Entrepreneur, Law & Policy Analyst helping clients w/ strategic planning, communications interoperability, Software Developer, Scotch Enthusiast.

Further Down the Trello Rabbit Hole


Last month’s story about organizations exposing passwords and other sensitive data via collaborative online spaces at Trello.com only scratched the surface of the problem. A deeper dive suggests a large number of government agencies, marketing firms, healthcare organizations and IT support companies are publishing credentials via public Trello boards that quickly get indexed by the major search engines.

By default, Trello boards for both enterprise and personal use are set to either private (requires a password to view the content) or team-visible only (approved members of the collaboration team can view).

But individual users may be able to manually share personal boards that include personal or proprietary employer data, and that information then gets cataloged by Internet search engines and becomes available to anyone with a Web browser.

David Shear is an analyst at Flashpoint, a New York City-based threat intelligence company. Shear spent several weeks last month exploring the depths of sensitive data exposed on Trello. Amid his digging, Shear documented hundreds of public Trello boards that were exposing passwords and other sensitive information. KrebsOnSecurity worked with Shear to document and report these boards to Trello.

Shear said he’s amazed at the number of companies selling IT support services that are using Trello not only to store their own passwords, but even credentials to manage customer assets online.

“There’s a bunch of different IT shops using it to troubleshoot client requests, and to do updates to infrastructure,” Shear said. “We also found a Web development team that’s done a lot of work for various dental offices. You could see who all their clients were and see credentials for clients to log into their own sites. These are IT companies doing this. And they tracked it all via [public] Trello pages.”

One particularly jarring misstep came from someone working for Seceon, a Westford, Mass. cybersecurity firm that touts the ability to detect and stop data breaches in real time. But until a few weeks ago the Trello page for Seceon featured multiple usernames and passwords, including credentials to log in to the company’s WordPress blog and iPage domain hosting.

Credentials shared on Trello by an employee of Seceon, a cybersecurity firm.

Shear also found that a senior software engineer working for Red Hat Linux in October 2017 posted administrative credentials to two different servers apparently used to test new builds.

Credentials posted by a senior software engineer at Red Hat.

The Maricopa County Department of Public Health (MCDPH) in California used public Trello boards to document a host of internal resources that are typically found behind corporate intranets, such as this board that aggregated information for new hires (including information about how to navigate the MCDPH’s payroll system):

The (now defunct) Trello page for the Maricopa County Department of Public Health.

Even federal health regulators have made privacy missteps with Trello. Shear’s sleuthing uncovered a public Trello page maintained by HealthIT.gov — the official Web site of the National Coordinator for Health Information Technology, a component of the U.S. Department of Health and Human Services (HHS) — that was leaking credentials.

There appear to be a great many marketers and realtors who are using public Trello boards as their personal password notepads. One of my favorites is a Trello page maintained by a “virtual assistant” who specializes in helping realtors find new clients and sales leads. Apparently, this person re-used her Trello account password somewhere else (and/or perhaps re-used it from a list of passwords available on her Trello page), and as a result someone added a “You hacked” card to the assistant’s Trello board, urging her to change the password.

One realtor from Austin, Texas who posted numerous passwords to her public Trello board apparently had her Twitter profile hijacked and defaced with a photo featuring a giant Nazi flag and assorted Nazi memorabilia. It’s not clear how the hijacker obtained her password, but it appears to have been on Trello for some time.

Other entities that inadvertently shared passwords for private resources via public Trello boards included a Chinese aviation authority; the International AIDS Society; and the global technology consulting and research firm Analysys Mason, which also exposed its Twitter account credentials on Trello until very recently.

Trello responded to this report by making private many of the boards referenced above; other reported boards appear to remain public, minus the sensitive information. Trello said it was working with Google and other search engine providers to have any cached copies of the exposed boards removed.

“We have put many safeguards in place to make sure that public boards are being created intentionally and have clear language around each privacy setting, as well as persistent visibility settings at the top of each board,” a Trello spokesperson told KrebsOnSecurity in response to this research. “With regard to the search-engine indexing, we are currently sending the correct HTTP response code to Google after a board is made private. This is an automated, immediate action that happens upon users making the change. But we are trying to see if we can speed up the time it takes Google to realize that some of the URLs are no longer available.”

If a Trello board is Team Visible it means any members of that team can view, join, and edit cards. If a board is Private, only members of that specific board can see it. If a board is Public, anyone with the link to the board can see it.

Flashpoint’s Shear said Trello should be making a more concerted effort to proactively find sensitive data exposed by its users. For example, Shear said Trello’s platform could perform some type of automated analysis that looks for specific keywords (like “password”) and, if the page is public, display a reminder to the board’s author about how to make the page private.

“They could easily do input validation on things like passwords if they’re not going to proactively search their own network for this stuff,” Shear said.
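The keyword check Shear describes, written out as an added example (not Trello's code and not from the original article): a scan over a board's exported JSON that flags cards with credential-like content only when the board is public, and builds the reminder text for the author. The export shape (prefs.permissionLevel, cards with name and desc) and the sample board are assumptions constructed for this example.

```python
import re

# Patterns that suggest a credential was pasted into a card. The plain keyword
# match is what Shear proposed; the other three catch the ways a secret is
# usually written down (key: value, a URL with user:pass@, a PEM private key).
# Expect some false positives ("rotate the CSRF token"): this is a reminder to
# the board owner, not a block.
CREDENTIAL_PATTERNS = [
    ("keyword", re.compile(r"\b(password|passwd|pwd|api[ _-]?key|secret|token)\b", re.I)),
    ("assignment", re.compile(r"\b(pass(word)?|pwd|secret|token|api[ _-]?key)\s*[:=]\s*\S+", re.I)),
    ("url_userinfo", re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s/:@]+:[^\s/@]+@", re.I)),
    ("private_key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]


def board_is_public(board):
    # Assumption: a board export carries prefs.permissionLevel with the value
    # "public" for boards that anyone with the link can read.
    return board.get("prefs", {}).get("permissionLevel") == "public"


def find_credential_hits(text):
    """Names of the patterns that match anywhere in the text, in list order."""
    return [name for name, rx in CREDENTIAL_PATTERNS if rx.search(text)]


def scan_board(board):
    """Flag cards that look like they hold credentials, but only on a public board.

    Private and team-visible boards are left alone: the problem the article
    describes is the combination of secrets and public visibility.
    """
    if not board_is_public(board):
        return []
    findings = []
    for card in board.get("cards", []):
        # Card title and description are the two free-text fields a user types into.
        text = "\n".join(t for t in (card.get("name"), card.get("desc")) if t)
        hits = find_credential_hits(text)
        if hits:
            findings.append({"card": card.get("id"), "name": card.get("name"), "hits": hits})
    return findings


def reminder_for(board, findings):
    """The nudge Shear suggested: tell the author the public board looks like it holds secrets."""
    if not findings:
        return ""
    names = "; ".join(f["name"] for f in findings)
    return (f"Board '{board.get('name')}' is public and {len(findings)} card(s) look like "
            f"they contain credentials ({names}). Consider making the board private "
            "and rotating any secrets that were posted here.")


# Constructed sample board in the assumed export shape; not a real board.
SAMPLE_BOARD = {
    "name": "Client onboarding (constructed sample)",
    "prefs": {"permissionLevel": "public"},
    "cards": [
        {"id": "c1", "name": "Renew SSL cert for client site", "desc": "Due Friday."},
        {"id": "c2", "name": "WordPress admin", "desc": "user: admin\npassword: Example-Pass-123"},
        {"id": "c3", "name": "DB connection", "desc": "mysql://app:s3cret@db.example.test/prod"},
    ],
}

if __name__ == "__main__":
    found = scan_board(SAMPLE_BOARD)
    for f in found:
        print(f"card {f['card']} ({f['name']}): {', '.join(f['hits'])}")
    print(reminder_for(SAMPLE_BOARD, found))
```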

Trello co-founder Michael Pryor said the company was grateful for the suggestion and would consider it.

“We are looking at other cloud apps of our size and how they balance the vast majority of useful sharing of public info with helping people not make a mistake,” Pryor said. “We’ll continue to explore the topic and potential solutions, and appreciate the work you put into the list you shared with us.”

Shear said he doubts his finds even come close to revealing the true extent of the sensitive data organizations are exposing via misconfigured Trello boards. He added that even in cases where public Trello boards don’t expose passwords or financial data, the information that countless organizations publish to these boards can provide plenty of ammunition for phishers and cybercriminals looking to target specific entities.

“I don’t think we’ve even uncovered the real depth of what’s probably there,” he said. “I’d be surprised if someone isn’t at least trying to collect a bunch of user passwords and configuration files off lots of Trello accounts for bad guy operations.”

kazriko
40 days ago
Ergh. Lastpass or Dashlane are for password sharing. Trello is not.

Morning News

Support your local paper, unless it's just been bought by some sinister hedge fund or something, which it probably has.
Covarr
56 days ago
I work for a small town newspaper. I never cease to be amazed at how interested the locals here are in utility district meetings and groundwater rights.
infogulch
57 days ago
Independent news agencies are a rare gem these days.
jepler
56 days ago
ouch

Fixing financial aid

A simpler student aid application would help more kids realize their dream of going to college.

Tech Fix: Getting a Flood of Privacy Policy Updates? Read Them.

To comply with Europe’s General Data Protection Regulation, which goes into effect on May 25, internet companies have been updating their data policies. Here’s how you can benefit.


[Orin Kerr] Eleventh Circuit Creates Circuit Split on Cell Phone Border Searches


The Eleventh Circuit has handed down an important new ruling on cell phone searches at the border, United States v. Touset. In an opinion by Judge William Pryor, the court disagrees with the Fourth Circuit and Ninth Circuit caselaw requiring suspicion to conduct a forensic search at the border.

The basic issue in these cases is this: When the government seizes a computer or cell phone at the border, and they want to search it using forensic equipment, do they need some sort of suspicion that evidence or contraband is on the device? Or does the traditional border search exception (which ordinarily permits searches of property crossing the border without suspicion) apply? Regular readers of this blog have heard a lot about this question over the years. Just two weeks ago, I wrote a long post on the Fourth Circuit's May 9th ruling in United States v. Kolsuz, by Judge Pamela Harris, which required some kind of suspicion to conduct such a search. And I've blogged extensively about the Ninth Circuit's en banc ruling from 2013 in United States v. Cotterman, authored by Judge Margaret McKeown, which required reasonable suspicion for forensic searches at the border. The new Eleventh Circuit decision disagrees with Kolsuz and Cotterman, arguing that no suspicion should be required for a forensic border search.

Here's the heart of Judge Pryor's reasoning:

The Supreme Court has never required reasonable suspicion for a search of property at the border, however non-routine and intrusive, and neither have we. Although in one decision the Supreme Court required reasonable suspicion for the prolonged detention of a person until she excreted the contraband that she was suspected of "smuggling . . . in her alimentary canal" or submitted to an x-ray or rectal examination, Montoya de Hernandez, 473 U.S. at 541; see also id. at 534–35, it has never applied this requirement to property. Nor has it "been willing to distinguish . . . between different types of property." Cotterman, 709 F.3d at 975 (Callahan, J., concurring in part, dissenting in part, and concurring in the judgment). Indeed, it held in United States v. Flores-Montano that the government may "remove, disassemble, and reassemble a vehicle's fuel tank" at the border without any suspicion. 541 U.S. 149, 155 (2004). It explained that "the reasons that might support a requirement of some level of suspicion in the case of highly intrusive searches of the person—dignity and privacy interests of the person being searched—simply do not carry over to vehicles." Id. at 152. And it rejected a judicial attempt to distinguish between "routine" and "nonroutine" searches and to craft "[c]omplex balancing tests to determine what [constitutes] a 'routine' search of a vehicle, as opposed to a more 'intrusive' search of a person." Id. We have been similarly unwilling to distinguish between different kinds of property. For example, we have upheld "a search without reasonable suspicion of a crew member's living quarters on a foreign cargo vessel that [wa]s entering this country," Alfaro-Moncada, 607 F.3d at 727, even though "[a] cabin is a crew member's home—and a home 'receives the greatest Fourth Amendment protection,'" id. at 729 (quoting United States v. McGough, 412 F.3d 1232, 1236 (11th Cir. 2005)); accord id. at 732.

We see no reason why the Fourth Amendment would require suspicion for a forensic search of an electronic device when it imposes no such requirement for a search of other personal property. Just as the United States is entitled to search a fuel tank for drugs, see Flores-Montano, 541 U.S. at 155, it is entitled to search a flash drive for child pornography. And it does not make sense to say that electronic devices should receive special treatment because so many people now own them or because they can store vast quantities of records or effects. The same could be said for a recreational vehicle filled with personal effects or a tractor-trailer loaded with boxes of documents. Border agents bear the same responsibility for preventing the importation of contraband in a traveler's possession regardless of advances in technology. Indeed, inspection of a traveler's property at the border "is an old practice and is intimately associated with excluding illegal articles from the country." Thirty-Seven Photographs, 402 U.S. at 376 (plurality opinion).

In contrast with searches of property, we have required reasonable suspicion at the border only "for highly intrusive searches of a person's body." Alfaro-Moncada, 607 F.3d at 729. Even though the Supreme Court has declined to decide "what level of suspicion, if any, is required for [such] nonroutine border searches [of a person]," Montoya de Hernandez, 473 U.S. at 541 n.4, we have required reasonable suspicion for "a strip search or an x-ray examination," Alfaro-Moncada, 607 F.3d at 729. We have defined the "intrusiveness" of a search of a person's body that requires reasonable suspicion "in terms of the indignity that will be suffered by the person being searched," in contrast with "whether one search will reveal more than another." United States v. Vega-Barvo, 729 F.2d 1341, 1345 (11th Cir. 1984); accord id. at 1346. And "we have isolated three factors which contribute to the personal indignity endured by the person searched: (1) physical contact between the searcher and the person searched; (2) exposure of intimate body parts; and (3) use of force." Id. at 1346.

These factors are irrelevant to searches of electronic devices. A forensic search of an electronic device is not like a strip search or an x-ray; it does not require border agents to touch a traveler's body, to expose intimate body parts, or to use any physical force against him. Although it may intrude on the privacy of the owner, a forensic search of an electronic device is a search of property. And our precedents do not require suspicion for intrusive searches of any property at the border. See Alfaro-Moncada, 607 F.3d at 728–29, 732.

To be sure, the Fourth and the Ninth Circuits have concluded—in divided decisions—that the Fourth Amendment requires at least reasonable suspicion for forensic searches of electronic devices at the border. United States v. Kolsuz, ___ F.3d ____, No. 16-4687, slip op. at 19 (4th Cir. May 9, 2018); Cotterman, 709 F.3d at 968. In Cotterman, the Ninth Circuit equated a forensic search to "a computer strip search," 709 F.3d at 966, and stated that "[s]uch a thorough and detailed search of the most intimate details of one's life is a substantial intrusion upon personal privacy and dignity," id. at 968. And it reasoned that "[i]ntrusiveness includes both the extent of a search as well as the degree of indignity that may accompany a search." Id. at 967 (quoting United States v. Ramos-Saenz, 36 F.3d 59, 61 n.3 (9th Cir. 1994)). The Fourth Circuit later explained that the intervening decision of the Supreme Court in Riley "confirmed" that reasoning. Kolsuz, slip op. at 21. And it revived the distinction between routine and nonroutine searches of property, see id. at 19–24, that the Supreme Court rejected in Flores-Montano, 541 U.S. at 152.

We are unpersuaded. Although the Supreme Court stressed in Riley that the search of a cell phone risks a significant intrusion on privacy, our decision in Vergara made clear that Riley, which involved the search-incident-to-arrest exception, does not apply to searches at the border. 884 F.3d at 1312 ("[T]he Supreme Court expressly limited its holding to the search-incident-to-arrest exception."). And our precedent considers only the "personal indignity" of a search, not its extensiveness. Vega-Barvo, 729 F.2d at 1346. Again, we fail to see how the personal nature of data stored on electronic devices could trigger this kind of indignity when our precedent establishes that a suspicionless search of a home at the border does not. See Alfaro-Moncada, 607 F.3d at 729, 732. Property and persons are different. See Flores-Montano, 541 U.S. at 152.

We are also unpersuaded that a traveler's privacy interest should be given greater weight than the "paramount interest [of the sovereign] in protecting . . . its territorial integrity." Id. at 153. The Ninth and Fourth Circuits stressed the former interest and asserted that travelers have no practical options to protect their privacy when traveling abroad. For example, the Ninth Circuit explained that it is "impractical, if not impossible, for individuals to make meaningful decisions regarding what digital content to expose to the scrutiny that accompanies international travel" and that "removing files unnecessary to an impending trip" is "a time-consuming task that may not even effectively erase the files." Cotterman, 709 F.3d at 965. The Fourth Circuit added that "it is neither 'realistic nor reasonable to expect the average traveler to leave his digital devices at home when traveling.'" Kolsuz, slip op. at 21 (quoting United States v. Saboonchi, 990 F. Supp. 2d 536, 556 (D. Md. 2014)). But a traveler's "expectation of privacy is less at the border," Flores-Montano, 541 U.S. at 154, and the Fourth Amendment does not guarantee the right to travel without great inconvenience, even within our borders, see Corbett v. Transp. Sec. Admin., 767 F.3d 1171, 1179 (11th Cir. 2014) (holding that airport screening "is a reasonable administrative search under the Fourth Amendment"); see also Kolsuz, slip op. at 34 (Wilkinson, J., concurring in the judgment) ("Our new world has brought inconvenience and intrusions on an indiscriminate basis, which none of us welcome, but which most of us undergo in the interest of assuring a larger common good."). Anyone who has recently taken a domestic flight likely experienced inconvenient screening procedures that require passengers to unpack electronic devices, separate and limit liquids, gels, and creams, remove their shoes, and walk through a full-body scanner. See Corbett, 767 F.3d at 1174 (explaining that a traveler must walk through a scanner or undergo a pat-down in airports). Travelers "crossing a border . . . [are] on notice that a search may be made," Alfaro-Moncada, 607 F.3d at 732 (quoting United States v. Hidalgo-Gato, 703 F.2d 1267, 1271 (11th Cir. 1983)), and they are free to leave any property they do not want searched—unlike their bodies—at home.

In contrast with the diminished privacy interests of travelers, "[t]he Government's interest in preventing the entry of unwanted persons and effects is at its zenith at the international border." Flores-Montano, 541 U.S. at 152. As we have explained, child pornography, no less than drugs or other kinds of contraband, is prohibited from "enter[ing] the country," Ramsey, 431 U.S. at 620, and the government interest in stopping contraband at the border does not depend on whether child pornography takes the form of digital files or physical photographs.

Nothing in Riley undermines this interest. In Riley, the Supreme Court explained that the rationales that support the search-incident-to-arrest exception—namely the concerns of "harm to officers and destruction of evidence"—did not "ha[ve] much force with respect to digital content on cell phones," 134 S. Ct. at 2484, because "digital data" does not pose "comparable risks," id. at 2485. But "digital" child pornography poses the same exact "risk" of unlawful entry at the border as its physical counterpart. If anything, the advent of sophisticated technological means for concealing contraband only heightens the need of the government to search property at the border unencumbered by judicial second-guessing.

Indeed, if we were to require reasonable suspicion for searches of electronic devices, we would create special protection for the property most often used to store and disseminate child pornography. With the advent of the internet, child pornography offenses overwhelmingly involve the use of electronic devices for the receipt, storage, and distribution of unlawful images. See U.S. Sent'g Comm'n, Federal Child Pornography Offenses 5, 71 (2012); see also United States v. Williams, 553 U.S. 285, 307 (2008) ("Both the State and Federal Governments have sought to suppress [child pornography] for many years, only to find it proliferating through the new medium of the Internet."). And law enforcement officers routinely investigate child-pornography offenses by forensically searching an individual's electronic devices. See U.S. Sent'g Comm'n, supra, at 67–71. We see no reason why we would permit traditional, invasive searches of all other kinds of property, see Alfaro-Moncada, 607 F.3d at 724–25, 728, 732, but create a special rule that will benefit offenders who now conceal contraband in a new kind of property.

At this point Supreme Court lawyers are shouting, "A circuit split! A circuit split!" And yes, this is a clear split on an important question. With the Supreme Court about to hand down Carpenter, this new split on computer border searches may be the next computer search and seizure issue to go up to the Supremes (although I'm still waiting for the Court to resolve the 2-2 circuit split on applying the private search doctrine to computers).

One caveat is that I'm not sure this is the case to get there. That's true for two reasons.

First, the Eleventh Circuit added an alternative holding. Even if reasonable suspicion is required, the court held, there was reasonable suspicion in this case. That may make cert somewhat harder, as the Supreme Court could reason that the clear split on whether some suspicion is required may make no difference to the outcome of the case if that case-specific alternative holding is correct. With that said, the Supreme Court may not care about that. They granted cert in Carpenter without a split, and I assume everyone realizes that Carpenter will lose on remedies even if he wins on the right in light of the good-faith exception. And the reasonable suspicion finding is often an issue in these cases: Because the government usually won't conduct a forensic search unless they had some kind of suspicion, the cases that make it to court will often be the ones where there was suspicion whether or not it is required. That's what happened in Cotterman, for example. After ruling that reasonable suspicion was required, the en banc Ninth Circuit ruled for the government on the ground that reasonable suspicion existed. Given that Supreme Court litigation on the Fourth Amendment is increasingly about the broader stakes rather than who wins or loses that particular case, the alternative holding may make no difference. And of course the Court could just take the broad issue, too, reviewing whether reasonable suspicion was required and if so whether it existed.

Another reason the Supreme Court might want to stay away for now is the Kolsuz uncertainty. The Eleventh Circuit recently ruled in Vergara that probable cause or a warrant isn't required for computer border searches. That let Touset focus on the narrower question of whether any suspicion is required at all. But the Fourth Circuit in Kolsuz left open whether the standard of suspicion should be reasonable suspicion or probable cause. The Supreme Court may want more circuits that require suspicion to weigh in post-Riley on just how much cause is required before reviewing the broader question of how the Fourth Amendment applies to border searches of computers and cell phones.

As always, stay tuned.


Hiding Information in Plain Text

Subtle changes to letter shapes can embed messages