Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

DoJ defines new rules for spying with the Stingray technology

The US Justice Department issued guidelines for StingRay Surveillance devices, new rules define aim to ensure privacy protection and transparency. Do you know what is a StingRay? If you want further details give a look to a post I wrote for the Infosec Institute on the StingRay Technology: “StingRay is an IMSI-catcher (International Mobile Subscriber […]

DoJ defines new rules for spying with the Stingray technology

The US Justice Department issued guidelines for StingRay Surveillance devices, new rules define aim to ensure privacy protection and transparency.

Do you know what is a StingRay? If you want further details give a look to a post I wrote for the Infosec Institute on the StingRay Technology:

“StingRay is an IMSI-catcher (International Mobile Subscriber Identity) designed and commercialized by the Harris Corporation. The cellular-surveillance system costs as much as $400,000 in the basic configuration, and its price varies with add-ons ordered by the agency.

The IMSI-catcher is a surveillance solution used by military and intelligence agencies for telephone eavesdropping. It allows for intercepting mobile phone traffic and tracking movements of mobile phone users. Essentially, an IMSI catcher operates as a bogus mobile cell tower that sits between the target mobile phone and the service provider’s real towers. The IMSI catcher runs a Man In the Middle (MITM) attack that could not be detected by the users without using specific products that secure communication on mobile devices.

The use of the IMSI-catcher is raising a heated debate in the United States because devices like StingRay and other similar cellphone tracking solutions are being widely adopted by law enforcement agencies across the country.” I wrote in a blog post

Stingray work

The Stingray devices are used by law enforcement to track criminals, in the majority of cases without obtaining court orders.

But things are changing, the Federal law agencies will have to be more transparent about the use of Stingray devices for their investigations. The US Department of Justice has issued a new policy this week on the use of Stingray to spy on the cell phone of suspects, track and record their locations, and in some cases even intercept Internet traffic and phone calls or serve a spyware on mobile phones.

The new policy requires law enforcement and intelligence agencies to obtain a court authorization or warrant to use the StingRay technology in their operations to ensure the respectful of individual’s privacy.

“This new policy ensures our protocols for this technology are consistent, well-managed and respectful of individuals’ privacy and civil liberties,” explained the Deputy Attorney General Sally Quillian Yates in an official statement.

Another novelty introduced by the policy is the duty for the Feds to completely destroy the data acquired by the Stingray during the investigations.

“To enhance privacy protections, the new policy establishes a set of required practices with respect to the treatment of information collected through the use of cell-site simulators.  This includes data handling requirements and an agency-level implementation of an auditing program to ensure that data is deleted consistent with this policy.  For example, when the equipment is used to locate a known cellular device, all data must be deleted as soon as that device is located, and no less than once daily.”

Moreover, the agencies will have to present an annual report on the use of the StingRay Technology.

“While the department has, in the past, obtained appropriate legal authorizations to use cell-site simulators, law enforcement agents must now obtain a search warrant supported by probable cause before using a cell-site simulator.  There are limited exceptions in the policy for exigent circumstances or exceptional circumstances where the law does not require a search warrant and circumstances make obtaining a search warrant impracticable. “

The new policy is a great step forward in the defense of the citizen privacy and transparency as explained by the Staff Attorney at the American Civil Liberties Union, Nate Freed Wessler.

“The new policy is a step forward in the “right direction” as well as “a win for privacy and transparency.”” said Wessler.

Wessler highlighted that the policy still has a gray parts when dealing with local and regional authorities.

StingRay Tec

“The Justice Department must close these loopholes, and Congress should act to pass more comprehensive legislation to ensure that Americans’ privacy is protected from these devices and other location tracking technologies.”  states the ACLU.

Local and regional law enforcement also use Stingray devices to track suspects, but the new policy doesn’t cover their activities. 

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – StingRay, law enforcement)