Thank You California For Keeping Me Permanently Employed

OK, so the headline is a bit of a hook because at this point, it is only a bill, but if it passes, it will be a nightmare for anyone who does business in California, which is good for my company, bad for everyone else. While this is not in my personal best interest, I hope the bill does not become law.

CA AB 2273 pretends to protect children and that is good in an election year. Who could be against motherhood, apple pie and protecting the children?

If it passes, websites will have to verify the age of everyone who visits them, unless they can show that they are not attractive to kids.

That means that businesses will need to collect personal data (and keep it) for everyone who visits their website. It also means no more anonymous web surfing because they won’t be able to tell your age if they don’t know who you are.

It is also based on a UK age-appropriate design law. In Europe, you can get an A if you try hard, even if you don’t succeed. In the U.S., you can get an F, even if you do succeed. That will be a problem.

The bill also delves into content moderation, which would turn the California Privacy Protection Agency into the California Internet Regulator Agency.

Some pieces of the bill:

It applies to businesses that provide an online service or feature likely to be accessed by a child – whatever that means. A child is anyone under 18, so that means you have to treat a 5-year-old and a 17-year-old the same. Under the current law, COPPA, businesses are affected if they KNOW that users are under 13 or specifically direct their services to those under 13. If it is reasonable to expect that one person, aged 17 years and 364 days, will visit your website, you must comply.

It says that businesses should consider the best interests of children in the design of their website. SHOULD? That is different from must. This will keep lawyers employed for a long time.

The bill also tries to say that businesses owe a duty of loyalty or a fiduciary duty to their customers. Other than for certain financial advisors, accountants, lawyers, etc., this does not exist today. Great for lawyers, not so good for businesses.

It would require businesses to do a data protection impact assessment. We do those. It is not cheap because it is a lot of work.

Establish the age of consumers with a reasonable level of certainty. How do you do that? What is reasonable?

Configure default settings to a “high level of privacy protection”. No more collecting or selling data. There goes that business model. And what is a high level, anyway?

This feature might be good. Disclosures must use language that is age appropriate, so maybe we could all understand that legalese on web sites.

Provide an “obvious signal” if parents can monitor their kids’ activities online. Huh? How?

Enforce published terms, policies and community standards – not just for kids.

And it goes on for a long time.

The good news is that this is not law yet. If you do business in California, you probably need to watch this bill. If you live there, get involved.

Credit: Professor Eric Goldman

Security News for the Week Ending June 24, 2022

Want Some BidenCash?

This is not a political statement – at least not by me. There is a new carding site that uses the President’s name and likeness to sell stolen credit card data for as little as 15 cents each. Last week the admins gave away a CSV file with names, addresses, phone numbers, emails and credit card numbers for free. Kind of a marketing push. Of the 8 million records in the free dump, only 6,600 had valid card numbers, but the other data could be useful anyway. Credit: Bleeping Computer

TikTok China Had/Has Access to 80 American Users’ Data

According to leaked audio recordings of internal TikTok meetings, Chinese TikTok employees had and probably still have access to the data of all American TikTok users, a security concern of the US government. According to the report, TikTok misled US officials and users with claims that the data is stored in the US and can’t be accessed in China. When the report came out, TikTok said the data is being stored in Oracle Cloud systems – a creative diversion from the question of whether Chinese employees and, by extension, the Chinese government, can access that data. Credit: Cybernews

UK Government Approves Extraditing Assange on Spying

The British government has okayed the extradition of Julian Assange to the U.S. on charges of spying. The U.K. Home Office says that it would not be oppressive, unjust or an abuse of process to extradite Mr. Assange. There are still appeals possible, so he is not likely to get on an airplane soon. Credit: CBS

