Category Archives: Legal

California Privacy Rights, Part 2

The California Privacy Rights Act, CPRA, AKA Prop 24, was approved by voters on November 3rd. This is a continuing story on its potential impact.

Some simple answers first:

When does it go into effect: January 1, 2023.

Who has to comply: That is still murky. There was a $25 million revenue minimum in CCPA and that is still here. It now says that the revenue was for the prior year, but it does not say whether that is California revenue or worldwide revenue. Do you feel lucky?

Number of records: That number has doubled from 50,000 to 100,000, but for most companies, that is still a small number of visitors to a website. It also now excludes devices in the count, so that adds some relief to the number. It is still a small number.

Revenue: CCPA only counts revenue from selling data, but companies like Facebook don’t sell your data – so they tried to claim they were exempt. CPRA says revenue from sharing your data (a new term) is now included in the calculation.

Commonly controlled entities: The new law says that you only have to add numbers together for commonly controlled entities if the entities have common branding and consumers are likely to understand that the entities re the same company.

New data category: sensitive information: Like GDPR in Europe, there is now a category of sensitive information that includes your ID numbers, financial information, account credentials, geolocation data, race and ethnicity , biometric information, health information and sexual orientation. That is a lot of the information that companies collect today.

New right: Limit the use of my sensitive information: This right says that a resident can say that they only want the business to use sensitive information to perform the function that I asked you to perform. This may require a new, special, opt-out link.

New right: Correct my information. Somehow CCPA forgot this one. Now residents will have the right to have their information corrected and businesses will need to track these requests.

Opt out rights expanded. The new law allows not only the right to opt of sale but also the right to opt out of sharing data for behavioral advertising purposes, whether money changes hands or not.

Expanded right to deletion: Under the new law, you now have to track everyone that you share data with. If someone asks you to delete their data, you have to get third parties to delete that data too.

Watch for part 3. This law is a bit of a beast. Getting ready now is a good plan.

Credit: The Jones Day law firm

Security News for the Week Ending November 27, 2020

Senate Passes Legislation to Protect Against Deep Fakes

While I agree that deep fakes – photos and videos that use tech to make it look like someone is saying something or doing something that they never did – can be nasty, is that really the best use of the Senate’s time right now? In any case, they did pass the legislation, the IOGAN Act (S.2904) and sent it to the House. It directs the NSF to support deep fake research and NIST measure the problem and see if they can get private companies to spend their money on solving the problem. The bill plans to allocate a total of $6 million over 6 years towards the problem. Credit: The Register

Apple’s Global Security Team Charged with Bribing Sheriff with iPads

Not only is Apple in trouble but so is the Sheriff. Apparently the Santa Clara County Sheriff’s office has decided that concealed carry weapons permits can be bought and sold – or at least they can be bought. Apple offered the Sheriff’s Department 200 iPads worth $75,000 if they got the permits. The undersheriff and a captain are now charged with soliciting bribes. Other folks, including Apple’s security chief are charged with offering bribes. Business as usual. Credit: The Register

Feds Fine JPMorgan $250 Million For Failing to Maintain Controls

The Office of the Comptroller of the Currency fined JPMorgan Chase Bank for failing to maintain sufficient internal controls and internal audit. The OCC said the bank’s risk management practices were deficient. Probably not something you want the feds to tell you. Credit: Reuters

You Know Those Nigerian Hacker Stories – They Are Real

The feds have broken a Business Email Compromise (BEC) scam operating out of Lagos, Nigeria. So far they have identified 50,000 targeted victims and 26 different malware tools. BEC attacks are growing in size and some Russian attacks netted over a million dollars each. Three men have been arrested. Credit: Threatpost

Comcast Imposes More Bandwidth Caps

While bandwidth caps have no real effect on network performance, they do have a great impact on Comcast’s balance sheet, so they are back to imposing them across the country. If you use more than 1.2 terabytes a month, they will charge you $10 for every extra 50 gigabytes up to $100 extra a month. Unless, of course, you buy their unlimited plan for an extra $30 a month, whether you use extra or not. Or unless you rent a modem from them for $25 a month. Given that American Internet prices are among highest in the world and American mobile Internet performance is below countries like Ethiopia and Uganda (see chart), it makes perfect sense that Monopolistic Internet providers will figure out how to charge us more for less. Credit: Vice

The Trump-Bytedance Dance Continues

The Trump administration has been trying to force Bytedance, owner of TikTok to sell the company or the administration was going to shut it down. The only problem is that there are 100 million users of TikTok in the U.S. and some percentage of them are Republicans and, politically, pissing off 100 million Americans is not a really great thing to do. As a result, the administration, which told Bytedance to sell in August, gave Bytedance another 15 day extension recently and now gave it another 7 day extension. Personally, I am fine with the administration killing TikTok off; it doesn’t seem like an important national asset, but those 100 million American users/voters probably disagree with me. Credit: Cybernews

Feds Pass IoT Security Law – Its a Start

The new law is called The Internet of Things Cybersecurity Improvement Act and it is a start. Just a start.

