Category Archives: Legal

What Do December Breach Announcements Point Out

First it was Marriott.  The breach of Marriott’s Starwood division systems exposed data on 500 million guests and triggered multiple lawsuits and investigations.

That breach was four years in the making and across two different management teams – first at Starwood and then at Marriott.

Undetected.

This week 1-800-Flowers announced that it too was breached.  The Canadian division’s web site was breached.  In 2014.  They detected the breach in September 2018, four years into it.

Undetected.

How do hackers remain inside the systems of large companies for four years?

Were the hackers targeting Marriott or 1-800-Flowers?  Probably not, but once they got in they probably thought they went to hacker heaven.

If hackers can do that to large companies, what about small companies?

The bottom line is that smart hackers want to stay inside your systems for as long as possible to maximize the “value” of the intrusion.

If you are stealing only credit card numbers, you can’t sit on them for long, because cards expire and get reissued.  In the Marriott case, which has since been linked to hackers working for the Chinese government, the attackers also took a lot of other information useful for identity theft – names, addresses, passport numbers and dates of birth – and that has a much longer shelf life.

Also, it seems to be taking Marriott a long time to figure out what was taken.  I am not clear that they even really know now.

Big companies already know that they are targets of attackers; small companies are targets too, whether they know it or not.

As companies move more systems to the cloud, detecting attacks can get harder: the logs, the network and the hosts an attacker lands on are no longer yours to instrument.

Are you asking your cloud providers – all of them – who is responsible for detecting a breach of your data?  I bet many providers will say it is you.  And who is responsible for responding once a breach is detected?

Are you ready to respond to an incident?  That includes figuring out what you are going to say on social media and how you are going to handle the social media chatter.  Sometimes that chatter can get pretty brutal.

Companies need to prepare for and test how they are going to respond.

Small companies say it won’t happen to them, but while the Marriott and 1-800-Flowers type of breaches get lots of press, the vast majority of breaches, by count, happen to companies with anywhere from a few employees up to a couple of hundred.

Both of these breaches became public because the companies reported them to the authorities, as breach notification laws require, so if you think you are going to keep your breach quiet, that is likely impossible unless it is really small.

Get prepared, stay prepared and be thankful if you don’t have to activate that preparation.

Information for this post came from Threat Post.


Australia Is On The Fast Path to Ban Encryption Without Backdoors

While this is still a bit like Jello (R) waiting to congeal, the Australian Assistance and Access Bill is designed to require back doors in end-to-end encrypted messaging services like WhatsApp and iMessage.

COMPANIES THAT DEVELOP SOFTWARE THAT USES END-TO-END ENCRYPTION NEED TO PAY ATTENTION TO WHAT HAPPENS SO THAT THEY CAN MAKE APPROPRIATE BUSINESS PLANS.

The party in power is trying to ram the bill through Parliament in four days and the opposition Labor party is playing politics – maybe supporting it, maybe not.

Continuing the political bull-poop, the prime minister said that the Labor party is “happy” for terrorists to plot attacks using encrypted messages.  I don’t recall ever hearing the Labor party ever say anything remotely close to that.

Critics are saying that if the bill passes, the Australian software industry will be toast, since anyone in another country will assume that any Australian software is riddled with security holes to keep the police happy.  Who would buy that software?

One proposal is to limit the back doors to terrorism and child trafficking, but I have no idea how, technically, you could possibly do that.

It is also possible that such a law would conflict with provisions of foreign laws such as the U.S. CLOUD Act and possibly even GDPR.

The bigger question is whether big software players like Apple and Facebook will buckle and build in back doors to protect a tiny bit of the world market to keep Australia happy.

One possibility is a repeat of what we had in the U.S. in the 1990s under crypto export controls: two versions of the software – one for the Australian market, full of security holes but legal in Australia, and one for the rest of the world.  (The deliberately weakened 1990s export ciphers were still being used to break TLS connections twenty years later, in the FREAK and Logjam attacks; weak crypto does not go away when the law changes.)  The disadvantage is that vendors would need to maintain two sets of software and maybe some amount of separate infrastructure.  It is also not clear how you would stop Australians from downloading the other version.

Another possibility, although less likely, is that companies like Apple and Facebook will abandon the Australian market.  After all, in the grand scheme of things, it is not a big part of their revenue.  For the moment they are lobbying against the bill and, other than that, keeping their collective mouths shut.

The Australian government is saying that it needs to ram this legislation through Parliament because of the heightened risk over the Christmas holiday, although it is inconceivable that, even if the bill passes, companies would build anything in time for Christmas.

The government is trying to scare people into passing the bill without any review by saying if they don’t that lives are in jeopardy, but when asked if there is a specific problem they answer no.  After all, they have not had this capability for the last 10 years, why will waiting 30 days mean the end of life on the planet?

The proposed law would require companies to add back doors unless adding them would create a “systemic weakness” – a term the bill does not clearly define.

Information for this post came from ZDNet and Sky News.

Of course, since politicians are for the most part not technically savvy, they appear to have missed the issue of open source software, which we have seen grow in popularity among terrorists in the Middle East.  With open source there is no company to haul into court, and it is likely impossible to stop the distribution of source code hosted outside a country’s borders.

Stay tuned.

What is 1AjZPMsnmpdK2Rv9KQNfMurTXinscVro9V?

Some of you probably figured out that it is a cryptocurrency wallet address – a Bitcoin address, to be specific.  But there is something that makes this address different from the tens of millions of Bitcoin addresses out there in the wild.

Making a payment to this address may make you, in the eyes of the U.S. government, a financier of terrorism, and subject you to fines, arrest and prosecution.

But, you say, you were hit by a ransomware attack and you need your data back.

Sorry, says the government, you are still a terrorist.

Enough, you say, with this riddle.  Explain what the **bleep** is going on.

OK, here is the story and most of it is not news to anyone who has worked in financial services.

The U.S. Treasury Department has an office called OFAC, the Office of Foreign Assets Control.  Predecessors of the current OFAC have been around at least since the 1940s.

The idea behind OFAC is to make sure that U.S. businesses and citizens do not send money to sanctioned parties – terrorists, narcotics traffickers, sanctioned regimes and the people who help them.  In fact, when I was in the title and escrow business, we checked each and every payment, both inbound and outbound, to make sure that we were not accepting money from terrorists nor sending money to terrorists.  We had special software to do this since we made tens of thousands of payments a day.

OFAC manages a list of what it calls Specially Designated Nationals and Blocked Persons (the SDN list) – basically terrorists and the people who help them, along with others the U.S. has sanctioned.  As of today, that list is contained in a PDF file that is 1254 pages long.

As a way to squeeze terrorists and their financiers, OFAC has started adding cryptocurrency wallet addresses to SDN entries.  The government expects that every time you make a cryptocurrency transaction, you check that the recipient is not on the SDN list.  If you use a service like Coinbase or one of its competitors, they do that screening for you.  If you arrange the Bitcoin transfer yourself, OFAC expects you to do it.

Since the Bitcoin blockchain is public (unlike privacy-focused coins such as Monero), it is easy for the government, or anyone else, to watch every payment into that address.  Transfers are only relatively anonymous, and only if done carefully (for example, using a fresh wallet for that one transaction, among other precautions), so the government may or may not bother to find you if you violate the OFAC rules; but if you are a money handler, they will definitely come after you.  And if you funded that wallet from a bank account, or through an exchange that verified your identity, anonymity is totally gone – FYI.

Penalties for violating OFAC rules have recently ranged from a low of $87,000 to a high of $53,966,000.  Big range, although $87,000 is still a large number.

There is a mechanism (an OFAC license) for requesting permission to send money to a person on the SDN list (called a blocked person or blocked entity), but I doubt the process is simple or quick, two things that are probably important when you are trying to unlock your data.

The simple solution is don’t get attacked by ransomware (easier said than done), or only get hacked by friendly hackers, or hope that your attacker is not on the SDN list.  Otherwise, before you pay, check whether the address you are paying appears on the SDN list, and keep a record of that check.
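As an added example (not code from the original post, and not OFAC’s own tooling), here is the kind of pre-payment screening a company doing its own transfers would run.  It assumes the element names OFAC uses in its sdn.xml download (sdnEntry, idList/id, and an idType of “Digital Currency Address - XBT” for Bitcoin addresses); check those against the current schema before relying on it.  The SDN extract embedded below is constructed for the example and contains only the address quoted above, with a made-up name, uid and program.  It also accepts a BIP-21 bitcoin: URI, since that is how a ransom note or QR code may present the address.

```python
"""Pre-payment OFAC screening of a cryptocurrency destination address.

Added example; not from the original post and not OFAC's tooling.
ASSUMPTION: OFAC's sdn.xml uses <sdnEntry>/<idList>/<id> elements with an
<idType> of "Digital Currency Address - <TICKER>" for wallet addresses.
Verify against the live file and schema before relying on this.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# CONSTRUCTED extract in the assumed shape of sdn.xml. The only real value is
# the address quoted in the post; the name, uid and program are placeholders.
SAMPLE_SDN_XML = """<sdnList xmlns="http://tempuri.org/sdnList.xsd">
  <sdnEntry>
    <uid>90001</uid>
    <lastName>EXAMPLE BLOCKED PERSON</lastName>
    <sdnType>Individual</sdnType>
    <programList><program>EXAMPLE-PROGRAM</program></programList>
    <idList>
      <id>
        <uid>1</uid>
        <idType>Digital Currency Address - XBT</idType>
        <idNumber>1AjZPMsnmpdK2Rv9KQNfMurTXinscVro9V</idNumber>
      </id>
      <id>
        <uid>2</uid>
        <idType>Passport</idType>
        <idNumber>X0000000</idNumber>
      </id>
    </idList>
  </sdnEntry>
</sdnList>
"""

NS = {"s": "http://tempuri.org/sdnList.xsd"}
ID_TYPE_PREFIX = "Digital Currency Address - "

BlockedIndex = Dict[Tuple[str, str], dict]


def load_blocked_addresses(xml_text: str) -> BlockedIndex:
    """Index every digital-currency id in the list as (ticker, address) -> entry."""
    root = ET.fromstring(xml_text)
    blocked: BlockedIndex = {}
    for entry in root.findall("s:sdnEntry", NS):
        info = {
            "uid": entry.findtext("s:uid", default="", namespaces=NS),
            "name": entry.findtext("s:lastName", default="", namespaces=NS),
            "programs": [p.text for p in entry.findall("s:programList/s:program", NS)],
        }
        for ident in entry.findall("s:idList/s:id", NS):
            id_type = ident.findtext("s:idType", default="", namespaces=NS)
            if not id_type.startswith(ID_TYPE_PREFIX):
                continue  # passports, tax ids, etc. are not what we screen here
            ticker = id_type[len(ID_TYPE_PREFIX):].strip()
            address = ident.findtext("s:idNumber", default="", namespaces=NS).strip()
            # Base58 addresses are case-sensitive: store them exactly, never folded.
            blocked[(ticker, address)] = info
    return blocked


def normalize_destination(dest: str) -> str:
    """Reduce a pasted destination to the bare address.

    Accepts a bare address or a BIP-21 URI like
    'bitcoin:1AjZ...?amount=0.5&label=x' (the form a ransom note or QR code
    may use). Surrounding whitespace is dropped; case is preserved.
    """
    dest = dest.strip()
    if dest.lower().startswith("bitcoin:"):
        return urlsplit(dest).path.strip()  # everything between ':' and '?'
    return dest


def screen_payment(dest: str, blocked: BlockedIndex, ticker: str = "XBT") -> Optional[dict]:
    """Return the SDN entry the destination belongs to, or None if it is clear."""
    return blocked.get((ticker, normalize_destination(dest)))


if __name__ == "__main__":
    index = load_blocked_addresses(SAMPLE_SDN_XML)
    for candidate in ("bitcoin:1AjZPMsnmpdK2Rv9KQNfMurTXinscVro9V?amount=0.5",
                      "1ExampleAddressNotOnTheList00000000"):
        hit = screen_payment(candidate, index)
        print(candidate, "->", "BLOCKED: " + hit["name"] if hit else "clear")
```

Two details matter in practice: Bitcoin addresses are case-sensitive base58, so never case-fold either side before comparing, and each check should be logged together with the publication date of the list it ran against, because being able to show that you screened is what counts if OFAC comes asking.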

We live in interesting times.  Information for this post came from Bleeping Computer; information on OFAC and the SDN list can be found on the Treasury Department’s OFAC web site.


News Bites for the Week Ending November 30, 2018

Microsoft Azure and Office 365 Multi-Factor Authentication Outage

Microsoft’s cloud authentication service had an outage this week for the better part of a day, worldwide.  The failure stopped users whose accounts require multi-factor authentication from logging in to Azure and Office 365.

This is not a “gee, Microsoft is bad” or “gee, two factor authentication is bad” problem.  All systems have failures, especially the ones that businesses run internally.  Unfortunately cloud systems fail occasionally too.

The bigger question is: are you prepared for that failure, which is guaranteed to happen at some point in the future?

It is a really bad idea to assume cloud systems will not fail, whether they are an industry-specific application or a generic platform like Microsoft’s or Google’s.

What is your acceptable length for an outage (your recovery time objective)?  How much data are you willing to lose (your recovery point objective)?

More importantly, do you have a plan for what to do in case you pass those points of no return, and have you recently tested that plan?

Failures usually happen when it is inconvenient, and planning is critical to dealing with them.  For an MFA outage specifically, that plan usually includes a couple of emergency-access (“break glass”) administrator accounts that are excluded from the MFA requirement, with their credentials locked away offline and an alert raised on every use.  Dealing with an outage absent a well thought out and tested plan is likely to be a disaster.  Source: ZDNet.

Moody’s is Going to Start Including Cyber Risk in Credit Ratings

We have said for a long time that cyber risk is a business problem.  A credit rating represents the overall risk of doing business with, or lending to, a company.

What has been missing is connecting the two.

Now Moody’s is going to do that.

While details are scarce, Moody’s says that it will soon evaluate an organization’s risk from a cyber attack as part of its ratings.

Moody’s has even created a new cyber risk group.

While they haven’t said so yet, likely candidates for initial scrutiny of cyber risk are defense contractors, financial, health care and critical infrastructure.

For companies that care about their risk ratings, make sure that your cybersecurity is in order along with your finances.  Source: CNBC.

British Lawmakers Seize Facebook Files

In what has got to be an interesting game, full of innuendo and intrigue, British lawmakers seized documents sealed by a U.S. court when the CEO of a company that had access to them visited England.

The short version of the back story is that the Brits are not very happy with Facebook and were looking for copies of documents that had been produced in discovery in a lawsuit between app maker Six4Three and Facebook, a suit that has been going on for years.

So, when Ted Kramer, the founder of Six4Three, visited England on business, Parliament’s Serjeant at Arms literally hauled him into Parliament and threatened to jail him if he did not produce the documents sealed by the U.S. court.

So Ted was between a rock and a hard place: the Brits had physical custody of him, and the U.S. courts could hold him in contempt (I suspect they will huff and puff a lot, but not do anything) – so he turned over the documents.

Facebook has been trying to hide these documents for years.  I suspect that Six4Three would be happy if they became public.  Facebook said, after the fact, that the Brits should return the documents.  The Brits said go stick it.  You get the idea.

Did Six4Three play a part in this drama in hopes of getting these emails released?  Don’t know but I would not rule that out.  Source: CNBC.

Two More Hospitals Hit By Ransomware

The East Ohio Regional Hospital (EORH) and Ohio Valley Medical Center (OVMC) were both hit by a ransomware attack.  The hospitals reverted to paper patient charts and are diverting ambulances to other hospitals.  Of course they are saying that patient care isn’t affected, but when you have no electronic records on the patients currently in the hospital – their diagnoses, tests or prior treatments – that seems a bit optimistic.

While most of us do not deal with life and death situations, it can take a while – weeks or longer – to recover from ransomware attacks if the organization is not prepared.

Are you prepared?  In this case, likely one doctor or nurse clicked on the wrong link;  that is all it takes.  Source: EHR Intelligence.

Atrium Health Data Breach – Over 2 Million Customers Impacted

Atrium Health announced a breach of the personal information of over 2 million patients, including Social Security numbers for about 700,000 of them.

However, while Atrium gets to take the blame and pay any fine, it was actually the fault of one of its vendors, AccuDoc, which does billing for Atrium’s 44 hospitals.

Atrium says that the data was accessed but not downloaded and did not include credit card data.  Of course if the bad guys “accessed” the data and then screen scraped it, it would not show as downloaded.

One more time – VENDOR CYBER RISK MANAGEMENT.  It has to be a priority.   Unless you don’t mind taking the rap and fines for your vendor’s errors.   Source: Charlotte Observer.


FCC Continues to Support Network Providers at the Expense of Consumers

In general, the U.S. ranks below many third world countries in the speed, quality and cost of Internet access.  If you ask your neighbors what they think about the price, speed and customer service of their internet provider , you will generally not get a positive answer.  My brother lives in Europe and his internet connection is 50 times faster than mine is here and he pays less than half of what I pay.  That is a 100 to 1 ratio.

Some cities have attempted to fill this vacuum by building their own networks to provide Internet service.   While the number (about 750 cities) is small compared to the number of cities in the U.S., cable companies are not happy about the competition.

Therefore, it falls on the FCC to protect those cable companies’ interests by saying that local community-owned Internet services are a threat to free speech.  Really.  FCC commissioner Michael O’Rielly actually said that in a speech.

As is often the case with Washington, he gave zero evidence to support that claim.  That is a big surprise.  But at least a few people will believe him.

Recently the FCC reversed its own net neutrality regulation saying that it didn’t have the authority to issue the order and when 38 states started issuing similar orders, it said that the states didn’t have the authority to do that, only it had that authority.  Confused?  Me too.

So now the FCC is saying that when local cities work to solve local problems (poor or non-existent Internet service), it is a threat to the First Amendment.

The only remote support is one university paper that says the same thing, also with no evidence.  The issue at hand is the nearly universal clause in ISP terms of service that says they can kick you off the network if you threaten violence or spew hate speech.  The Pittsburgh synagogue shooter used an online service called Gab to promote the killing of Jews, and, not surprisingly, Gab’s ISP kicked it off when that fact became public and threatened its reputation.  PayPal refused to process its credit card transactions and its domain name registrar would no longer serve its domain.  None of these companies are community run, but I don’t hear the FCC whining about them.  In fact, as of today, no ISP is willing to host Gab and it is off the air for now.  ISPs write terms of service that reflect community norms and reserve the ability to drop customers who violate those standards.

What is not clear is why the FCC is so anti-consumer at this point.  It kind of makes you wonder if there is money involved.  And not in a good way.  Information for this post came from Motherboard.


Smart Home Manufacturers Won’t Say if They are Giving Your Data to the Feds

From a sales and branding perspective, the last thing that smart home device manufacturers (think Amazon Echo, Google Home, Apple HomePod and a raft of others) want you to worry about is whether the Feds are snarfing up your data.

We do know of a few highly publicized cases – a request for smart water meter data in a murder case, Fitbit data used to charge a 90 year old man with murdering his stepdaughter, and a few others – but as far as media coverage goes, this has not been in the news much.

So TechCrunch went to a number of players and asked them.  Here is some of what it got:

  • Google’s Nest says it has responded to government requests about 300 times (a pretty small number) since 2015 and has not received any national security letters.  Yet.  Google is the only vendor that currently publishes numbers.
  • Amazon won’t say.  It buries requests for Echo data deep inside its overall transparency report so you can’t tell, and has no plans to hurt sales by telling you.
  • Facebook also says that it will bury the data for its Portal device and wouldn’t say if it will ever break that data out.
  • Google would not comment on requests for Google Home data and instead tried a sleight of hand and said “look at our Nest data”.
  • Apple said there would be nothing to report regarding HomePod because requests are tied to a random identifier rather than to an Apple ID, so they cannot be linked to a person.  Perhaps, but the request still arrives from an IP address, and while an IP address might not tie directly to a person, it does tie directly to a household.  Nice try, Apple.
  • Ring refused to answer the question and said it requires a legal demand before handing over data.

Bottom line, everybody is dodging and weaving, so I think it is reasonable to assume that the cops are asking them for data.  Probably a small amount right now because smart homes are still a very small niche, but as it goes more mainstream, expect more requests.  And, probably, no more transparency, at least at first.

So what should you do?

The first question is: do you care?  The second is: exactly what data are they collecting?  We know a couple of TV makers (Vizio and Samsung, I think) paid multi-million dollar fines for snooping.

Will vendors decide to collect more data or less data over time?

We don’t know and the vendors aren’t saying.  Assume the worst.  Probably a safe bet.

Assuming you care, there are limited things that you can do.

For things like smart TVs, there is no easy way to turn the data collection off.  Samsung’s smart TV privacy policy went so far as to warn customers not to say anything sensitive in front of the TV, because spoken words are captured and sent to a third party for voice recognition.  So, watch TV in silence.

Check for devices with on-off switches.  Check the vendor’s policy statements.  That’s not a guarantee of anything, but better than nothing.

Of course there is the nuclear option – again assuming that you care – do you REALLY need your refrigerator telling you to get milk?  Maybe?  But maybe not!  If you don’t, turn the smart device into a dumb device: if you don’t connect it to the Internet, it cannot blab.

Information for this post came from TechCrunch.