair broke out in June 2013.

A Justice Department spokesman said Monday that "we believe the program is constitutional as previous judges have found," but said that the ruling is being studied nevertheless.

Democratic Senator Mark Udall of Colorado, a strong critic of the NSA data mining, said Leon's ruling showed that "the bulk collection of Americans' phone records conflicts directly with Americans' privacy rights under the U.S. Constitution and has failed to make us safer."

He called on Congress to pass legislation he proposed to "ensure that the NSA focuses on terrorists and spies and not innocent American civilians."

Explosive revelations earlier this year by Edward Snowden, a former NSA contractor, triggered new debate about national security and privacy interests in the aftermath of the September 11, 2001 terrorist attacks in New York and on the Pentagon.

In particular, Snowden's revelations led to more public disclosure about the secretive legal process that sets in motion the U.S. government's surveillance of its own people.

For its part, the NSA did admit that it received secret court approval to collect vast amounts of metadata from telecom giant Verizon and leading internet companies, including Microsoft, Apple, Google, Yahoo and Facebook.

The case before Leon involved approval for surveillance in April by a judge at the Foreign Intelligence Surveillance Court (FISC), a secret government body that handles individual requests for electronic surveillance for "foreign intelligence purposes."

As required, Verizon Business Network Services promptly turned over the metadata to the government. Leon's ruling comes as the Obama administration completes a review of NSA surveillance in the aftermath of the Snowden leaks.

Sources said that technology company executives would meet with President Barack Obama at the White House on Tuesday about the issue.

President Obama plans to sit down with Tim Cook of Apple and Eric Schmidt of Google, as well as executives from Microsoft, Facebook, Salesforce, Netflix and other companies.

In November, the U.S. Supreme Court refused to take up the issue when it denied a separate petition, which was filed by the Electronic Information Privacy Center. Prior lawsuits against the broader NSA program have also been unsuccessful to this date.

Just a few days after the Snowden disclosure in June, some Verizon customers filed legal challenges in the D.C. federal court. The left-leaning ACLU (American Civil Liberties Union) also filed a separate, pending suit in New York federal court.

Under the Foreign Intelligence Surveillance Act of the 1970s, the secret courts were set up to grant certain types of government requests-- wiretapping, data analysis, and other monitoring of possible terrorists and spies operating in the United States.

The Patriot Act that Congress passed after the 9/11 attacks on U.S. soil deeply broadened the government's ability to conduct anti-terrorism surveillance in the United States and abroad, eventually including the metadata collection.

In order to collect the information, the U.S. government has to demonstrate that it's "relevant" to an international terrorism investigation.

But the 1978 FISA law lays out exactly what the special court must decide-- "A judge considering a petition to modify or set aside a nondisclosure order may grant such petition only if the judge finds that there is no reason to believe that disclosure may endanger the national security of the United States, interfere with a criminal, counterterrorism, or counterintelligence investigation, interfere with diplomatic relations, or endanger the life or physical safety of any person."

In defending the program, NSA Director General Keith Alexander told the Senate Judiciary Committee last week that "15 separate judges of the FISA Court have held on 35 occasions that Section 215 (of the Patriot Act) authorizes the collection of telephony metadata in bulk in support of counterterrorism investigations."

Initially, telecommunications companies such as Verizon were the targets of legal action against Patriot Act provisions. Congress later gave retroactive immunity to those private businesses.

The revelations of the NSA program and the inner workings of the FISC court came after Snowden leaked documents to the Guardian newspaper. Snowden fled to Hong Kong and then Russia to escape U.S. prosecution.

In other internet security news

Despite all the turmoil and all the negative press in the media this year regarding the Edward Snowden affair, it appears that NSA Director General Keith Alexander and his successor will hold on to the additional role as head of U.S. cyberoperations.

The White House said Friday that a single military official will continue to head up both the U.S. National Security Agency and the U.S. Cyber Command.

"Following a thorough interagency review, President Barack Obama has decided that keeping the positions of NSA Director and Cyber Command Chief together as one, dual-hatted position is the most effective approach to accomplishing both agencies' missions," National Security Council spokeswoman Caitlin Hayden said.

"Given General Alexander's retirement this spring, it was the natural time to review the existing arrangement," Hayden added.

Overall, military officials were reportedly considering splitting the role and went so far as to draft a list of potential civilian candidates to lead the NSA.

Alexander, who is expected to resign in the spring, has been head of the NSA since 2005, and took on the role of head of Cyber Command in 2010.

The Obama administration said the dual role allows for "rapid response" to cybersecurity threats, and it added that splitting the position would mean instituting elaborate procedures to ensure coordination and avoid duplicate capabilities between the two agencies.

The White House's decision, which is part of a wider review of U.S. surveillance policy, comes just days before a presidential task force was expected to submit new recommendations that "constitute a sweeping overhaul of the NSA," reported The Wall Street Journal earlier Friday, citing "people familiar with the plans."

While the top spot at the NSA has managed to stay intact under increased scrutiny, The Hill reported Friday that NSA Deputy Director Chris Inglis, the top civilian at the agency, stepped down this week.

NSA Executive Director Fran Fleisch will now serve as acting deputy director. Inglis had previously said he would be stepping down, and an NSA spokeswoman told The Hill the plan had been "set for some time."

The plan was "first announced internally at the NSA this past summer, for Mr. Inglis to retire at year's end and General Alexander in the spring of 2014," NSA spokeswoman Vanee Vines said.

"In each case, their time in office represented a significant extension of service beyond their original tours," added Vines.

