Category Archives: Legal

Will New York Follow In California’s Footsteps?

The New York Privacy Act was introduced last month.  Like California’s CCPA, it gives consumers more power over their data, but it would also require companies to put their customers’ privacy ahead of their own interests.  I am sure that there will be a huge lobbying effort by special interests.

While the sponsor is still looking for cosponsors in the lower house, he thinks he already has enough votes to pass it in the Senate.

The Committee on Consumer Protection is scheduled to hold a hearing this week.

Like California’s law, this bill would let people find out what data companies are collecting and who they are sharing it with, have the data deleted, make companies correct inaccurate data and stop companies from sharing the data with third parties.

One difference from the California law is that this bill allows consumers to sue companies over privacy violations.  One compromise made when the California bill was passed was to narrow that to a private right of action only in cases where there was a breach.  Here, a private right of action would exist for any violation.

Another big difference is that while the California law only applies to companies with revenues over $25 million (or that meet a couple of other thresholds), this bill, like Colorado’s law, would apply to companies of any size.

Obviously, the big companies (Facebook, Google and others) and their lobbyists (the Internet Association) are more than just freaking out.  They are saying that the bill is “unworkable for businesses” (which really means that it messes with their business model) and that it fails to give residents meaningful control over their data, which makes no sense at all.  Are they suggesting that their current business model already gives people meaningful control over their data?  That certainly doesn’t seem to be the case.

While I certainly agree that a law like this messes with the business models of some companies that have built a business around selling your data, if those businesses have something that people find valuable, most people will recognize that this is a reasonable trade.

What is required is transparency and that is something that folks like Google and Facebook fight, because they know that for many people, it is not worth the trade.

This is far from law, but definitely a bill to watch.

The name of the bill is NY S 5642.

While this bill may not pass in its current form, the handwriting seems to be on the wall, and smart businesses will start to take privacy concerns seriously and rework their business models accordingly.

Information for this post came from Wired (registration required).


Self Inflicted Cyber Breaches Still Huge Problem Along with Third Party Risk

And it continues to be a major issue for some reason.

This week researchers found 85 gigabytes of security log data (talk about a nightmare for a business to expose) sitting in an exposed Elasticsearch database.

The server was discovered on May 27th and the data goes back to April 19th, so that might be the exposure window.

The server has been connected to the Pyramid Hotel Group.  Their web site says they provide superior operations, owner relations and support services to hotels and their investors.  IT DOESN’T SAY ANYTHING ABOUT PROVIDING SECURE SERVICES TO THEM.

The data was locked down after Pyramid was informed but they have not publicly admitted to the breach.

IN THE U.S., THERE MAY BE NO LEGAL REQUIREMENT TO DISCLOSE BREACHES OF THIS TYPE BECAUSE THEY MAY NOT CONTAIN ANY NON-PUBLIC PERSONAL INFORMATION.

It is unknown what the contracts between these hotel owners and Pyramid say, but based on the outsourcing contracts our clients engage us to review, Pyramid would have a huge liability in this case – probably in the tens of millions or more, due to the amount of emergency work that will be required to mitigate the damage (see below).

Pyramid manages hotels for franchises of Marriott, Sheraton, Aloft and many independents.

What’s in the data?

  • Information on hotel room locks and room safes
  • Physical security management equipment
  • Server access API keys
  • Passwords
  • Device names
  • Firewall and open port data
  • Malware alerts
  • Login attempt information
  • Application errors
  • Hotel employee names and usernames
  • Local PC names and OS details
  • Server names and OS details
  • Security policy details
  • And a bunch of other information

In other words, a veritable road map for the bad guys.

Businesses need processes to manage new cloud instances and make sure they are secure, as well as to audit the cloud instances they already have.

Likely in this case, this instance was created by an employee to do a particular task and probably never even considered security.

Servers will now need to be re-keyed and automation edited to accommodate that, and the affected companies will need to work out the security implications of, and mitigations for, the rest of the data that was exposed.
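One control that would have limited the damage here is scrubbing credentials out of log lines before they are shipped to a search index, so that a leaked index does not also leak API keys and passwords. The following is an added example (not code from the original post or from Pyramid): the regexes and the sample log lines are constructed for illustration and cover the kinds of values the exposed logs reportedly held.

```python
"""Scrub credentials out of log lines before they land in a search index.

Added example, not code from the original post or from Pyramid: the patterns
and the sample log lines are constructed for illustration.
"""
import re
from typing import List, Tuple

REDACTED = "[REDACTED]"

# (pattern, replacement) pairs. Each keeps the field name so the log line is
# still useful for troubleshooting; only the secret value is removed.
SECRET_PATTERNS: List[Tuple[re.Pattern, str]] = [
    # key=value / key: value, optionally quoted: password=hunter2, api_key="AbC"
    (re.compile(r'(?i)\b(password|passwd|pwd|api[_-]?key|secret|token)'
                r'(\s*[=:]\s*)(["\']?)[^\s"\',;]+\3'),
     r'\1\2\3' + REDACTED + r'\3'),
    # HTTP Authorization headers carrying Basic or Bearer credentials
    (re.compile(r'(?i)\b(Authorization:\s*(?:Basic|Bearer)\s+)[A-Za-z0-9+/=._-]+'),
     r'\1' + REDACTED),
    # AWS-style access key IDs (AKIA followed by 16 upper-case alphanumerics)
    (re.compile(r'\bAKIA[0-9A-Z]{16}\b'), REDACTED),
]


def redact_line(line: str) -> Tuple[str, int]:
    """Return the scrubbed line and how many secret values were replaced."""
    total = 0
    for pattern, replacement in SECRET_PATTERNS:
        line, count = pattern.subn(replacement, line)
        total += count
    return line, total


def scrub(lines: List[str]) -> Tuple[List[str], int]:
    """Scrub a batch of lines; returns (clean lines, total redactions)."""
    cleaned, total = [], 0
    for line in lines:
        clean, count = redact_line(line)
        cleaned.append(clean)
        total += count
    return cleaned, total


# Constructed sample lines, standing in for an export from a log shipper.
SAMPLE_LOG = [
    "2019-05-27T10:00:01Z sshd[4121]: Failed password for admin from 10.1.2.3 port 50210",
    '2019-05-27T10:00:05Z app: connecting to db user=lockctl password="Sp00ky!" host=db01',
    "2019-05-27T10:00:09Z proxy: GET /api/v1/safes Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.abc.def",
    "2019-05-27T10:00:12Z backup: using api_key=7f3a9c2e secret: wJalrXUtnFEMI/K7MDENG",
    "2019-05-27T10:00:13Z s3sync: loaded access key AKIAIOSFODNN7EXAMPLE from environment",
    "2019-05-27T10:00:15Z fw: DROP tcp 203.0.113.7:44321 -> 10.1.2.9:9200",
]

if __name__ == "__main__":
    clean_lines, n = scrub(SAMPLE_LOG)
    print("\n".join(clean_lines))
    print(f"{n} secret values redacted")
```

Scrubbing like this is a safety net, not a substitute for the real fixes: the index should have required authentication and should never have been reachable from the Internet, and the applications should not have been writing secrets into logs in the first place. Note that the firewall line (the `9200` Elasticsearch port) is left untouched, since nothing in it is a credential.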

And of course, since this is an outsourced vendor, these companies’ vendor cyber risk management programs are, apparently, defective.

Information for this post came from ZDNet.

$67 Million Jury Verdict for Violating People’s Privacy

This is not directly a security issue.  Or a breach.  Because the County did not get hacked.

BUT it still is important to businesses.  And governments.

Juries are no longer sitting back and allowing organizations to ignore basic privacy law without consequences.

In this case it is Bucks County, Pennsylvania (population about 650,000), and this is going to cost them some bucks.

The federal jury awarded $1,000 to each of the roughly 67,000 people who have been booked into jail in the county since 1938.

The Bucks County budget is about $400 million, so this verdict, if it stands, represents about 17% of the total county budget for a year.

These people, whether or not they were ever convicted of a crime, were added to a publicly available web site called the Inmate Lookup Tool.

The suit started in 2013 – six years ago – when Daryoush Taha was arrested and charged with harassment, disorderly conduct and resisting arrest.  He was released the next day.  He completed a one year probationary program for first time offenders and the judge ordered that his arrest record be expunged.

For whatever reason, the folks who ran the Inmate Lookup Tool didn’t get the message, and his name, photo, personal details and charges remained available online.  Posting that information online is, apparently, against the law in Pennsylvania.

The federal judge granted class action status and the plaintiff’s attorney said, in closing arguments, that residents have the right to expect that local governments follow the law.

The county said that they did not know that posting all of this personal information on people who were arrested was illegal.

Basically, their defense was “we’re dumb.  We didn’t know the law.”

I wonder how that defense would work for someone they arrested?

Likely the County does not have insurance for this and, for the most part, you cannot get insurance to cover the penalty for breaking the law.

This is only one of a number of cases we have seen lately where juries have said (to steal a line from a movie) “I’m as mad as hell, and I’m not going to take this anymore!”

For businesses, this means that a defense of ignorance, or “gee, I’m sorry,” is not a sure-fire defense anymore.  As another example, we just saw Moody’s lower its outlook on Equifax to NEGATIVE as a result of their breach.

Information for this post came from the Philly Inquirer.

I don’t have a crystal ball, but I don’t see this getting better for companies that violate privacy or security laws in the future.


Security News for the Week Ending May 17, 2019

Be Thankful That You Are Not Equifax – Costs Reach $1.4 Billion So Far

Two years after the big breach, Equifax reported its financials for the first quarter.  They reported a loss of $555.9 million, compared to net income of $90 million for the same period in 2018, on basically flat revenue.

Equifax had $125 million in cyber risk insurance with a $7.5 million retained liability.  The insurance has paid out the full amount.

So far, the company has accrued $1.35 billion in data breach costs, and this game is far from over.  They say it is not possible to estimate the full costs.  For more information, read the Bank Info Security article.

Boost Mobile Announces Breach – Two Months Ago

Boost Mobile apparently got some customer data boosted.  Two months ago.  An undated letter to the California AG and an undated page on Boost’s website say that the breach happened on March 14, 2019.  We don’t know what the bad guys took, how many customers were affected or even when people were notified.  The only thing we can guess is that since it hit the media today, the notifications were very recent.

If any of the people affected were in Colorado, the notifications came 15-30 days late.  There are probably other states for which the notification was late as well.  Stay tuned – we may see some AGs getting upset.  Source: Techcrunch.

Supply Chain Attacks Get Bigger and Badder

Last week it was PrismWeb and 200 college bookstores.  This week it is Picreel, the analytics firm, Alpaca Forms (open source – so much for “open source is more secure”) and over 4,600 hacked websites.

The attack is still going on; the sites are still infected and the problem is only getting worse.  If you are loading third party code on your website, you need to rethink your security.  Source: ZDNet .
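The Picreel and Alpaca Forms incidents worked because thousands of sites loaded a vendor’s script straight from the vendor’s server, so when that file changed, every site ran the new version. Subresource Integrity (SRI) is the browser mechanism that blocks exactly this: the script tag carries a hash of the file it expects and the browser refuses to execute a file that does not match. The following is an added example (not code from the original post or from any vendor named in it) that generates and checks SRI values; the script bodies and CDN URL are constructed stand-ins.

```python
"""Generate and check Subresource Integrity (SRI) hashes for third-party scripts.

Added example, not code from the original post. The script bodies and URL
below are constructed stand-ins for a vendor's analytics tag.
"""
import base64
import hashlib
import hmac

# SRI permits exactly these algorithms; listed weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(body: bytes, algorithm: str = "sha384") -> str:
    """Return an integrity value such as 'sha384-<base64 digest>' for body."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"SRI does not allow {algorithm}")
    digest = hashlib.new(algorithm, body).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(body: bytes, integrity: str) -> bool:
    """Mimic the browser check: of the listed hashes only the strongest
    algorithm counts, and the body passes if any hash of that algorithm matches."""
    by_algorithm = {}
    for token in integrity.split():
        algorithm, sep, encoded = token.partition("-")
        if sep and algorithm in SRI_ALGORITHMS:
            by_algorithm.setdefault(algorithm, []).append(encoded)
    if not by_algorithm:
        return False  # no usable hash at all: treat as a configuration error
    strongest = max(by_algorithm, key=SRI_ALGORITHMS.index)
    actual = sri_hash(body, strongest).split("-", 1)[1].encode()
    return any(hmac.compare_digest(actual, candidate.encode())
               for candidate in by_algorithm[strongest])


def script_tag(src: str, body: bytes) -> str:
    """Emit a script tag pinned to the current body of the vendor file."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            'crossorigin="anonymous"></script>')


# Constructed stand-ins: a vendor's snippet and a copy with a skimmer appended.
VENDOR_URL = "https://cdn.example-analytics.invalid/track.js"
VENDOR_JS = b"window.track=function(e){navigator.sendBeacon('/collect',e)};"
TAMPERED_JS = VENDOR_JS + b"document.forms[0].onsubmit=function(){/* skimmer */};"

if __name__ == "__main__":
    print(script_tag(VENDOR_URL, VENDOR_JS))
    print("legitimate copy passes:", sri_matches(VENDOR_JS, sri_hash(VENDOR_JS)))
    print("tampered copy passes:  ", sri_matches(TAMPERED_JS, sri_hash(VENDOR_JS)))
```

The catch is that SRI only works for files that do not change, so a vendor that pushes updates to the same URL breaks your page until you re-pin the hash. That is a feature, not a bug: a change you did not approve is exactly what a supply-chain attack looks like. For vendors that insist on mutable URLs, self-host a reviewed copy of the script instead.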

Intel Announces New Family of Speculative Execution Attacks

Intel seems to be challenged to catch a breach.  Err, a break.    After last year’s Spectre and Meltdown attacks comes this year’s ZombieLoad and Fallout attacks.  This is not a surprise – experts predicted more speculative execution attacks would be found.

Other than some new Intel 8th and 9th generation chips, all Intel chips made in the last decade are vulnerable, but ARM and AMD chips are not.  Some older chips will get microcode patches, while others, which are likely out of room for new microcode, will never be fixed.

Apple, Intel, Microsoft and others have all released patches to mitigate these attacks on the chips for which there are fixes.  The attacks can be made either by planting malware on the device or remotely over the Internet.

The good news, FOR THE MOMENT, is that the attack seems to be complex, so it will likely be used only in targeted situations, but if it is used, everything on the device can be compromised, including passwords and encryption keys.

Disabling Simultaneous Multi-Threading (Intel’s Hyper-Threading) will significantly reduce the impact of this attack.
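On Linux you do not have to guess whether a host is still exposed: the kernel reports the MDS mitigation state as one line of text, and the SMT note at the end of that line is what tells you whether sibling hyperthreads can still leak to each other. The following is an added example (not code from the original post or from Intel) that interprets that line and says what to do next; the sample strings are constructed from the formats the kernel documents in Documentation/admin-guide/hw-vuln/mds.rst.

```python
"""Interpret the Linux kernel's MDS status (the ZombieLoad/Fallout family).

Added example, not code from the original post. The sample strings are
constructed from the formats documented in the kernel's hw-vuln/mds.rst.
"""
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

MDS_SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/mds")


@dataclass(frozen=True)
class MdsStatus:
    affected: bool          # CPU is susceptible at all
    buffers_cleared: bool   # kernel flushes CPU buffers on privilege transitions
    smt_exposed: bool       # a sibling thread could still sample the buffers
    raw: str


def parse_mds(text: str) -> MdsStatus:
    """Turn the sysfs line into a structured status."""
    raw = text.strip()
    if raw == "Not affected":
        return MdsStatus(False, False, False, raw)
    buffers_cleared = raw.startswith("Mitigation: Clear CPU buffers")
    # Anything short of an explicit "SMT disabled" / "SMT mitigated" leaves the
    # cross-thread leak open; a bare "Vulnerable" carries no SMT note at all.
    smt_exposed = not ("SMT disabled" in raw or "SMT mitigated" in raw)
    return MdsStatus(True, buffers_cleared, smt_exposed, raw)


def recommendation(status: MdsStatus) -> str:
    """What an administrator should do next for this host."""
    if not status.affected:
        return "ok: CPU not affected"
    if not status.buffers_cleared:
        return "patch: install microcode and a kernel with the MDS mitigation"
    if status.smt_exposed:
        return "harden: disable SMT (e.g. boot with mds=full,nosmt) for untrusted workloads"
    return "ok: mitigated and SMT disabled"


def assess_live() -> Optional[MdsStatus]:
    """Read the real sysfs entry if this is a Linux host that exposes it."""
    if not MDS_SYSFS.exists():
        return None
    return parse_mds(MDS_SYSFS.read_text())


# Constructed sample lines in the kernel's documented formats.
SAMPLES = [
    "Not affected",
    "Vulnerable",
    "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
    "Mitigation: Clear CPU buffers; SMT vulnerable",
    "Mitigation: Clear CPU buffers; SMT disabled",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line!r:75} -> {recommendation(parse_mds(line))}")
    live = assess_live()
    if live is not None:
        print("this host:", live.raw, "->", recommendation(live))
```

The middle case is the one that bites people: “Mitigation: Clear CPU buffers; SMT vulnerable” means the patches are installed but a hostile thread on the sibling core can still sample data, which matters on any box that runs code you do not trust (shared hosting, CI runners, browsers). Hyperthreading can be turned off at boot with the `mds=full,nosmt` kernel parameter or at runtime by writing `off` to `/sys/devices/system/cpu/smt/control`; the cost is the lost SMT throughput, which is why it is a per-workload decision rather than a blanket one.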

Source: Security Week.

For $600 A Hacker Could Confuse Any Commercial Plane’s Instrument Landing System

From a Cessna to a jumbo jet, every commercial plane built in the last 50 years uses a radio-based system to guide it in to land when the pilot can’t see the runway, such as in rain or fog.

These radios were not designed to be secure from hacking.

There is no encryption.  There is no authentication.  The system in the plane assumes that any radio signals that come from the ground are legit.

Unfortunately, for $600 a hacker can buy a software defined radio that can tell the plane that it is off course.  A little high.  A little to the side.

In theory, if the pilot can see the runway, he or she will execute a “missed approach” and go around.  Given how busy US airspace is, that decision may come at 50 feet off the ground – not a lot of time to react.

Probably, right now, this is an unlikely attack.  Right now.  But remember, attacks never get less likely, only more likely, as attackers figure out how to manipulate things.  Source: Ars Technica.


Security News For The Week Ending May 3, 2019

U.S. Trains UAE Spies to Spy on Americans

Reuters has written an exposé on how the State Department granted a U.S. company an ITAR license to train UAE spies in hacking.  The plan, which got out of control, was to constrain the UAE spies, but once they were trained, they fired their U.S. trainers and started spying on royalty around the Middle East and even on Americans in the U.S.  The FBI has been investigating since 2016, with no charges so far.

The challenge is that if we said no to training them, they would likely go to the Chinese.  If we indict them, they are less likely to be our friends and instead work with the Russians and Chinese. It is a bit of a lose-lose situation.

Read the Reuters article here and listen to Stewart Baker (formerly of the NSA and DHS)  interview the journalists (the second half of this podcast) here.

Over 500% Increase in Ransomware Attacks Against Businesses

In contrast to the FBI stats from the other day, Malwarebytes’ Q1 2019 report paints a different picture.  The FBI stats only reflect what is reported to them, while the Malwarebytes stats reflect what their endpoint protection software is actually seeing, whether reported or not.

While they show that consumer detections were down by 24% year over year, business detections were up 235%, indicating that attackers are going after business targets – where the data is juicier and they might pay to get it back.

In the commercial world, unlike the consumer world, ransomware detections are up 189% since Q4 2018 and 508% since Q1 2018.  This means that businesses are definitely being targeted.

One thing that is not clear from the report, but likely, is that this includes both successful and failed ransomware attacks, since the data is collected by an endpoint security product.  Source: Bleeping Computer.

Scott County Schools Suffers $3.7 Million Business EMail Compromise Loss

In case you were wondering how that $1.3 BILLION Business Email Compromise number happens: a small school district in Kentucky got suckered into paying a social engineer $3.7 million instead of paying the correct vendor.  Sounds like they need some training, and I bet they get some – after the horse and their money are out of the barn.  Source: KnowBe4.

Supply Chain Risk is a Major Problem

Germany-based CityComp, whose clients include SAP, BT and Oracle, was hacked earlier this month.  The hacker asked for $5,000, which was not paid, and claims to have over 500 GB of data in 312,000 files, which is set to be released.  Because a vendor was hacked.  In part because their clients’ vendor cyber risk management programs did not impart the seriousness of cybersecurity.  Supply chain risk is a critical problem that is not being adequately handled.  Read the details at The Register.

Google Adds New Option to Auto-Delete Some History

Google says that they will begin rolling out a couple of changes with respect to privacy.  Although they are small changes, any change in this direction is a good thing.

Google will let you specify how long they keep your app activity and location data, but there are only three options: until you delete it, 18 months, or 3 months.

You could before, and still can, turn it off completely, but that makes certain Google functions less useful in some people’s view.

Ultimately a small, but good, move.  Source: The Hacker News.

Global Security Officials Meet to Hammer Out 5G Security

The United States and security officials from 30 European Union and NATO countries, as well as Japan, Australia and Germany, are meeting in Prague to figure out how to combat security threats in 5G cell networks.  China and Russia were not invited!

The plan is to set up security conditions that Huawei and other Chinese vendors would likely not be able to meet.  Stay tuned for more details.  Go for it, fellas.  They may have just played the Chinese.  Source: Reuters.


More Info on the Wipro Hack

Last week, I wrote about the Wipro hack (if you didn’t see that post, click on the search box and enter Wipro).  While Wipro is being pretty close-mouthed about what happened, due to the inevitable lawsuits, SLA complaints and even claims of breached contracts, that isn’t stopping the media from reporting on it.

In fact, Wipro would probably have been better off addressing the issue rather than attempting, unsuccessfully, to stonewall the media.

When Brian Krebs, who was the first to report on this, reached out to Wipro for a comment, they took several days and then came back with a non-answer that said how wonderful their security was.

Apparently their incident response program didn’t include how to deal with the media.

After Brian’s story broke, Wipro decided to talk to a (perhaps more friendly) Indian media outlet and reported that they had a breach.  They did not reach out to Brian.

The next day they had a quarterly investor conference call (bad timing for them) and their CEO said that many of Brian’s details were in error.  They basically said that the issue was handled.

Brian then asked Wipro’s CEO what parts of the story were in error; instead of responding, he read a PR statement about their response to the incident.

Note that if you are going to call a reporter a liar, you probably ought to be able to back that up, because the reporter is likely to call you out on it otherwise. 

The CEO did agree to have a one-on-one call with Brian, a statement that another reporter recorded and posted on Twitter.

During the follow up call, the CEO took issue with Brian’s statement that the incident lasted months.  When Brian asked when it did start, the CEO said he didn’t know but surely it wasn’t months.

It would seem that if you are going to put your CEO on a one on one call with a reporter, you probably ought to make sure that the CEO is prepared.

The CEO also claimed that the company was hit by a zero-day attack.  Given that they are a very large IT services firm, that doesn’t seem like a great defense.  Certainly, no one is bulletproof, but you need evidence.

When asked about the details of the zero-day, they have been quiet other than to say that they shared the details with their anti-virus vendor- and apparently no one else.

That is very unusual for zero-days.  Generally, if you think you have uncovered something new, you want to let others know so that they don’t get hit by the same attack.

In reality, according to Brian, they probably meant that “zero-day” in this context is an attack that their anti-virus software didn’t catch.  Unfortunately, nowadays, that is not much of a surprise.  Anti-virus software, unless it is very special (and there are a few such products, but not any of the typical mainstream ones), will only catch basic attacks.

A few hours after the call, Brian heard from one of Wipro’s customers in the US.  They decided to sever all electronic communications with Wipro as a result of the attack, since Wipro’s systems were found to be attacking this customer.  This is the exact right thing to do.  Disconnect now and then figure out IF and WHEN you should reconnect.  That should only happen after the customer is sure they are safe.

A large retailer who is a Wipro customer said that the attackers used the compromise to execute a gift card fraud attack.  Something that would generate cash right away.

India has no laws requiring a company to disclose a breach, so anyone who is outsourcing to India (and other countries) needs to make sure that, contractually, the outsourcer must report any cyber incident to the customer within, say, 24 hours.  That way, if it doesn’t happen, it is a breach of contract that can be dealt with in any number of ways.  Source: Brian Krebs.

Since this story won’t go away, Brian reported the next day that not only was Wipro attacked, but other Indian outsourcers were attacked.  Specifically, Infosys and Cognizant were also attacked.

It appears that some of the companies the hackers were after were Sears, Green Dot (the prepaid credit card company), Elavon (credit card processor), Rackspace, Avanade, Capgemini and others.  Looking at this list, it is clear the attackers want fast money (Sears) but also more victims, by attacking a bunch of outsourcers like Rackspace, Avanade and Capgemini.

Sources are saying that the attack may have been initiated by compromising a remote desktop product, ScreenConnect.  That is consistent with an alert I got from Homeland Security over the weekend that said that hackers were using remote access software to perpetrate attacks and mentioned ScreenConnect by name.  Possibly that is a coincidence, but I doubt it, given the timing.

Some of the companies mentioned confirmed the attack in this additional post of Brian’s.

Bottom line: when it comes to breaches, stonewalling DOES NOT WORK.  Period.  Plan your response long before you are going to need it.  That is just smart.  The media will keep reporting on it until you either deal with the core issues or look like a bumbling idiot.  Wipro opted for the second, in my opinion.
