Category Archives: Legal

Legal Risks of Cloud and Collaboration Tools

Many employees use consumer grade, unmanaged cloud services such as Dropbox and Google Drive as part of their work.  This is sometimes called BYOC for Bring Your Own Cloud.  It is convenient, but is it a good idea for the business?

Loss/theft of intellectual property

One of the obvious risks of BYOC is the loss of control (AKA theft) of corporate intellectual property.  These personal cloud services make it quick and easy to steal hundreds to thousands of confidential files by merely dragging and dropping.  AND, since the account does not belong to the company, the only way the company can force an employee to let them into their account is via a court order – an expensive and dicey proposition.  By the time that order is granted and appeals are exhausted, any evidence is likely gone.

Data breach and regulatory violations

Just because your company chooses to allow (or not stop) employees from using BYOC does not mean that company does not have liability if the data on the employee’s personal cloud, that the company does not control, is breached.  In fact, likely, the company is fully liable even though they have no authority over that data.  Violation of regulations such as HIPAA also fall on the company.

Litigation risk and electronic discovery exposure

If a company allows users to use BYOC and is involved in litigation, it is very difficult to preserve evidence that could exist on employee’s personal clouds.  If it is discovered that evidence has been destroyed or compromised, the judge could hold the company in contempt or even instruct the jury that they should assume the worst – that whatever was destroyed would have helped the plaintiffs and hurt the company.  A Florida court recently faulted a company for allowing an employee to destroy files in a personal Box account.  Also, depending on what an employee does with the files on the BYOC account, the company  may lose the ability to assert attorney-client privilege.

So what is a company to do?

There are only a couple of options –

Allow BYOC and deal with the risk.  This doesn’t seem like a great solution, but it is what many companies are doing today – understanding that they are going to lose corporate intellectual property in the best of circumstances.

Outlawing BYOC.  Done right, this can work.  After all, the employee just wants to get his or her job done, but done wrong, it can really annoy the employee.

Allow but regulate.  This is likely more complicated.  The company has to decide what BYOC services are OK, create rules for using them and then enforce these rules, but it is possible for this option to work.

For most companies, providing a corporate owned solution that works at least as easily as the employee owned consumer grade solution is probably the best solution, but every company will need to decide for itself.

Information for this post came from JDSupra.

Facebooktwitterredditlinkedinmailby feather

Lenovo Settles With FTC Over Superfish

Some of you will remember back in mid 2014 that Lenovo added some software called Visual Discovery by Superfish to hundreds of thousands of computers.  The purpose of Visual Discovery is to “help” you by intercepting your browser communications and either insert ads into your web traffic or even redirect you to web sites that Superfish thinks you need to visit.

If the traffic to the original web site is encrypted, then Superfish decrypts that traffic without telling you so that it can “help” you and then re-encrypts it, often in a way that is not as secure due to flaws in the Visual Discovery software.

In early 2015, the cat was let out of the bag by researchers and the media started reported about what Lenovo was doing. Lenovo tried, unsuccessfully, to do damage control and eventually released a utility that allowed people to uninstall the Superfish software.  Without this hack, there was, literally, no way to uninstall the Superfish software.

Since they were intercepting user’s encrypted traffic, they likely had access to medical, financial and other sensitive information.  All without obvious notice to the consumer.

It is likely that Lenovo didn’t think too much about what their partner, Superfish was doing, didn’t think much about the security implications, apparently did not look at the coding techniques that Superfish had used and was likely only interested in the size of the commission checks they were cashing.  This is all speculation on my part, but I doubt  that Lenovo gave Superfish access to hundreds of thousands of their customers for free.

Well the fallout has finally happened.  It took over two years, but Lenovo and the Federal Trade Commission have come to an agreement in the form of a consent decree.  A few of the highlights of the agreement:

  • Lenovo does not have to admit any guilt.  This is pretty typical.
  • Lenovo agrees that if they ever do anything that even remotely looks like this again, which I doubt, but you never know, they will create a clear and conspicuous disclosure and require the consumer to OPT-IN not opt-out.
  • Again, if they do this again, they will give the consumer the ability to opt-out at any point in time and also give the consumer the ability to uninstall the software.  None of these were done with Superfish, although there was a brief blurb when they first fired up the browser.
  • Lenovo is prohibited from making misleading representations regarding promotions like this.
  • Lenovo will implement and maintain a software security program designed to address software security risks and protect customer’s information.
  • They will identify a point person – the proverbial one throat to choke (or jail) to manage the program.
  • They will hire an outside expert to conduct software security audits every two years for the next twenty years.  That is a long time to have the FTC breathing down your neck.

