Bank Security Act

The Bank Security Act, also known as the Currency and Foreign Transaction Reporting Act was passed in 1970 to help the United States Government monitor and prevent possible money laundering schemes. Under the BSA, all financial institutions must keep records about customer transactions and submit reports to the Federal Government for certain types of transactions

A Currency Transaction Report (CTR) must be filed for:

• Any cash financial transactions (deposit/withdrawal/exchange) made by an individual in an amount greater than $10,000
• Any cash transactions made by or for one individual in a single business day in which the aggregate total is greater than $10,000

A Currency and Monetary Instrument Report (CMIR) must be filed for:

• Any person or entity that transports an individual or aggregate amount greater than $10,000 into or outside of the United States in the form of currency, traveler’s checks, bank notes or other monetary instruments.

A Suspicious Activity Report (SAR) must be filed for:

• Abuse by an employee of the financial institution
• Violations in which a suspect can be identified and the aggregate amount is $5,000 or more.
• Violations in which no suspect can be identified and the aggregate amount is $25,000 or more.
• A transaction through a bank in which the teller has reason to believe may be designed to avoid BSA regulations
• A transaction through a bank in which the teller has reason to believe may involve potential money laundering or criminal activity

Many banks use automated records systems that keep customer information on file and generate the relevant reports when such transactions occur. The creation of multiple reports for a single person or entity signals law enforcement agencies to look closer for fraudulent activity.

The Foreign Intelligence Surveillance Act was passed in 1978 and amended in 2007 in order to monitor communications between “foreign powers” outside the United States and “agents of foreign powers” within the United States in order to maintain national security.

The Act allows electronic surveillance or the physical search of “premises, information, material or property used exclusively by” a foreign power or agent of a foreign power for the collection of foreign intelligence information:

• Without a court order for the period of one year
• Without a court order for 15 days after a declaration of war by Congress
• With a court order approved by the FISA court after reasonable cause has been determined.
  • A warrant also expands the types of entities that may fall under surveillance to include international terrorist groups, political organizations and other organizations not backed by a foreign government.

The Right to Financial Privacy Act

The Right to Financial Privacy Act was passed by Congress in response to the 1976 Supreme Court ruling United States v. Miller in which the court held that bank customers have no legal expectation of privacy. Under the ruling, the Federal Government could request individual financial records without restriction.

The Right to Financial Privacy Act attempted to reassert individual rights by requiring:

• Customers to receive notice of the disclosure to the government prior to the release of their records
• The creation of a mechanism for customers to challenge the disclosure of their information.
• Government agencies to keep an audit trail of all disclosures of customer information to the agency and any interagency transfers.

In order for a government agency to obtain customer financial records, they must meet one of the following requirements:

• Receive customer consent for their release
• Provide an administrative subpoena or summons
• Provide a search warrant
• Provide a judicial subpoena
• Provide an appropriate written authorization from a government agency

It is important to note that the act only applies to disclosures to the Federal Government. It does not pertain to state and local governments. While the Right to Financial Privacy Act was designed to protect customer financial privacy, it is considered an “anti-privacy law” because it’s protections are weaker than those granted under the fourth amendment. The US Patriot act further weakened the law’s protection by allowing disclosure when terrorism is suspected.

Electronic Communications Privacy Act

The Electronic Communications Privacy Act was passed in 1986 to expand government restrictions on wiretaps to include electronic communications. It is an extension of the original wiretap law the Omnibus Crime Control and Safe Streets Act which protects oral communications. Furthermore, the ECPA expanded the types of crimes that allow law enforcement in intercept communications. It also allows the use of pen registers and trap and trace orders that record the telephone numbers that have been dialed and the calls that have been received. Though the ECPA was passed to protect electronic privacy, it has been criticized for being too weak to adequately protect personal privacy.

USA Patriot Act

The Uniting and Strengthening of America by Providing the Appropriate Tolls Required to Intercept and Obstruct Terrorism Act was passed in 2001 after the September 11th terrorist attacks. The Patriot Act introduced wide changes across several sectors and amended several laws already in effect. Due to its strong focus on security, the US Patriot Act has been criticized for the limits it places on personal privacy.

The Patriot Act introduced the following changes to privacy laws:

• Expanded the type of information the U.S. may receive by subpoenaing Internet Service Providers to include not only personally identifiable information but also session durations and times, services used, IP addresses and payment information. Disclosure may also take place if the service provider suspects danger to “life and limb”
• Title II expanded surveillance procedures:
  • Allows “Sneak and Peek” warrants to allow delayed notice of search warrants
  • Roving wiretaps that do not require the specification of carrier or third parties
  • Amended the Foreign Intelligence Surveillance Act by expanding the duration of search and surveillance orders and removing the requirement to prove reasonable cause to monitor non U.S. citizens.
  • Expanded wiretapping capabilities under the Electronic Communications Privacy Act to allow surveillance of packet switched networks.
  • Allows the U.S. Government to obtain any “books, records, papers, documents and other items” that may aid in investigations to protect against terrorism.

Many Title II regulations were set to expire on Dec. 31, 2005 but were reauthorized until December 31, 2009. The USA Patriot Extension Act of 2009 seeks to extend those regulations even further.

• Title III attempts to prevents money laundering to deter terrorism by amending the Bank Security Act and the Money Laundering Control Act of 1986.
  • Subtitle I placed strong regulations on financial institutions, especially with regard to transactions with foreign countries. It expanded record keeping requirements, prohibited transactions with banks not subject to a banking authority and expanded the definition of money laundering.
  • Subtitle II allows suspicious activity reports to be sent to U.S. Intelligence agencies and made it illegal to structure transactions in such a way as to avoid BSA regulations.
  • Subtitle III made the evasion of currency reporting a criminal offense. It also made further provisions to deter money laundering

The Patriot Act contained several other regulations that affected immigration law, criminal law, created funding for necessary defenses and provided funds for victims of terrorist attacks.