In other internet security news

By now, you shouldn't be too surprised to learn that version 26 of the Firefox web browser blocks Java software on all websites by default, unless the user has specifically authorized the Java plugin to run from the get-go.

After all, Java security issues have been around from Day One when the language was created by Sun Microsystems about 22 years ago.

The change has been a long time coming. The Mozilla Foundation had originally planned to make click-to-run the default for all versions of the Java plugin beginning with Firefox 24, but decided to delay the change after dismayed users raised a big fuss about it.

Beginning with the version of Firefox that shipped yesterday, whenever the browser encounters a Java applet or a Java Web Start launcher, it first displays a dialog box asking for full authorization before allowing the plugin to launch at all.

Users can also opt to click "Allow and Remember," which adds the current webpage to an internal whitelist so that Java code on it will run automatically in the future, without further human intervention.

Mozilla's move comes after a series of security exploits made the Java plugin one of the most popular vectors for web-based malware attacks over the past few years. In fact, so many zero-day exploits targeting the plugin have been discovered that the Firefox developers have opted to give all versions of Java the cold shoulder, including the most recent one.

Mozilla plans to activate click-to-run for all plugins by default. The Adobe Flash Player plugin has been given a pass so far, owing to the prevalence of Flash content on the web, but Adobe's software is also screened closely, as its products have frequently been vulnerable to security attacks in the past few years.

In addition to the changes to the default Java plugin behavior, Firefox 26 includes a number of security patches, bug fixes and minor new features.

The official release notes are available on Firefox's website. As usual, current Firefox installations can be upgraded to version 26 using the internal update mechanism, and installers for the latest release are available from the Firefox homepage.

In other internet security news

Enthusiastic users of the CyanogenMod alternative Android firmware gained additional security yesterday, thanks to the integration of Open Whisper Systems' TextSecure protocol. This is still very new for now, but it bodes well for the near-term future of the technology.

Founded by internet security researchers Moxie Marlinspike and Stuart Anderson, Open Whisper Systems develops security software that can encrypt voice-over-IP (VoIP) phone calls and SMS/MMS messages, so the technology is far-reaching in today's business world.

Android device owners can install the company's TextSecure SMS security software by downloading it from the Google Play store. However, the company announced yesterday that the CyanogenMod project is also shipping the technology integrated into its firmwares by default, beginning with current nightly builds of version 10.2.

With TextSecure as part of the default CyanogenMod SMS software, users can choose any SMS application they want and enjoy secure messaging to other TextSecure-enabled devices automatically, whether they are running the software on Android or iOS.

"If an outgoing SMS message is addressed to another CyanogenMod or TextSecure user, it will be transparently encrypted and sent over the data channel as a push message to the receiving device," Marlinspike explained in a blog post.

"That device will then decrypt the message and deliver it to the system as a normal incoming SMS," he added.

However, in the event that the device doesn't support TextSecure, the messaging layer will fall back to an ordinary, unencrypted SMS channel.

To be sure, the in-firmware version of the technology supports all of the features of the standalone TextSecure app, including its key exchange protocol and support for multiple cryptographic algorithms.

According to the CyanogenMod team, the code is being integrated with the version 10.2 nightly builds as a trial balloon, but if it all goes well, it will be integrated into all future builds of CyanogenMod 11 as well.

Marlinspike praised the firmware team's willingness to include the technology yesterday, saying that doing so took a substantial commitment of time and resources.

"Their genuine resolve to protect their users from large-scale dragnet surveillance is truly remarkable in a world where most companies are instead angling to collect as much information about their users as possible," Marlinspike wrote.

Versions of the CyanogenMod firmware with TextSecure built in are available for a variety of devices via the project's download site.

In other internet security news

A massive hacker attack from many parts of the world has resulted in the theft of usernames and passwords for about 2.1 million accounts at Facebook, Gmail, Twitter, Yahoo and a few others, according to a report released this week by cybersecurity firm Trustwave.

The huge data breach was a result of keylogging software maliciously installed on an untold number of computers around the globe, Trustwave said.

The worm virus was capturing log-in credentials for key websites over the past month and sending those usernames and passwords to a server controlled by the hackers, and located in the Netherlands.

On November 24, Trustwave researchers tracked that server, and they discovered compromised credentials for more than 93,000 websites, including:

  • 318,000 Facebook accounts
  • 70,000 Gmail, Google+ and YouTube accounts
  • 60,000 Yahoo accounts
  • 22,000 Twitter accounts
  • 9,000 Odnoklassniki accounts (a Russian social network)
  • 8,000 ADP accounts
  • 8,000 LinkedIn accounts

Trustwave immediately notified these companies of the security breach. They posted their findings publicly on Tuesday.

"We don't have evidence they logged into these accounts, but they probably did," said John Miller, a security research manager at Trustwave.

Facebook, LinkedIn and Twitter say they have notified and reset passwords for compromised users. Google declined to comment. Yahoo and ADP did not provide immediate responses as of 4:00 PM EST today.

Miller added that his team doesn't yet know how the virus got onto so many personal computers. The hackers set up the keylogging software to route information through a proxy server, so it's impossible to track down which computers are infected.

Among the compromised data are 41,000 credentials used to connect to File Transfer Protocol (FTP, the standard protocol used when sending files to the internet) and 6,000 remote log-ins.

The hacking campaign started secretly collecting passwords on October 21, and it might be ongoing. Although Trustwave discovered the Netherlands proxy server, Miller said there are several other similar servers they haven't yet tracked down as of today.

There could be a lot more, Miller warned. If you need to know whether your computer is infected, just searching for programs and files won't be enough, because the virus running in the background is hidden, Miller said.


Source: The U.S. Justice Dept.
