Equifax CEO Richard Smith steps down in aftermath of massive breach

Equifax Chairman and CEO Richard Smith stepped down Tuesday in the wake of a massive cybersecurity breach that exposed the birth dates, social security numbers, and other personal information of 143 million Equifax customers, The New York Times reports.

Paulino do Rego Barros Jr. will vacate his post as the company’s president of the Asia-Pacific region to assume the CEO duties in an interim capacity, the Times says. Equifax will consider candidates from both inside and outside the company as permanent replacements.

According to the Times, Mark Feidler will become chairman of the board.

“Speaking for everyone on the board, I sincerely apologize [for failing to protect the seized data],” Feidler said in a statement, per the Times. Feidler said, per the Times, that the board has formed a special committee to handle the breach.

Lawmakers, as well as the general public, have taken issue with Equifax’s failure to secure the data, and some have cast aspersions upon the company’s handling of the fallout that followed the breach.

Equifax set up a special-purpose website to provide information about the attack, and to help customers contain the damage. Among the website’s primary offerings was a tool by which a customer could enter his information and find out whether the breach had affected him. But the tool ran into a number of problems. Moreover, the company struggled to field the myriad calls that flooded its customer support lines.

The Times reports that three Equifax executives sold a combined $1.8 million worth of stock in the company in the days after the breach had been discovered but before it had been disclosed. Equifax said, per the Times, that the executives mentioned were unaware of the breach when they offloaded the shares.

Smith is the third prominent Equifax executive to vacate his post in response to the breach. The company’s chief information officer and chief security officer both stepped down September 14.

“Mr. Smith has been very cooperative and supportive of this approach,” Equifax spokesman Wyatt Jefferies said per the Times.

Smith had served as CEO since 2005. In his 12 years with the company, he more than doubled its annual revenue, the Times notes. He was renowned amongst Wall Street experts for his ability to develop innovative products, and for his sales acumen.

As of now, Equifax has not terminated Mr. Smith, but the terms reached prior to his departure allow the board to retroactively fire him for cause, the Times says. The company will provide neither severance nor accelerated vesting of stock options to Smith, and he will not receive a bonus for 2017 (Equifax awarded him $3-million bonuses in 2015 and 2016).

Smith will retain $18.4 million in pension benefits.

Smith is scheduled to appear at congressional meetings regarding the breach in the coming weeks: one held by the House Energy and Commerce Committee on October 3, the other by the Senate Banking, Housing and Urban Affairs Committee the following day.

Senator Brian Schatz of Hawaii, a leading member of the latter committee, issued a statement ordering Smith to appear for the appointment and admonishing the former executive for shirking his responsibility for the breach.

“A CEO walking out the door just days before he is to appear before Congress is an abdication of his responsibility,” Schatz said, according to the Times.

But, Jefferies, the Equifax spokesman, has indicated that Smith intends to comply with Congress’ demands. “If Congress asks him, he will go,” said Jefferies of Smith.

Schatz is one of the several senators who have, in the wake of the Equifax incident, advocated legislation that would give consumers more latitude to protect their credit information.

The FBI is currently leading a criminal investigation into the breach, the Times says, and attorneys general in 30 states have launched their own probes into the matter. On September 19, the Massachusetts Attorney General sued Equifax seeking civil damages and more compensation.

Featured image via Vimeo

Cryptocurrency mining program Coinhive sparks controversy

Coinhive, a Javascript application that uses website visitors’ computing power to mine cryptocurrency, launched on September 14. Since, the program has generated controversy, as website owners and hackers alike insert it into a number of high-profile websites.

Coinhive markets itself as a legitimate way for websites to make money, but does not endorse the use of the script without user consent.

On September 16, The Pirate Bay, a popular torrent-downloading website, began using the program to mine Monero, a cryptocurrency similar to Bitcoin. Visitors to the site noticed spikes in their CPU usage and complained.

Later that day, The Pirate Bay issued a statement explaining that it was testing the program as an alternative to advertisements on the site.

“This is only a test. We really want to get rid of all the ads. But we also need enough money to keep the site running,” reads the statement.

Though all content on The Pirate Bay is free, the site needs to generate revenue to cover operating costs. Many of the ads that run on Pirate Bay are unseemly and/or contain malware.

The Pirate Bay’s statement says Coinhive “can be blocked by a normal ad-blocker”—AdBlock Plus and AdGuard now combat Coinhive, BleepingComputer notes. A typo in the embedded code originally caused the program to use more of visitors’ processing power than intended.

