News Bites for the Week Ending November 30, 2018

Microsoft Azure and Office 365 Multi-Factor Authentication Outage

Microsoft’s cloud environment had a worldwide outage this week that lasted the better part of a day.  The failure stopped users who had turned on multi-factor authentication from logging in to Azure and Office 365.

This is not a “gee, Microsoft is bad” or “gee, two factor authentication is bad” problem.  All systems have failures, especially the ones that businesses run internally.  Unfortunately cloud systems fail occasionally too.

The bigger question is whether you are prepared for that failure, which is guaranteed to happen at some point in the future.

It is a really bad idea to assume cloud systems will not fail, whether they are an industry-specific application or a generic platform like Microsoft’s or Google’s.

What is your acceptable length for an outage (your recovery time objective)?  How much data are you willing to lose (your recovery point objective)?

More importantly, do you have a plan for what to do once you pass those points of no return, and have you tested that plan recently?  For an identity service in particular, that means deciding in advance how administrators get in when the MFA service itself is down, for example with tested emergency-access accounts that do not depend on it.

Failures usually happen at inconvenient times, and planning is critical to dealing with them.  Dealing with an outage without a well thought out and tested plan is likely to be a disaster.  Source: ZDNet.


Moody’s is Going to Start Including Cyber Risk in Credit Ratings

We have said for a long time that cyber risk is a business problem.  Business credit ratings reflect the overall risk a business carries.

What has been missing is connecting the two.

Now Moody’s is going to do that.

While details are scarce, Moody’s says that it will soon evaluate organizations’ risk from a cyber attack.

Moody’s has even created a new cyber risk group.

While they haven’t said so yet, likely candidates for initial scrutiny of cyber risk are defense contractors, financial, health care and critical infrastructure.

For companies that care about their risk ratings, make sure that your cybersecurity is in order along with your finances.  Source: CNBC.


British Lawmakers Seize Facebook Files

In what has got to be an interesting game, full of innuendo and intrigue, British lawmakers seized documents that had been sealed by a U.S. court when the CEO of a company that had access to them visited England.

The short version of the back story is that the Brits are not very happy with Facebook and were looking for copies of documents that had been produced in discovery in a lawsuit between app maker Six4Three and Facebook that has been going on for years.

So, when Ted Kramer, founder of the company, visited England on business, Parliament’s Serjeant-at-Arms literally hauled Ted into Parliament and threatened to throw him in jail if he did not produce the documents sealed by the U.S. court.

So Ted is between a rock and a hard place;  the Brits have physical custody of him;  the U.S. courts could hold him in contempt (I suspect they will huff and puff a lot, but not do anything) – so he turns over the documents.

Facebook has been trying to hide these documents for years.  I suspect that Six4Three would be happy if they became public.  Facebook said, after the fact, that the Brits should return the documents.  The Brits said go stick it.  You get the idea.

Did Six4Three play a part in this drama in hopes of getting these emails released?  Don’t know but I would not rule that out.  Source: CNBC.


Two More Hospitals Hit By Ransomware

The East Ohio Regional Hospital (EORH) and Ohio Valley Medical Center (OVMC) were both hit by a ransomware attack.  The hospitals reverted to paper patient charts and are diverting ambulances to other hospitals.  Of course they are saying that patient care isn’t affected, but given that staff have no electronic access to information about the patients currently in the hospital, their diagnoses, tests or prior treatments, that seems a bit optimistic.

While most of us do not deal with life and death situations, it can take a while – weeks or longer – to recover from ransomware attacks if the organization is not prepared.

Are you prepared?  In this case, it likely took only one doctor or nurse clicking on the wrong link;  that is all it takes.  Source: EHR Intelligence.


Atrium Health Data Breach – Over 2 Million Customers Impacted

Atrium Health announced a breach of the personal information of over 2 million customers, including Social Security numbers for about 700,000 of them.

However, while Atrium is the one that has to answer for it (and pay any fines), the breach actually happened at one of its vendors, Accudoc, which does billing for Atrium’s 44 hospitals.

Atrium says that the data was accessed but not downloaded and did not include credit card data.  Of course, an attacker who can view the data can also copy it, by screen scraping or by reading it through the application one record at a time, and neither of those shows up as a bulk download.
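
Catching that kind of access means alerting on read volume, not on export events.  The following Python, an added example that is not code from Atrium, Accudoc or the Charlotte Observer report, runs a sliding-window count of distinct patient records touched per user and ignores the action type entirely.  The log format, the ten-minute window, the threshold of 20 records and the sample lines are all assumptions constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log format (hypothetical; not Accudoc's or Atrium's actual format):
#   <ISO-8601 UTC timestamp> user=<id> action=<view|export|print> record=<patient record id>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) record=(?P<record>\S+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT).replace(tzinfo=timezone.utc)
    return ev


def flag_bulk_readers(events, window=timedelta(minutes=10), max_distinct=20):
    """Return one alert per user whose number of *distinct* records touched inside
    any sliding window exceeds max_distinct.  The action type is deliberately
    ignored: a 'view' that is screen-scraped moves the same data as an 'export'."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        in_window = Counter()  # record id -> number of events currently inside the window
        start = 0
        peak, peak_at = 0, None
        for ev in evs:
            in_window[ev["record"]] += 1
            # Advance the window start until every counted event is within `window` of this one.
            while evs[start]["ts"] < ev["ts"] - window:
                old = evs[start]["record"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > peak:
                peak, peak_at = len(in_window), ev["ts"]
        if peak > max_distinct:
            alerts.append({
                "user": user,
                "distinct_records": peak,
                "peak_at": peak_at,
                "actions_seen": sorted({e["action"] for e in evs}),
            })
    return alerts


def build_sample_log():
    """Constructed sample lines for this example; not data from any real incident."""
    base = datetime(2018, 9, 22, 14, 0, tzinfo=timezone.utc)

    def line(offset, user, action, record):
        return f"{(base + offset).strftime(TS_FMT)} user={user} action={action} record={record}"

    lines = []
    # Suspicious: 30 distinct patient records read in three minutes, never exported.
    lines += [line(timedelta(seconds=6 * i), "jdoe", "view", f"P{100000 + i}") for i in range(30)]
    # Normal clinician: five records spread across an hour.
    lines += [line(timedelta(minutes=12 * i), "nurse7", "view", f"P{200000 + i}") for i in range(5)]
    # Ward monitor refreshing one record 40 times: many events, one record, no alert.
    lines += [line(timedelta(seconds=15 * i), "ward3", "view", "P300000") for i in range(40)]
    lines.append("this line is malformed and is skipped by the parser")
    return "\n".join(lines)


def analyze(log_text, window=timedelta(minutes=10), max_distinct=20):
    """Parse a log blob and return the bulk-reader alerts for it."""
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev is not None]
    return flag_bulk_readers(events, window, max_distinct)


if __name__ == "__main__":
    for alert in analyze(build_sample_log()):
        print(alert)
```

Running it flags only jdoe, whose session consisted of nothing but "view" actions; the ward monitor, which generated more events than anyone, is not flagged because it only ever touched one record.  The threshold and window are the tuning knobs, and a billing vendor would set them from its own baseline of how many records a legitimate user touches in ten minutes.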

One more time – VENDOR CYBER RISK MANAGEMENT.  It has to be a priority.   Unless you don’t mind taking the rap and fines for your vendor’s errors.   Source: Charlotte Observer.

Beware Your Internet Data Caps

The stats say that 75% of all bits on the Internet are for video and that is a number that is up from 63% two years ago.

Cisco says that Internet traffic will reach 396 exabytes a month by 2022.  That is 396,000,000,000,000,000,000 bytes, which is a big number.

While regular video for, say, Netflix, consumes about 1 gigabyte an hour and HD video consumes about 3 gigabytes an hour, 4K video consumes about 10 gigabytes an hour.

As ISPs, who are typically also your cable TV provider, lose cable customers, they try to figure out how to make up that lost revenue.  One way to do that is to put data caps on your Internet.  Use more than your cap this month, you get to pay a surcharge of (it varies) maybe $10 for every 50 gigabytes extra that you use.

The Internet providers say they have to do it to manage their networks, but the evidence seems to support that it is actually just an extra way to make money.

There are actually two problems here.

One is how much data you are trying to push through the pipe per second.  If your pipe to the Internet isn’t big enough around, everything just slows down.

The other problem is how much data you use per month and whether your plan has a cap.  Some do, others don’t.  Some charge you extra every single month to get rid of the cap, whether you would have exceeded it or not.  Others remove it if you buy more services from the vendor.

So what are you to do as a business or consumer?

Be a smart shopper.

Understand how fast your connection is.  For businesses, if you are paying for, say, a 100 megabit per second connection and you are always using 100 megabits per second, your users are probably sitting around watching the paint dry.  Getting a faster connection could save you money, as people tend to lose focus when it takes 30 seconds or more for the screen to refresh.

Same thing at home.  I hate waiting for my Internet “paint” to dry.  I live in the rural world so I make a tradeoff.  I can’t even buy service that legally qualifies as broadband, but that is a separate conversation.  Understand the speed that you have and ask your ISP how much you are using on average (per second) and at the peak to decide if you should upgrade your service to the next speed.

The other half is your total monthly usage.  Understand whether you have any usage caps and what they are.  Customers of fixed wireless and satellite are the most affected, but cable has caps too, sometimes as low as 250 gigabytes per month and sometimes as high as 1 terabyte.  Understand how much you are using and what your trend is so that you don’t get surprised by a penalty.

Some providers, including cellular, don’t give you a cap but instead slow down your traffic (called throttling) if you use too much.

Other providers will remove the cap if you pay extra every month, whether you exceed that cap or not.  You need to see if that  makes sense for you.

For businesses that have servers in a colo or in the cloud, those providers also charge by volume, typically for outbound (egress) traffic, so the same usage tracking applies there.

Bottom line – like in most situations, be a smart customer.  And understand your speed requirements and total usage.  Also, know that your usage is only going to go up, so you will need to revisit this conversation in a year.

Source: Motherboard.


Dolce and Gabbana Needs a Better Incident Response Program

Stefano Gabbana is known for very edgy ads and posts on social media.  Some people say over the edge – way over the edge.

The brand ran a series of commercials of a Chinese model eating pizza and other Italian foods with chopsticks on the eve of a star-studded fashion show in Shanghai.  I suspect someone thought that it was something the Chinese would find funny (?).

Then Gabbana’s Instagram account sent out racist taunts to people who were complaining about the ad campaign.

The company’s response was to claim that both Stefano’s and the company’s Instagram accounts were hijacked.  Few people believed that.  Stefano posted a note to that effect on his Instagram account afterwards.

If there is one thing the Chinese are, it is loyal to their country.  Models pulled out of the show.  Next, celebrity guests pulled out.  The show was cancelled less than 24 hours before it was scheduled to go on.

Now D&G merchandise is being pulled from store shelves and removed from web sites.  A full scale disaster for the company.

So what lessons are there to learn from this?

The obvious one is that if your strategy for getting attention is edgy commercials and racist social media posts, you might want to rethink that, especially in certain countries.

In reality, most companies don’t do that, at least on purpose.

The bigger issue is how to respond to cyber incidents.

Let’s assume their accounts were hijacked.  It is certainly possible.  Obviously, you want to beef up your social media security if you are doing things that might attract attackers (multi-factor authentication on the accounts, a short list of people who hold the credentials, and a way to revoke access quickly), but more importantly, nothing is bulletproof in cyberspace, so you need an incident response program to deal with it.

That incident response program needs to deal with the reputational fallout of events that may or may not be in the company’s control.  Crisis communications is a key part of incident response.

The incident response team needs to be identified and then the team members need to be trained.  That can be done with “table-top” exercises.

Bottom line: prepare for the next cyber event.  Information for this post came from SC Magazine and the New York Times.


American Bar Association Issues New Cybersecurity Guidance

Law firms maintain large quantities of their clients’ most sensitive information.  Lawsuits, mergers and other high profile situations make law firms a high visibility target.

So what is contained in what is known as the Standing Committee on Ethics and Professional Responsibility Formal Opinion 483?  It addresses a lawyer’s obligations after a data breach under the following Model Rules.


  • Model Rule 1.1 (competence), which requires lawyers to develop sufficient competence in technology to meet their obligations under the rules after a breach.
  • Model Rule 1.15 (safekeeping property), which requires lawyers to protect trust accounts, documents and property the lawyer is holding for clients or third parties.
  • Model Rule 1.4 (communication), which requires lawyers to take reasonable steps to communicate with clients after an incident.
  • Model Rule 1.6 (confidentiality), which covers issues dealing with confidentiality of the client-lawyer relationship.
  • Model Rule 5.1 (lawyer oversight), which addresses the added responsibilities of a managing partner or supervisory lawyer.
  • Model Rule 5.3 (nonlawyer oversight), which addresses the responsibilities of those in supervisory capacities who are nonlawyers.

The ABA says that lawyers should be prepared for a breach, including having an incident response plan in place.

So what does this mean for clients of law firms?

Assuming you care about whether your most private information and/or dirty laundry remains private, here are some recommendations.

  1. Ask your lawyer for a copy of their security and privacy (two different things) policies.
  2. Ask when their last INDEPENDENT THIRD PARTY risk assessment was conducted and for a summary of the findings.
  3. Ask if they have cyber risk insurance.
  4. Find out which partner is ACCOUNTABLE for cyber risk and talk to that partner about it.
  5. Find out if they have an internal cyber security team.

Ultimately, it is up to you to hold the law firm accountable for protecting your information and if you don’t get the right answer, move on.  Source: ABA.




News Bites for the Week Ending November 23, 2018

Japan’s Cybersecurity Minister has Never Used a Computer

Yoshitaka Sakurada, the deputy chief of Japan’s cybersecurity strategy office and the minister in charge of the 2020 Olympic Games in Tokyo, says that he doesn’t use computers; basically, he has secretaries and employees to do that.  He also seemed confused about whether Japan’s nuclear plants use USB drives.

While a few people joked that he has mastered cybersecurity (which of course is not true unless he plans to shut down all of Japan’s computers), most people were amazed that the government put someone with absolutely no understanding of cybersecurity, never mind no expertise, in charge.  Source: The Guardian.

Suspect Remotely Wipes iPhone that Police Seized as Evidence

Juelle Grant is a suspect in a shooting in New York in October.  Police think she was the driver and hid the shooter’s identity and hid the gun.

Apparently Grant tried to out-think the police and used Apple’s Find My iPhone feature to remotely wipe the phone.

The cops were not amused and charged her with tampering with evidence and hindering prosecution.  The police could have foiled her by putting the phone in a cheap Faraday bag the moment they seized it (or at least by powering it off or enabling airplane mode) and keeping it isolated from any network until it had been imaged.

That she was able to do this successfully is indicative of the uphill battle that police face shifting from a world of cops walking a beat to a world of cyber experts.  Source: Apple Insider.

China’s Response to Tariffs – Increase Hacking

According to a U.S. government report released recently, China’s response to U.S. tariffs is to increase, not decrease, hacking.  The tariffs, which were put in place due to unfair business practices, including hacking, were supposed to get China to reduce the theft of our intellectual property, but according to the report they have in fact had the opposite effect.

The report says that Chinese hacking efforts aimed at stealing American technology and trade secrets have “increased in frequency and sophistication” this year.

The Chinese appear to be interested in stealing information on artificial intelligence and other technologies, and the report notes a “sharp rise” in hacking against manufacturers.

What this means is that U.S. companies need to take steps to protect themselves.  Source: Real Clear Defense.


Adobe Releases Yet Another Emergency Fix For Flash

In the “gee, what a surprise” category, Adobe released yet another emergency patch for the pile of Band-Aids (R) that some people call Flash.  The bug would allow an attacker to run arbitrary malicious code on a user’s device simply by getting them to visit a web page that had, for example, a malicious ad on it.

Adobe has announced that it will discontinue support by the end of 2020, which means that we still have two more years of emergency patches in the wings, followed by attacks on new bugs that are never going to be patched.  Source: CyberScoop.


Just Visiting a Website Could Have Hacked Your Mac

A bug in Safari allowed an attacker to take over your Mac simply by getting you to visit a web page.  The bug, now patched, would have allowed an attacker to own any Mac.  The researchers released a video and proof of concept code now that the hole has been closed.  That, of course, does not mean that other hackers didn’t know about it already, and it means that unpatched Macs are now exposed to a public exploit.

Attacks are getting more sophisticated as vendors try to lock down their systems.  This exploit chained three different Mac bugs together to take over your computer.

No user involvement was required after the user opened a web page in Safari.  Source: The Hacker News.

Losses from Online Payment Fraud Expected to Reach $48 Billion Annually

If you believe this week’s report from Juniper Research, online payment fraud is expected to more than double in the next five years, going from a mere $22 billion in losses this year to $48 billion in losses by 2023.

The industry recovers that money by raising prices.

Spread across the U.S. population alone, that works out to about $150 for every man, woman and child, every single year.

What is interesting is that the crooks are morphing their attacks.  They are stealing the data and using it to build fake identities, and then using those identities to commit fraud.

From a business standpoint, businesses are not prepared to deal with this “synthetic identity” attack and will continue to lose billions of dollars to this type of attack.

From the consumer standpoint, consumers need to demand that businesses improve their security.  The Equifax breach was not the result of some incredibly exotic attack method figured out by cyber geniuses.  It was just that Equifax failed to install a known patch (for Apache Struts) on a public-facing web application.

In addition, consumers need to improve their own security – simple things like patching their phones regularly, uninstalling apps that they don’t use any more and not clicking on phishing links.

Laws will likely wind up being passed, whether or not that helps.

To put this in perspective, $48 billion is roughly a year of Apple’s profit, or roughly the entire annual revenue of HP.

Information for this post came from Help Net Security.