Category Archives: Legal

The FBI is TRYING to Stem Cyber Badguyness

There is no easy answer, but I can tell you for sure that the FBI has been applying more and more resources to cybecrime every year.

Just this month they unsealed seven indictments charging 16 people from China, Russia, Iran and Malaysia with hacking crimes.

Treasury sanctioned 45 people associated with Iran and two people from Russia.

At the same time, DHS and the FBI have been flooding us techies with threat advisories.

While this is completely unlikely to stop crime, it does increase the risk for bad guys. I am always amazed when these folks travel to countries friendly to us and get arrested and extradited.

FBI Director Wray said last week at a CISA summit that the FBI’s plan is to increase risk for the bad guys.

They have also been working with companies like Microsoft to take down web servers hosted by the hackers.

But it turns out that none of these recent indictments went after government sponsored hackers. That may be a coincidence or it may be intentional.

In fairness to the FBI, these crimes are hard to solve. It is not like China is going to cooperate with us

Still, we have to acknowledge that the more pressure the FBI and other law enforcement puts on hackers, the better. And, we should not forget, there are a lot of hackers right here in the U.S. Those should be easier to apprehend.

I will say that I would not want their job. It is next to impossible to win. Most hackers think, correctly or not, that the odds of getting caught are very low.

The risk is low – if they remember one thing – one thing that hackers seem to forget regularly. Pigs get fat, hogs get slaughtered. If you are too greedy, you will paint a target on your back. And you will increase the odds of getting caught.

Credit: The Record

Election Security Status

With elections less than two months away and lots of stories about election hacking, what is the real story.

Unfortunately, the real story is classified so even if I did know, which I don’t, I couldn’t tell you. The government won’t admit that straight out, but they know a whole lot more than they are telling us.

But at this year’s Billington Cybersecurity Summit, experts talked about their opinion about what is so. Here is some of what they said.

Chris Krebs, head of DHS’s CISA and the government’s point person on election security says that we have turned the corner in a really meaningful way. Chris is a good guy, a smart guy and no one’s fool, so I think he honestly believes that.

What has CISA done? Well one big change from 2016 is that at least this time the vast majority of election officials (there are around 10,000 election entities in the U.S.) are no longer sleeping at the switch. That is a big improvement but it doesn’t fix the problem. At least they know that there is a problem.

Since the last election, CISA is working with a lot of election officials in every state. Not every official by a long shot. CISA says that they are working on supporting 8,800 election officials, whatever that means.

Remember that there is a lot of tech. There are voter registration systems, election night reporting systems, vote processing systems, public web sites and, of course, voting machines. This is far from a complete list. You also have voting tech vendors. Some of them, like one of the biggest, ES&S is completely scared. They are so scared that they are arguing before the Supreme Court that researchers who try to find bugs in their software should be thrown in jail. Is that really the smartest response? Better we should leave those bugs there for the Chinese and North Koreans to abuse. But their ego and reputation is much more important than the safety of your vote. Maybe they should spend more money on security instead of lawsuits.

One thing that is absolutely true is that way more votes will have an audit trail. In part this is due to the fact that many more people will be voting by mail. Nearly 75% of voters will be allow to vote by mail. We don’t know yet how many will. Each of those votes will be auditable. In addition, more and more voting machines will create a HUMAN READABLE audit trail for votemasters to use to verify your vote. It used to be that many voting machines had no audit trail at all so there was nothing to recount. Then there were voting machines that created a 3D barcode, but since you couldn’t read that, there was no way to know if your vote was recorded correctly. Or at all. Now most voting machines create an audit trail that says that I voted for, say, Sue for Secretary of State. You can look at that piece of paper before you deposit it in the ballot box and see if that is really who you voted for.

The states asked for a lot more money than Congress gave them to bolster election security. They got less than a half billion when the amount needed was 1-2 billion or maybe more. There are a lot of small election districts that have a zero dollar security budget and zero security expertise.