REAL ID Act of 2005

The Rearing and Empowering America for Longevity Against Acts of International Destruction Act was passed in 2005 to standardize security, authentication and issuance procedures for state identification cards and driver’s licenses so that they may be used by the Federal Government for “official purposes.”

The issuing of ID cards, is a state privilege, and as such, the REAL ID Act has been opposed by many states. Enforcement of the law has been postponed until 2011 in the hopes of gaining more support among the States. When enforced, individuals carrying a non-compliant ID card will not be allowed entrance to Federally controlled buildings or areas such as Federal Government buildings and airport security. Furthermore the act requires all states to share Department of Motor Vehicle data with other states.

A REAL ID card must:

• Include a person’s legal name; signature; date of birth; gender; identification number; photograph of their face; address of residence
• Include security features to prevent duplication, tampering and counterfeiting
• Make use of machine readable technology to be set by the Secretary of Homeland Security, the Secretary of Transportation and the States.

The REAL ID Act has been widely criticized as being comparable to the issuing of a National Identification card, to which many proponents of privacy object. It is believed that a National Identification card would quickly become the default method of identification and allow for the tracking of the activity of U.S. citizens. A further privacy risk would be the storing of large amounts of personal information electronically on a national level, increasing the risk of unauthorized access.

Summary

There is no easy answer to resolve the conflict between privacy and security. While the “anti-privacy laws” were not developed as a deliberate attempt to restrict personal privacy, privacy has nonetheless suffered in the interest of providing more effective monitoring and violence prevention. Privacy proponents must continue to advocate the creation of adequate privacy regulations to prevent the further imposition on individual privacy in the future.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

• Laws compelling the disclosure of personal data (I.B.b.i-vi.)

Several years ago, using software engineering methods, University of California San Diego researchers demonstrated SSH is provably secure.  And SSH has shown itself to be nearly as good as claimed, posting only 31 bugs since 1998, most of which were minor.  Until now…  Three researchers from the Royal Holloway Information Security Group (ISG) at the University of London, Martin Albrecht, Kenny Paterson and Gaven Watson, found flaws in the proof.  They’ve shown that SSH is vulnerable to a “Man-in-the-middle” attack, where someone inserts themselves between a sender and receiver, grabs information, changes it and sends it along.

The Problem

There are actually three problems that account for the ISG discovered flaw:

1. The first lies in the manner the original security models used for the proof were constructed. The original proof pre-supposes garbled information may simply be reset as a failure and will not impact the security of the encryption used to protect the data.  The model never distinguished between the various kinds of failure, but the failure information turns out to be accessible to an adversary.  
2. The second is an implementation decision made by the original software developers for SSH.  The developers had two choices: send how big the transmitted information is (packet length field) unencrypted, which gives a small amount of information that tells an attacker how much data they had to crack, or encrypt hacker detectable information in the packet length field, possibly creating a “known plaintext” attack and thereby decreasing the keyspace.  SSH’s developers chose the unknown.  
3. The last problem has to deal with encryption modes and feedback loops.  In order to efficiently create and keep an encrypted tunnel between two computers hard to break, information from the current set of mathematical operations is used to incrementally change the next set, preventing various encryption attacks.  What data are taken from the current packet and fed into the next depend on the “cryptographic mode” chosen.  By default, SSH uses cipher-block chaining (CBC) mode instead of counter (CTR) mode.

Exploiting the ssh flaws

The ISG researchers took the error information reported that the proof never accounted for, and the design decision made by SSH developers, and began tinkering.  They eventually found a method of reducing the security in the default settings of SSH.  They reduced the overall security by creating a guessing game where an attacker has a one in 262,144 chance of success versus a brute force attempt at 1 in 4.2 billion  (2^18 vs 2^32).  You’ll only recover a very small amount of information using this method (14 or 32 bits), but it is enough to be useful.  The researchers’ vulnerability was first announced in November 2008, when the UK Centre for the Protection of National Infrastructure (CNPI) simply could not ignore the problem and, working with the ISG, issued a CPNI advisory.  Full details of the flaw were not announced until this month, when the researchers presented at an IEEE Symposium in California.

Vulnerability mitigation strategies

Even though the attack will work “with probability 1″ in some circumstances, it’s somewhat difficult to pull-off in general, and is about as stealthy as a freight train.  OpenSSH v 5.2 and above should not be susceptible to this particular exploit.  According to the CPNI advisory, the SSH flaw may be mitigated in current SSH versions by using CTR mode instead of the default CBC mode.  

Takeaway

This same technology reliance problem shows up repeatedly.  Use new equipment and products to increase efficiency, but do not over-rely on automation and technology.  Someone somewhere will notice of something unexpected, even with proven secure products.  Audit system results and write policies to take into account that the technology eventually will fail, not just from hackers or even questionable coding decisions – hurricanes, fires and employee clumsiness can all accomplish the same thing.  If your systems fail, any private information exposed will cost money – in breach notifications, time resetting the systems and general reputation.   The ISG researchers summed up the situation succintly in their paper: 

Unfortunately, it seems that real world cryptographic implementations are more complex than the current security models for SSH handle.

CIPP Candidate Preparation

In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with topics related to this post including:

• Managing Risk and compliance (Foundations:I.G.b) including: Privacy Policy Development, Risk Management, Compliance
• Information Security (Foundations: II.C) including: Encryption (data-in-motion) and Threats & Vulnerabilities