Category Archives: Legal

Small Businesses Face Big Cyber-Risks

Is your business prepared for a cyber breach?  Besides the cost, there is the potential for damage to your reputation, loss of customers, distraction while dealing with it and the potential for lawsuits, which can go on for years.

An article at AZCentral.com talks about the subject and the fact that hundreds of small businesses have been hacked recently.  The challenge with cyber-breaches is that the bad guy gets your data but you still have it too, so you might not even be aware that you have been attacked.

Sometimes you are never aware that you have been attacked.  Other times, the media catches it and announces it – like with Home Depot.  Still other times, law enforcement pays you a visit and lets you know.

Don’t think that because you are a small business you are immune.  In fact, hackers assume that small businesses likely have fewer defenses and are less likely to discover an attack.  Statistics indicate that about a third of all data breaches are against organizations with fewer than 100 employees.

Cyber-insurance may help with the costs and your defense in court if it goes there (there are over 50 lawsuits pending against Target right now), but that won’t help with the distraction and the damage to your reputation.

Cyber-insurance is a non-standard product meaning that the exclusions and limitations vary from policy to policy.  Assuming you don’t have cyber liability insurance, you should consider it.  If you do, you should review it to understand what is covered and what is not covered.  This is a case where surprises are not a good thing.

For many businesses, cyber risk mitigation is an area where bringing in outside expertise is a good idea.

Mitch Tanenbaum

Sometimes the simple con is the best con

According to an article in Business Insider, Sharron Laverne Parrish, Jr. scammed Apple 42 times with a very simple scam.  He presented debit cards on closed accounts for purchases – apparently in the thousands of dollars each.  When the card was declined, he offered to call his bank and handle it.  Except he was not talking to his bank.

At the end of the conversation, he would give the Apple employee an override code and take his purchases.  This worked at Apple stores in 16 states, which would indicate they may have a process or training issue.

Since the store opted to override the decline, the store is on the hook for the fraud, not the bank.  He did this twice to some stores, to the tune of over $300,000!

Apparently, as long as the syntax of the authorization code is correct, no validation is performed on the code.  How’s that for smart?

He’s not the first person to do this.  The article talks about another person who did a similar thing to Victoria’s Secret, Banana Republic and others to the tune of $550,000!

Moral of the story – make sure employees are well trained and up to date on the current scams.

 

Mitch Tanenbaum

Russian tool grabs nude selfies from iCloud accounts

Yes, this is for real.  Russian entrepreneurs have figured out there is a market for this.

According to an article in ITWorld, there is a business in hacking iCloud accounts.  Get the password by some means and then, using EPPB from Elcomsoft, the hacker can grab just pictures or contacts or messages – just what their customer wants.

And also, since this is tedious, there are posts on the hacker boards for services that will do this for a fee.  You provide the credentials, they give you the data.  They don’t ask how you got the credentials – they don’t want to know.  That is their way to avoid the question of whether what they are doing is legal or not.  Of course, if it is illegal, do you plan to go to Russia or Ukraine or some other country to arrest them?  Good luck getting a US police agency to do that.  We will see if the FBI finds the person or persons who leaked the nudes of Jennifer Lawrence, Kate Upton and others this weekend and IF they find them, if they can be extradited, brought to trial and convicted.  That might, possibly, work if you are a famous celebrity, but fat chance if you are not.

Elcomsoft’s EPPB is targeted to law enforcement, but they will sell it to anyone who has $399.  If that is too much, hacked copies are available on the hacker boards as well.

My philosophy is that any backup you put in the cloud should be encrypted and ONLY YOU should have that key.  If the decryption is transparent to you (meaning the provider either has the key or can generate the key), it is likely transparent to the crooks also, so it won’t help you.

Apple says this is not their problem and recommends that you use two factor authentication when logging on to iCloud.  While this is not, in my opinion, as good as what I suggested above, that is all they offer right now.  It is better than nothing.

