Category Archives: Legal

Security News for the Week Ending October 22, 2021

State Acknowledges Data Breach After 10 Months

I guess better late than never. Finally, the State of Illinois is admitting to a data breach, sort of. Here is what they are now saying. Check the dates below. Notice who was among the last to know – the victims. Can the state be fined for breaking the law? We shall see.

Pursuant to the requirements of the Health Insurance Portability and Accountability Act, 45 CFR Sections 164.400-414, the Illinois Department of Healthcare and Family Services (HFS) and the Illinois Department of Human Services (IDHS) (collectively the Departments) in conjunction with the Illinois Department of Innovation and Technology (DoIT) are notifying the media of an incident within the State of Illinois Integrated Eligibility System (IES).

IES is the eligibility system of record for State-funded medical benefits programs, the Supplemental Nutrition Assistance Program (SNAP), and Temporary Assistance for Needy Families (TANF). On November 24, 2020, the State discovered an issue within IES. Upon investigation, the Departments discovered that household members who were once on a case and had their access removed could still see information even after they were no longer part of that case.

In response to this incident, on January 8, 2021, IES was updated to limit case access to only the head of household, and prior and other current household members no longer have access. To date, the Departments are unaware of any actual or attempted misuse of personal information as a result of the incident and the number of potentially affected individuals was limited.

The Departments notified the members of the Illinois General Assembly on July 29, 2021, the potentially affected individuals on September 9, 2021, and the Office of the Illinois Attorney General on September 10, 2021.
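The notice describes a classic stale-authorization bug: a person removed from a case kept read access because the "who can see this case" answer was not derived from the case's current state. The following is an added illustration of that bug class beside a corrected check; it is not the State of Illinois' code, and the data model, function names and sample case are assumptions for illustration.

```python
# Added example (not State of Illinois / IES code): a grant table that is written when
# someone joins a case but never revoked when they leave, next to an authorization
# check that is derived from the case as it stands now. All names and the sample
# case are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Case:
    case_id: str
    head_of_household: str
    members: set = field(default_factory=set)  # users currently on the case


class CaseStore:
    def __init__(self):
        self.cases = {}
        # Cached grant rows, one per (user, case). The flaw: nothing deletes a row
        # when that user is later removed from the case, so the grant goes stale.
        self.grants = set()

    def open_case(self, case_id, head):
        self.cases[case_id] = Case(case_id, head, {head})
        self.grants.add((head, case_id))

    def add_member(self, case_id, user):
        self.cases[case_id].members.add(user)
        self.grants.add((user, case_id))

    def remove_member(self, case_id, user):
        # Updates the case record but forgets the grant table: the stale-grant bug.
        self.cases[case_id].members.discard(user)

    def remove_member_fixed(self, case_id, user):
        # If a grant cache is kept at all, revoke it in the same step as the removal.
        self.cases[case_id].members.discard(user)
        self.grants.discard((user, case_id))

    def can_view_stale(self, user, case_id):
        # Vulnerable: trusts the cached grant table.
        return (user, case_id) in self.grants

    def can_view(self, user, case_id):
        # Hardened: answer from the case's current state. Mirroring the January 2021
        # change described in the notice, only the current head of household may view.
        case = self.cases.get(case_id)
        return case is not None and user == case.head_of_household


def demo():
    """Runs the scenario from the notice on a constructed case and returns the checks."""
    store = CaseStore()
    store.open_case("case-1", "head")
    store.add_member("case-1", "spouse")
    store.remove_member("case-1", "spouse")  # buggy removal path

    fixed_store = CaseStore()
    fixed_store.open_case("case-1", "head")
    fixed_store.add_member("case-1", "spouse")
    fixed_store.remove_member_fixed("case-1", "spouse")  # removal that also revokes

    return {
        "removed_member_stale_check": store.can_view_stale("spouse", "case-1"),
        "removed_member_fixed_check": store.can_view("spouse", "case-1"),
        "removed_member_after_revoke": fixed_store.can_view_stale("spouse", "case-1"),
        "head_fixed_check": store.can_view("head", "case-1"),
        "outsider_fixed_check": store.can_view("stranger", "case-1"),
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {'ALLOWED' if allowed else 'denied'}")
```

The point a reviewer would take from this is that a cached grant is only as good as its revocation path; the safer design computes access from the live case record on every request, and a regression test for "removed member can no longer view" belongs in the suite so the bug cannot come back.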

Tesco Launches First Checkout-Free Store in London

Following Amazon's lead, Tesco has opened a store in London where customers can shop without stopping at a checkout line. This is done with a large number of cameras and sensors. My guess is that they are willing to take some losses in the short term to find the weak spots and learn how people try to game the system, but this is surveillance to the max. It requires that you have their app, and they automatically charge the credit card you must keep on file. Me, I'm okay with the checkout line. Credit: Computing

Facebook Plans to Rebrand Itself

Okay, this is not really security related, but fun for Friday. Facebook, apparently, wants to rebrand itself. They have been quiet about this but will announce the new name at their annual conference this month. Note that they didn't ask for suggestions; they probably would have gotten a bunch that referred to different body parts than people's faces. But this is similar to what Google did with Alphabet back in 2015. Facebook as a company has lots of brands, and it probably doesn't make sense any more for the parent company to still be called Facebook. Credit: Computing

CISA Wants the 24 Hour Breach Reporting Law for Incidents

There are bills working their way through Congress right now that would make it mandatory for certain companies to report breaches, and some attacks, within either 24 or 72 hours, depending on the bill. CISA is putting its weight behind 24 hours. The requirement would probably cover anything designated as critical infrastructure, which is a lot, and possibly some others. Stay tuned to see what passes. Companies would rather keep hacks secret if possible, but if a bill passes and companies can be fined or executives can go to jail, they will probably disclose. The disclosure would probably be to the government and not to the public. Credit: FCW

CISA Says Ransomware Targeted SCADA Systems of 3 US Water Treatment Plants

The FBI, CISA, EPA and NSA issued a joint alert saying that cyberattacks against water and wastewater treatment plants are up. They revealed that the industrial control system (ICS) or SCADA systems at three plants had been hit by ransomware, and that the malware had been lurking inside for about a month before it launched. Attackers go after the outdated software and poorly configured hardware of these systems, which makes for a pretty easy attack. Drinking water is the primary target, they say. My guess is that they do that because poisoning people will create more chaos. Credit: Hack Read

NSO’s Pegasus Spyware No Longer Works in the UK, US

At this point this is only a rumor, but maybe a high-confidence one. The Israeli spyware company NSO Group continues to get into trouble as it sells its software, pretty much, to anyone who will pay the price.

Earlier this month the UK High Court found that a Dubai princess and her lawyers had their phones hacked with NSO's Pegasus software, on the orders of her ex-husband, the ruler of Dubai.

Amazingly, at virtually the same time, according to an unnamed source, NSO blocked the software from working against phone numbers in all of the Five Eyes countries (UK, US, Canada, Australia and New Zealand).

For how long is unclear.

NSO is facing a lot of lawsuits right now, so they may be trying to deflect some heat. Since they are not publicly saying what they are doing or for how long, I would not count on the good behavior lasting. Too much money to ignore.

What likely happened is that some part of the international intelligence community "suggested" they cool it for a while; otherwise those agencies might be forced to take the kind of action they took against Iran with Stuxnet. If you remember, Stuxnet wrecked a large share of the centrifuges at Iran's Natanz enrichment plant and set its nuclear program back. It is highly likely that the NSA or GCHQ could do the same to NSO if they wanted to. Not saying that is what happened, but…..

The NY Post reported that the Princess paid $6.4 million to keep an affair with her bodyguard secret. When this came out, the Princess, daughter of the late King Hussein of Jordan, left Dubai with her two young children from her marriage to the Sheikh. It is likely that all of this ugliness is what led the Sheikh to decide to hack her and her attorneys' phones.

The Sheikh was a bit unhappy with her sudden departure and asked the UK High Court to order the children's return. I guess in the UAE, all is fair in love, war and child custody. He even tried to kidnap the kids using a helicopter.

All of this is kind of above my pay grade, but it does seem to poke some holes in NSO’s claims that they are good guys and their software is only used to catch bad guys, which is what their public story is.

How long NSO will continue to lose revenue opportunities is not clear.

What this "outing" of NSO means, however, is that the fears that Pegasus was used to spy on diplomats, politicians, reporters and activists are likely well founded.

Credit: The Guardian

Coming Clean After A Hack

A hacker claims to have breached the Argentinian government’s network and stolen ID card details for every person in the country. The data is now being sold on the underground.

The agency that holds the data, RENAPER (Registro Nacional de las Personas), is Argentina's National Registry of Persons.

The agency is tasked with creating national ID cards for citizens and the data behind the ID cards is used by most other agencies to validate a citizen’s request for services.

But here is where things get messy.

The hacker posted ID card photos and personal details for 44 celebrities on Twitter – including that of the President.

The hacker also published an ad on a well-known hacking board offering to look up the details of ANY Argentinian.

Three days later the government concocted a story saying that it had discovered a VPN account being used to query the RENAPER database for 19 photos at the exact same time as they were published on Twitter.

Sounds convenient to me. But if the hacker posted 44 names and the VPN user queried 19, where did the rest of the data come from? And at the exact moment? Shouldn't there be some delay between stealing the data and using it? At least a little. They went out of their way to say at the EXACT moment.

When the media contacted the hacker after the government published their likely made up story, the hacker offered to look up the national ID number of any citizen of the reporter’s choosing.

The hacker says that he will continue to sell the data to interested buyers and that he is probably going to publish the data of 1 to 2 million citizens (out of 45 million) in a couple of days.

The hacker didn't deny that the VPN account was real; it is a possible point of data extraction.

I can’t guarantee that the government is lying and the hacker is telling the truth, but sure seems that way.

If the hacker has all of the data needed to make fake ID cards for every citizen, that is kind of a problem for the government.

It is also a problem for citizens if their card is used to commit a crime.

BUT, it is also an interesting defense – it wasn’t me, it could have been anyone since the data is for sale on the underground web.

The government may be trying to figure out what to do. Reissuing 45 million ID cards quickly, and SECURELY, is going to be a challenge. What do they do in the meantime? Are they still trying to figure out whether the data was stolen?

This is a challenge for everyone who gets hacked – government or otherwise.

I think you have to tell the truth. The truth will come out in the end and if you are caught fibbing, you look worse than if you just fessed up in the first place.

For Argentina – a big mess. For everyone else – an opportunity to figure out your data breach crisis communications strategy. Credit: The Record

Security News for the Week Ending October 15, 2021

Microsoft Investigating Multiple Windows 11 Issues

While some of the issues are not serious, others, like a memory leak in File Explorer that can only be recovered from by rebooting, are more of a problem. I recommend waiting a month or two so that other users can flush out more of the bugs first. Credit: Bleeping Computer

Feds Arrest Nuke Navy Engineer for Selling Nuke Secrets to Foreign Power

A Navy nuclear engineer stole restricted data about the Virginia-class nuclear submarine and tried to sell it to a foreign power. For whatever reason, the person he contacted in the unnamed country shared his letter with the FBI. The FBI strung him along for a while as he made several dead drops of data and they paid him in cryptocurrency, until they arrested him last week. He was able to smuggle the documents out past security, which just shows how hard it is to secure against a determined insider. Credit: The Register

An unintended Consequence of Covid Vaccine Passports

The UK is one place where vaccine passports are required for travel. The app on people's phones is managed by the National Health Service (NHS). It displays a barcode that airport security can scan to check a passenger's vaccine status. No proof of vaccination or negative Covid test and you can't get on the plane. Which is great until the app's backend database crashes, as it did today, for about four hours. Heathrow came to a standstill. One journalist reported that she was offered a later flight for a 250 pound fee. Oh, yeah, and she would need to take and pay for a rapid Covid test for another 119 pounds. She opted not to fly. Another passenger tried using his paper vaccine card, but security would not accept it. The app has an offline mode, and you can screenshot the barcode, but both only help if you set them up before the outage. Unintended consequences. Credit: BBC

Treasury Links $5 Billion in Bitcoin to Ransomware

The U.S. Treasury's Financial Crimes Enforcement Network (FinCEN) has done some trawling of the Bitcoin blockchain. Anyone who thinks that bitcoin is anonymous does not understand how it works. They identified Bitcoin wallet addresses after analyzing suspicious activity reports (SARs) that banks send in. This has nothing to do with actually recovering any money. If they put those wallets on the banned list, the hackers will create new wallets (which they should be doing anyway to make things harder to track). It is probably still a good thing to do, because a lot of crooks are sloppy and those are the ones this might catch. Credit: Bleeping Computer
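Why "just create new wallets" is weaker than it sounds: the moment a fresh address is spent together with an already-known one, the standard common-input-ownership heuristic folds it into the known cluster. The block below is an added illustration of that heuristic and of a ban list applied to a cluster rather than to single addresses; it is not FinCEN's tooling or method, and every transaction, address and the seed address are constructed for the example.

```python
# Added example, not FinCEN's tooling: the common-input-ownership heuristic used by
# blockchain analysts. Every input of a transaction must be signed by the spender, so
# addresses that appear together as inputs are assumed to share an owner. Transaction
# data below is constructed; the "txid" strings and addresses are placeholders.

# (txid, input addresses, output addresses)
TXS = [
    ("tx1", ["A1", "A2"], ["V1", "C1"]),  # A1 and A2 co-spent: one owner. C1 is an output only.
    ("tx2", ["A2", "A3"], ["V2"]),        # A3 joins the cluster through A2
    ("tx3", ["B1"], ["B2"]),              # unrelated, single input: nothing learned
    ("tx4", ["N1", "A3"], ["V3"]),        # "fresh" wallet N1 co-spent with A3: linked
    ("tx5", ["N1", "N2"], ["V4"]),        # N2 linked transitively through N1
]


class UnionFind:
    """Disjoint sets over address strings, with path halving on find."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb


def build_clusters(txs):
    """Merge all input addresses of each transaction into one set."""
    uf = UnionFind()
    for _txid, inputs, _outputs in txs:
        uf.find(inputs[0])  # register single-input spends too
        for addr in inputs[1:]:
            uf.union(inputs[0], addr)
    return uf


def cluster_of(txs, seed):
    """All addresses the heuristic links to `seed`, sorted for stable comparison."""
    uf = build_clusters(txs)
    root = uf.find(seed)
    return sorted(a for a in uf.parent if uf.find(a) == root)


def flag_transactions(txs, banned):
    """Transactions that spend from any address clustered with a banned address.

    A ban applied to the cluster catches tx4 and tx5 even though N1 and N2 never
    appeared on the original list; a ban on single addresses would have missed them.
    """
    uf = build_clusters(txs)
    banned_roots = {uf.find(b) for b in banned}
    return [txid for txid, inputs, _ in txs
            if any(uf.find(a) in banned_roots for a in inputs)]


if __name__ == "__main__":
    print("cluster of A1:", cluster_of(TXS, "A1"))
    print("flagged with A1 banned:", flag_transactions(TXS, {"A1"}))
```

Two caveats a practitioner should keep in mind: the heuristic says nothing about outputs (C1 above stays unlinked unless a separate change-address heuristic is applied), and it is deliberately broken by CoinJoin-style transactions where unrelated parties co-sign inputs, so clusters are investigative leads, not proof.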

Fallout From the Epik Hack

Epik, as I reported earlier, is a domain registrar that is kind of a last resort for people who can't get another registrar to manage their domain, alongside many vanilla domains. Epik hosts a number of conspiracy-theory and alt-right domains because, it says, it is neutral in the battle. As a result of the hack, a lot of data that people would have liked to keep private became public, and as a result of that, people are being fired and businesses are losing customers. One person whose information was disclosed fell back on the conspiracy-theory playbook and said that the data was easily falsifiable (by whom, Epik or the hackers, and why?), that he was possibly the victim of extortion, and that the newspaper that reported the information was "fake news". Possible, but that is not likely to help the people who get outed. Credit: The Washington Post

Attorney Client Privilege in Cyber Land

Historically, attorney-client privilege was used to protect conversations between attorneys and their client as they were preparing their defense.

While that is still the case, there is a lot of information that breached companies might not want to get into the hands of the people suing them. Unless it is done right, it is highly unlikely that the information will be protected.

Some examples of doing it wrong.

After a data breach occurred, Capital One retained a law firm that later entered into an agreement with Mandiant for various cyber-related services (including incident remediation), which required that Mandiant provide deliverables to the firm rather than to Capital One. Plaintiffs sought release of the report created by Mandiant (regarding the factors leading to the breach), arguing that it was prepared for business and regulatory purposes and therefore was not privileged, while Capital One argued that the report was privileged because it was prepared in anticipation of litigation. Capital One lost and had to turn over the report.

Plaintiffs filed a motion to compel Dominion Dental Services to produce a report created by Mandiant, a cybersecurity firm. Dominion claimed that the report was created to inform legal counsel and create a litigation strategy, and thus was privileged and protected by the attorney work-product doctrine. The court stated that Dominion had not met its burden of demonstrating that the materials were protected work product and held that the materials were not privileged because (1) Mandiant had a relationship with Dominion prior to the breach, which anticipated services in the event of a breach occurring; and (2) Dominion used the materials for non-litigation purposes.

There are more of these. The wall of attorney-client privilege is full of holes.

This means that you need to prepare for how you are going to respond in case of a breach.

BEFORE the breach.

Some things to figure out:

  • Failure to define the parameters of retaining an outside consultant to create a breach report increases the risk of that report not being covered by the work-product doctrine. THIS MEANS THAT YOU NEED TO COMPARTMENTALIZE WHAT YOU ARE DOING. Likely one project/vendor for incident cleanup and a different one for legal prep.
  • Retainers for vendors used in preparing a breach report should be categorized as a legal expense. BREACHED COMPANIES THAT HAD ENGAGED MANDIANT BEFORE THE BREACH AND CLASSIFIED THE EXPENSE AS AN IT EXPENSE HAVE A HARD TIME CHANGING THEIR MINDS LATER. BUT CLASSIFYING IT AS A LEGAL EXPENSE DURING NORMAL TIMES WHILE HAVING THE VENDOR REPORT TO "IT" IS ALSO A PROBLEM.
  • Only share the data breach report for legal purposes, and share it with as few individuals in the organization as possible. SEE COMPARTMENTALIZE ABOVE. IF YOUR LAW FIRM DOES NOT UNDERSTAND THIS, IT IS THE WRONG LAW FIRM TO HANDLE THE TASK.
  • Proceed with caution when using a data breach report outside of litigation purposes.

Now is the time to figure things out. Before you need to use it. Credit: ADCG