Category Archives: Legal

The FBI’s Cyber Challenge Exceeds Its Bandwidth

Or so says Christopher Wray, the current director of the FBI, testifying before a Congressional committee.

My guess, having talked to my share of FBI agents, including today,  is that he is correct.

The basic premise of all police work is that the number of crimes is relatively small.  No so with cyber.

Also, it used to be that crime was local.  It is hard to break into your house and steal your TV from Kiev.  You MUST have an operative in town, even if you are in Kiev.  Not so when it comes to cybercrime.

Jurisdiction was never an issue.  Yeah, sometimes a crook would flee the state before the cops caught up with him or her.  Now, a large percentage of cybercrime is committed offshore.  Even if it comes from a country friendly to us, there are an amazing number of hoops that cops have to jump through to get information from even the friendly countries.  Imagine what it is like to get information from countries that you have to Google just to figure out exactly where they are located.

As the FBI agents who briefed us today said (thank you Nate and Dennis), they need a lot of  help from businesses if they even stand a chance of catching the bad guys, but if businesses do what is required, it is possible.  Sometimes.  Let me know if you would like a briefing.

According to this year’s budget.  The FBI has 1,981 employees involved in cyber investigations.  Assuming the FBI has 56 field offices and not counting all the satellite offices, that means that the FBI has about 35 employees at all levels, on average, at each field office to investigate the roughly 300,000 crimes that were reported to the FBI in 2017 and probably 10 times that many which people didn’t even bother to report.

Given that most of these crimes involve foreign countries and therefore  reams of paperwork, if you ever do get cooperation,  they are fighting a losing battle.

One of the roles of these roughly 2,000 people is to help state and local law enforcement solve cyber crimes reported to them, so the problem multiplies.

What this means is that you are much better off trying to keep the bad guys out rather than trying to get help after the fact.

Just a matter of simple math.  Not. Enough. Resources.

Of course, it is virtually impossible for the FBI to retain top cyber talent.  A really smart cyber investigator can likely earn double or more what they would make at the FBI in private industry, with less hassle and more perks.  Yes, they don’t get to wear a badge and carry a gun, but that excitement wears off quickly.

The FBI is trying to improve the overall cyber knowledge of its total staff, but that is hard.  These people have spent their entire careers searching for traditional crooks,  This is a very different skill.  You don’t send someone to a one day class and make their a cyber expert.

Source: Government Computer News.

Facebooktwitterredditlinkedinmailby feather

GDPR Regulators Getting Their Game On

Poland’s data protection regulator made an interesting decision affecting a Swedish based digital  marketing company named Bisnode.

Poland’s regulator, the national Personal Data Protection Office (UODO in Polish), fined Bisnode 220,000 Euros for failing to comply with Article 14 of GDPR.

Article 14 requires a data controller to inform a person when it collects data about that person from another source. In addition, you have to tell them the purpose that you are collecting the data for and give them the option to object.

Bisnode’s business model is to collect data from public records of various types and then, we assume, sell that data.

Bisnode apparently understood that obligation to notify people because of the 6 million records they scraped, they sent out notices to the people for whom they had email addresses.  That represented about 90,000 businesses.  Of those 90,000, about 12,000 or 13% responded back saying that the company did not have their permission to use this data for the purpose stated.

For the rest of the people, even those for whom they had a phone number, they opted not to notify them at all.

Instead, they put a notice on their web site.  Of course, those 6 million people had no reason to look at the company’s website and besides, I am guessing that they did not include a list of 6 million names on the web site, but maybe they did.

Bisnode objected to having to notify people because they said it would be too expensive to send everyone a registered letter.  Of course an email is not equivalent to registered mail, actually closer to a postcard, and they could have  sent 6 million postcards for a whole lot less than the cost of 6 million registered letters.

There is a lot more information in the source article linked below, but for now the point is that businesses that depend on scraping other people’s data and selling it should be wary about their business model.

At a bare minimum, they need to consider the notification requirements and understand that each distinct purpose the data is being used for requires its own notification (if you know now that it will be used for, say, 3 purposes, you can include all three purposes in one notice, but if you decide next month that you have  new purpose, you have to renotify.  And, the notice cannot be generic in nature like “we are going to sell your information to folks who are going to do stuff with it, like spam you”.

The Polish DPA also required them to notify the 5.9+ million people that they didn’t notify.  Bisnode is thinking about deleting the data instead, but even if they do, will that relieve them of their notification obligation?

Assuming Bisnode does appeal, hopefully that appeals decision will improve the clarity of the rules under GDPR, but given what I  have seen in the past, Bisnode is unlikely to get a free pass in this situation.

So for businesses that depend on the ability to take data from third parties and use it in a way that the consumer did not anticipate, anticipate that you could be on the wrong side of a DPA decision and then will need to decide if you can afford to fight.   Not being able to do that freely may make the business not viable, so either way, those businesses have a problem.