This time disinformation campaigns are much more of an issue than hacking voting machines. It is a lot more cost effective. We already saw that the Russians stood up an entire fake media organization to create and publish fake information to attempt to shift the conversation. If they can do that, it is way more cost effective.

At the same time, social media is getting a little bit better about kicking the disinformers off their platforms. Since chaos builds traffic and traffic is money, they really don’t want to do that at all, but they know that if they don’t at least make a half-hearted attempt at it, Congress will legislate what they do and they sure don’t want that.

All in all, we are better than 2016. Significantly better. The biggest issue is still human beings because they believe what they want to believe and don’t fact check what they are reading.

There is still a lot of room for improvement, but at least we are fighting the battle. Credit: CSO Online

Security News for the Week Ending September 18, 2020

Is TikTok is Going to Sell to Oracle. Maybe

Well sale is not really the right word. They call it a “trusted tech partner”. This does not solve the national security problem, so it is not clear what problem this does solve. None the less, Steve Mnuchin will present it to the President. If it provides some sort of political benefit he may accept it even though it does nothing for national security. If it shuts down, there will be 10 million unhappy people, some of whom vote. Also, it doesn’t seem that this deal fulfills the President’s requirement that the Treasury get a lot of money. It seems like they won’t get any. Credit: The Verge

Updated information says that there will be a new corporate entity set up in the U.S. to give the President some cover that he is really improving security and that Oracle will have some sort of minority stake in this new entity, but China will still control all of the intellectual property. The President’s deadline is this Sunday. Will he really shut it down pissing off millions of Americans just before the election? Credit: The Verge

Even more updated: The Commerce Department says that a partial ban will go into effect Sunday. As of Sunday, U.S. companies can no longer distribute WeChat and TikTok, but users can continue to use the software. Also beginning Sunday, it will be illegal to host or transfer traffic associated with WeChat and the same for TikTok, but on November 12 (coincidentally, after the election). I assume that will mean that users who want to use those apps will have to VPN into other countries before using the apps. Not terribly convenient, but a way to keep the pressure up on China. Credit: CNN

Cerberus Banking Trojan Source Code Available for Free

The Russian security vendor Kaspersky (reminder: the U.S. has banned it from government systems) has announced the the Cerberus source code is now available for free. This means that any hacker with the skill to integrate it can make it part of their malware. Cerberus is a pretty nasty piece of work; it even has the ability to capture two factor codes sent via text message (one reason why I say that text message two factor is the least secure method). This means that banks and people that use banks (which is pretty much most of us) need to be on high alert when it comes to our financial account security. Credit: ZDNet

Denial of Service Attacks up 151% in First Half of 2020

Denial of service attacks are a brute force attack that aims to hurt a business by stopping a company’s customers from getting access to the company’s (typically) web site. For example, if you are an online business and customers and potential customers cannot get to your web site, they will likely go to another vendor. What is now amazingly called a small attack (less than 5 gigabytes of garbage thrown at your web site per second) are up 200% over last year. Very large attacks (100 gigabytes per second or more) are up 275%, according to Cambridge University.

If you are not prepared to deal with an attack and need help, please contact us. Credit: Dark Reading

Ransomware at German Hospital Results in 1 Death

This could have wound up much worse when hackers compromised Duesseldorf University Hospital. The hospital put itself on life support and ambulances were diverted to other hospitals. While police communicated with the hackers and told them they hacked a hospital, an ambulance was diverted and the patient died. Prosecutors, if they can find the miscreants, may charge them with negligent homicide. The hackers did withdraw the ransom demand and forked up the decryption key, but not before this patient lost his or her life. Credit: Bleeping Computer

Privacy in the Land of California

For those of you that live in California, work in California or have customers in California, 2021 is going be different.

Probably more complicated for businesses and possibly a little better for consumers.

Act 1: CA AB-1864 creates the Department of Financial Protection and Innovation (DFPI). California is not particularly happy that the Republican administration in Washington has defanged the Consumer Financial Protection Bureau. My personal opinion is that there are people in the legislature who are not happy that Xavier Becerra, the California AG, has been less than enthusiastic about enforcing CCPA.