Suffice it to say, this is a large pile of turds; Lenovo will spend millions of dollars and the FTC will be watching closely.  FOR THE NEXT TWENTY YEARS.

All this trouble to make a few bucks from ads to their customers.

The moral of this story is to think through the security implications of programs that hijack user’s traffic and have significant privacy implications.

More than likely, any company that was considering doing something similar to what Lenovo was doing is reconsidering that plan.  It is just not worth the risk.

Information for this post came from the FTC web site.

Facebooktwitterredditlinkedinmailby feather

Courts Easing on Requirements For “Standing” in Breach Cases?

One of the things that has always been a barrier for people who’s data was compromised during a breach is what lawyers call “Standing”.  Standing derives from Article III of the U.S. Constitution.  The courts have said that there are three requirements for “standing” to bring an action against another – Injury in fact, causation and redressability.  I am not going to even try to pretend that I am a lawyer, but basically, it says that you have to suffer harm, that the harm can be reasonably linked to the action of the defendant and that a favorable court decision will reasonably redress the situation (Wikipedia).

For the most part, the courts have ruled that, most of the time, people do not have standing and therefore cannot sue.

In February, the Fourth Circuit Court of Appeals made it harder to show standing by ruling that plaintiffs had to show that the data thieves intentionally targeted the personal information that is stolen in the breach.  The decision centers on the hypothetical future harm and whether you were injured.  There have been a number of court rulings like this (Fenwick and West).

However, there are more cases that are starting to rule in the other direction.  Not overwhelmingly, and ultimately, it will likely will have to be decided by the Supremes.

Earlier this week U.S. District Court Judge Lucy Koh ruled that a case against Yahoo due to the breaches in 2013, 2014, 2015 and 2016 can proceed, in part due to the actions of Yahoo in not disclosing for years that the breaches occurred.

Before this is blown out of proportion, Judge Koh is only a District Court judge.  On the other hand, she was the presiding judge in Apple v. Samsung and made companies like Adobe, Google and Intel bow to her will, so her opinion is not like that of some guy in a diner.

Verizon, who bought Yahoo, had hoped that this case would just go away, but at least, for right now, the case will move forward.

Judicial doctrine takes years, even decades, to create.  The doctrine in this case is no different.  When it comes to determining standing with respect to the Constitution, it will take time.  This is just another building block as the courts continue to figure this out.

When companies reimburse people after a credit card breach or offer them credit monitoring, it is to reduce the injury-in-fact part. This, in turn, makes it harder for people to have standing.

The Yahoo case is a little different.  Since they kept the breaches secret for years;  didn’t offer to reimburse people and didn’t offer credit monitoring, they did little to reduce the injury-in-fact part.  In fact they didn’t even tell people so that they could do these things themselves.

Companies have to make this particular decision all the time.  Do we disclose a breach or keep it secret?  Do we endure the bad P.R. or do we hope that word doesn’t get out.    In Yahoo’s case, the shareholders got to take a $350 million haircut in the form of a reduced purchase price, along with having to own responsibility for certain legal costs associated with the breach as a result of that decision.

As this case moves forward, other companies will be watching closely.  Again, this is just one piece in a very large puzzle.

Information for this post came from Reuters.

Facebooktwitterredditlinkedinmailby feather

More IoT Webcams Hackable – Trivially

Researchers at Bitdefender say that they have uncovered two vulnerabilities in low cost Chinese cameras.

One of the cameras is used in the iDoorbell – which represents a software supply chain issue on top of it.  The cameras come from Shenzen Neo Electronics.  Researchers suspect that other cameras are affected as well.

Using the search engine Shodan, researchers found over 100,000 vulnerable cameras, but researchers suspect the number is larger because other camera models may be affected.

One of the two exploits doesn’t even require the user to be able to login;  they compromised the login process itself.

The low cost of the camera ($39) means that there are likely a lot of them out there.