Source: TechCrunch.

Facebooktwitterredditlinkedinmailby feather

Security News bites for the Week Ending March 15, 2019

Jackson County Pays $400,000 in Ransomware

Following a ransomware attack on March 1st, 2019, Jackson County, Georgia decided to pay hackers a ransom of $400,000.

The county population is 67,000 according to Google.  While hackers may not be explicitly targeting these small municipalities, they may be.  After all, small municipalities likely have poor cybersecurity practices and are likely to be willing to pay exorbitant ransoms in order to restore public services.

After the attack, the county said that they decided to pay the ransom because they thought, given their shoddy security practices, it would take them months and cost them even more to rebuild their systems.

Who gets to pay the price of their poor security practices, unfortunately, are the county residents.  The county budget for 2017 was about $40 million, so a $400k hit represents about one percent of the total annual county budget.  There is no indication that the county had any insurance.  In addition to the actual ransom, the county hired a consultant, had downtime and is in the process of recovering from the outage.  Hopefully, the county will institute better security practices now that the horse is out of the barn, costing residents even more money.

This same ransomware, Ryuk, was used in the recent newspaper attacks, but other than delaying the printing of several newspapers like the NY Times by a few hours, the impact was minimal – likely due to better cybersecurity practices in the private sector than the public sector.

There are at least 10,000 municipalities across the country, the vast majority of them are small and with no cybersecurity expertise, so, to the hackers, this is a bit like shooting fish in a barrel — expect more attacks and millions in ransom paid.  Source: Bleeping Computer.

 

Consider Security Basics

Journalists were able to waltz into an undersea fiber optic cable landing station in the UK because engineers forgot to close or lock the gate to the fiber hut.

For terrorists, that would be a wonderful way to destroy a  very high speed Internet link.

As is often the case, even though there were surveillance cameras at the building, no one came to question the reporters as to why they were there.

So, locking the doors and monitoring the surveillance cameras might be a “basic” security measure.   Source: The Register.

Google Now Allows You to Disable Insecure Two-Factor Authentication Methods

Two-factor authentication is a great way to improve security but nothing is perfect.  There are many methods of two-factor authentication, including a phone call and a text message.

Now Google will allow Corporate G-Suite administrators to disable less secure two-factor methods if they choose to (a feature that Microsoft Office has had for a long time, so Google is playing a bit of catch-up).

If you want to force users to either use the Google Authenticator App or a Yubi Key as the only approved second factor, you can do that.  MUCH – repeat MUCH – more secure.  Source: Bleeping Computer.

 

App 63red Security Lacking;  Developer Threatens Messenger

63red, an app that was developed by conservative news site 63Red Safe, is supposed to provide a directory of places that were safe to do things like wear your MAGA hat without being harassed.

Soon after it was released, a French security researcher discovered that the security of the app was less than perfect.  Inside the code of the app the researcher found the developer’s email, password and username in plain text,  Also, there was no security in the app’s API and other security issues.

Developers react differently to being told their app is not secure. In this case the developer reported there was no breach, no data changed, minor problem fixed.  The first two statements are accurate but misleading.  He called it a politically motivated attack.

The developer called the FBI on the researcher, claiming he hacked them, when in fact all he did was look at the source code and then use what was in the code to test the security.  Theoretically, that could be considered exceeding your permissions under the Computer Fraud and Abuse Act, but there are specific exceptions for security research.

The app has now been removed from the app store, apparently due to security issues.

If you are going to fire back at a security researcher, you probably need to make sure that you are on solid ground.  Sources:  The Daily Beast and Ars Technica.

Facebooktwitterredditlinkedinmailby feather

What is Going to Happen in Europe Regarding Privacy?

Well, we certainly DO live in interesting times.

The UK is supposed to leave the EU at the end of March, but no one knows if they will, if there will be a deal, if they will delay Brexit, if they will have another vote.

The European Data Protection Supervisor says do not expect anything with regard to UK “adequacy” (meaning that you can freely move data between the EU and the UK) for at least a couple of years.  For folks with large operations in the UK, that could be a problem.

The Supervisor also said that it is unlikely that GDPR will be revisited for another 7-10 years; then considering the adoption process, do not assume any changes to GDPR of around 20 years.  For those hoping for relief, do not count on it.

He also told the European Parliament that Privacy Shield, the Frankenstein agreement concocted by the US and EU after the EU courts struck down Safe Harbor, is “an instrument of the past”.  He said that Privacy Shield is an interim instrument.  He said that when you look at the full scope of GDPR, Privacy Shield doesn’t make any sense.

Regarding the ePrivacy legislation that is in the works, he is hoping to get some consensus this summer, but whether that means there will be a vote-ready version, that is another story.  That, once approved, will be another set of rules for companies to adopt.

