All posts by mitch tanenbaum

Malicious Cyber Costs US $50 to $100 Billion Plus a Year

The White House (Council of Economic Advisers) released a 62-page report today detailing the cost of malicious cyber activity in the U.S. in 2016.  The White House says that the cost was between $57 Billion and $109 Billion for that one year.  That’s billion with a B.  The report is available here.

The report says that damages from cyber attacks and cyber thefts may spill over to economically linked firms from the original target, magnifying the damage.  In English, this means that if Target is hacked and their sales go down, it affects their entire supply chain.

They say that companies do not account for the costs that fall outside their own organizations (on you and me, for example) and as a result, they under-invest in cybersecurity.  That is because, due to the nature of the laws, the company that gets hacked doesn’t really bear most of the costs.   For example, after the Target breach – way after – they settled the consumer class action lawsuit for about $30 million.  If there were 50 million victims, that means each victim gets about 60 cents.  For a company the size of Target, that $30 million payout may be considered a cost of doing business.

If we look at the law that goes into effect in May in the European Union (the GDPR, effective May 25, 2018), the fine from the regulators alone, worst case, might be $2.8 billion (4% of worldwide annual revenue of $70 billion; the GDPR cap is 4% of global turnover or €20 million, whichever is higher).  Compare that to $30 million for that one lawsuit or $250 million overall.  We don’t know what the regulators are going to do, but they are making noises about making examples of companies.  If Target or other companies faced a risk of a $2.8 billion fine, the economics of cyber security change quickly.

The report also says that attacks against critical infrastructure (such as power or energy) could be highly damaging to the economy.

Rick Perry, former governor of the big oil producing state of Texas and now Secretary of Energy says that the DoE plans to create an office of cybersecurity, energy security and emergency response.

Given the impact to the country in the case of hackers creating massive power outages or energy distribution failures and the cost to the businesses in Perry’s home state, it makes sense that he is doing that.  How they plan to fund it is unclear.  There is $96 million for it in President Trump’s proposed 2019 budget, but people are saying that budget is dead on arrival on The Hill. So, Perry can create the office, but, for now, the only way to staff it would be to pull people from other parts of the agency.  Given that the agency has a $30 billion annual budget, it is possible that there is some waste there that Perry could clean up to fund this idea.  Maybe.

Of the report’s 62 pages, a little over two pages (45-47) are devoted to ideas for improving cyber security.

While the report doesn’t say so, maybe the White House will propose some legislation or regulation regarding improving cyber security sometime in the future, but for now this report is merely meant to put some specifics on what we already know – that malicious cyber activity is costing us a fortune.

Information for this post came from the White House web site.



Private Facebook Posts May Not Be So Private

This is not Mark Zuckerberg trying to extract a few more cents out of you by pushing more ads to you – in fact, Facebook really doesn’t even have much of a say in this.  It is not even a Google thing.

Still, it is useful to understand.

In the case of a Manhattan woman who was disabled in a horseback riding accident, the courts have ruled back and forth.

The woman is blaming the trainer and horse owner for fitting the horse with a defective stirrup.  The case is unusual because equine trainers usually have no legal liability for riding accidents.  In this case, the rider, who suffered brain and spinal injuries, is claiming negligence.

The trial court ruled that the woman had to produce, during discovery, Facebook posts and photos from both before and after the accident.  The trainer is trying, I assume, to determine if the disabilities prevented her from doing the things that she did before the accident and turned her into a recluse, which is what she is claiming.

The trial court did exclude any nude pictures from having to be disclosed.

But then an intermediate appeals court reversed the trial court and said that she did not have to produce that information.

But now the state’s highest court, by a vote of 7-0, said that the trial court was correct and that the information did have to be produced.  Since this is the state’s highest court, it is not clear if there is any further avenue of appeal.

The high court did acknowledge that the posts were private, but said that did not allow her to avoid discovery.

For users, there is a warning here.  Do not assume that anything that you post online, even if you think it might be private, is really private.  I am sure that this woman did not think about the implications of her Facebook posts during a trial.

But there is a simple answer – if you want it to be private, do not post it.  Don’t even put it on Google Photos or Microsoft OneDrive.  If you make it accessible to an Internet provider, it is likely discoverable.

Information for this post came from Reuters.


FBI, NSA, CIA Say Don’t Use Huawei, ZTE Phones

The heads of the intelligence community – NSA, CIA, FBI and the Defense Intelligence Agency – appearing in front of the Senate Intelligence Committee, said that smartphones from the Chinese makers Huawei and ZTE posed a threat to national security.

Exactly why they singled out those two Chinese phones, compared to the iPhone, which is likely made in the same factory, is not clear.  It would seem that two phones, made in the same factory by the same people would have a similar security risk, but apparently not.

FBI Director Chris Wray said that it was because Huawei and ZTE are beholden to the Chinese government.  I would think that Foxconn, which, for example, makes TVs for Sony and others, Cisco networking gear, HP and Dell computers and Nintendo game consoles, would also be beholden to the Chinese government in a very big way.

I suspect there is classified intelligence that they are not sharing that explains why these two companies are being singled out.

The concern, they say, is that these devices could steal information or conduct undetectable surveillance of the phone’s user.

AT&T was going to sell Huawei phones but magically decided not to last month.  No doubt these same agencies explained to AT&T why that was not a good plan.

Ultimately, everyone has to make their own decisions, but there are plenty of phones made in Korea, which seems to be a more friendly locale.  There are no phones made in the United States.

Apple and others do buy some parts in the US, like glass from Corning, but those parts are then shipped to China to be assembled.  Apple is looking at assembling some phones in the US, likely for the PR value, but doesn’t actually do that yet.  Even if they do, since iPhones represent less than 15% of smartphone sales, at least 85% of smartphones would still be manufactured in other countries.

Information for this post came from CNN.


Consumer Reports Says Smart TVs Vulnerable to Hacking

Consumer Reports says that Smart TVs by Samsung and multiple brands that are powered by Roku are vulnerable to hacking.

While this particular hack won’t empty your bank account, it will allow the hacker to change the channel, volume and other settings.

What is even more interesting was the two vendors’ responses to being contacted by Consumer Reports.

Samsung said that they would fix the problem as soon as technically feasible.

Roku said that it was a feature: they publish a documented interface that allows third party developers to control your TV over the local network, and it doesn’t compromise your Roku account on their server (which no one said it did).

Then they went further to say that you could disable that feature by clicking on SETTINGS, then ADVANCED SYSTEM SETTINGS, then EXTERNAL CONTROL, then DISABLED.

Call me dumb, but why wouldn’t you ship the system with that feature disabled and then allow the small minority that want to allow hackers or other third parties to control their TV to turn it on?

Separately, Consumer Reports said that all these TVs raise privacy concerns by collecting very detailed information.

Besides collecting all your viewing data and selling it, many have microphones and collect audio all the time.

Vizio paid a $2.2 million settlement last year for collecting and selling viewing data without adequately disclosing it.  Now Vizio says, in the manual, do not discuss anything sensitive in the same room as the TV.  Nice.

Consumer Reports does say that you can limit the data collected by the TV by disabling the features you paid extra for when you bought a smart TV.  In other words, if you turn the smart TV into a dumb TV, it won’t collect data.  Or be very smart.

You could replace your iPhone with a rotary dial land line to improve security also, but that kind of misses the point.

Information for this post came from CNET.



Chrome to Mark All HTTP Sites as Not Secure in July

For those companies that haven’t installed HTTPS certificates on their web site because, you know, why bother – Google has just upped the ante a bit.

Starting in July (Chrome 68), the Chrome browser will mark every page served over plain HTTP as NOT SECURE in the address bar by default.

It used to be that HTTPS certificates were expensive and complicated, but that has gotten a lot simpler and a lot cheaper in the last few years; Let’s Encrypt, for example, issues certificates for free and renews them automatically.

Chrome, which leads the way in market share with about 60% of the market, is often the bellwether for other browser makers to follow.

Additionally, even today, sites that are not HTTPS get their Google search ranking lowered, so they appear further down in the Google listings than comparable HTTPS sites.

While they have not said this, if history is any indicator, the next move after this release will be a full-page warning telling users that the site they are about to visit is not secure and asking whether they really want to proceed.  They will have to click through that warning to get the browser to display the web page.

Our recommendation is that if you have not already made your site AUTOMATICALLY use HTTPS – that is, redirect every plain-HTTP request to the HTTPS version – now is the time to get that done.
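As an added example (this is not from the original post or from Google), here is what “automatically use HTTPS” looks like in an nginx configuration.  The hostnames and certificate paths are placeholders chosen for illustration.  The first server block is the weak, HTTP-only setup that Chrome will flag; the two blocks after it are the corrected version, where port 80 exists only to redirect.

```nginx
# Added example, not from the original post. Hostnames and certificate paths
# are placeholders.

# BEFORE: the site answers on plain HTTP and never redirects, so Chrome 68+
# labels every page on it "Not secure".
server {
    listen 80;
    server_name example.com www.example.com;
    root /var/www/example;
}

# AFTER, part 1: port 80 does nothing except send the visitor to HTTPS.
# 301 is permanent, so browsers and search engines remember the redirect.
# $host and $request_uri preserve the hostname and the full path+query.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

# AFTER, part 2: the real site, served only over TLS.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;
    root /var/www/example;

    # Certificate chain and private key; these paths are where certbot
    # (Let's Encrypt) puts them by default.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Do not offer SSLv3/TLS 1.0/1.1; Chrome treats those as obsolete.
    ssl_protocols TLSv1.2 TLSv1.3;

    # HSTS: once a browser has seen this header it goes straight to HTTPS
    # for the next year without ever making the plain-HTTP request, which
    # closes the redirect window an attacker on the network could abuse.
    # Use a short max-age while testing; only add includeSubDomains once
    # every subdomain is served over HTTPS, or you will break them.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
```

Check the configuration with `nginx -t` before reloading, then verify from outside with `curl -I http://example.com/some/page`: the response should be a 301 whose Location header is `https://example.com/some/page`, and `curl -I https://example.com/` should return the Strict-Transport-Security header.  If the 301 goes to a bare hostname instead of the same path, `$request_uri` has been dropped from the redirect.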

Information for this post came from Google’s Blog.


DHS Says Russians Penetrated US Voter Systems in 2016

While the head of cybersecurity at DHS said the details of which states were compromised is classified, she admitted that 21 states were targeted during the 2016 elections and that some of them were penetrated.

Former DHS Secretary Jeh Johnson said 2016 was a wakeup call and now it is up to the government(s) to do something about it.

Even though the President isn’t quite sure of it, DHS says that the Russian government was behind the attacks.

The good news is that there is no EVIDENCE that the voter rolls were changed in the states that the Russians succeeded in penetrating.

Many people think the 2016 election attacks were merely a test.  That test will likely continue in 2018 with plans to take more aggressive action for the 2020 presidential elections.

Even though Secretary Johnson designated the states’ voting systems critical infrastructure before he left office over a year ago, he says that the states have done little to nothing to actually harden the systems.

The head of DHS cybersecurity disagreed with Secretary Johnson.  She said that the states have taken it seriously.

I am not quite sure that her statement in any way, shape or form conflicts with Secretary Johnson’s statement that the states haven’t actually done anything about it.  You could certainly take the threat seriously and not do anything about it.

The National Association of Secretaries of State says that it is only aware of one state that was hacked.  Depending on your level of cynicism, you could say that means they are ignorant, either intentionally or unintentionally, or are being willfully blind.  Alternatively, you could say that DHS doesn’t know what it is doing.  Since DHS doesn’t seem inclined to provide us with any data, the reader is left to draw his or her own conclusion with regard to what really happened.

In the states’ defense, many of them complained that DHS wouldn’t share details of the attacks with them, which supports their assertion that they don’t know about the attacks.  DHS says state officials don’t have the clearances needed to access the classified data.

And, with a level of speed that would make a snail proud, DHS says that now, two years later, they are processing the clearances.  Since it often takes a year to get a clearance, depending on the level of clearance, it is certainly possible that the 2018 midterm elections will be long over before the states see the data and for sure, the window to fix anything will definitely be long over.

Other states are saying they are waiting for DHS to help them (I assume that help from DHS is free;  if they were really concerned they would pay someone to help them).  DHS says there is no waiting list for help and DHS “will get to everyone”.  When they will get to everyone they didn’t say.

How, exactly, the public is supposed to figure out the truth here is completely non-obvious to me.

Some states objected to the feds designating their voting systems as critical infrastructure, preferring, instead, to put their egos ahead of their citizens.  Secretary Johnson pulled even fewer punches saying that the Secretaries that were objecting were being naive and irresponsible to the people they are supposed to serve.  He is not likely to be getting a Christmas card from any of the Secretaries of State next year.

Rex Tillerson, the current U.S. Secretary of State, says that the Russians are already meddling in the 2018 election, a statement that likely puts him at odds with the Oval Office.

Given all of the above, it seems likely that the Russians will continue to successfully meddle in the U.S. election process this year and that the states will have made only minor progress to protect themselves.

Information for this post came from NBC News.