The low cost of the camera also probably explains why the manufacturer did not respond to the researchers notification of the problem.

Now that the vulnerability has been disclosed, any hacker that was not aware of the problem before is aware of it now.

Since the vulnerabilities allow a hacker to run arbitrary code, the hacker could compromise any network that the camera is attached to.  That is pretty scary.

There is some hope on the horizon.  Maybe.

Senators Cory Gardner (R-CO) and Mark Warner (D-VA) have introduced a bill that could make things a little bit better.

The bill, IF PASSED AND SIGNED BY THE PRESIDENT, establishes certain requirements for any IoT device that a vendor wants to SELL TO THE FEDERAL GOVERNMENT.  This represents a small but meaningful subset of IoT devices and likely vendors will advertise the fact that they are more secure, which could force those vendors who have not implemented the federal government standard to do so for competitive reasons.  IF the bill passes.

Here are the bill’s requirements as of today:

  • The devices must be patchable (seems logical but have you tried to patch your refrigerator lately).
  • The devices must not contain known vulnerabilities.  That means that the cameras at the beginning of the article could not be sold to the government.  If the vendor identifies vulnerabilities later, they must disclose that to the government, explain why it is still secure and what compensating controls might exist.  After that, the agency’s CIO can issue a waiver. Most likely, CIOs would not want their signature on that waiver unless it was absolutely critical to the agency’s mission.
  • That the devices rely on standard protocols.  No secret, proprietary (and hence untested for security) protocols allowed.
  • Agencies can ask the OMB for a waiver to buy a non compliant device if they can show that there are compensating controls, but who is going to ask for that?  If that device were to be hacked after the fact, there would be hell to pay.
  • The OMB, working with NIST, would be required to create security standards for the government to deploy those devices.  Of course businesses could use those standards too.
  • Agencies could have their own security standards for IoT devices – as long as they were more rigorous than the standard.
  • Vulnerabilities found must be patched or devices replaced in a timely manner (whatever that means – full employment for lawyers, I suppose).
  • It also protects researchers from being prosecuted under the Digital Millennium Copyright Act (DMCA) for hacking into the device to find and report vulnerabilities.

We shall see if the bill gets passed, but it might be and that would be very good.  Stay tuned.  If it does get signed into law, I will let readers know.

Information on this post came from ZDNet and Senator Warner’s web site.

Facebooktwitterredditlinkedinmailby feather

Industrial Espionage – Much Worse Than Credit Card Breaches

General Keith Alexander, former director of the National Security Agency, said that cyber espionage is the greatest transfer of wealth in history.  In 2012 when he made that statement, the the value of cyber industrial espionage on an annual basis was $338 billion.  Per year.  5 years later I am sure that number is greater.

Of course industrial espionage is not new.  In the early 18th century John Lombe, a British silk spinner went to Italy to steal the technology of an Italian company.  At night, by candlelight, he sketched drawings of the Italian company’s machines that he had managed to get a job working for.  He returned to England with the stolen technology and built a better machine to compete with the Italians.  Industrial espionage is not new.

What is new is the ease with which this can be done.  With everything being connected, you can now steal secrets from half way around the world.  And with cyber security practices at many businesses being a bit lax (there are a few industries for which this is not the case, but they are the exception), it is pretty easy to do.  Even defense, which you think would be secure, is not.  Lockheed lost the technology for the F-35 and now the Chinese make a knockoff and sell it at a fraction of the price.

Unlike credit card or personal information theft which is required to be disclosed, for the most part, stolen intellectual property is kept quiet.  It is embarrassing and would likely make stockholders upset.  What they don’t know won’t hurt them.

As the manufacturing process becomes more computerized, it is a huge leak opportunity.  Traditional IT security solutions sometimes don’t work on the factory floor.  Crooks know that and attack at that weak spot. In the absence of controls, detection and good processes, the crime will go undetected.

Fast forward a couple of centuries.

6 men in Houston were arrested for stealing technology for creating marine foam.  China wanted to increase it’s marine business and this foam is used in building boats due to its special buoyancy.

The Chinese, like John Lombe above, spent years weaseling their way into the company in Houston that makes this.  The crooks sent the info back to China who then had the gall to try and sell it back to the company they stole it from saying they could make it for less.