When it comes to data retention, he wasn’t happy about Italy’s law which allows people to keep data for 6 years.  Of course, in the US, there is no limit on retention.  He did, however, like the German approach, which allows retention for weeks, not years.

Suffice it to say, there is a huge gap between European desires (and their laws) and current American practices and that will likely continue to play out in the courts.  Stay tuned.  Source: IAPP (membership may be required to view).

Facebooktwitterredditlinkedinmailby feather

Not a Great Day for One Law Firm, Its Vendor and its Clients

I wrote a while back about hackers that had compromised a law firm and its customer Hiscox insurance – or said differently Hiscox and its vendor.  The law firm was handling claims related to 9/11 (almost 20 years later and still litigating!).

A lot of law firms (certainly not all) have not figured out that they are a high value target for hackers because of all of the customer data that they have.

The hackers broke into the law firm and stole tens of thousands of claims documents and emails.  Stuff that Hiscox’s clients probably did not want to be public.

Then the hackers tried to extort Hiscox and the law firm.

Apparently that didn’t work.

The hackers had distributed three encrypted blobs after the extortion became public a couple of months ago.

Now the hackers have released another encryption key.  This time it exposed about 8,000 emails – about 5 gigabytes of stuff.  That means a lot of attachments, otherwise 8,000 emails would be a lot smaller.

Since  the hackers are dribbling out these encryption keys they may be still trying to extort the law firm and Hiscox, but each one of these data dumps makes things worse for them.

Hiscox’s story was “it wasn’t us” meaning that the hackers didn’t break into the insurance carrier, but, you know what, when it comes to lawsuits, Hiscox’s customers are going to say that they gave the documents to Hiscox;  if they gave it to someone else, that is Hiscox’ problem, not theirs.  And, I think, the courts are likely to agree.

And, Hiscox added, once they learned about the breach, they informed the policy holders.

I’m guessing that the insureds are going to say that Hiscox had a fiduciary responsibility to protect the data that they shared and that responsibility can’t be waived.

Given that this is 18 years after 9/11, those suits still being litigated are probably big dollar claims.  I hope Hiscox has a lot of insurance because I can’t imagine they are not going to be sued.

Okay, so what is the implication to you?

At all levels here, we are talking about a vendor cyber risk management (VCRM).  Between Hiscox’s clients and Hiscox and between Hiscox and its vendors.  There will be lawsuits over that.

The second issue is the security at the law firm.  Apparently not so good.  How good is the security at the law firm that you use?  Even though you might be able to sue them after a breach, that doesn’t really solve the problem.  

Now there is a big mess.  Who gets to pay for the cleanup?  Look at the agreements that everyone signed.  My guess is that the law firm wrote something in the contract that said they were not responsible.  Assuming Hiscox accepted such language. 

Did the law firm have cyber risk insurance?  If not, can they write a check for $10 or $100 million out of their checking account?  If not, they file for BK and walk away, leaving the customer holding the bag.

YOU, as the customer, need to make sure that everyone has their ducks in a row.  To quote a sign I saw yesterday:

     I don’t have ducks
     I don’t have a row
     I have squirrels
    And they are drunk

BE PREPARED!

Information for this post came from Motherboard.

 

 

Facebooktwitterredditlinkedinmailby feather

The Times They Are A Changing, Part 2

Last week I wrote about 4 different cases where courts are moving in the direction of making it easier for plaintiffs to sue companies in case of a breach.

Now we have another situation.  In the past, judges have approved settlements that only made the lawyers rich.  The plaintiffs sometimes got, literally, nothing.  That is beginning to change.

Judge Lucy Koh (she has some impressive credentials – undergraduate and law degree from Harvard, first ever female Korean American Article III judge in the US, oversaw the Apple-Samsung case,  Apple and Google lawsuits) decided that the did not like the proposed Yahoo settlement.

The settlement called for $50 million split among 200 million people (or about 25 cents a person), zero for the remaining 800 million people plus two years of credit monitoring.  Remember this breach started in 2013, so two years of credit monitoring starting some time in 2019 …..

She also said that the $35 million in legal fees (taking the payout to the 200 million people down to $15 million or seven and a half cents a person) may be unreasonably high because the legal theories in the case were not particularly novel (SLAP! Meaning that the lawyers didn’t really have to work that hard).

That could, possibly, mean that judges are becoming educated and are hearing that people are trying not to spend their seven cent payout all in one place, meaning bigger settlements are going to be required in order to get judicial approval.

Meanwhile for Yahoo, it is back to the drawing board.

For businesses, that probably means that it would be a good idea to increase your cyber-risk insurance.

Details for this post came from Reuters.

 

 

Facebooktwitterredditlinkedinmailby feather