Category Archives: Legal

Vaccine Passports

Talk about a political football, oh my.

Florida has passed a law outlawing them. Not sure that Florida is a bastion of privacy – just wants to stick it to certain folks.

But, if some other state or other company requires it, the law is meaningless. Let's say, just making something up, that New York requires a vaccine passport to enter. Joe gets on a plane in Florida and when he arrives in New York, they say “Passport please”. Joe doesn’t have one and complains that Florida law makes that illegal. Joe now gets to get back on the plane and return to Florida. Foreign countries are unlikely to be moved by such a law in Florida.

But some lawyers are saying that even in Florida, such a law may be unenforceable – kind of an illegal law. I guess we have to wait for the courts to decide that one.

But one company has decided to capitalize on this.

CLEAR, the company that runs the fast lane at airports for folks that pay hundreds of dollars a year to go to the front of the line, has created a vaccine passport app. I don’t *think* there is a cost to the user for this one. That probably would not be popular. Businesses, on the other hand, are likely fair game.

Currently 60 stadiums and venues are deploying the CLEAR app, including the New York Mets and the San Francisco Giants. You can use paper proof, but the motivation is that CLEAR is faster.

It seems likely that CLEAR will store your data, probably including every time you use the app.

Privacy advocates are rightfully concerned about this.

United Airlines is already using the app in their LA to Hawaii flights since Hawaii has requirements for vaccines and/or negative tests.

Excelsior pass is New York’s version of CLEAR. Built by IBM and only for New York residents, it is another competitor in what is going to be a crowded field.

Several European countries have built apps for access to transportation, gyms and even restaurants.

To use the CLEAR app, you take a picture of your driver's license and upload it with a selfie. They then connect to hundreds of labs to look for results. Not sure what happens if your name is not in one of those databases.

I am sure that these apps are unhackable. That is certainly a valid concern, depending on how much data they keep.

This battle is far from over. It is not clear how it is going to turn out. On the other hand, you might be right, but still get your butt shoved back in an airplane seat to go home — at your cost — instead of starting your vacation, so you do have to consider whether that is a battle that you are willing to fight.

Also remember that getting in the face of airline personnel, border agents and police can get you thrown into jail, particularly in some foreign countries, but even in the U.S. This week an airline passenger on a Miami to New York flight had to be zip-tied by an off-duty cop after she assaulted a flight crew member. The passenger said that the cops weren’t going to do anything, just before they zip-tied her into her seat. She was arrested when the plane landed in New York and is being charged with several felonies. Credit: Yahoo

Credit: Cybernews and MSNBC

Cybersecurity News for the Week Ending April 30, 2021

Signal Tells Cellebrite to Back Off

Signal is the encrypted message app created by white hat hacker Moxie Marlinspike and his team. Cellebrite is the Israeli company that cracks cell phones for law enforcement. Cellebrite claims to be able to crack Signal's messages (it is not clear if they are breaking the crypto or have figured out a way to get Signal to decrypt messages for it). Moxie says that Cellebrite’s software development practices are so bad that he can totally corrupt – subtly – any data that they collect. He proposes a truce which he knows they won’t accept. In the meantime he is planting timebombs in his software so that if Cellebrite looks at his data, well, sorry Cellebrite. Credit: Hackread


Third Party Risk. Third Party Risk. Third Party Risk.

I can’t say it enough. We hire these vendors and then they get breached. And we get sued. This time it is the California DMV. They use a vendor to verify people’s addresses. Not exactly sure why, but it might make sense to outsource it. The vendor is American Funds Transfer Services (AFTS). AFTS got hit by ransomware and they had 20 months’ worth of data (why?). They said they shut down the network real quick after they figured out they were attacked AND they hired a whole new company to build them a bright, shiny, new, (?more secure?) network. THESE FOLKS JUST LOST THEIR CONTRACT WITH THE DMV AS A RESULT OF THE ATTACK – consider that! Credit: Freightwaves

Feds Delay Real-ID Requirement Again

After terrorists flew planes into the Twin Towers on 9/11 the feds decided that the real problem was that our driver's licenses were not secure enough, allowing terrorists to get fake IDs. That was the genesis of the RealID Act in 2005. It requires states to get better identification of people before issuing licenses, including people who already have one, but more importantly to the feds, it gives them access to all 50 states' driver's license databases. A few states have resisted and the feds have come back and said well, then, you won’t be able to board airplanes or enter federal buildings. That was 2005. Until this week, the deadline to prevent terrorists from getting driver's licenses was October 2021. Think about that. If it really was anything other than a big data grab, would waiting 20 years to fix the so-called problem be acceptable? Now, due to Covid, they moved the deadline back to May 2023. While all states finally succumbed to federal pressure, less than half of the driver's licenses in circulation have been updated to meet the requirement. Credit: CNN


Feds Tell Businesses to Tighten Security in Wake of Russian Attacks

In light of SolarWinds and other attacks, the feds are telling businesses to review any connections between their business networks (IT) and their control networks (OT). OT networks are the networks that control the electrical grid, water, sewer and gas. But they are also used in manufacturing, refining and normal businesses. The feds say, correctly, that every connection between your IT network and your OT networks increases the attack surface. Credit: Cyberscoop

Babuk Ransomware Group Says Encryption Unnecessary for Extortion

Babuk, one of the big ransomware groups that even had an affiliate program, has figured out where the money is. Encrypting your data has not encouraged enough people to pay the ransom. On the other hand, stealing your data and threatening to publish or sell it is generating good revenue, so they are shifting their business model. No longer are they encrypting your data; they are just stealing it. Of course, this is just one ransomware gang. Credit: Bleeping Computer

Security News for the Week Ending April 23, 2021

USTRANSCOM Starts CMMC Lite Now

The DoD’s transportation command, the folks who are in charge of getting all the stuff that the military needs from where it is to where it needs to be, has announced that they are implementing a light version of CMMC NOW instead of waiting for the five years that it is going to take DoD to fully roll CMMC out. The plan for TRANSCOM is to be able to confirm or deny cyber compliance, they say. This is even though the DoD delayed its report to Congress on vendors’ compliance with CMMC. It was due in March but now won’t be ready until June. TRANSCOM’s plans come at the same time that some are complaining that security is too hard and too expensive – even though they have been certifying for three years that they were fully compliant with the standard. Now that someone is actually saying “prove it”, they are saying it is hard. The move to actually protect our nation’s service members and information from our adversaries will not be easy, as we learned when the SolarWinds attack was revealed, but that doesn’t mean that we should not do that. Credit: Federal Computer Week

FCC Allocation of New Bandwidth for WiFi – A Duel to the End

Last year, as WiFi usage skyrocketed, the FCC allocated 1200 MHz of bandwidth in the 6 GHz range for unlicensed WiFi. But the problem is that someone’s ox will always get gored since there is no “unallocated” bandwidth. While this is great news for WiFi 6, the new WiFi standard (and WiFi 6E in particular), the people who currently use that bit of spectrum (like some carriers and first responders) are not thrilled. Last October, the DC Circuit Court of Appeals denied a request for an emergency stay, even though the court said that they would hear the arguments later. Last month the incumbent users made their arguments in court, saying that this FCC order would interfere with them. Now oral arguments begin. No one knows how this will end, but the fight is just starting. If, however, the courts refuse to issue a stay, it is going to be a moot point.

After Google gets you Hooked, they Are Changing the Rules

For Google Photos, effective June 1, 2021, and for Google Drive, effective February 1, 2022, all that free unlimited storage is gone. NEW files uploaded to your account after the effective dates will count toward your storage quota, whatever that quota is. To ease the sticker shock, existing files will be grandfathered in. You can see what your storage usage is, here.

Google and Microsoft are Fighting – Can You Imagine That?

Google is trying to figure out how to track people to sell advertising as state privacy laws make that more difficult. Their newest invention is something named Federated Learning of Cohorts. It has been widely criticized by privacy folks. In short, it puts users in anonymous (supposedly) buckets by behavior and tries to show you ads based on what FLoC you are in. It is turned on in Chrome 90 and I don’t see a way to turn it off. Microsoft did not include it in their new build of Edge. Take that Google! Credit: Bleeping Computer

EU Creates AI Rulebook

The European Commission released a draft version of a new regulation on the use of AI – the first time a regulator has proposed to do this. The EU says this rule is to create transparency in the use of AI and ban “systems considered a clear threat to the safety, livelihoods and rights of people”. Whatever that means. It also is proposing stricter rules on the use of biometrics such as facial recognition. Here is the draft rule.

What Will the New State Privacy Laws Mean

As California and Virginia start rolling out their new privacy laws and Washington and Florida look like they will be next, what is the impact on businesses?

Most companies are likely going to implement a strategy of "this state is the most aggressive; let's follow this one and we should be good for all the rest." This is MOSTLY true; each state has some quirks, so what does this look like? This is what Ballard-Spahr says:

The only one of these that is not LAW YET is Washington.

Here are a couple of interesting hand grenades.

For companies processing personal information that presents significant risk to the consumer’s privacy, CPRA requires an annual cybersecurity audit and delivery of a copy of the risk assessment to CPPA (the regulator) on a regular basis. Details to follow.

What does sensitive personal information mean? It depends.

For California, it means SSN, driver's license, passport, financial accounts, credit or debit cards, geolocation info, race, religion, genetic data, union membership, sexual orientation and other information. Florida doesn’t define it. Virginia and Washington say it includes race, religion, medical, genetic, biometric, geolocation, PI of a minor, sexual orientation and citizenship status. While a lot of companies do not collect this info, some do.

Washington and Virginia require a Data Protection Assessment if you use the information for targeted advertising, sales, profiling where risks are involved, sensitive PI as described above or activities with heightened risks. Whatever that means. Sales probably includes most everyone.

You must provide a copy of the DPA to the state AG if he or she asks nicely. No subpoena required.

Next you have to worry about opt out notices. For California, you have to give both a do not sell and a limit use of sensitive data notice, although they can be combined. Florida only requires a do not sell link. Washington and Virginia are quiet about it, but it could be defined in the regulations. We see a lot of that in California.

Finally, how much is it going to cost you if you screw up? California and Florida have a private right to sue you and can nick you for statutory damages of up to $750 per record or actual damages if more. In all four states the AG can nick you for up to $7,500 per record for intentional action, if minors are involved. Virginia and Washington add their attorneys’ fees and costs to the mix.

Needless to say, it is probably better to follow the rules.

Credit: Ballard Spahr

The Regulators Are Making a Point

Last month New York’s Department of Financial Services (DFS) fined Residential Mortgage Services $1.5 million for not having a compliant cybersecurity program and, even worse, not telling the regulator that they had a breach.

DFS said that RMS did not investigate the breach seriously, did not conduct a comprehensive risk assessment and did not notify the victims.

This month DFS went after National Securities Corp.

DFS says that they had four separate cybersecurity “events” between 2018 and 2020.

DFS noted that during a 2019 incident an employee’s email account was compromised and, oh, yeah, NSC had not implemented multifactor authentication, which is required by law.

In another event, a broker of the company discovered a potentially unauthorized transfer of $200,000. As the investigation continued, they discovered more unauthorized transfers. Ultimately, the company wrote a check to the client for $400,000. Even then, they did not have multifactor authentication enabled.

They did finally implement multifactor authentication in August of last year.

Out of curiosity – have you implemented multifactor authentication on all systems?

In the consent order, the regulator pointed out the obvious. You have to have MFA enabled, even for third party applications.

As the regulator dug into things, they discovered two more incidents that were not reported as promptly as possible and specifically, not within the 72 hours as required by law.

Regulated entities that do business in New York are required to file an annual report with the regulator, signed by the CEO or CoB or similar person. The company claimed they were in compliance in that report, but according to DFS, because of all of these issues, they were not in compliance.

They fined National Securities $3 million and, as is typical in these cases, they said that they could not be reimbursed by insurance. They want them to feel the pain.

A summary of what happened can be found here.

Reading the consent order, one thing that the regulators seem to have focused in on is the fact that this company, like many companies, uses dozens of third party applications and many of these applications did not have multifactor authentication turned on.

In some cases, third party apps do not support multifactor authentication. In that case, you have to follow a process to assess the risk and implement alternate security measures. This process needs to be reassessed every single year. Companies have to follow this process for each application for which they cannot implement multifactor authentication.

The consent order requires the company to file a comprehensive incident response plan with the department within 120 days.

They also, according to the consent order, need to submit a comprehensive cybersecurity risk assessment.

For both of these items, the consent order lists specific items these documents need to include.

They also have to provide a copy of compliant policies and procedures and documentation of all cybersecurity awareness training in the same time frame.

I am not sure if this will be a monthly event with the regulators or not, but I do think they are getting tired of businesses ignoring the laws.

While this only affects companies that do business in New York (wherever they may be located), we are also seeing noise from other states, such as California, which has just created a whole new regulatory agency. Funded, I might point out, by the fines that they issue.

Add to that the fact that Virginia’s governor just signed a bill into law that is even more comprehensive than California’s and that there are a number of other states (Florida, Texas, Washington, for example) that are likely to enact similar laws this year.

Consider what the New York regulator is doing as a “shot across the bow”. Do not expect this to go away. Also understand that the condition of not getting reimbursed by insurance is a pretty standard requirement.

To quote Dirty Harry: “Do you feel lucky?”

If not, now is the time to get busy.

Security News for the Week Ending April 16, 2021

Not a Good Week for Social Media Privacy

After the January 6th attack on the US Capitol, we saw terabytes of conversations and videos and profiles from the alt-right Twitter clone Parler posted online. Last week we saw 500+ million Facebook profiles for sale on the dark web (Facebook says this isn’t a breach) and then we saw another 500 million Linkedin profiles for sale. This week it is Clubhouse, but since it is new, there are only a million+ users in the free database. These social media sites on one hand sue people for taking their data but on the other hand, say that actions like this are not a breach because they offer APIs that allow people to do it. What is the message? Anything associated with your social media world is not private and is fair game. Credit: Cyber News

Some Said Biden Would Cave to China – Not Yet Apparently

The US has just added seven new Chinese companies to the ENTITY LIST, the list of companies that US businesses cannot work with unless they get a get out of jail card from the Commerce Department. These seven companies are supercomputer makers and Chinese National Supercomputing Centers. Looks like the pressure is still on. Credit: ZDNet

Hackers and Blockchain

One way the fuzz have been able to take down botnets is to disable their command and control server(s). Most malware that uses a command and control center hard codes the C&C address or addresses or puts them in a DNS record. If law enforcement takes down those servers or reroutes their traffic to a black hole, the botnet is dead. Hackers are creative, so they came up with a workaround.

Put the information they need on the Blockchain. Or many blockchains. Since the Blockchain is both public and immutable, problem solved. If we change the rules regarding whether someone can change a Blockchain, the entire usefulness of the Blockchain and all of the industries that have been built up around it, including all of the value stored in Bitcoin, gets flushed down the toilet. The current worldwide value of all Bitcoin is about $160 billion. If the cops have to break all blockchains worldwide to catch a hacker, I suspect that there will be a lot of unhappy people. I don’t think any government is interested in risking $160 billion (and growing) of capital to take down a hacker. Not sure how to fix this. Dictatorial countries might be willing to destroy their capital market, but I don’t think western countries are willing.

If this happens you better dump any Bitcoin you have quickly. Credit: Bruce Schneier

Domain Name Service Security Neglected by US Energy Companies

Unfortunately, there is no surprise here.

The Biden administration says utilities in the United States are sort of clueless when it comes to cybersecurity. Data collected shows that nearly 80% of the top energy organizations are at risk of cyberattacks due to totally elementary cyber hygiene errors – either willful or through ignorance.

80% of the organizations do not use domain registry locks, which help stop domains from being hijacked. More than 66% use consumer grade registrars, likely because they are a little bit cheaper but also because they don’t understand that those registrars have weak security practices. I looked up my electric utility. They passed the first test and failed the second. Only 3% use DNSSEC (mine does not). Only 17% use DNS hosting redundancy. While 73% have some sort of DMARC policy in place, many are set to NONE, meaning that the setting is useless. This is pretty much in line with the results found as part of a global test last year.
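The four hygiene items above (registry lock, DNSSEC, DNS hosting redundancy, and a DMARC policy that is not "none") can be checked mechanically once you have a domain's WHOIS status codes and DNS records in hand. The script below is an added example, not code from the original post or from the survey it cites; the `DomainSnapshot` structure, the `assess` and `failed_checks` helpers, and the two sample domains are constructed for illustration. It encodes the practitioner's rules of thumb: registry lock appears as `server*` EPP status codes (set by the registry, unlike `client*` codes which a registrar can clear), DNSSEC shows up as DS records at the parent zone, hosting redundancy means nameservers at more than one provider, and a DMARC record with `p=none` only asks for reports and tells receivers to take no action on failures.

```python
"""Assess a domain's DNS hygiene against the four items named in the survey.
Added example; the snapshot format and helper names are assumptions,
and the sample records below are constructed, not real lookups."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DomainSnapshot:
    """Constructed snapshot of what WHOIS and DNS lookups would return."""
    domain: str
    epp_status: List[str]       # EPP status codes from WHOIS
    ds_records: List[str]       # DS records at the parent zone; non-empty = signed
    nameservers: List[str]      # NS hostnames
    dmarc_txt: Optional[str]    # TXT at _dmarc.<domain>, or None if absent


# Registry lock is reflected in server* codes, which only the registry can set or clear.
REGISTRY_LOCK_STATUSES = {
    "serverTransferProhibited", "serverUpdateProhibited", "serverDeleteProhibited",
}


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; return None if it is not DMARC."""
    if txt is None:
        return None
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    return tags


def provider_of(ns):
    """Approximate the hosting provider by the last two labels of the NS hostname."""
    labels = ns.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def assess(snapshot):
    """Return (check, passed, detail) tuples for the four hygiene items."""
    findings = []

    has_lock = bool(REGISTRY_LOCK_STATUSES & set(snapshot.epp_status))
    findings.append(("registry_lock", has_lock, sorted(snapshot.epp_status)))

    findings.append(("dnssec", bool(snapshot.ds_records),
                     f"{len(snapshot.ds_records)} DS record(s)"))

    providers = {provider_of(ns) for ns in snapshot.nameservers}
    findings.append(("ns_redundancy", len(providers) >= 2, sorted(providers)))

    dmarc = parse_dmarc(snapshot.dmarc_txt)
    if dmarc is None:
        findings.append(("dmarc", False, "no DMARC record"))
    else:
        policy = dmarc.get("p", "none").lower()
        # p=none requests reports only; receivers take no action on failing mail.
        findings.append(("dmarc", policy in ("quarantine", "reject"), f"p={policy}"))
    return findings


def failed_checks(snapshot):
    """Names of the checks the snapshot fails, in assessment order."""
    return [name for name, ok, _ in assess(snapshot) if not ok]


# Constructed samples: one matching the weak profile the survey describes, one hardened.
WEAK = DomainSnapshot(
    domain="example-utility.test",
    epp_status=["clientTransferProhibited"],
    ds_records=[],
    nameservers=["ns1.cheapdns.test", "ns2.cheapdns.test"],
    dmarc_txt="v=DMARC1; p=none; rua=mailto:dmarc@example-utility.test",
)
HARDENED = DomainSnapshot(
    domain="example-utility.test",
    epp_status=["clientTransferProhibited", "serverTransferProhibited", "serverUpdateProhibited"],
    ds_records=["12345 13 2 <digest placeholder>"],
    nameservers=["ns1.providera.test", "ns2.providera.test", "ns1.providerb.test"],
    dmarc_txt="v=DMARC1; p=reject; rua=mailto:dmarc@example-utility.test",
)

if __name__ == "__main__":
    for label, snap in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, "fails:", failed_checks(snap))
```

In practice you would populate `DomainSnapshot` from a WHOIS query and DS/NS/TXT lookups for your own domains and run `assess` on a schedule; a `p=none` result or a missing DS record is the finding to route to whoever owns the registrar account.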

As I said, no surprise, but a lot of disappointment. Credit: Security Week