GAO is Worried About Cyber Insurance for Major Attacks

Cyber insurance companies are trying to limit their losses. In 2021 they paid out 69% of premiums in claims; that number is way too high for comfort. Insurance companies are adding “acts of war” clauses and terrorism clauses to create a way not to pay. The Terrorism Risk Insurance Act (TRIA) was created by Congress as a backstop for insurance companies in case of major terror attacks like 9-11. Unfortunately, the way the law is worded, it is likely that companies would not be covered – either by TRIA or by their insurance carriers. The GAO wants Congress to fix this. Credit: ZDNet

Don’t Trust Blockchain With More Than Your Lunch Money

$100 million here, $320 million there, $600 million the other day. After a while, it adds up. Harmony is a vendor that offers cross blockchain bridges. In this week’s story, their Horizon Ethereum Bridge was hacked and lost 85,000 ETH tokens, worth about a hundred million bucks. At this point they have not said how they were hacked or if they are going to pay people back. The Grift Counter, which tracks crypto losses, says that losses have exceeded $10 billion just since 2021. Credit: The Register

What if Ransomware is Just a Cover for Theft of Intellectual Property?

A China-based advanced persistent threat (APT) actor that has been active since last year appears to be using ransomware as a smokescreen for state-sponsored espionage.

The group has been using just one malware loader, called the HUI loader, which seems to be used only by Chinese hackers. They use that loader to load Cobalt Strike Beacon, which in turn is used to deploy the ransomware.

Unlike most ransomware gangs, which become very familiar with one ransomware tool, these hackers have used at least five different ransomware tools – LockFile, AtomSilo, Rook, Night Sky and Pandora. It is possible that they are doing this to look like several different gangs.

Researchers are calling this gang Bronze Starlight.

The group’s victims include a pharmaceutical company, a law firm and media companies in the U.S. Other victims include electronics manufacturers and aerospace/defense companies.

These are the types of companies that China likes to spy on and steal data from.

In at least one case Bronze Starlight installed a backdoor (to be able to steal data) but did not deploy any ransomware.

Their software is also evolving. A new version includes a number of detection evasion techniques, such as disabling the Windows Antimalware Scan Interface (AMSI) so that Windows won’t detect malware that it already knows about.

But in one way, these attacks are not sophisticated – for the most part, they are exploiting known vulnerabilities that victims have not patched.

If you have valuable (to you or an adversary) intellectual property or personally identifiable information of your customers, you need to make sure that you are making it hard for the bad guys. Zero trust is part of this, as are a number of other processes and technologies. If you need help with implementing this, or if you want to see how secure you currently are, please contact us.

Credit: Dark Reading

Paying Ransoms – it is a Business Decision

So you get hit by a ransomware attack – what do you do?

Is your first thought TO pay it? Or is that first thought NOT to pay it?

Paul Furtado of Gartner, speaking in Sydney said:

“I have yet to see an organization going through that that says ‘No, I’m not going to pay’,” … “The reality is they’re [the executive board] going to do what they need to do and give you that blank check to get the business back to a functional level.”

And ultimately, the board is going to need to figure out what they need to do in order to get things back working and minimizing damage to the company.

The crime, itself, is very effective and very low risk. Even though, for example, Interpol arrested 2,000 people last week, believe it or not, that is a drop in the bucket and most are very low level participants and easy to replace.

Furtado says that many companies do pay the ransom – maybe a third – and even the FBI now says it is a business decision. Most get a decryption key, but that doesn’t mean that the key works perfectly or that they get all of their data back. Remember, ransomers are not master programmers and all software has bugs – theirs is not exempt. Also, many times the decryption process is far slower than the encryption process.

One interesting note Paul makes – he says that if you pay, there is an 80% chance you will get hit again. That is not terribly comforting.

You have to consider how long you will be down if you don’t pay – and how long you will be down if you do pay.

You also have to consider whether they have stolen data and will publish or sell it if you don’t pay. Maybe the data that they took is very sensitive. Maybe not.

There are two things to consider here: (1) are you adequately prepared for a cyber event? This includes not only backups, but business continuity, public relations, legal, incident response, etc. That is the PROACTIVE part. And (2) can you handle the incident by yourself if the worst case does happen? That is the REACTIVE part. We can help you with both – give us a call if you want to discuss.

