Category Archives: Legal

Senate Republican Proposes Federal Privacy Bill

In an interesting turn of events, the staff of Republican US Senator Roger Wicker has written a draft federal privacy bill. Its main goal is to preempt California's privacy law, which goes into effect in January.

Of course, there are only 28 days between now and January 1, so I would be very surprised if the bill made it through the House and Senate and was signed by the President. Still, it is interesting.

Wicker, who chairs the Senate Commerce Committee, says it offers more detailed consumer protections, covers more companies, and has more explicit requirements that companies collect only the minimum amount of personal data needed for their purpose.

*IF* that is true, I can't imagine that Facebook, Google and the like will sign on to support it, but who knows.

I have not seen a copy of the draft, although the Senator has given Reuters a copy.

One challenge is this: the Democrats won't support a bill that preempts state law, and the Republicans won't support one that doesn't preempt state law. I am not sure how you resolve that.

Reuters says the draft covers any company doing business across state lines (a one-person company? Non-profits?), expands the definition of sensitive information to include biometrics, requires companies to have clear and conspicuous privacy policies (that no one reads), and would allow consumers to request that inaccurate information be corrected.

What I don't see, from the Reuters article, is that consumers have any rights in their data: no right to get a copy of their data, no right to stop companies from selling their data, no right to have their data deleted, etc. BUT, I have not seen the actual draft bill.

If those rights are not there, I can’t see how Wicker can say with a straight face that the bill is better than California’s current law, unless he means better for Google, Facebook and others.

There also does not appear to be any right for consumers to sue.

If the consumers don’t have any rights from under this law and if it preempts state law, then I think that the Facebooks and Googles of the world will support it, even if it isn’t perfect.

Wicker’s committee is holding a hearing Wednesday which will include lawyers from Microsoft and Walmart.

Wicker said “If there is something weak here, if there are other protections that need to be added, let’s add them, but let’s make it a nationwide standard.”

If he is serious, that is great, but I think that companies that earn all of their money by selling your data are not very interested in giving consumers rights to their data or the right to sue.

I said months ago that I doubted that a federal law would be passed and signed anytime soon.  The two sides are still far apart.  However, I could be wrong.

Stay tuned! Source: Reuters


Security News for the Week Ending November 22, 2019

Huawei Ban – Is It A National Security Issue or Bargaining Chip?

Back in May, President Trump issued a ban on US companies buying from or selling to Huawei (see here). Since then, the government has extended the ban 90 days at a time, and it just issued another extension. It is doing this at the same time that it is trying to get US allies not to use Huawei products in the rollout of those countries' 5G networks. This tells China that we are not serious about this and don't really think Huawei is a security risk, whether it is or not.

There are two problems with the ban. The first is that US telecom carriers currently use lots of Huawei gear and it will cost billions to replace it. Second, US companies (and likely Republican donors) make billions selling parts to Huawei, so the administration is reluctant to stop that flow of money into the country.

Congress is considering a bill to fund $1 billion over TEN YEARS as a down payment on removing Huawei gear from US networks. If the US actually implements the Huawei ban, carriers that keep the gear will no longer get software patches; the Chinese might even announce the holes so hackers can attack US networks. In addition, if the equipment breaks, carriers won't be able to get it fixed. Life is never simple.

Carriers that have to spend money replacing Huawei gear will have to delay their 5G rollouts, turning the US into even more of a third-world cellular network than we already are. Source: ITPro

Phineas Fisher Offers $100,000 Bounty to Hack Banks and Oil Companies

The hacker or hacker group Phineas Fisher has offered a bounty of $100,000 to other hackers who break into "capitalist institutions" and leak the data. The group said that hacking into corporations and leaking documents in the "public interest" is the best way for hackers to use their skills for social good. That is not a great message for businesses that are trying to defend themselves.

Phineas Fisher has a long track record of breaking into companies and publishing embarrassing data, so this is not just an idle threat.  Source: Vice

Russian Hacker Extradited to the United States May Be High Value Asset

We see from time to time that hackers are not too bright, or at least act in not-so-bright ways. In this case, a Russian hacker wanted by the US was arrested when he entered Israel in 2015. The US says that he ran the underground credit card market CARDPLANET, which sold over a hundred thousand stolen cards. Why a Russian hacker would think that visiting Israel was safe is hard to say; maybe he thought no one knew who he was, or maybe he is just not very smart.

After Israel arrested him at the request of the US, the Russians tried to bargain him back to Russia under the guise of trying him there. When the Israelis said thanks, but we will handle this ourselves, Russia convicted a young Israeli woman on trumped-up drug charges, and she is serving a 7-year sentence in Russia. Even that did not sway Israel to return him. In the meantime, the Israelis have turned him over to the US and he is awaiting trial here.

Some people say that Russia wants him back because he has first-hand knowledge of Russian interference in the 2016 US elections, but the White House doesn't even admit that Russia hacked the elections, so I am guessing they are not going to press on that issue. But who knows; stay tuned. Source: Brian Krebs

When It Affects the Boss, Well, Just Fix It

A few weeks ago Jack Dorsey, Twitter’s CEO, had his Twitter account hacked.

Until yesterday, you had to give Twitter a phone number to turn on two-factor authentication, and Twitter would send you a text message. You could change the method later, but you had to provide a phone number first. HIS account was taken over by SIM-jacking (so apparently he had not changed his authentication method).

As of November 21, you can set up Twitter two-factor authentication WITHOUT SMS as the second factor. I strongly recommend that you change your Twitter 2FA method to an app-generated code or a security key. Source: Tech Crunch

Apple Tells Congress That You’ll Hurt Yourself if You Try to Fix Your iPhone

Congress pressed Apple on why you, or a repair shop that doesn't pay Apple a licensing fee, should not be allowed to repair your iPhone. Apple's answer was that such repairs could be dangerous.

They also said it costs them more to repair iPhones at Apple stores than they charge for the repairs, which is probably the best reason ever to let other people repair them. Of course, that is not the way Apple sees it. They said that you might leave a screw out or something. Of course, if they provided manuals, that wouldn't be a problem.

Apple would like you and Congress to believe that their repair monopoly is good for you as a consumer. Apple also said that they don't stop consumers from getting repairs from a shop of their choice, even though they modified the iPhone software to disable the phone's touchscreen if the phone is repaired outside the Apple ecosystem. Read more details here.


Yet Another Hosting Provider Hit By Ransomware Attack

SmarterASP.net, a web hosting provider with over 400,000 customers, was infected by ransomware over the weekend.

They are at least the third hosting provider to be hit by such an attack this year.

Affected customer web sites are down, and the company's own website was also down.

Customers logging in saw a directory listing of encrypted files (the screenshot is in the original post and is not reproduced here).

The encrypted files carry the extension kjhbx; the one file left readable is the ransom note (also shown as a screenshot in the original post).
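When you first get back onto a hosting account after an incident like this, the question is how much of the tree was encrypted and where the note is. The following is an added example (not the page's own code, nor anything from SmarterASP.net) of a first-pass triage script: it walks a directory tree, tallies extensions, flags files carrying the kjhbx extension reported above, looks for a ransom note by filename, and measures byte entropy, since encrypted data sits near 8 bits per byte while text sits well below. The sample tree is constructed inside the script; the note name HOW_TO_DECRYPT.txt and the filename hints are assumptions, not details from the article.

```python
# Added example (not from the original post): first-pass triage of a
# directory tree that may have been hit by file-encrypting ransomware.
# The sample tree is constructed here; "HOW_TO_DECRYPT.txt" and the
# NOTE_HINTS words are assumed, not taken from the article.
import math
import os
import tempfile
from collections import Counter

SUSPECT_EXT = ".kjhbx"       # extension reported for the SmarterASP.net attack
NOTE_HINTS = ("decrypt", "readme", "restore", "recover", "ransom")
HIGH_ENTROPY = 7.0           # bits per byte; random/encrypted data is ~7.9-8.0
SAMPLE_BYTES = 65536         # read only the head of each file


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(root: str, suspect_ext: str = SUSPECT_EXT) -> dict:
    """Walk `root` and report suspect files, note candidates and high-entropy files."""
    by_ext = Counter()
    suspect, notes, high_entropy = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            by_ext[ext] += 1
            if ext == suspect_ext:
                suspect.append(path)
            elif any(hint in name.lower() for hint in NOTE_HINTS):
                notes.append(path)
            with open(path, "rb") as fh:
                if shannon_entropy(fh.read(SAMPLE_BYTES)) >= HIGH_ENTROPY:
                    high_entropy.append(path)
    return {
        "by_extension": dict(by_ext),
        "suspect_files": sorted(suspect),
        "ransom_notes": sorted(notes),
        "high_entropy_files": sorted(high_entropy),
    }


def make_sample_tree(root: str) -> None:
    """Constructed sample: two 'encrypted' files, one note, one untouched file."""
    site = os.path.join(root, "wwwroot")
    os.makedirs(site, exist_ok=True)
    for fname in ("index.html.kjhbx", "web.config.kjhbx"):
        with open(os.path.join(site, fname), "wb") as fh:
            fh.write(os.urandom(4096))          # stands in for ciphertext
    with open(os.path.join(site, "HOW_TO_DECRYPT.txt"), "w") as fh:
        fh.write("Your files are encrypted. Contact us to buy the decryptor.\n")
    with open(os.path.join(site, "robots.txt"), "w") as fh:
        fh.write("User-agent: *\nDisallow:\n")


def demo() -> dict:
    """Build the constructed tree in a temp directory and triage it."""
    root = tempfile.mkdtemp(prefix="triage-")
    make_sample_tree(root)
    return triage(root)


if __name__ == "__main__":
    result = demo()
    print(f"{len(result['suspect_files'])} files with {SUSPECT_EXT}, "
          f"{len(result['ransom_notes'])} ransom note candidate(s), "
          f"{len(result['high_entropy_files'])} high-entropy files")
    print("extensions:", result["by_extension"])
```

The entropy check is there because a strain that renames files to a different extension, or none at all, would slip past a pure extension match; compressed archives and images are also high-entropy, so treat that list as a candidate set to review, not a verdict.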

The company has not returned calls so it is unclear if they paid the ransom or are restoring from backups.

If this is like the previous hosting provider attacks, it will likely take weeks for them to restore all the data – if it all can be restored.

A2Hosting and iNSYNQ are two other hosting providers that were attacked earlier this year.

In 2017 South Korean hosting provider Nayana paid a ransom of over $1 million after they were attacked.

Hackers understand that if they can get a hosting provider to pay, the payday is likely a lot larger than from attacking you or me. As a result, attacks against cloud service providers are likely to continue.

There is no obvious notice of the attack on the company's homepage, and for good reason: it is not terribly good for business. They are likely hoping that this disappears off the radar and they can continue signing up customers. There is a note buried on the support site, here. It says don't bother to call us or email us, we are kind of busy right now.

So what does this mean for you?

First of all, check the contract you signed with your cloud provider, either without reading it or without caring. It probably says that they will not charge you while your web site is down. Beyond that, you are likely on your own. Maybe your contract is different, but I doubt it.

You can try suing them for damages, but in light of the contract, that will probably go nowhere.

*IF* you have cyber risk insurance WITH  network business interruption coverage, you will probably be able to collect on your policy, but only if you have that coverage.

From some of the earlier attacks, it took the providers *WEEKS* to recover all the data – if they were able to recover it at all.

ARE YOU OKAY WITH YOUR WEB SITE BEING DOWN FOR A COUPLE OF WEEKS?

ARE YOU OKAY WITH SOME OTHER CLOUD SERVICE PROVIDER THAT IS KEY TO YOUR BUSINESS BEING DOWN FOR A COUPLE OF WEEKS?

ARE YOU OKAY WITH LOSING SOME OR ALL OF YOUR DATA FOREVER?

Assuming the answer to these questions is no, it is up to you to figure out a business continuity plan. And if your data is permanently gone, it is up to you to figure out what to do.

We have read stories of some companies going out of business after one of these attacks because customers fled or they lost all of their data.  These are the minority, but it does happen.

Plan for it now because dealing with it after the fact is no fun.

AND, your cloud service provider is likely not liable, other than not charging you for the service that you are not getting.

Information for this post came from ZDNet.


Security News for the Week Ending November 8, 2019

Comcast Testing Encrypted DNS While Lobbying Against It

Encrypted DNS (either DoH or DoT) has become a political hot button. Recently Vice reported that Comcast is spending hundreds of thousands of dollars lobbying against it. Mozilla is writing to Congress saying that what Comcast is saying is not true and, most interestingly, Comcast is testing its own DoT and DoH services. Apparently, what is important is that they can continue to sell your data, and not much else. Source: Vice

Smart Speakers Can Be Hacked By Laser

Researchers have DEMONSTRATED the ability to talk to your Alexa or Siri by silently pointing a laser at the microphone and modulating the laser so that the microphone thinks you are talking to it. This works through a window. In one test they were able to control an iPad from 33 feet; in another, they were able to control a device from over 300 feet away.

The amount of mischief this could potentially cause is large.

The temporary solution is to place your smart speaker so that no one can point a laser at it from outside your home and tell it to buy stuff, unlock the door or whatever. Source: Wired


Expect Cellular Prices to Go Up; Service to go Down

This is really an informational piece, along with some whining on my part, since there is not much you can do about this.

The FCC today approved the merger between Sprint and T-Mobile, thereby reducing the number of cell carriers from 4 to 3.

The Republican members of the FCC said that, history notwithstanding, this is good for you and me.

Somehow, they think, with less competition, carriers will be more motivated to spend billions of dollars upgrading their networks to support 5G.  They didn’t explain their logic.

It is likely true that the remaining cell phone companies will install some 5G cell towers in super densely populated areas like in the downtown areas of major cities, but beyond that, they have zero motivation to attempt to keep up with countries like China, which already has 10,000 operational 5G cell base stations.

Here is a map of each city where at least one carrier has at least one 5G cell site. Colorado's was in front of Denver City Hall, but the carriers are working on turning on more sites. Remember that (a) you must have a 5G-capable phone (Apple is rumored to be releasing one in the middle of next year) and (b) you must be located OUTSIDE, within a few hundred yards of that 5G cell site.

(5G coverage map from the original post; not reproduced here.)

For example, taking Denver (because I am partial to it), Verizon claims to have at least one cell site live in six areas: Potter Highlands, Highlands, LoDo, the Central Business District, Capitol Hill and the Denver Tech Center.

Contrary to the FCC's claims, none of these are rural; rural customers should expect to see 5G cell sites sometime after never. After all, I can't even get broadband Internet, and I am only 20 miles from downtown Denver, in a sparsely populated area.

Expect the combined T-Mobile/Sprint to fire about 10,000 to 20,000 people (according to Wall Street) as they close redundant stores and merge back office operations.  The union says the number is likely closer to 30,000.  You can’t really blame T-Sprint for doing that.

According to insiders, the FCC actually approved the merger in May, months before the Justice Department said the merger was anti-competitive, but the current administration is more willing to allow the market to do whatever it does.

The FCC did require Sprint to sell its prepaid phone business (used by people who don't have enough money for a traditional phone plan, hence not very profitable to anyone) to Dish, and also to sell Dish some spectrum. Dish is now planning on getting into the phone business as the satellite TV business continues to decline. For the moment, since Dish has, well, exactly zero towers, it is going to buy service from the 3 carriers who do have towers, but within the next 5-10 years it will build out networks, likely in the same densely populated areas where the current 5G build-out is being done.

After all, the deregulation of Ma Bell worked well.  That business is completely in the toilet now and will probably disappear in a few years.

By the way, both Canada and Ireland reduced the number of cell carriers in their countries from 4 to 3 and prices went up for consumers in both cases.  I am sure it will be different here.

Sprint has been trying to merge itself into profitability for years now, but this time they were smarter. They hired a number of ex-FCC commissioners to lobby for them and dramatically ramped up their use of Trump's DC hotel. Hmmm. What could possibly be wrong with this?

Stay tuned.  This deal is still not completely done as a dozen State Attorneys General have filed suit to block the merger.  Whether the courts say that they have any standing in the matter is to be determined.  Source: Vice


If Your iPhone Dies, Does That Make You a Criminal?

No, this is not an Apple-bashing post, just coincidence.  The problem could just as easily happen to an Android user.

The short answer to the question in the title of this post is, apparently, yes, at least according to a court in London.

Here is the story.

Jemima is a digital convert. She is a resident of London and is dedicated to her iPhone. She uses Apple Pay. After all, what could go wrong?

The story starts with her getting on a bus in London and using Apple Pay to pay the fare. Then her iPhone's battery died.

The bad news is that the fare inspector came by and she couldn't prove that she had paid the fare. She gave the fare inspector her information, figuring that the bus company should be able to verify that she had paid.

But she was charged with a CRIME, not being able to PROVE that she had paid the fare, and had to go to court and plead guilty or not guilty.

When she went to court she produced a bank statement showing that she had paid the fare, but they said that wasn't enough.

But apparently she had failed to “register” her Apple Pay with Transport For London.  Which, they said, is actually not required.

But since she had not done that and the digital world doesn’t print you a paper receipt, you get to deal with the mess.

She was found guilty and fined $592. For not paying for the bus. Which she had paid for.

Being a convicted criminal, she was turned down for a U.S. Visa.

MONTHS later, she was able to convince a judge that this was not right and finally had her conviction overturned.

So ponder this when you do things the “convenient” (AKA digital) way.  It can come back to bite you in the ….

Recently, I had a somewhat similar situation but luckily it didn’t turn me into a criminal.

I went to check in for a flight and the airline said I didn't have a reservation. But I had the confirmation number. Of course, no officially issued ticket. I wound up having to pay a ridiculous amount for a last-minute ticket. Ultimately, we were able to track down the problem, but it took quite a while.

Bottom line, understand the risks when you opt for convenience.

And understand the arcane rules of the business you are using, like requiring you to "register" your phone while not really requiring you to register your phone.

And maybe, get a paper receipt.

Oh, Jemima bought an external battery for her phone.

Of course, the challenge is that businesses are "out over their skis," as the expression goes. They are moving so fast into the digital world that they are not ready to deal with what happens when things go sideways.

If you are responsible for a business, consider that. What failure modes do you need to be ready to handle? Don't make it your customer's problem. Plan for it because, well, poo-poo happens.

Source: ZDNet