The Pirate Bay invited users to comment as to whether they would prefer advertisements or mining programs like Coinhive.

The majority of users who responded accepted mining as a viable way for the site to generate revenue, but many took issue with the site’s failure to inform users of the change.

“I think this is an interesting idea,” one user responded. “Keeping users informed is essential though. Giving registered users possibility of choosing between ads and mining might be also viable (though most of them probably block ads). Having more options how to contribute is a great idea! I will gladly contribute by providing part of my CPU when visiting TPB (as opposed to ads, I don’t like these especially due to privacy concerns).”

Other respondents acknowledged that those who downloaded free content had to pay in some way or another.

The Pirate Bay has removed the mining program from its site and has yet to say whether it plans to employ Coinhive in the future.

BleepingComputer reported Monday that it had detected the program in websites run by Showtime, a media company owned by CBS. Showtime’s main site, showtime.com, as well as its streaming domain, showtimeanytime.com, contained the Coinhive script.

It is not known whether a hacker implemented the script on the Showtime sites, or whether the company itself was testing the program. But BleepingComputer notes that the script had been set to “remain dormant” for 97 percent of the time. A hacker, that publication points out, would likely set the script to run far more often, so as to co-opt much processing power as possible before his scam was discovered.

Showtime declined to comment on the matter. The script disappeared from the sites early Monday afternoon.

Using victims’ CPU processing power to mine for cryptocurrency has long been a common practice amongst malware designers, but prior to the inception of programs like Coinhive, hackers had to download an application onto a victim’s hard drive in order to use his computer. Now, hackers can seize the processing power of any user running a Javascript-enabled browser (most browsers enable Javascript by default).

Malware developers have already embraced Coinhive. One embedded it in a Google Chrome extension, so that it ran in the background of the browser. Others have breached WordPress and Magneto sites and inserted the code there.

Some have registered commonly mistyped URLs, such as “twitter.com.com,” as domains, and run Coinhive on those sites. The program only runs until the user realizes he has input the wrong URL and leaves the page, but with enough traffic and enough domains, the engineers of the scam could generate a considerable profit.

EITest, one of the world’s most prominent malware operations, has also employed Coinhive for nefarious purposes.

Coinhive is not the first program of its kind. In 2013, Vice reports, MIT researchers developed a similar script called TidBit. But a court order shut the project down, ruling that using a person’s CPU processing power without his consent was unlawful.

Featured image via Wikimedia Commons

Equifax could have prevented breach with a simple patch, experts say

Last Thursday, credit-monitoring firm Equifax announced that hackers had breached its computer systems and compromised the data of as many as 143 million Americans. Thursday, the company confirmed that the perpetrators of the attack did, as rumored, exploit a weakness in Apache STRUTS.

Equifax identified the exploited vulnerability as Apache Struts CVE-2017-5638.

In March, industry experts pinpointed the CVE-2017-5368 vulnerability. That same month, Apache released a patch to correct it, the New York Times notes. Apache also published instructions describing how to implement the patch.

Three days after the Apache STRUTS weakness was discovered, reports surfaced indicating that hackers had begun taking advantage of it. At that point, it was clear that the Apache vulnerability presented a considerable security threat.

Therefore, many are scratching their heads as to why Equifax neglected to install the patch before hackers accessed the company’s systems in mid-May. Ars Technica notes that implementing the update would have been labor-intensive because after downloading the patch, one would need to rebuild all applications built with older, vulnerable versions of the software.

Still, Bas van Schaik, a product manager and researcher at Semmle, an analytics security firm, points out, it is Equifax’s responsibility to take the measures necessary to protect its customers’ data.

“This vulnerability was disclosed back in March. There were clear and simple instructions of how to remedy the situation. The responsibility is then on companies to have procedures in place to follow such advice promptly,” says per WIRED. “The fact that Equifax was subsequently attacked in May means that Equifax did not follow that advice. Had they done so this breach would not have occurred.”

But, Avivah Litan, a security analyst with the research firm Gartner, told the Times a high-profile company like Equifax needs a multi-faceted security system so that if one aspect fails, others provide reinforcement.

“You have to have layered security controls,” she said. “You have to assume that your prevention methods are going to fail.”

Apache STRUTS is an open-source web development framework used to create Java applications that run Web servers, Ars Technica explains. The software is free, and about 65 percent of Fortune 100 companies, including Lockheed Martin, Citigroup, Vodafone, Virgin Atlantic, Reader’s Digest, Office Depot, and Showtime, use it, per the New York Post. Banks and government agencies—including the IRS—also use the software.