Credit: Data Breach Today

Board Members & C-Suite Need Secure Communication Tools

Board members and other executives are the key target of hackers. There is even a term for it – whaling. This has nothing to do with anyone’s personal dimensions, but rather that they are the big fish in the pond and have the most access to data.

Many times, executives and board members are also not technical so they don’t use sophisticated tools. Hackers know this too.

Boards are directly linked to their organization’s risk management – cyber, third party, supply chain and have other sensitive responsibilities like ESG, compliance, diversity and other subjects.

Non-profits have the additional responsibility of donor and fundraising information and they depend on the goodwill of those folks.

Non-profits also often have fewer security resources to protect themselves with.

So what do boards need to do to protect their companies?

  • Make sure that all sensitive communications between board members and between the board and management – which is probably almost all communications except for the lunch order – are encrypted.
  • Make sure that communications are integrated – chat, messaging, collaboration, storage. Easy to use, secure, encrypted.
  • Make sure the solution does not require a year’s worth of training to use.
  • Make sure that the solution can minimize weak links like lost devices.
  • Include the board and executive family members and home networks – they are often used and are outside of the control of IT. Hackers know this and call it the soft underbelly.

If you don’t have a strategy for this, we can help you. It needs to be comprehensive, secure and, most importantly, easy to use. It also needs to be flexible enough to handle the unexpected. Also consider the non-corporate resources that board members and executives use.

Call us and we will help you design a solution.

Credit: Help Net Security

Security News for the Week Ending June 17, 2022

Ransomware Morphs Again

We know that ransomware has gone through a lot of iterations over the last couple of years as hackers try to maximize their revenue. The BlackCat group is now creating public websites for each victim company and has indexed the data to make it easy to search. I guess this means that it will be harder for companies that get hacked to hide what data was stolen. In one of their sites, you can select between employee data and customer data as the first filter and then search on that subset. Credit: Brian Krebs

NSA Quietly Appoints General Counsel After Two Years

You may remember that in the final, sort of weird, days of the last President’s administration, the ex-President attempted to force the NSA to accept an unqualified political hack in the role of GC – a person who had not even worked inside the intelligence community – through a process known as burrowing. Burrowing converts a political appointee into a career civil servant. Gen. Nakasone was ordered, on the last day of the ex-President’s administration, to swear the guy in. That same day, the General put the new GC on administrative leave pending an inquiry about some security incidents. After several months in limbo, he resigned. He is now a lawyer at Rumble, a business partner of Truth Social. See a pattern? Anyway, April Falcon Doss, who seems to have impressive legal creds, was finally, quietly, sworn in as GC last month. Credit: The Record

Cyberattack – One and Done? Nope; Not Likely

According to research by Cymulate, 39% of companies were hit by cybercrime over the last year. Of those, TWO THIRDS were hit more than once. Also, of those who were hacked once, 10% were hacked ten times. That doesn’t give me a lot of warm fuzzies. Credit: ZDNet

Joshua Schulte, Former CIA Coder, Represents Himself in Second Espionage Trial

Joshua Schulte is a former software engineer who worked for the CIA. He is accused of the largest, most damaging leak the CIA ever had. In his first trial, the jury hung on the espionage charges. Now the second trial is beginning and he is representing himself. I recall the saying that a lawyer who represents himself has a fool for a client. Even though he is not a lawyer, the saying applies. He says he was framed. Prosecutors say he is guilty. Stay tuned for details. Credit: Security Week

Indian Police Planted False Evidence on Activists’ Computers to Arrest Them

Police in India were caught using hacking tools to plant evidence on people’s computers and then arresting them for the staged crime. The people being cyberattacked are not terrorists, but rather journalists and activists – in other words, people who annoy the police. With the help of SentinelOne, the hacking-by-police incidents have been publicly exposed. Credit: Wired