FBI surveillance access with National Security Letter unchanged, for now

The U.S. Senate fails to pass an amendment that would have expanded warrantless FBI surveillance access under National Security Letters to metadata such as email headers and browser history.

An expansion of FBI surveillance powers fell two votes short in the Senate. The legislation, offered as an amendment to a criminal justice funding bill, would have let the FBI compel more types of data under National Security Letters.

The FBI can use a National Security Letter to obtain data without judicial review, and recipients of an NSL are often barred from disclosing that it exists. Under the proposed amendment, the FBI could also have demanded email header information, internet browsing history, social media login records and other metadata that an NSL does not currently reach.

"In the wake of the tragic massacre in Orlando, it is important our law enforcement have the tools they need to conduct counterterrorism investigations and track 'lone wolves,' or ISIL-inspired terrorists who do not have direct connections to foreign terrorist organizations, but who seek to harm Americans," said Sen. John McCain (R-Ariz.) in a statement released prior to the vote.

The measure, which needed 60 votes to advance, fell in the Senate by a vote of 58 to 38. McCain introduced the amendment to the Commerce, Justice, Science and Related Agencies Appropriations Act, and it can be brought up again because Sen. Mitch McConnell (R-Ky.) switched his vote from yes to no, a procedural move that lets him ask the Senate to reconsider, The Hill reported.

McCain said his amendment "would allow the FBI to obtain noncontent electronic communication transaction records to investigate suspected terrorists, and by allowing our law enforcement to combat 'lone wolves.'"

"To be clear, this amendment would not allow the FBI access to the content of private messages, but will only allow law enforcement to look at noncontent electronic communication transactional records in the course of a national security investigation, such as how much time a suspicious individual spends on a website."

"Senate Republicans are pushing fake, knee-jerk solutions that will do nothing to prevent mass shootings or terrorist attacks," said Sen. Ron Wyden (D-Ore.) in a statement prior to the vote. "Like so many other proposals, this amendment is a lose-lose: It won't make our country safer, but it will take away crucial checks and balances that protect our freedom."

"If this proposal passes, FBI agents will be able to demand the records of what websites you look at online, who you email and chat with, and your text message logs, with no judicial oversight whatsoever. The reality is the FBI already has the power to demand these electronic records with a court order under the Patriot Act. In emergencies, the FBI can even obtain the records right away and go to a judge after the fact. This isn't about giving law enforcement new tools, it's about the FBI not wanting to do paperwork."

Tor hardening efforts continue with Selfrando

The Tor Project is field-testing Selfrando, a load-time code randomization technique intended to blunt deanonymization exploits such as the one the FBI used against Tor users. Nine researchers from the University of California, Irvine, Technische Universität Darmstadt in Germany and the Tor Project developed the technique, which now ships in the hardened releases of Tor Browser for testing, according to the paper describing the work.

The researchers noted that "many government organizations are actively trying to compromise Tor not only in regions with repressive regimes, but also in the free world, as the recent FBI incidents clearly demonstrate," and argued that Selfrando is a practical way to apply load-time randomization against exploits of the kind the FBI used.

"Our solution significantly improves security over standard address space layout randomization techniques currently used by Firefox and other mainstream browsers. Moreover, we collaborated closely with the Tor Project to ensure that Selfrando is fully compatible with AddressSanitizer (ASan), a compiler feature to detect memory corruption. ASan is used in a hardened version of Tor Browser for test purposes. The Tor Project decided to include our solution in the hardened releases of the Tor Browser, which is currently undergoing field testing."

The Selfrando code is available in a GitHub repository. According to the developers, it "varies the attack surface -- i.e., the code layout -- by randomizing each function separately. This makes exploit writing harder and increases resilience to information leakage relative to traditional address space layout randomization techniques."

The developers wrote that Selfrando "has an imperceptible effect on program initialization and runtime performance," reporting less than 1% overhead on the benchmarks they ran. Because the randomization happens at load time rather than at build time, every copy of a Selfrando-built binary is byte-identical on disk, meaning "protected programs can be distributed just like traditional programs and can use the same checksumming and signature tools."
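To make the two claims above concrete (a leaked address reveals far less under per-function randomization than under base-address ASLR, and the on-disk bytes do not change), here is an added Python model. It is not Selfrando's code: the function names and sizes are constructed, and per-function randomization is simplified to a random function order with random gaps, which is enough to show why a fixed on-disk delta stops working for an attacker.

```python
"""Constructed model of base-address ASLR versus Selfrando-style per-function
randomization.  Added illustration only; this is not Selfrando's code."""
import hashlib
import random

# Constructed "binary": (function name, size in bytes), in on-disk order.
DISK_FUNCTIONS = [
    ("main", 0x120),
    ("parse_header", 0x2A0),
    ("decompress", 0x400),
    ("write_output", 0x80),
    ("system_gadget", 0x30),   # the code an attacker wants to reach
]
PAGE = 0x1000


def disk_offsets():
    """Offset of each function inside the on-disk image, i.e. what an attacker
    can read from any public copy of the binary."""
    offs, cur = {}, 0
    for name, size in DISK_FUNCTIONS:
        offs[name] = cur
        cur += size
    return offs


def disk_digest():
    """Digest of the on-disk bytes.  Randomization happens after loading, so
    this value is the same for every copy and every run; signatures still work."""
    image = b"".join(name.encode().ljust(size, b"\x90") for name, size in DISK_FUNCTIONS)
    return hashlib.sha256(image).hexdigest()


def aslr_layout(rng):
    """Traditional ASLR: one random page-aligned base; relative offsets unchanged."""
    base = rng.randrange(0x10000, 0x7FFF0000, PAGE)
    return {name: base + off for name, off in disk_offsets().items()}


def per_function_layout(rng):
    """Selfrando-style: each function is placed independently at load time
    (modelled as a random order plus a random gap after each function), so the
    distance between any two functions changes on every load."""
    base = rng.randrange(0x10000, 0x7FFF0000, PAGE)
    order = list(DISK_FUNCTIONS)
    rng.shuffle(order)
    layout, addr = {}, base
    for name, size in order:
        layout[name] = addr
        addr += size + rng.randrange(0, 0x100, 0x10)
    return layout


def leak_hit_rate(layout_fn, leaked, target, trials=200, seed=1):
    """The attacker leaks the runtime address of `leaked` (say via an
    out-of-bounds read) and guesses `target` as leaked + on-disk delta.
    Returns the fraction of loads in which that guess is correct."""
    rng = random.Random(seed)
    offs = disk_offsets()
    delta = offs[target] - offs[leaked]
    hits = 0
    for _ in range(trials):
        layout = layout_fn(rng)
        if layout[leaked] + delta == layout[target]:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print("on-disk digest:", disk_digest()[:16], "(independent of load-time layout)")
    for label, fn in (("ASLR", aslr_layout), ("per-function", per_function_layout)):
        rate = leak_hit_rate(fn, "parse_header", "system_gadget")
        print(f"{label:13s}: leak of parse_header locates system_gadget in {rate:.0%} of loads")
```

Under ASLR the guess succeeds on every load, because one leaked pointer fixes the whole image; under the per-function model it succeeds only when the shuffle and gaps happen to reproduce the on-disk distance, which is rare. Real Selfrando randomizes function placement inside the loaded image rather than shuffling a toy list, but the property an exploit writer cares about, that one leak no longer reveals every gadget, is the same.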

In other news:

  • Cisco Talos security researcher Marcin Noga discovered three severe bugs in libarchive, a widely used open source library. The bugs have been patched, but the fallout could still be significant: the library, which reads and writes numerous archive formats, is bundled into many third-party products. "The root cause of these libarchive vulnerabilities is a failure to properly validate input -- data being read from a compressed file. Sadly, these types of programming errors occur over and over again," wrote Noga and Jaeson Schultz, technical leader for the Talos Security Intelligence and Research Group. "When vulnerabilities are discovered in a piece of software such as libarchive, many third-party programs that rely on and bundle libarchive are affected. These are known as common mode failures, which enable attackers to use a single attack to compromise many different programs or systems. Users are encouraged to patch all relevant programs as quickly as possible."
  • Microsoft is readying its new Azure Information Protection service, which builds on last year's acquisition by Microsoft of Secure Islands, combined with Microsoft's Azure Rights Management (Azure RMS). Microsoft's engineering teams have made "progress in combining Secure Islands' industry-leading data classification and labeling technology with Azure RMS," wrote Dan Plastina, director of information protection at Microsoft, in a blog post announcing the integration of technology from the purchased Israeli startup. A public preview of Azure Information Protection is expected to be available next month.
  • Dell has agreed to sell its software business to private equity firm Francisco Partners and hedge-fund firm Elliott Management Corp. in a deal estimated to be worth $2 billion. Included in the deal is Dell's SonicWALL security software business, as well as software products for advanced analytics, database management, data protection, endpoint systems management, identity and access management, Microsoft platform management, network security and performance monitoring. The deal was seen as part of an effort to pay for Dell's purchase of EMC; earlier this year, Dell agreed to sell Dell Services to NTT Data, the services arm of Japanese telco NTT, for $3 billion.

Next Steps

Find out more about how businesses can fight a secret information surveillance request.

Read about how Microsoft challenged secret FBI surveillance under a National Security Letter, and won.

Learn more about the FBI's use of zero-day exploits.