Generally speaking, though, open-source software is particularly vulnerable to hacks.

Developers use Apache STRUTS to develop applications for front-end as well as back-end servers. Front-end servers contain code that translates the website’s content into something the user can see, while back-end ones contain the building blocks of a website and are only accessible to site administrators.

Equifax has not said whether the hackers exploited the company’s back-end or its front-end servers. Accessing the back-end would have required access to the company’s private network, the Times notes.

Several hacking experts have already noted the sophistication of the attack—the sheer amount of data stolen is sufficient to indicate the intricacy of the operation.

Investigators have yet to identify the perpetrators of the attack. A group calling itself the PastHole Hacking Team has claimed responsibility and threatened to release the seized data Friday unless a 600-bitcoin ($2.5-million) ransom is paid.

Several people have concluded that PastHole’s claiming responsibility was a hoax. The leading theory among investigators, the Times says, holds that a nation-state, or a group of hackers sponsored by a nation-state, carried out the attack. A government holding animosity toward the U.S. could cull the stolen data in search of information that could be used for espionage or blackmail.

Investigators note that the amount of data stolen casts further doubt on the notion that a small, financially motivated group of hackers perpetrated the attack.

Such a group would likely sell the information on the Dark Web. While there is a market amongst cyber-criminals for sensitive data, particularly permanent information, like birth dates and social security numbers one can use to access a victim’s bank account, medical records, etc., the market likely would not support such a massive amount of data.

“Are cybercriminals going to try and sell circa 150 million records in dark web auctions? That’s nearly half the population of the United States,” said Thomas Boyden, president of GRA Quantum, a company that specialized in cyberattack incident response, per the Times. “Are there standard cybercriminals out there with the purchasing power for that type of data?”

Equifax said in a statement Wednesday: “We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.”

Featured image via Pexels

Equifax stares down almost two dozen class actions after cyberattack

Credit reporting and monitoring company Equifax is facing at least 23 proposed class action lawsuits in the wake of its announcement Thursday that a cyber attack compromised the personal information of up to 143 million Equifax customers, USA Today reports.

Various law firms have filed suits in 14 different states as well as D.C., according to USA Today. More suits will likely come. Victimized customers may receive a pretrial settlement from Equifax, and/or may be entitled to some portion of any financially pejorative judgment levied against the firm.

“Equifax probably injured 143 million people, which is kind of a record…with 143 million people it doesn’t surprise me there are already 23 suits,” said John Coffee, who directs the Center on Corporate Governance at Columbia Law School.

USA Today notes that the number of people the breach potentially victimized represents 44 percent of the U.S. population.

“Assume that if you’re an American with a credit card or a mortgage, your data has been leaked,” Zach Whittaker, security editor for CBS’s ZDNet, tweeted.

Hackers carried out the attack from mid-May through July, seizing customers’ names, social security numbers, birth dates, addresses and, in some cases, driver’s license numbers. Equifax says it became aware of the breach in late July. The company alerted the public of the incident on September 7. In the interim, Equifax hired third-party consultants to investigate the crime and provide suggestions as to how the company might bolster its cyber-defenses.

Many of the lawsuits take issue with the lag time between Equifax’s discovery of the attack and the firm’s notification of the public. USA Today says one suit calls the delayed disclosure “willful, or at least negligent.” Another argues that the delay “deprived [consumers] of their opportunity to meaningfully consider and address issues related to the potential fraud, as well as to avail themselves of the remedies available under the FCRA (U.S. Fair Credit Reporting Act) to prevent further dissemination of their private information.”

The company would presumably argue that it was justified in assessing the nature and extent of the attack before alarming the public.

A third suit notes that Equifax fell victim to similar attacks earlier this year, as well as in 2013 and 2016. Therefore, said suit argues, Equifax “knew and should have known of the inadequacy of its own data security.”

Other filings take aim at TrustedID, an Equifax service that provides identity theft protection and credit monitoring. One document says the company “failed to disclose to consumers that it owned TrustedID,” and baited customers into signing up for the service.

To help customers identify whether their information was compromised by the attack, Equifax is offering free TrustedID service to all U.S. customers

New York Attorney General Eric Schneiderman, who is investigating the Equifax case, took issue with a clause in the agreement Equifax requires TrustedID members sign. The clause in question says that in signing up for TrustedID, a user waives his/her “right to bring or participate in any class action…or to share in any class action awards.”