While no one can agree how many billions of IoT devices are going to installed when, what we do know is that it is going to be tens of billions of devices and growing dramatically every year.

We also know that IoT devices are being hacked regularly including the hacking of the St. Jude implantable cardiac device and the Mirai botnet.

The bill was passed by the House a couple of months ago and just passed UNANIMOUSLY by the Senate and sent to the White House for signature who is expected to sign it.

So what does it do?

NIST is Required to Publish IoT Security Standards within 90 Days

This is kind of a freebee since NIST has been working on this for a couple of years, but still it is not released. Here is a link to the draft version.

NIST is Required to Publish Federal Government Standards for Use and Management Within 90 Days

This is a big one. If the standard requires features in order for a company to be allowed to try and sell to the federal government (after all, who would want to be able to legally sell to the feds?), they are not likely to make two models – one for the feds and one for everyone else, so everyone benefits.

Six Months After NIST Publishes the Standard OMB will Review the Standards (and Modify any OMB Rules Needed to Comply)

This is a bureaucratic thing to make sure that government agencies don’t ignore the law, so therefore this, too, is important.

NIST Must Develop Vulnerability Reporting Guidelines Within 180 Days

NIST will work with industry and academia to create guidelines to report, coordinate, publish and receive information about security vulnerabilities in IoT devices. This is important to standardize so that security researchers know the rules and what they can and cannot do.

The Federal Comptroller will Report to the House and Senate Bi-Annually About any Waivers Granted

This just provides a little daylight to any government shenanigans. The reports will be unclassified. The Comptroller will brief these committees after 1 year and then every two years about the broader IoT effort.

This bill is one thing that has come out of the Cyberspace Solarium Commission that issued its report earlier this year. Hopefully, more will come of it that report.

While it seems unlikely that the current occupant of the White House cares much about Internet security, it is already apparent that the next occupant will care significantly more. If Congress is nudged by the future White House to pass more legislation, that will certainly increase the odds that they will, which is, hopefully, good for security overall. Credit: CSO Online

Security News for the Week Ending November 20, 2020

Oracle POS Back Door Discovered

Oracle bought the Micros Point of Sale System a few years ago and now needs to deal with the challenges from that. The newest challenge is a modular back door that affects the 3700 POS series. It is used by hundreds of thousands of hotels, restaurants, bars and other hospitality locations. The malware, which has been around for a year, can download new modules to increase the damage it can do. Credit: Help Net Security

New Facebook Feature

Okay, many people use Facebook a lot while others find it useless. Ransomware extortion artists have found a new use. Hack Facebook advertiser’s accounts and buy ads telling victims to pay up. These ads get taken down but not before someone (else) gets to pay for them and not before the victim gets outed very publicly. Credit: Brian Krebs

White House Fires Chris Krebs, As Expected

As anticipated, the White House fired Chris Krebs, head of DHS’s CISA unit. Krebs was the person who was in charge of protecting the 2020 elections and, by all accounts, did a great job. Part of the White House’s upset with Krebs is the web site he ran called rumor control where he debunked the myths about election fraud that the White House has been peddling. The good news is that he will be able to find a job at any number of consulting companies making double or triple what he was making at DHS. This is a loss for the country. Credit: Bleeping Computer

Ransomware: 56% of Organizations Get Hit

56% of organizations responding to a recent survey say that they have been hit by ransomware in the last year. 27% of those hit chose to pay the ransom with an average payout to the hackers of just over a million bucks.

87% of the respondents said that nation-state sponsored cyberattacks are far more common than people think, posing the single biggest threat (check your cyber insurance for an exclusion for that). Credit: Help Net Security

Security News for the Week Ending Nov 13, 2020

The “S” in Coworking Stands for Security

While the WSJ says that coworking companies are closing money losing spaces as a result of Covid, don’t forget that coworking spaces are about as secure as airport WiFi, meaning not at all. The local news just said that some coworking companies are actually expanding as people want to get out of their house. For most coworking companies, the users are on a shared WiFi connection with no security and often, no encryption. Your remote working policy and procedures need to address this subject, based on the level of risk you are willing to accept and whether you are part of a regulated industry that might frown on you sharing your trade secrets, PII or customer data with the world. Also remember, that if malware gets into shared WiFi, it will certainly try to attack you. Here are a few tips for coworking company security.