The result is DFPI, aka California’s own CFPB. The governor is expected to sign the bill later this month.

Like the CFPB was supposed to do, the DFPI will have the power to bring administrative and civil actions, issue subpoenas and create rules and regulations. It also requires that all money collected by the department (AKA fines) will be used to fund the department. If the commissioner wants more staff … issue more fines.

For many of our clients, there is good news. Escrow agents, mortgage originators, broker-dealers, banks and other financial institutions are exempted from this regulation.

Who is not exempted are fin-tech companies. They need to watch out. The text of the bill can be found here.

Act 2: The second bill is SB-908, which will require debt collectors to be licensed. And regulated. Mortgage lenders are NOT exempted from the provisions of this bill. The governor is expected to sign this bill as well.

Given the current financial “troubles” in the country now and in the foreseeable future, there is going to be a lot of non-performing debt. For debtors in California, this bill will attempt to make the debt collection process a little more civil. Given the reputation of the industry as a whole, civil is not a term that I would generally use when describing the process. Of course, there are many exceptions. The text of this bill can be found here.

Act 3: The last bill in the collection is CA AB-376, which establishes a student loan borrower bill of rights. Among other things, this bill, which will be enforced by the new DFPI, requires loan servicers to operate like a fiduciary by managing payments to the benefit of the borrower and to reduce fees to the borrower.

The bill would allow a borrower that suffers damages as a result of a debt collector’s failure to follow this law or other relevant federal laws to sue the debt collector for actual damages, injunctive relief, restitution, attorney’s fees and other relief, including treble damages in some cases. The text of this bill, which the governor is also expected to sign, is available here.

This is not all; there is CCPA 2.0, but I will leave that for another day.

As you can see, for folks living, working or doing business in California, 2021 will be an interesting year.

Also remember, where California leads, the rest of the country follows. If you don’t believe that, check out CA SB 1386, the 2002 law that created privacy rights and the basis of state law in virtually every state in the country.

Suppliers Under Attack

The company Blackbaud helps companies in a variety industries manage their customer relationships. Their services include fundraising and relationship management, customer engagement, financial management and related services.

The customers span many industries including arts and culture, faith based organizations, non-profit foundations, healthcare organizations, higher education, change agents and even commercial corporations.

Companies can also install their own copies of the Blackbaud software in their computer computer rooms and data centers instead of in Blackbaud’s data centers. It is this subset of their customers that were compromised and only some of them.

Unfortunately for Blackbaud, among the many companies affected are healthcare providers and since they are HIPAA Covered Entities, they are required to report these breaches to the U.S. Federal Government and they publish the largest of these breaches.

While this breach (which was actually a ransomware attack where the hackers stole the data before encrypting it) happened in May and this is September, we are still hearing about more companies who’s data was compromised, including some who have not yet reported the breach.

Among those companies are:

  • Northern Light Health – 657,000 people’s information compromised
  • Saint Luke’s Foundation – 360,000 people
  • Multicare Health System – 179,000 people
  • University of Florida Health – 136,000 people

and others. The total, just in healthcare, so far – more to come – is almost 1.6 million people who’s data was compromised.

This is just ONE VENDOR who serves healthcare that was attacked this year.

Another vendor is Magellan Health which is a managed healthcare provider. That breach affected about 1.7 million people.

Some organizations were affected by both breaches.

And while the Magellan breach likely only affected the healthcare industry and that is where this story is focused, the Blackbaud breach affects every industry.

In the case of healthcare, as is usually the case, who winds up on the short end of the stick is the healthcare providers.

In concept, they did nothing wrong other than trust a provider, a vendor, that maybe they should not have trusted.

These 3+ million people who were affected represent just two compromises and just this year. Many other organizations were independently hacked this year and their numbers are not included.

Again in just 2020 alone and only in healthcare, 345 breaches affected over 11 million . Those are just the ones that were posted to Health and Human Services “wall of shame”.

