Category Archives: Legal

Crypto Backdoors and Huawei

Note: If you didn’t know that I am against crypto backdoors before, let me just tell you up front, because that fact will be clear by the end.

The world works in the most mysterious ways.

The FBI has been trying for years to get phone makers (Apple especially) to install crypto backdoors into iPhones for them. This is what they call lawful access.

The scientists say that there is no way to do this securely, that is, no way where only the good guys can access your stuff and the bad guys cannot.

Sometimes the universe demonstrates things in a way that scientists can’t.

The U.S. has been saying for a long time that the Chinese company Huawei – the world leader in 5G cellular technology – is bad and that they are closely connected to the Chinese military. All of this is likely true.

What they haven’t said is why, and they are not really telling the whole truth now, likely because the whole truth is classified. They probably don’t want the Chinese to know what our spies know.

Huawei cell hardware has a crypto backdoor. Not necessarily because they wanted to put it in but more likely because cell providers in many countries are required to provide a backdoor. If Huawei didn’t build one in, they couldn’t sell their hardware.

What has come out now is that there is a concern that Huawei – AKA the Chinese government or Chinese military – may be able to use – or ABUSE – that backdoor.

Of course they claim that they would NEVER do that. You believe them, don’t you?

The U.S. isn’t publicly saying this, likely because some CIA source told them, or something like that, and as a result it is considered highly classified. If the Chinese know what we know, they can probably figure out how we got it and from there, figure out who told us. At that point, the next step is a bullet in the head.

So it appears that this backdoor that the FBI so desperately wants is the reason why Huawei is such a threat. Bottom line, if we insert a backdoor into crypto, even for the best reasons, the bad guys will learn about it and figure out how to exploit it. Then we have the Huawei situation all over again.

Since the U.S. is pushing really, really hard to stop carriers from using Huawei hardware, probably with good reason – and we now know why – what is the impact on 5G rollout in the US?

For the large carriers in the core of major metropolitan cities – not much.

For smaller carriers and for the big carriers outside the high profile “gee, we better have 5G coverage here” locations, it means that the rollout of 5G in the U.S. will probably be much slower than would have been otherwise.

Given that almost no one has a 5G capable phone right now, that probably doesn’t matter much – right now.

But there is another use that seems to be garnering some attention and that is Internet of Things. If some IoT devices are dependent on 5G (like your self-driving car) and if the buyer or maker of the device ASSUMES that 5G coverage will be available, well, that is a problem (like the self-driving feature doesn’t work). Hopefully, manufacturers who assume people will have 5G will design their systems to fail safely (like shutting their device off if it can’t get 5G), but even that won’t make people happy.

Looking at 5G coverage today, here is a map from Verizon’s website for Denver. Notice it says AVAILABLE OUTDOORS. Likely, this is because the signal won’t penetrate walls, which means that we all need to move into tents outside. The tan highlight says that 5G is available in PARTS of these neighborhoods. Granted they will build out more and likely in the next few years, more of downtown Denver will have coverage, but that doesn’t include anything outside downtown and it doesn’t cover indoors. For that you will need to buy a 5G cell simulator and have enough extra Internet bandwidth on your Internet connection to give you 5G speeds. You want gigabit 5G – you better have an extra gigabit of Internet bandwidth on your service that you are not using. And, you better hope that your carrier doesn’t have bandwidth caps.

Source: Ars Technica


Security News for the Week Ending February 14, 2020

Feds Say 4 Chinese Hackers Took Down Equifax

The Department of Justice indicted 4 members of the Chinese People’s Liberation Army, saying that they were responsible for detecting the fact that Equifax did not patch some of their servers and thus were easily hackable. This, of course, means that the hack did not require much skill and may have even been a coincidence.

While it is highly unlikely that the 4 will ever see the inside of an American courtroom, it is part of this administration’s blame and shame game – a game that does not seem to be having much of an effect on cybercrime. Source: Dark Reading

Malwarebytes Says Mac Cyberattacks Doubled in 2019

For a long time, the story was that Macs were safer than PCs from computer malware and that is likely still true, but according to Malwarebytes anti-virus software, almost twice as many attacks were recorded against Mac endpoints compared to PCs.

They say that Macs are still quite safe and most of the attacks require the attacker to trick a user into downloading or opening a malicious file. One good note is that Mac ransomware seems to be way down on the list of malware. Source: SC Magazine

Feds Buy Cell Phone Location Data for Immigration Enforcement

The WSJ is reporting that Homeland Security is buying commercial cell phone location data in order to detect migrants entering the country illegally and to detect undocumented workers. In 2019, ICE bought $1 million worth of location data services licenses. There is likely nothing illegal about the feds doing this, but it is a cat and mouse game. As people figure out how the feds are using this data, they will likely change their phone usage habits.

Note that this data is not from cell towers, but likely from apps that can collect your location (if you give them permission) as much as 1400 times EACH DAY (once a minute) – a pretty granular location capability. Source: The Hill

FBI Says Individual and Business Cybercrime Losses Over $3 Billion in 2019

The FBI’s Internet Crime Complaint Center or IC3 says that people reported 467,000 cyber incidents to them last year with losses of $3.5 billion.

They say that they receive, on average over the last five years, 1,200 complaints per day.

During 2018, the FBI established a Recovery Asset Team and in 2019, the first full year of operation, the team recovered $300 million. They say they have a 79% success rate, but they don’t explain that bit of new math. I suspect that means that over the small number of cases they cherry pick, they are very successful.

Still, overall, that seems to be less than 10% of the REPORTED losses.

Also, it is important to understand that this data only draws from cybercrime reported to the IC3. No one knows if that is 10% of all cybercrime or 90%. Just based on anecdotal evidence, I think it is closer to the 10% number, and, if true, that means the $3.5 billion in losses is really closer to $35 billion. Source: Bleeping Computer


Government May Be Too Slow To Tackle Cyber Threats Says Outgoing NSA Attorney

The Washington Post is reporting …

Outgoing National Security Agency General Counsel Glenn Gerstell says hacking threats from China and other U.S. adversaries pose as great a challenge to the country as climate change.  And the government and private sector risk moving too slowly to respond.

Gerstell’s alarm bell comes after years during which the U.S. has failed to stem the tide of significant hacks from Russia, China, Iran and North Korea — and as a wave of new innovations such as artificial intelligence, quantum computing and 5G telecommunications networks could radically expand the damage adversaries can do in cyberspace.

Gerstell says that we need to update laws, many of which date to the 1980s or before, and create additional regulation of tech firms (like the FBI wanting a back door to all encryption so they can snoop at will).

He is also suggesting that the government needs to consolidate responsibility which is now spread across the Pentagon, Department of Homeland Security, FBI and numerous other agencies (I think I will pop some popcorn when that ox gets gored – no one wants their agency to lose power).

He also thinks the NSA is going to have to be far more public about its work on both the offense and defense side. Anne Neuberger, who heads up the newly recreated cybersecurity division (it replaces the Information Assurance Division, which was shut down a few years ago in a really misguided effort to shake up the bureaucracy), seems to already be making a difference in this department, starting with the announcement of the Microsoft Crypto API bug last month.

I do think it is going to be a real challenge for the government to move fast enough without doing a lot of stupid stuff and/or having a significant negative effect on the economy.

This administration does not seem to have a good handle on dealing with the problem.  This is not limited to one party.  After all, Congress is mostly made up of lawyers and we know how well many lawyers understand technology.

The Senate just released a report that said that the Obama administration was woefully unprepared for dealing with Russia’s hacking of the 2016 elections.  This administration has been in denial that Russia did hack the elections, saying maybe it was a 400 pound person in their parent’s basement.

None of this makes me super optimistic that the government will fix this problem any time soon.

Ransomware 2.0 Attacks 3 Law Firms in the Last 24 Hours

I know I keep beating the Ransomware 2.0 drum, but there is a reason for it. There is not a good response to it other than to stop it from happening.

According to media reports, Maze ransomware hackers have attacked 5 law firms in the last 30 days and 3 law firms in the last 24 hours from when the report was written.

More importantly, the hackers posted some of the data on the web – and not the dark web but rather the normal web for everyone to see – to prove that they exfiltrated data before they encrypted it.

The hackers are demanding $1 million for the decryption keys and another $1 million to not sell the data. In some of the attacks we have seen the data posted with a note asking other hackers to do as much damage as possible with the data.

So far, the media is not naming these law firms, but that will only last so long.

Source: Lawfareblog

Hmmm.  So long is not very long at all.

Doing another Google search, the firms are:

  • Bangs McCullen
  • Lynn, Jackson, Shultz & Lebrun
  • Costello Porter

Source: law.com

Obviously, the objective here is to embarrass the firms and hopefully get them to pay up, and to act as a warning to other firms.

With ransomware 2.0, having backups is not sufficient.

If the hackers threaten to publish, for example, your client’s confidential information in your care, what is your plan?

A couple of thoughts from the client’s side.  Many of you engage law firms.  If you look at the engagement agreement, it probably says that they are not liable if they are hacked.  I would suggest that you get out your marker and cross that out and sign it.  If the law firm won’t agree to removing that, find a different firm.  There are lots of them.

Larger clients are asking prospective law firms for a copy of their most recent cyber risk assessment, or at least a summary version of it.

They are also asking about what kind of training the firms do, what policies they have in place, and what kind of threat detection solutions are being used.

These are all legitimate questions.

Of course, you need someone knowledgeable on your side to evaluate the answers, too.

One reason they are going after law firms is that if you attack a single firm, you get information on hundreds of companies or more.

On your Vendor Cyber Risk Management program (VCRM), law firms should be considered high risk vendors. 

In the agreement with the firm is there an arbitration requirement?  Typically arbitration works in favor of the firm and not you.

Also note that there is no law that requires your law firm to tell you if your company confidential information is breached (unless there is personal information in there too).  Make sure that your agreement requires that they notify you if they are hacked.  Quickly.

Do they have cyber risk insurance?  Do you have to hope that the firm has enough cash to repair the damage?

If you have any questions about this, please contact us.

The Challenges of Border Patrol

I am going to try and make this non-political.  We will see if I succeed.

Customs and Border Patrol detained a U.S. citizen active duty Army soldier as he went through a U.S. airport as part of his directed orders. The soldier, who is an American citizen, was born in Iran.

A leaked Border Patrol document says the agency directed agents to question travelers of Iranian descent, even if they are American citizens or even active duty soldiers traveling on orders.

Customs also asked the soldier for the password to his iPhone, which he gave them, but they decided to keep his phone for further examination.

The Border agent said that the soldier’s phone number had been popping up on multiple different travelers who had been flying recently.

He asked if he could get his phone back to get information off it and they said no (which is reasonable in the context of the situation).

Since many people connect their phone to cloud services, in theory the forensics investigation could access your cloud data (of course, they can get a warrant to do that anyway), so either way, they likely have access to all of the data on your phone plus in your cloud.

The soldier does not know when he is going to get his phone back. I am probably more paranoid than most, but I would not use that phone even if I did get it back. He could, of course, sell the phone, but in the meantime, assuming he, as a soldier, wants to stay connected to his loved ones, he has to shell out his own money for a new phone.

In theory, Customs is only supposed to keep confiscated phones for 5 days, but they can extend that week by week indefinitely.  There are numerous stories online of Customs keeping phones for 90 days or more.

Customs had previously told the media that there was no directive to target people of Iranian descent, but after a memo stating exactly that was leaked, they changed their story and admitted that they were doing that.

So, what to make of all of this?

It would appear that Customs did nothing wrong.

Was this soldier targeted because of his heritage?  Likely but you can’t prove anything.

If Customs decides they want to keep your phone, there is nothing illegal about that and all they are required to do is give you a receipt.

Non U.S. citizens can be sent home if they refuse to unlock their phone but, for U.S. citizens, all they can do is keep your phone.  Of course, they can detain you for questioning, but unless they arrest you, they do have to let you in.  In the grand scheme of things, Customs only looks at a few tens of thousands of phones out of the many millions of people coming into the country every year, so the odds are pretty low that they would ask.

If you have business information on your phone that you are concerned about or if you are an attorney with privileged information, talk to your security team or don’t take it with you if possible (this includes all electronic devices, not just phones).

If you have adult personal information on your devices, you might not want to travel with that.  There have been reports of issues with that being shared – unproven but reported.

On the other hand, Customs is charged with protecting us and I suspect that, in general, they try really hard to do just that.

If, however, you are a citizen who gets caught up in the dragnet, well, that is not a lot of fun.

Feel free to post your thoughts. Source: Vice

Security News for the Week Ending January 31, 2020

UK Proposes Weak Security Law for IoT Devices; Calls it Strong

The UK is proposing a law similar to California’s existing IoT law and calls it strong security. What makes it strong is that they call it strong, maybe?

The bill requires that default passwords on IoT devices be unique (likely part of the serial number) and not resettable to a single default password.  It also requires the manufacturer to provide a public point of contact for security researchers to report bugs and finally it requires manufacturers to tell consumers the minimum length of time they will provide security updates.

It does not require that they fix reported bugs at all and it doesn’t say how often the manufacturer will provide security updates. It also doesn’t make manufacturers liable for the damage their bugs do.

All in all, it is a pretty weak bill and even so, it has not been enacted yet. Source: The UK Government website.
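
As an added illustration, not from the original post or from the bill’s text, here is what the unique-default-password requirement looks like in practice, and why a password that is simply “part of the serial number” is not much of an improvement. The serial is printed on the label, so anything computable from the serial alone is computable by anyone holding the box. The derivation below keys the password with a manufacturer secret (HMAC-SHA256) so the serial alone is not enough, a factory reset restores the device’s own password rather than a shared one, and an audit routine flags fleets that still ship a universal or label-readable default. The factory secret, the fleet data and the list of universal defaults are all constructed for the example.

```python
import hashlib
import hmac

# Constructed manufacturer provisioning secret. Assumption: it lives in the
# factory's key store and is never stored on the device; a real vendor would
# generate its own and protect it accordingly.
FACTORY_SECRET = bytes.fromhex("0f" * 32)

# Constructed list of the kind of single, shared defaults the bill prohibits.
UNIVERSAL_DEFAULTS = {"admin", "password", "12345", "default"}


def derive_default_password(serial: str, key: bytes = FACTORY_SECRET, length: int = 20) -> str:
    """Per-device default password: a keyed MAC over the serial, hex encoded.

    Keying the derivation is what makes this better than a password that is
    'part of the serial number': without the factory secret, knowing the
    serial printed on the label does not let you compute the password.
    """
    digest = hmac.new(key, serial.encode(), hashlib.sha256).hexdigest()
    return digest[:length]  # 20 hex chars = 80 bits, ample for a first-login credential


def factory_reset_password(serial: str) -> str:
    """What a factory reset restores: the device's own derived password,
    not a single default shared across the product line."""
    return derive_default_password(serial)


def audit_fleet(devices: dict[str, str]) -> dict[str, list[str]]:
    """Flag devices whose factory default would violate the unique-password
    requirement or be guessable from the label.

    devices maps serial -> factory default password (as shipped).
    """
    findings: dict[str, list[str]] = {
        "universal_default": [],
        "shared_password": [],
        "serial_derived": [],
    }
    by_password: dict[str, list[str]] = {}
    for serial, pw in devices.items():
        if pw.lower() in UNIVERSAL_DEFAULTS:
            findings["universal_default"].append(serial)
        # A password that embeds (or is embedded in) the serial is readable off the label.
        if pw in serial or serial in pw:
            findings["serial_derived"].append(serial)
        by_password.setdefault(pw, []).append(serial)
    for serials in by_password.values():
        if len(serials) > 1:  # the same default on more than one unit
            findings["shared_password"].extend(serials)
    return findings


# Constructed fleets for a before/after comparison.
WEAK_FLEET = {
    "SN-000101": "admin",      # universal default
    "SN-000102": "admin",      # same password on a second unit
    "SN-000103": "SN-000103",  # 'unique', but printed on the label
}
COMPLIANT_FLEET = {serial: derive_default_password(serial) for serial in WEAK_FLEET}


if __name__ == "__main__":
    print("weak fleet:", audit_fleet(WEAK_FLEET))
    print("compliant fleet:", audit_fleet(COMPLIANT_FLEET))
```

The audit is the part a buyer or regulator could actually run: feed it the as-shipped credentials for a sample of units and any non-empty finding is a device that would fail the requirement. Note that the bill as described says nothing about the derivation being keyed, which is exactly the gap the `serial_derived` check is looking for.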

Business Email Compromise victim sues MSP for Professional Negligence

A Business Email Compromise victim who paid fake invoices to the tune of $1.7 million to businesses in Hong Kong and Cambodia is suing its managed service provider (MSP) for messing up. The fake invoices came from the business owner’s hacked email account, which the MSP was supposed to protect. Source: Channel Futures

Travelex Says They Are Back Online

After a MONTH of downtime, Travelex says they are now back online. They are still saying that it won’t impact their 2019 or 2020 financials. Sources say that part of the losses will be covered by insurance. This calls out the importance of having a tested incident response, disaster recovery and business continuity program – and the importance of having cyber insurance. Source: Reuters

Apple Dropped Plans to Encrypt Cloud Backup After FBI Complained

Apple dropped plans to fully encrypt iCloud backups after the FBI told them that it would harm investigations, according to multiple sources. Apple often turns over iCloud backups to help police investigate crimes.

While Apple publicly says it protects your privacy, and in many ways they do, sometimes they make business decisions that they would prefer their customers not know about. Source: Reuters

Extradition Hearing for Huawei’s CFO has Begun in Canada

The extradition hearings for Huawei’s CFO and daughter of its founder, Meng Wanzhou, have begun in Canada.

The U.S. says that she and her company violated the U.S. ban on selling to Iran.  China says it is a political stunt.

Currently, she is free on bail and living in one of the mansions she owns in Vancouver.  If she gets extradited to the U.S. her accommodations will not be as comfortable.

On the other hand, President Trump has indicated that all things with China are bargaining chips. Stay tuned; it is a long journey. Source: The L.A. Times