In the process of stealing the information they kept coming back to the insiders in the U.S. to get more information when their efforts at cloning the process was not working.

Now, except for one guy who is in China, they are all under arrest.  BUT, the technology has already been stolen, so it is not clear how this company can get the genie back in the bottle.  Not clear at all.

Supposedly, this information that was stolen was only known to about a half dozen employees in this company – it was the company’s crown jewels and now the cat is out of the bag.

The company considered buying the stuff from the Chinese knockoff IF the Chinese would give them an exclusive.  SO, rather than go public and be outed, they proposed making a deal with the devil.

When the Chinese started offering this U.S. company’s technology to other companies in the U.S., the company called in the FBI.  That started an investigation and, eventually, the arrest of these 6 engineers. FOUR years later.

Unfortunately, this is one of, likely, thousands of incidents.  Stopping one will NOT stop the hackers.  They just consider that an acceptable loss or collateral damage to the bigger game.

And American companies continue to ignore the warning signs (because, in many cases, there are no warning signs because the companies who got hacked keep the attack quiet).

Think about what happens to your company if you lose control of your intellectual property, whatever that is.

Information for this post came from IIoT World and the Houston Chronicle.

Facebooktwitterredditlinkedinmailby feather

CIA Spies on FBI, DHS and Other Friends

In the ongoing Wikileaks Vault 7 series of leaks, there is a new leak called ExpressLane.

According to the documents released by Wikileaks, the CIA offers a partnership with other law enforcement and government agencies in which those partners can share biometric data such as fingerprints with the CIA.

The CIA does this by offering a predefined hardware, operating system and software to its liaison partners.  It also supports these systems.

Since the program is voluntary, the CIA likely did not get all of the biometric data that each of the partner agencies had collected, so they decided to get creative.

Since they “support” these systems for their friends, they send a technician to update the system via flash drive.  Only that update also installs the ExpressLane backdoor.

ExpressLane has two parts – the first part creates a hidden partition on the target system where the biometric data is captured.  This partition is used as a holding pen for the data that they want to steal.  The data is encrypted and compressed before being stored in the hidden partition.

The second part takes the data from the hidden partition and steals it by copying it to the flash drive the next time the technician comes to “maintain” the system.

This is only one of 21 disclosures that WikiLeaks has made in the Vault 7 series – likely with more to come.

If this turns out to be true and I suspect that it probably is true, then partners – especially those in other countries – are likely going to be less cooperative with the CIA and probably all other federal government law enforcement and justice agencies.   In that sense, WikiLeaks is doing significant damage to the U.S. Government.

One might think that other governments should have assumed that the CIA is not trustworthy (after all, what the CIA was doing is likely NO DIFFERENT from what other countries likely do), but I am not sure that other U.S. Government agencies would have made that same assumption – until now.

For the CIA, this is yet another damaging blow.  Probably not to their prestige (other than the fact that all of this stuff has become public). but rather to their operational ability as all of these tools become public.

SOME of the other leaks include:

  • DUMBO – a tool to hack webcams and microphones
  • IMPERIAL – a series of tools to hack Mac, Linux and Unix systems
  • HIGHRISE – a tool to steal information from phones and exfiltrate it via SMS messages
  • ELSA – A tool to harvest location information data of Windows laptops
  • CHERRY BLOSSOM – A tool to monitor Internet activity on targeted systems by exploiting bugs in Wi-Fi devices
  • WEEPING ANGEL – a tool to transform smart TVs into covert listening devices

And, many, many others.

What we don’t know yet is how many MORE leaked documents WikiLeaks will publish and where they are getting them from.  Two likely candidates are rogue employees and nation state actors like Russia and China.  The CIA has not, that I am aware of, given any indication of the source of the leaks, although I am sure they are trying hard to figure it out and may know already.

In my opinion, rogue employees seem less likely, but who knows.  What is VERY SCARY is if the Russians or Chinese have infiltrated the CIA and are still there.  I am pretty comfortable that the CIA is likely more concerned about this possibility than anyone and are probably working very hard to figure out if that is in fact what happened.

Of course, they may never tell us what they find unless they decide to prosecute someone for espionage.

Information for this post came from The Hacker News.

 

 

Facebooktwitterredditlinkedinmailby feather