But fines, if and when the do happen, are typically small and come 5 years or more after the event, when most of the people responsible are no longer there.

So what needs to happen?

First of all, given the current Republican administration, it is unlikely that enforcement is going increase or speed up.

Ultimately, who gets to do the heavy lifting is the companies who hire these vendors. It is the companies’ responsibility to make sure that their vendors secure their data.

There is no rocket science involved. What is involved is

  • Time
  • Money
  • People
  • Motivation

Unfortunately, at least some businesses look at it as a profit and loss decision. If it is perceived to cost more to fix the problems of poor security than than to deal with the consequences, some companies make that financial decision.

But as a company that hires these vendors, you can impact this.

Your vendor CYBER risk management program needs to make sure that these vendors that have access to or store your client’s data are following best security and privacy practices.

You also want to make sure that your contracts with these vendors hold those vendors financially responsible for all of the costs that you bear including lost business and lawsuits, among other costs.

The only way we are going to shift the conversation and have vendors make the needed investments in cybersecurity is if it becomes more costly to be non-secure than secure.

In the case of healthcare, it is easy – it is the law!

If you need help building or enhancing your vendor cyber risk management program, please contact us. Credit: Data Breach Today

Security News for the Week Ending September 11, 2020

Pioneer Kitten Sells Compromised Corporate Credentials

Pioneer Kitten, an Advanced Persistent Threat group backed by Iran, is compromising corporate systems and then selling those credentials to the highest bidder. Like all large organizations, they want to diversify from just ransomware and stealing credit cards. Now they have a new and apparently very lucrative revenue stream. Credit: Threat Post

Ireland Unfriends Facebook

In the aftermath of the Schrems II decision, Ireland has told Facebook to stop sharing data from the EU to the US. Of course Zucky says that they have a right to do that using standard contract clauses (and they could possibly be right), but there will be a fight. Stay tuned. Credit: The Register

Pentagon has a New Way to Protect Their Browsing

In case you thought I was going to diss DISA, the Pentagon’s IT department, nope, not this time. Actually, I really like what they are doing and hope some enterprising company offers it as a service.

The Pentagon plans to roll it out to 1.5 million users in the first year. What they are doing is instead of opening a browser on your computer, you open a window to a browser in the cloud from your computer. You then surf in that sandbox, containing any explosive debris from malware. When you drop the connection, the sandbox goes away, along with any malware. In addition, since these sandboxes live in the data center, the amount of data bandwidth required at the user’s location goes down dramatically. It is a brilliant idea. Credit: Government Computer News

After Microsoft Outs Russian Election Hacking White House Sanctions 4 Russians

The same day that Microsoft published details of Russians who are trying to hack the 2020 US Elections, the White House added 4 Russians to the Treasury’s equivalent of the do not fly list called OFAC. This is also after the whistleblower at DHS came out saying he was told by the head of DHS not to say anything about Russian hacking. Maybe the three events are not related. Maybe the Republican administration was forced to do something to look like it was being tough on Russia. The hacking includes publishing fake news designed to spark false corruption investigations in an effort to affect the election outcome. Other Russians stole US citizens’ identities to open fake bank and cryptocurrency exchange accounts. Microsoft said that it detected attacks targeting both the Biden and Trump campaigns. The Russians also used traditional attacks like phishing and brute force password attacks. Credit: Dark Reading

Army Cyber Command Moves to Fort Gordon

While the move of Cybercom to Fort Gordon in and of itself may not be exciting, it may be an indication of how serious the Army is taking cyber. The Army built a new 336,000 SF building for them, consolidating folks who were at Forts Belvoire and Meade. More importantly, consider who else is at Gordon. This move puts Cybercom at the same garrison as the Army Cyber Center of Excellence, Army Cyber Corps and Army Signal Corps. It also houses Homeland Security training, Naval Information Ops Command and Joint Strategic Intelligence Command, among others. Putting all these cyber and information folks within walking distance has to allow them to better coordinate and cooperate. Credit: Security Week