“This language is unacceptable and unenforceable,” Schneiderman tweeted Friday. “My staff has already contacted @Equifax to demand that they remove it.”

Equifax subsequently explained that the waiver does not prohibit TouchID members from participating in class actions regarding the cyber security incident.

In addition to Schneiderman, other government entities are pursuing the Equifax case. USA Today obtained a copy of a letter Senators Omin Hatch and Ron Wyden, both of whom hold key positions on the Senate Committee on Finance, sent to Equifax requesting details about the attack and the manner in which the company is handling it.

The letter requests a timeline of the breach and asks how Equifax is identifying affected customers and what measures the company is taking to limit consumer harm. The document also asks Equifax to clarify the amount of information that was compromised.

Legal arguments must take place before the proposed suits achieve class action status. If the court grants class action status, USA Today says, a “federal panel on multi district litigation” will likely consolidate the suits into a single case, then assign that case to a judge, who would, in turn, appoint one law firm or a group of law firms as plaintiff counsel.

At the market’s close Tuesday, Equifax stock has dipped 18.7 percent since the original announcement. 4.7 percent of the drop has come since Monday morning when news of the proposed class actions broke.

Featured image via Pixabay

Malicious code can now jump from DNA to computers

We now live in a time in which you can use DNA to hack computer systems.

The discovery was made by a group of researchers at the University of Washington made up of both computer science and molecular biology specialists. They focus on how information is encoded not only in computer systems, but also in biological systems, and particularly in the overlap between the two.

The team of researchers originally launched the project because they noticed possible security vulnerabilities in the computer systems used at their university for DNA sequencing and analysis. The lab treated DNA samples were treated as non-threatening input, but the researchers could imagine a way to sneak code into the computer system via DNA. So they decided to hack the DNA sequencing computer system to prove it.

In this particular case, the group of researchers encoded a malicious program onto a synthetic strand of DNA only 176 bases long — a very small amount. Then a computer read and transcribed the DNA into binary code, which could then be read and executed by a computer. The researchers had already purposefully inserted certain vulnerabilities into the computer’s security system so that the computer wasn’t protected against the malicious code. In this case, the malicious code gave the researchers remote control over the infected computer.

The researchers could have simply chosen to infect the system using malware or remote access tools. Instead, they wanted to infiltrate the system using a virus to prove that it is a real vulnerability which warrants consideration.

The group stresses that they don’t believe there is any cause for alarm, as there is little immediate danger. However, they urge us to begin thinking about such possible threats now, before they become immediate threats.

Security concerns aside, the discovery is interesting in scientific terms. This experiment shows us how fully biological and computer code can overlap, and it invites us to imagine a world of fluid boundaries between life and computer.

You can read the whole paper here.

Featured Image via Pixabay

Cybersecurity Hero Who Stopped WannaCry Ransomware Arrested on Malware-Related Charges

Marcus Hutchins, the cybersecurity researcher who disabled the WannaCry ransomware, was arrested in Las Vegas Wednesday, August 2 following a July 12 indictment on charges of creating, distributing, and profiting from a malware program that could seize credit card numbers and other banking information, Reuters reported Friday via nasdaq.com.

On Friday, Judge Nancy Koppe set Hutchins’ bail at $30,000 dollars. Though she dismissed prosecutors’ claims that the 23-year-old British citizen was a flight risk, she ordered him to surrender his passport. During his bail period, Hutchins will be denied computer use and internet access, and his location will be tracked via GPS.

Koppe’s ruling came just half an hour before the court clerk’s office was to close for the weekend, so Hutchins’ lawyers did not have enough time to prepare the paperwork necessary for his release. Hutchins remained in custody over the weekend, but his lawyer, Adrian Lobo, expects him to be released Monday.

According to Lobo (per Reuters), a “variety of sources” around the world are offering support to Hutchins, who she says was blindsided by the accusations. Reuters says many of Hutchins’ fellow cybersecurity researchers have “rallied to his defense,” saying they “[do] not believe he [has] ever engaged in cyber crime.”

Hutchins is credited with having discovered and implemented a “kill switch” that thwarted the WannaCry ransomware attack, which infected computer systems at a number of prominent businesses throughout the world in May. In less than a day, the malware infected 250,000 computers in more than 150 countries, according to a report by CNBC. Its victims included the National Health Services of England and Scotland, FedEx, Honda, the Chinese public security bureau, and a number of universities around the world.

“He’s dedicated his life to researching malware and not trying to harm people,” Lobo said of Hutchins, per The Telegraph. “Using the internet for good is what he’s done.”

