Category Archives: Legal

Ransomware, The Next Generation

Hackers are nothing if not creative.  Combine that with businesses not paying enough attention to security and you get a mess.

Researchers discovered an unprotected database with over 5 million client records belonging to Choice Hotels.

The hotel says there is good news.  Only 700,000 of those records were from real customers.  Doesn’t that make you feel better already?

However, that good news is limited.  The researchers were not the first ones there.  They found a ransom note in the database.  It appears that the bad guys copied the data and tried to delete it but something went wrong.    They wanted 0.4 Bitcoin or about $4,000 for the data.  Given the company and the data, they must have been hoping for an easy payday because that much data should be worth a lot more.

That is the next generation of ransomware.  COPY the data, then encrypt it or DELETE IT.  Then demand a ransom to get it back.  If you don’t pay the ransom, they RELEASE the data.  Or SELL it.  For this generation of ransomware, backups do not help.  The only thing that helps is keeping the bad guys out.  Call it ransomware 2.0.  Luckily, in this case, the bad guys were incompetent.  Maybe not the next time.

The database was set up for or by a vendor.  The hotel says that as a result of the breach, they won’t be working with that vendor any more.

The hotel did not initially launch an investigation, but eventually did.

So what is the message here?

Just because you are working with a vendor does not let you off the hook.

What was the hotel thinking giving a vendor live data to test with?  What might the consequences be if the data was released publicly?

How much due diligence did the hotel do on the vendor’s cybersecurity program before they gave them the data?  Under some state laws (like Colorado’s), the hotel would be responsible for ensuring that the vendor had the ability to protect the data BEFORE they handed the data over.

Now the hotel chain will have to face the regulators and the lawsuits and the fines. 

All of this should be part of a company’s vendor cyber risk management program.  Maybe Choice Hotels needs to rethink its vendor cyber risk management program.  I can think of about 700,000 reasons why.  Source: ZDNet.


What Does Foreign Influence in Elections Look Like?

The issue of foreign influence in US Presidential elections has been and continues to be a hot button.

Sometimes the focus on election hacking is on hacking the ballot box, but while this is possible, it would be very hard to do that on a national scale, so it is unlikely that this is the tactic that they would take.  However, since we know that Russia attempted to penetrate election systems in all 50 states during the 2016 elections, we should not rule this out completely.

Whether the foreign powers want to help or hurt a particular candidate (and there are likely some of each), there are many things they could do.

Obviously, they could hack the emails and other systems of candidates and release embarrassing emails.  They could also hack candidates’ personal phones and computers in addition to the campaign’s systems.

More likely, these powers will launch disinformation campaigns.  The number of emails that I get on a daily basis that are designed to inflame or contain outright lies is amazing and will only increase as we get closer to the election.  Same thing with social media.  Whether people will disregard these campaigns is not clear.  It seems that people tend to accept spam that they agree with and reject spam that they disagree with, as opposed to treating it all with a whole lot of skepticism.

While it is illegal, foreign governments have been injecting money into campaigns of candidates that they like.  This is done via proxies who can contribute, so figuring out who is a shill for, say, China, might be hard.

Remember also that hacking elections is a time honored tradition.  While the techniques have gotten better, hacking elections is not new.  One source says that the US interfered with 81 foreign elections (that we know about) since 1946.

The bigger issue is that people THINK that the elections are rigged and do not vote at all.  If this happens, the bad guys win.

Voters need to be on the alert for all kinds of tricks that a foreign OR DOMESTIC actor might try.  Smart voters will reduce the impact of the bad actor’s work.  And you must vote.

Sources: Nextgov and The Washington Post.


Are You Ready for California’s New Privacy Law?

Security vendor ESET interviewed 625 business owners and executives to understand their readiness for California’s new privacy law, which goes into effect on January 1, 2020.  What most businesses are missing is that Nevada’s version of the law goes into effect on October 1, 2019.  Most of the respondents were from small businesses, some of which are exempt from the requirements of the law.  Here are the results:

  • 44% had never heard of the law
  • 11% know whether the law applies to them or not
  • 34% say that they don’t know if the law will require them to change the way they collect and store data (it likely does)
  • 22% say they don’t care if they break the law (great if you can get away with that)
  • 35% say they don’t need to change anything to be in compliance (very unlikely)
  • 37% say that they are very confident that they will have the required security in place by January 1.  Another third say that they do not know if they will have security in place
  • Half said that they did not modify their behavior or processes to bring their businesses into compliance with GDPR (most likely because they don’t know what GDPR requires)

40% of the businesses said that they did not have anyone responsible for security or privacy in their company and another 18% said they didn’t know if they had someone.

9% said they are moving to avoid having to comply with CCPA, the new California law.  Those people need to understand that they will also need to block Californians from going to their web site and refuse to ship products or deliver services in California.  None of that is realistic for most businesses.