Travelers are Faking Covid-19 Test Results

Apparently some travelers don’t want to go through the hassle of getting tested for Covid but still want to travel to countries that require those tests to enter the country. First there were paper documents, which, with Photoshop, were easy to forge. The cops in Paris’ Charles de Gaulle Airport just arrested some of those forgers. They were charging $180-$360 for fake documents. Apparently the French do not cotton to counterfeiters. The penalty for counterfeiting Covid documents is 5 years in a French prison and a half million dollar fine. Brazil arrested some tourists last month for presenting fake documents, so it sounds like you can get in trouble whether you are the buyer or the seller. Some locales are now only accepting electronic versions of the documents from the labs, making it harder to fake. Credit: USAToday

Google Finds At Least 7 Critical Bugs in Chrome, Android, iOS and Windows

Google says the bugs were being actively exploited int the wild, but are not saying by whom or against whom. The iOS 12 patch released patches back to iPhone 5S and 6, typically indicating that it is a big problem. The bugs were “found” by Google’s Project Zero, but apparently were being used by someone(s) prior to them being found. Does this smell like some spies were caught? Probably. We just don’t know which side they were on. Credit: Vice

Vietnam’s OceanLotus Hacking Group Joins Other Countries in Hacks

While countries like China get all the credit for hacking, Russia, North Korea and others are just as active. Add Vietnam to the list. Right now they are attacking their Asian neighbors. As is typical for these government run attacks, they are applying a great deal of effort to compromise their victims. Credit: The Record

White House May Fire Krebs for Securing the Election

Chris Krebs, the head of DHS’s Cybersecurity agency CISA, says he expects to be fired by the White House for securing the election from hackers. All reports indicate that while there is a lot more work to do to secure elections, the 2020 elections were, by far, the most secure ever. The agency also created an election rumor control web site (www.cisa.gov/rumorcontrol). This website debunked many of the myths being spread people who are trying to discredit the election results. General Nakasone, head of NSA and Cyber Command, who also said that there was no significant election fraud, could also be in trouble. Credit: Darkreading

Chain of Evidence

This seems to keep coming up, so maybe spending a little time on the subject might be helpful.

The security or privacy team creates this form for users to acknowledge something or approve something and then hand it off. Marketing gets in the middle of it to make it look pretty. Developers then take a few shortcuts to get it done on time.

Problem solved. Or is it?

Eventbrite was involved in a dispute with a customer. They wanted to invoke the arbitration clause in their terms of service. Okay. So far, so good.

But they run three versions of their application: A desktop website. A mobile website and a mobile app. They all had a terms of service acknowledgement, so are we still good?

Here is where they got into trouble.

Three platforms, three different acknowledgement forms.

Three different color schemes.

Three different button locations.

Then when they went to court they close cropped the screen shot hoping the judge wouldn’t figure out there was a whole bunch of distracting stuff next to the terms of service link.

Did marketing intentionally reduce the contrast of the link so people would not actually read what they were agreeing to?

Then there is the issue of the fact that there were, over the years, multiple versions of that screen.

So here is a question for you to ponder.

COULD YOU TELL A COURT WHAT VERSION OF THE RELEVANT SCREEN WAS IN PRODUCTION AT THE TIME THE USER AGREED TO THE TERMS?

I didn’t think so.

Then there is the issue of which platform the user agreed to the terms on.

COULD YOU TELL A COURT WHICH PLATFORM A USER AGREED TO YOUR TERMS ON?

Then there is the issue of time.

In this case the user signed up 5 years ago.

So what you need to do is know what version of the software was running whichever platform the user was on at the time the user actually acknowledged whatever it is you are concerned about and keep track of that for say, 5 years or 10 years or more. You need to be able to produce a visual image of what the screen actually looked like, including colors and positions. For each platform.

Are you good?

Oh, yeah, one more thing. Are your log files forensically sound? Could you swear under oath that the data that you had could not have been manipulated or even accidentally changed by a DBA or admin? Do you even keep logs for long enough? Do you collect all of the right data? You get the idea.

For the legal version of this conversation, read Professor Goldman’s blog here, but you probably have enough of a headache now.

Likely, you need to partner with your legal team to make sure that you get this right. It basically cost Eventbrite their case.

Could you defend your case if you had to?