The July 12 indictment, linked to in a report by Iain Thompson of Britain’s The Register, remained classified until Hutchins arrest at Vegas’ McCarran International Airport but was released to the public after Hutchins was in custody. Filed in the Eastern District Court of Wisconsin, it alleges six counts relating to the creation and distribution of the Kronos malware. 

Upon obtaining bail, Lobo told Reuters, Hutchins will fly to Wisconsin to deal with court proceedings relating to the indictment.

The indictment accuses a co-defendant, whose name has been redacted, along with Hutchins. Lobo denied knowledge of the co-defendant’s identity, Reuters says.

According to Thompson, the indictment alleges that the co-defendant posted an instructional video describing how to use the malware and has sold or offered to sell the program for prices ranging from $2,000 to $3,000. The document further charges that Hutchins himself willfully sold the malware code in the US on June 11, 2015.

Thompson cites a July 2015 report by The Register that indicates Kronos was fetching prices as high as $7,000 dollars, making it one of the more expensive malware products available.

The high price reflects the sophistication of Kronos: the virus could bypass antivirus software and encrypt the commands inputted by its users. Moreover, potential buyers were offered a trial period prior to purchase.

The malware, which was active between July 2014 and July 2015, according to Reuters, specifically targeted Windows machines, infiltrating Internet Explorer, Firefox, and Google Chrome to steal victims’ banking information.

Lobo, per Reuters, says Hutchins is “doing well, considering what’s gone on.” He will plead not guilty to all charges. Prosecutors say he has admitted to crafting and selling Kronos, and claim to have records of chat logs between him and the co-defendant in which Hutchins discusses a transaction concerning the malware, according to The Telegraph.

However, The Register’s Thompson points out that “grand juries are indictment-issuing machines,” and that “there appears to be nothing concrete [to link] Hutchins to the Russian-language forum posts that advertised Kronos back in 2014.”

On July 13, 2014, the same day that the aforementioned Kronos help video was posted, Hutchins requested a sample of Kronos via Twitter, perhaps so that he could work to combat the malware. One may wonder why Hutchins would ask for a sample of a program he himself developed.

Hutchins was relatively unknown prior to his widely publicized thwarting of WannaCry in May. That story rocketed him to global heroism. If he is convicted in connection with the Kronos charges, he could plummet to global notoriety.

Featured image via Pexels

Trump Hotels Customers’ Sensitive Information Breached

Trump Hotels announced Tuesday that data had been breached at 14 of its locations, including those in Las Vegas and Chicago, CNBC reports. Customers’ payment card numbers and security codes were seized by hackers who entered the systems of Sabre, a third party that manages reservations for Trump Hotels.

Lee Matthews of Forbes says hackers accessed Sabre’s SynXis Central Reservations system, which contains data pertaining to just 35,000 of Sabre’s 100,000 plus clients. A Sabre spokesperson told Matthews that “less than 15 percent of the average daily bookings on the Sabre Hospitality Solutions reservation system[…]were viewed””

Sabre learned of the attack in June, and disclosed it to Trump Hotels, whose systems the perpetrators accessed from August 10, 2016 to March 9, 2017, on June 5.

In Tuesday’s statement, Trump Hotels “recommends that affected individuals remain vigilant for incidents of fraud and identity theft by regularly reviewing account statements and monitoring free credit reports for any unauthorized activity.” If customers do detect unusual activity, the statement advises them to contact their financial institutions, law enforcement agencies, or the Federal Trade Commission.

Cybersecurity at Trump Hotels has been compromised at least three times in just over two years. According to a report by Jose Pagliery of CNN, Trump Hotels management acknowledged in September 2015 that computer systems at the hotel were infiltrated by a virus, which evidently monitored keystrokes and seized payment information, including credit card numbers, expiration dates, security codes, and cardholders’ names, as employees typed it into the computer. Trump Hotels was unsure whether that virus was able to access data stored on the computers, or merely intercept it as it was inputted.

The sensitive information of anyone who stayed at a Trump Hotels location between May 19, 2014 and June 2, 2015 may have been vulnerable, the company said, although “an independent forensic investigation has not conclusively determined [as of September 2015] that any particular customer’s payment card information was taken.”

A legal investigation spearheaded by New York Attorney General Eric Schneiderman found that Trump Hotels was aware of the 2015 breach as early as June of that year, when, Schneiderman’s report says, “a preliminary forensic investigation confirmed the existence of credit card targeting malware at multiple THC locations, including in the computer networks associated with New York, Las Vegas and Chicago hotels.” But the company failed to notify the public until September.