Given the law goes into effect in less than 6 months and Nevada’s version goes into effect in two months, this lack of knowledge is concerning.  However, attorneys, especially those that specialize in class action lawsuits, are thrilled.

There is one aspect of the law that should be a cause for concern for these businesses who think they understand the law – and likely do not.

Any California resident can sue any California business that has a breach that compromises their personal information.

They do not have to show that they have been damaged to sue.

The maximum you can sue for is $750 per person.  A breach of say 10,000 records – a tiny breach by today’s standards (the Capital One breach last week compromised 106 million people) – would generate a potential lawsuit asking for $7,500,000.

Are you prepared for that?

A one million record breach – still small by today’s standards – translates to a $750 million lawsuit.

My suggestion to small businesses – think again about whether you are prepared.  If you need help, contact us.  Source: HelpNet Security.


Security News for the Week Ending July 26, 2019

Equifax Agrees to Pay UP TO $700 Million to Settle Breach Lawsuits

First – the settlement hasn’t been agreed to by the court yet, so this is all speculation.

Of the $700 million pot, at least $300 million is set aside to pay damages to consumers.  Another $100 million plus is to pay for credit monitoring.

There are lots of details.  For the most part, unless you can prove damages and prove that those damages were caused by the Equifax breach and not some other breach, you probably will not get paid much.  You can get paid up to $250 if you file a claim, without proof.  Everything past that requires proof.  With 150 million victims and a $300 million pot, that averages to $2 a person.

BUT there is one thing you should do, and that is get the free credit monitoring.  Go to EQUIFAXBREACHSETTLEMENT.COM and wait until it says that the court has approved it.  Note this is not a site owned by Equifax and, given what a mess they are, this is good.  Read more details here.

The Next NSA Hacker Gets 9 Years

Harold Martin, the NSA contractor (employed by Booz, like Edward Snowden), was sentenced to 9 years for stealing 50 terabytes of data over the course of his 22 year NSA career.  The leak is something like 5 times the size of the Snowden leak.  He didn’t sell it; he just liked data.  He had so much he had to store it in sheds in his back yard.  Many of the documents were clearly marked SECRET AND TOP SECRET.

The fact that he was able to steal hundreds of thousands of documents doesn’t say much for NSA security, which is sad.  Source: Nextgov.

Huawei – Bad – Not Bad – Bad?!

President Trump said that Huawei is a national security threat and needs to be banned and then he said that maybe we can trade that threat for a better deal with China on trade.

Now it is coming out that Huawei helped North Korea build out their current wireless network.  The equipment was shipped into North Korea by Chinese state owned Panda International.  This has been going on since 2006 at least.  Huawei is likely continuing to provide technical support to North Korea.

This seems like a national security threat and not a bargaining chip for the President to toss in to get a trade deal that he wants, but what do I know.  Source: Fox News.


AG Barr Says He Wants Encryption Back Door, And Why do You Need Privacy – Just Suck it Up.

Attorney General William Barr said this week that if tech companies don’t provide a back door into consumer encryption, they will pass a law forcing it.  And while this will allow hackers and Chinese spies to compromise US systems, he says it is worthwhile.

He said that they might wait for some terrorist event that kills lots of people and blame it on encryption (whether that is true or not).

He did seem to exclude “custom” encryption used by large business enterprises, whoever that might include.

Barr said that bad guys are using crypto to commit crimes that the police can’t investigate.  If that were true, we would expect that crime would be going up.  If it is a really bad problem, it would be going way up.

Only problem is that the statistics say crime is going down.

You may remember that Juniper added such a back door, likely at the request of the NSA, and it worked great until word got out about it and hackers had a field day.

This conversation is not over.  Source: The Register.



Security News for the Week Ending July 19, 2019

FTC Approves $5 Billion Fine for Facebook

The FTC commissioners reportedly approved an approximately $5 billion fine of Facebook for violating the 2011 consent decree in conjunction with the Cambridge Analytica mess.

To put that in perspective, Facebook’s revenue just for the 4th quarter of last year was $16.9 billion and their profit for that quarter was $6.9 billion, so the fine represents a little less than one quarter’s profit.  Still, this is two orders of magnitude greater than the FTC fine of Google a few years ago.  The Justice Department has to approve the settlement and is typically a rubber stamp, but given this President’s relationship with social media, you never know.  Source: NY Times.


Why do they Want to Hack ME?

The Trickbot malware has compromised 250 million email addresses according to Techcrunch.  Besides using your email account to send spam, it does lots of other nifty stuff as it evolves.  Nice piece of work – NOT!

Why?  So that they can use your email to send spam.  After all, you are kind of a trusted person, so if someone gets an email from you as opposed to a spammer, they are more likely to click on the link inside or open the attachment and, voila, they are owned.

And, of course, you are blamed, which is even better for the spammer.  Source: Techcrunch.


