California Amends Its Data Breach Law

You might think this is obvious, but just in case it is not, California wants to make this clear.  It used to be, in California, that if you had sensitive data encrypted and that data was stolen, you didn’t have to tell people because, after all, it was encrypted.

But there is a rub with that.  In most cases, when an authorized user accesses the data, that user does not have to enter the decryption key, right?  So where is the key?  In some cases, the key is hard coded into the program.  In other cases, the key is in a configuration file and in a relatively small number of cases, the key is stored in a device called a hardware security module or HSM.  But HSMs are expensive and add a degree of complexity, so most companies don’t use one.  Amazon and some other cloud services support HSMs, but you have to pay extra for them.

So what this means is that a lot of the time, when a hacker breaks into a system and the data is encrypted, the decryption key is right there for the hacker to take as well.  That is why sometimes you hear about a breach and they say “even if the data was encrypted it would not have solved the problem”.

So here is what CA AB 2828 says.

  1. If a system is breached and
  2. Encrypted personal information was or was reasonably believed to have been taken and
  3. The encryption key or other decryption credentials were or were believed to have been taken and
  4. There is a reasonable belief that the encryption key or other credentials could make that data readable

Then you are required to make a breach notification.

This law goes into effect January 1, 2017.

Once this law goes into effect, even if the data is encrypted, you will need to be able to show, in case of a breach, that the hacker did not access the decryption keys.  This may require additional logging or auditing and you have to save that audit trail so that you can use it years later in case of a lawsuit.  Your operations team will likely need to make changes in order to do this.
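As an added illustration (not from the post or the law itself), here is one way to keep the kind of key-access audit trail that paragraph calls for: a hash-chained, HMAC-signed log of every time the application requested a decryption key, which can later be checked for tampering or deletion. The class name, the audit key and the sample entries are all constructed.

```python
import hashlib
import hmac
import json
import time

# Constructed example of a key-access audit trail. Each time the
# application obtains a decryption key, one record is appended. Records
# are hash-chained (each carries the previous record's hash) and each
# hash is authenticated with an HMAC key that lives outside the app,
# so edits or deletions are detectable when the log is reviewed later.

AUDIT_HMAC_KEY = b"constructed-audit-log-key"   # placeholder; keep it off the app host
GENESIS = "0" * 64


class KeyAccessLog:
    def __init__(self):
        self.entries = []
        self.head = GENESIS           # hash of the latest record

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record_access(self, key_id, principal, purpose, ts=None):
        """Append one record and return its hash (store that hash off-host too)."""
        body = {"ts": time.time() if ts is None else ts, "key_id": key_id,
                "principal": principal, "purpose": purpose, "prev": self.head}
        h = self._digest(body)
        mac = hmac.new(AUDIT_HMAC_KEY, h.encode(), "sha256").hexdigest()
        self.entries.append({**body, "hash": h, "mac": mac})
        self.head = h
        return h

    def verify_chain(self, expected_head=None):
        """True if no record was altered or removed from the middle. Passing
        the last hash you stored off-host also catches trailing deletions."""
        prev = GENESIS
        for e in self.entries:
            body = {k: e[k] for k in ("ts", "key_id", "principal", "purpose", "prev")}
            h = self._digest(body)
            mac = hmac.new(AUDIT_HMAC_KEY, h.encode(), "sha256").hexdigest()
            if e["prev"] != prev or e["hash"] != h:
                return False
            if not hmac.compare_digest(mac, e["mac"]):
                return False
            prev = h
        return expected_head is None or prev == expected_head

    def accesses_between(self, start, end):
        """Records in [start, end]: the evidence you would show after a breach."""
        return [e for e in self.entries if start <= e["ts"] <= end]
```

The chain alone cannot prove that the newest records were not simply cut off, which is why the latest hash must also be copied somewhere the application host cannot write.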

Remember that with state breach notification laws, it matters where the person whose data was breached lives, not where your office is, so if you are in Colorado but you have customers in California, California may come after you in the case of a breach.

Whether you are worried about the California law or not (and some other states have breach laws that require notification whether the data is encrypted or not), now would be a good time to consider whether your encryption will stop a hacker who breaks into your system from reading your data.  Dealing with a breach is expensive, hurts your reputation and may cost you customers.  Avoiding a reportable breach just makes good business sense, independent of the law.

Information for this post came from National Law Review.

Gorilla Glue Cannot Stop Hackers

The hacker group The Dark Overlord claims to have hacked Gorilla Glue and has stolen, they claim, over 500 GB of intellectual property.

As I have said many times, the theft of intellectual property is a way bigger problem than the theft of credit cards.

If someone steals your credit card, you whine at the bank, they cancel your old one and overnight you a new one.  In the worst case, you are out $50 under federal law.  Maybe if your bank is cheap, you have to wait a few days for a new card.

If someone steals your intellectual property (IP) there is no putting that genie back in the bottle.  Once your product design or salary information or whatever is out, you cannot reel it back in.

In this case, The Dark Overlord claims to have stolen “everything they have ever created”.   They say it includes research and development information, IP, product designs, and access to Dropbox and personal email accounts.  The personal email accounts are typically the place where password reset requests are directed, so that is particularly troublesome.  Plus it could include adult pictures, if the celebrity iPhone hacks from a couple of years ago are any indication.

The Dark Overlord sent Motherboard a cache of 200 MB worth of the data that was stolen (out of the 500 gig).  The information includes financial spreadsheets, invoices, strategy documents, presentations, contracts with banks and other material.  Motherboard says this material does not appear to be available anywhere on the Internet.

Motherboard contacted a number of people at Gorilla Glue and also the FBI, but no one is talking, which is not really a surprise if they are negotiating with the hackers.

Among the data in the small cache are pictures of Gorilla Glue executives’ family members.  If that isn’t scary, I am not sure what is.  Motherboard was able to find other pictures of some Gorilla Glue execs’ families to validate that those pictures are real.

So what we have here is a family owned company that was apparently totally hacked.  All of their IP, financial info, R&D and likely customer information was stolen.  Pictures of company executives’ families were also vacuumed up.

And, it appears, the hackers are negotiating a price to not release this information.  The hackers said that they have offered Gorilla Glue “a handsome business proposition”.

How many zeros are in that invoice is not clear, but I am sure this is not a $500 ransomware invoice.

This is the second item this week where hackers stole information and are now trying to extort the business in exchange for not releasing the information.

Of course, you have to trust the extortionists, so even if you do pay, what confidence do you have that they won’t release the information, use it themselves for nefarious purposes or sell it quietly to other hackers?  The answer is ZERO!

Do you have a plan of action if hackers stole every bit of digital information your company has?  I didn’t think so.  It is a worst case scenario for most companies.

That doesn’t mean that you should not have a plan.  In fact, you should.  This should be a scenario that you test in your annual incident response exercise.

Information for this post came from Motherboard.

Hackers Extort Atlanta Medical Clinic

Peachtree Orthopaedic Clinic announced a breach last month.  Now the hackers behind the attack, the Dark Overlord, say that the clinic owner has not paid the ransom – 83 bitcoins or around $60k – and they are threatening to release more records.  Last month they released names, birth dates, addresses, prescription info and Social Security numbers of a group of patients.

They claim to have taken more than a half million records, including the prescription history for a number of professional athletes.

The hackers say that Michael Butler, the CEO of Peachtree, promised to pay 83 bitcoins, but has not done that.

The hackers say that they will release more and more records in an effort to get the clinic to pay the ransom.  One would think that with pro athletes in the mix, paying $60k to keep your drug habits out of public scrutiny, even if everything you are taking is legal.  Of course, we don’t know if the $60k is a down payment or whether the hackers will be happy with that much money.

For any organization storing sensitive customer data, this should be a warning.  How would you deal with an event like this, going on for more than a month with no resolution?

Some hackers have figured out that an easier way to monetize stealing your data may be to extort you instead of selling your data.  It is not at all clear what the end game will be with Peachtree Orthopaedic, but it is clear that it will be messy no matter how it turns out.  Not only have they been dealing with hackers for a month, but they have been dealing with the FBI trying to figure out who the hackers are.

If your company had to deal with the same situation as Peachtree has been dealing with for a month or more, how well prepared are you?  What do you tell your clients?  What are your employees supposed to do?  It has to be a huge distraction.

At this point, Peachtree is likely unclear as to exactly what data the hacker has and whether the hacker will release the private data on its most privacy-sensitive clients – pro athletes.  They may have a half million records.  Or they may not.  This is dragging on beyond what seems reasonable.  One guess could be that they don’t really have the data, but that is a dicey bet if you guess wrong.

Stay tuned!

Information for this post came from Motherboard.

LinkedIn is Becoming LinkedOut

LinkedIn is becoming LinkedOut, at least in Russia.

Our friend Vladimir Putin passed a law in 2014 that said that any company that operates in Russia needs to store its users’ data in country.  Most U.S. companies protested against it, although it is believed that a few have an architecture that allows them to do that.

LinkedOut is not one of those companies, apparently.

Yesterday a Russian court ruled that LinkedIn violated this law and today Russian Internet providers have begun blocking LinkedIn.

Putin claims the reason for doing this is to protect their citizens’ privacy.  After all, Russia and Putin are known to have a keen concern for their citizens and, especially, for their citizens’ privacy.

An alternative reason might be to make it easier for the KGB to spy on and to hack into dissidents’ conversations.  However, that would be at odds with Putin’s desire to protect his citizens’ privacy, so that can’t be the real reason.

In any case, LinkedIn is quickly becoming LinkedOut.

From a revenue standpoint, these social networks do not want to lose any users, so I am sure that they are trying to figure out a way to deal with it.  Surely, the Kremlin hopes these companies come on their hands and knees, begging for another chance.

Some companies thought that Putin was just kidding, but maybe not.

The other thing that Putin is requiring is that anyone using encryption turn over his or her encryption keys to the government.  I am sure that is not sitting well with LinkedIn either.

On the other hand, LinkedIn only has around 6 million users in Russia so they might decide to tell Putin to stick it.  It’s not clear.

This small size may have actually made LinkedIn a target.  Blocking other social media sites – ones that have tens or hundreds of millions of users – might create a bit of a tense situation, but by taking down LinkedIn, they can pretend that they are actually implementing the law.

We have not heard anything from President Elect Trump.  Since he and Putin are best buds, I assume that he will fix this problem for LinkedIn as soon as he moves into the White House.  Or maybe sooner.

Information for this post came from The Washington Post.

FBI Can Unlock Most Devices That It Receives

FBI Director Comey has talked a lot about the “going dark” problem but we now have some statistics on the problem.

So far this fiscal year, the FBI has received 6,814 devices – phones or computers – to forensically examine.

Of those devices, only 2,095 of them had any form of password on the device.  That means that roughly 70 percent of the devices that bad guys used did not have a password on them.  If you assume that this statistic mirrors the general population – and it may not – then only 30 percent of people protect their devices with a password.

Of the 2,095 devices that were password protected, the Feds were able to get into 1,210 of those.  They do not say what techniques they used to get into those devices.

This means that out of almost 7,000 devices, the cops could not read about 880 of them.  Said differently, the Feds were able to get into 87 percent of the devices that they were presented to evaluate.

These stats don’t include numbers for devices that local police receive and don’t turn over to the Feds.  This means that the 13 percent number – of devices that they cannot get into – may be high because there may be a number of devices that local police receive that they can easily get into and therefore don’t ask the Feds for help.

It also may include devices that are damaged.  For example, if a device is broken during an arrest, such as a bad guy intentionally throwing a device off a building or into oncoming traffic – which probably is not that uncommon in a case where the bad guys think the phone contains evidence – those numbers would be included in the “we couldn’t get into that device” count.  How many devices fall into that category is unknown.  So while that is part of the going dark problem, it is not because of encryption.

Still, 13 percent is the most definitive number we have seen so far.

What we don’t have any numbers for is how many of those 6,800 devices contained any useful evidence of a crime.

From the Feds’ perspective, they want to be able to get into every device.  They are used to the days of executing a search warrant where they are looking for papers and where likely, in almost every case, they are able to examine almost 100 percent of the information that they are interested in looking at.

In response, the FBI said that 13 percent is significant and, in their defense, it is likely significant.  But it is far from an epidemic, at least at this point.

What is unclear is whether there was any evidence on those 880 phones or whether the inability to get into those phones made any difference in the prosecution or non-prosecution of those cases.  From a bad guy’s perspective, they likely have little incentive to unlock a phone even if there is nothing on it.  Their attorney would likely tell them that there could be something on the device that could be used against them, so don’t cooperate.  This is the digital equivalent of challenging a search warrant, but in this case, control is in the hands of the bad guy rather than in the hands of a judge and the Feds likely don’t appreciate that fact.

At least, for the first time, we have some information about the problem.

Information for this post came from Motherboard.

Adult Web Site Hacked – 400 Million IDs Hacked

Adult Friend Finder, which bills itself as the largest sex and swinger community, was hacked, for the second time in a year.

Last year was small beans.  Last month it was:

  • – 339 million
  • – 62 million
  • – 7 million (and they don’t even own the web site any more)
  • – 1 million
  • –  1 million

What is interesting is that they were hacked with an exploit called a local file inclusion attack.  With this kind of attack, the hacker tricks the web site into coughing up some file that exists on the web site.  In this case, the web site’s own password file.  GAME OVER as someone who used to work for me would say.
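To show where that class of bug lives and how it is closed, here is an added example (not Adult Friend Finder’s code): a handler that maps a user-supplied file name to a file under the web root, first with the local file inclusion defect and then hardened with path canonicalisation, a root check and a file-type allowlist. The document root and suffix list are constructed.

```python
import os
from pathlib import Path

# Constructed example, not Adult Friend Finder's code: a handler that
# maps a user-supplied file name to a file under the web root. The
# first version has the local file inclusion defect; the second one
# canonicalises the path and checks that it stays inside the root.

DOC_ROOT = Path("/srv/www/public")                 # constructed path
ALLOWED_SUFFIXES = {".html", ".css", ".js", ".png"}


def serve_file_vulnerable(name: str, root: Path = DOC_ROOT) -> Path:
    # Joins user input straight onto the root. "../" segments walk out
    # of the root, and an absolute name replaces it entirely.
    return Path(os.path.join(str(root), name))


def safe_path(name: str, root: Path = DOC_ROOT):
    """Return the canonical path to serve, or None if the request is rejected."""
    # 1. Plain relative names only: no absolute paths, no NUL bytes.
    if not name or name.startswith(("/", "\\")) or "\x00" in name:
        return None
    # 2. Canonicalise (collapses ".." and follows symlinks), then make sure
    #    the result is the root itself or somewhere beneath it.
    root_resolved = root.resolve()
    candidate = (root_resolved / name).resolve()
    if candidate != root_resolved and root_resolved not in candidate.parents:
        return None
    # 3. Only hand out the file types the site actually publishes, so a
    #    stray config or password file under the root is still not served.
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        return None
    return candidate
```

The allowlist in step 3 is what protects files that legitimately sit inside the root; the root check alone would still serve them.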

Among the IDs that were leaked were about 15 million that were marked deleted, but apparently were not actually deleted.

On top of this, the passwords were either not encrypted at all or weakly encrypted.  For, 103 million were not encrypted and 232 million were weakly encrypted.  99% of those have been decrypted.  The numbers for the other sites were just as embarrassing.
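To make the password-storage point concrete, here is an added example (not the site’s code) that contrasts an unsalted fast hash, which turns bulk recovery into a table lookup, with per-user salted scrypt from the Python standard library. The four passwords are the ones the post lists; the scrypt parameters are constructed defaults.

```python
import hashlib
import hmac
import os

# Constructed example (not Adult Friend Finder's code): the weak storage
# pattern described above beside a hardened one.

def legacy_hash(password: str) -> str:
    # Unsalted SHA-1: identical passwords give identical hashes, so a
    # precomputed table of common passwords makes recovery a lookup.
    return hashlib.sha1(password.encode()).hexdigest()

COMMON = ["123456", "12345", "123456789", "12345678"]   # from the post
LOOKUP = {legacy_hash(p): p for p in COMMON}

def recover_from_legacy(stored: str):
    """Plaintext if the unsalted hash is in the table, else None."""
    return LOOKUP.get(stored)

# Hardened: memory-hard KDF, a fresh 16-byte salt per user, constant-time compare.
SCRYPT = dict(n=2 ** 14, r=8, p=1, dklen=32)   # constructed parameters

def hash_password(password: str, salt: bytes = None) -> str:
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return "scrypt$" + salt.hex() + "$" + dk.hex()

def verify_password(password: str, stored: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != "scrypt":
        return False            # legacy or malformed record: never accept it
    salt, dk_hex = bytes.fromhex(parts[1]), parts[2]
    dk = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return hmac.compare_digest(dk.hex(), dk_hex)
```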

The good news is that, hopefully, the passwords that people used there were not used elsewhere.  The top passwords were 123456, 12345, 123456789 and 12345678.  Unfortunately, those only add up to around 2 million of the 400+ million passwords compromised.

One more time, people are using their work emails to register for adult web sites.  5,650 .gov emails and 78,000 .mil emails.  We don’t know, yet, how many company emails were included, but we will.  Have people not heard of Gmail?  Granted, in the context of 400 million, these numbers are very small, but still…

Initially when the hacker told them about the hack, he says they told him he was a fraud.  Getting a bit upset about being called a fraud, he dumped the database on them.  Oops.

In addition to the user information being hacked, their source code and their private encryption key is now being circulated.

I am sure that they are still trying to assess the damage, but all they have admitted to is that userids, emails and passwords were compromised.  Looking at the tables that were made available, it sure looks like there may be more.  All in all about 90 databases were supposedly stolen.

Lessons to learn:

  1. If someone contacts you and says he has hacked you, be careful about dismissing him.  The fact that you have not been able to verify the claim doesn’t mean it isn’t real.
  2. Really.  UNENCRYPTED PASSWORDS?  In 2016?  Come on!
  3. If you say you are going to delete people’s identities, actually do that.
  4. If you are hacked once, up your security game.
  5. Don’t use weak encryption.
  6. You better have your incident response plan ready.  Or your resume.

The data, supposedly, goes back 20 years, so people who were members while they were in high school or college are likely still in the system and were compromised.

For email phishing, this is likely fertile ground, so expect all kinds of phishing attacks to come out of this.

One more time, a company did not, apparently, take security seriously and is now going to have to deal with that fact.

Data for this post came from Leaked Source (great post), CSO Online and Ars Technica.