On April 4, 2016, the hotel chain said its computer systems had been compromised again, Pagliery reported on April 5 of that yearPagliery quoted Eric Trump as saying that Trump Hotels, “like virtually every other company these days, [is] routinely targeted by cyber terrorists whose only focus is to inflict harm on great American businesses.”

But apparently, Trump Hotels had taken no steps to reduce the size of the target on its own back: the company “never implemented the cybersecurity plan they were given to prevent a second attack,” The Huffington Post’s Christina Wilkie reported in September 2016.

Following Schneiderman’s investigation, Trump Hotels was ordered to pay $50,000 in a legal settlement due to the hotel chain’s failure to promptly notify the public of the 2015 hack and to shore up its cybersecurity in that attack’s aftermath

This most recent incident, of course, is not a direct breach of Trump Hotels security, but a result of vulnerabilities in the computer systems of a contractor with which Trump Hotels works closely. Still, Trump Hotels will no doubt be held responsible by customers whose information was stolen.

The hotel chain has indicated no intention of cutting ties with Sabre, but wary potential customers would presumably feel more confident about staying in Trump hotels if the company took some action to bolster its cybersecurity.

Sony Music Executives Could be Preparing to get Hacked

While Sony Pictures was the main target of the hacking that occurred back in December, Sony Music Executives are stressing because they feel that their emails may be the next target.

While the music executives who have signed artists like, Beyoncé, David Bowie, Barbra Streisand, Adele and Bruce Springsteen, are worried about their emails detailing artists, contracts, live performance riders, and other confidential information, including a “secret project,” which may reveal the selling of divisions in Sony Music, could be released to the public.

Sony/ATV. Lynton and Sony/ATV head Martin Bandier have both denied Sony Music is for sale, but Page Six has allegedly reported that Lynton has called numerous department heads. It is unclear what they have to hide, but, “Lynton called a number of department heads within Sony, including Marty and [Sony Music CEO] Doug Morris to give a blanket apology in advance for whatever else comes out,” a source told Page Six.

The artist’s personal emails may also be attacked because of communication between the two parties.

Sony has denied the reports made by Page Six to Business Insider, and have so far given no comment about the issue.

It is unaware if the “Guardians of Peace,” the group who was behind the hacking in December will actually follow through with the hacking of Sony Music, but it appears that there is strong rumor to believe that some information out their points to signs that it may be coming. This could potentially lead to a string of events that could undo a lot of privacy that business and corporations like Sony has set up. If they know that people can access their email and files, then there may not be much more that they can do to protect that information.

 

 

Obama’s New Hacking Legislation Could Make Anyone a Criminal

ab785554dedbd626982530e1bc1ce1abe9f34d31

Photo by: White House

In Obama’s State of the Union Address he outlined several new legislations he intends to set in motion. One of those new policies is set to change federal hacking laws, which could potentially put a lot of computer-security researchers out of their jobs.

The new policy could potentially make computers less safe, and even make the average citizen a criminal, who could end up in jail. Nate Cardozo, an attorney with the Electronic Frontier Foundation, told researchers and IT pros at ShmooCon 2015, a security conference held annually in Washington, D.C, that, “Under the new proposal, sharing your HBO GO password with a friend would be a felony.”

The Computer Fraud and Abuse Act, originally enacted in 1984, could make security-research practices and media reporting on those practices a federal crime. Even if you are not practicing these hacking techniques, if you are even assisting those who are you could face charges.

Robert Graham, CEO of Errata Security in Atlanta, wrote on an online blog that, “Even if you don’t do any of this, you can still be guilty if you hang around with people who do. Hanging out in an IRC chat room giving advice to people now makes you a member of a ‘criminal enterprise,’ allowing the FBI to sweep in and confiscate all your assets without charging you with a crime.”

Even “intercepting devices” in the same category as terrorist weapons training and chemical weapons. These types of devices are being considered as “spying devices,” and anything from a laptop to a cell phone could be considered as a terroristic weapon.

Even in somebody clicks on a link they should not have they could potentially be traced and be accused on acting as a hacker. Our lives are essentially all online these days, with that being said many people are unaware of what constitutes as hacking, and the potential risks all those different sites out there could bring them.

Many have always been skeptical about hacking and their freedom online, but Joseph Lorenzo Hall, chief technologist at the Center for Democracy & Technology states, “Believe what you’ve heard,” meaning Obama is serious about this upcoming legislation.