Firefox Following Chrome – Marking HTTP web sites with “NOT SECURE” Label

Firefox is following in the footsteps of Google’s Chrome.  Starting this fall Firefox will also mark all HTTP pages (as opposed to HTTPS) as NOT SECURE as Google already does.  Hopefully this will encourage web site operators to install security certificates.  It used to be expensive, but now there are free options.  Source: ZDNet.


AMCA Breach Adds Another 2 Million + Victims

Even though American Medical Collection Agency was forced into bankruptcy as a result of the already 20 million+ victims, the hits keep coming for AMCA.  Another one of their customers, Clinical Pathology Labs, said that more than 2 million of their customers were affected by the breach.  They claim that they didn’t get enough information from AMCA to figure out what happened.

It is going to be interesting to see where the lawsuits go, whose name(s) show up on the HIPAA wall of shame and who Health and Human Services goes after.  Given that AMCA filed for bankruptcy, it is very likely that Quest, CPL and AMCA’s other customers will wind up being sued.  Actually, Quest, Labcorp and the others are who should be sued because they selected AMCA as a vendor and obviously did not perform adequate due diligence.  Source: Techcrunch.


Another Day, Another Cryptocurrency Hack/Breach

This time it is the cryptocurrency exchange Bitpoint, and they say that half of their 110,000 customers lost (virtual) money as a result of a hack last week.  The hack cost Bitpoint $28 million and they say that they plan to refund their customers’ money.  One more time, the hackers compromised the software, not the encryption.  Source: The Next Web.


Security News for the Week Ending July 12, 2019

FBI and DHS Raid State Driver’s License Database Photos

The FBI and DHS/ICE have been obtaining millions of photos from state DMV driver’s license databases.  The FBI and DHS do not feel that they have to ask permission to do this.

The FBI conducts 4,000 facial recognition searches a month.  While the searches might be to find serious criminals, they also might be used to find petty thieves.

All that may be required to conduct the search is an email.  21 states allow these searches absent a court order.  There is no federal law allowing or prohibiting this.

ICE does searches in a dozen states where those states’ DMVs give illegal aliens licenses.  Source: ZDNet.

Chinese Authorities Leak 90 Million Records

US companies are not the only ones that have crappy security.  This week the Chinese got caught in that net.  Jiangsu province, with a population of 80 million, left 26 gigabytes of personal data representing 56 million personal and 33 million business records exposed in an unprotected Elasticsearch server.  The internet is equal opportunity.  Source: Bleeping Computer.

Will the Chinese or Russians Hack the 2020 Census?

The census used to be conducted on pieces of paper, sent in both directions through the mail.  That was very difficult to hack.  Unfortunately, it is also very expensive.  Given that the results of the Census affect everything from the makeup of Congress to the receipt of Federal road construction dollars, the outcome is very important.

What better way to make people trust the government even less than they already do than to screw up that count?

This year, for the first time, the Census is using the Internet and smart phones to electronically collect data.  And, since the software is behind schedule, what better way to bring it back on schedule than to reduce testing?  After all, what could possibly go wrong?  Even Congress is nervous.  Of course, the count directly affects their job.  Source: The NY Times.

K12.Com Exposes Student Data on 7 Million

It’s a sad situation when a breach of the personal data of 7 million students is barely a footnote.  In this case, K12’s software is used by 1,100 school districts (maybe yours?).  They left a database publicly accessible until notified by researchers.  Information compromised included name, email, birthday, gender, authentication keys for accessing the student’s account and other information.  Not nuclear launch codes, but still, come on guys.  Source: Engadget.


If You Were NOT Paranoid Before …..

Google smart speakers and Google Assistant have been caught eavesdropping without permission – capturing and recording (and handing over to the authorities).  Note this is likely NOT exclusively a Google issue.  They just got caught.  Amazon listens to, they say, about 1,000 clips per shift and has recorded conversations like a child screaming for help and sexual assaults.  THESE RECORDINGS ARE LIKELY KEPT FOREVER.

A Dutch news outlet is reporting that it (the news outlet) received more than 1,000 recordings from a Dutch subcontractor who had been hired to transcribe the recordings for Google as part of its language understanding program.

Among the recordings are domestic violence, confidential business calls and even users asking their speakers to play porn on their connected devices.

Of the 1,000 recordings, over 150 did not include the wake word, so 15% of the sessions in this sample should not have been recorded at all.

Google acknowledged that the recordings are legitimate but says that only 0.2 percent of all audio gets transcribed.  They also said that the recordings given to the humans were not associated with a user’s account, but the news outlet said that you could hear addresses and other information in the audio, so doing your own association is not hard.

Fundamentally you have two problems here.  One is Google listening (or having its vendors listen) to what you ask Google and the other is Google listening and recording stuff it should not record.  The first should be reasonably expected;  the second is a problem.  Source: Threatpost.