Clouds are wonderful and can be very pretty (enticing).  Just make sure that you know what you are getting in to.

Mitch Tanenbaum

The Power of the Cloud

As you are probably aware by now, somewhere upwards of 100 celebrities have had private pictures of themselves posted on 4Chan and many other sites yesterday.  Earlier today Reddit was going crazy with comments and pictures.  Some of the celebrities who have confirmed that the posted pictures are of them include Jennifer Lawrence, Kate Upton and Mary Elizabeth Winstead.

Needless to say, these stars are not happy about things, but how does this affect you?

Time Magazine reported that one theory of what happened is that a hacker exploited a vulnerability in Apple’s Find My iPhone Service that was patched today (coincidentally?) that allowed for a brute force attack against your account.  Some tech observers discount this explanation saying there is evidence that some photos came from Android phones that don’t backup to Apple services.

Whatever the answer is, it is a reminder that nothing is perfect.  There are however a number of things that you can do.

First is to do a risk assessment.  If you are a celebrity and you have taken nude pictures of yourself and your partner engaging in “adult activities”, perhaps the risk of storing those in the cloud exceeds the rewards of doing that.  Of course the problem may be that you may not clearly understand what is being copied from your phone or pad to the cloud and what is not.  That is part of a risk assessment.

If you are a business person, the same is true.  If you have trade secrets, forward looking financial information, business partners’ confidential information, etc., then a risk assessment will help you determine whether a public cloud is a good place to store this information.

Training your employees in good computer hygiene is important, but people tend to zone out on that stuff.  Convenience usually wins out over security.

If you are a business, understand where your employees are storing your information.  A few years ago a friend was doing an assessment for a client and he asked the client how many Sharepoint sites they had.  The CIO thought it was around 50.  After an audit, it turned out to be around 1,300.  Slight difference.  If you don’t know where your data is, you cannot protect it.

Encryption.  Whenever and wherever possible, encrypt stuff.  It doesn’t mean that the bad guys can’t steal it, but you definitely make it harder.  And, make sure that the encryption is not easily compromised.

Review your third party service providers and partners that have access to your information.  This may include performing a security audit on some or all of these providers.  Financial institutions have been doing this with their third party service providers for years.  It is a cost that you bear and it should not be a “one size fits all” process.  An external risk mitigation expert can help you analyze the risk and come up with a plan.  If one of your providers balks at participating in an assessment OR balks at fixing the issues that the assessor found, then you have a decision to make.  NOTE:  This is NOT the same thing as a PCI audit because it covers information that is not related to customer credit card or other NPI data.

You can follow all of the recommendations above, but the list is not complete and, for many companies, the expertise and bandwidth to do this internally is not there.  I recommend that you get a risk mitigation assessment performed by a competent, external, security expert at least once a year.  You can and often should conduct internal assessments first, but the external assessor doesn’t have an axe to grind.   If you pick a vendor to do this who just happens to sell the PERFECT product to fix the issues he or she found, be suspicious of the vendor’s motives.  It could be a coincidence, but also, it might not be.

Once you have the assessment document, you and your Chief Risk Officer need to review the recommendations and make a business decision regarding which identified risks you are willing to accept and which ones you are going to address.  There may be a number of ways to address a given risk with different costs and impacts.  The security assessor can assist you with this analysis by providing an objective framework and process, but ultimately the executive team and likely the Board will need to make some business decisions.

As more information is stored digitally and the business consequences (legal, reputation and financial) increase, a cyber risk mitigation assessment should be an annual event.

Mitch Tanenbaum

Significant number of major businesses hit by Backoff malware

After my last post, a new article came out about the Backoff malware.  The article, quoting the US Department of Homeland Security, said that over a thousand small, medium and enterprise U.S. businesses have been compromised by the Backoff malware package.

Backoff is fairly new – first seen last year – and scrapes the memory of POS systems.  7 POS vendors have confirmed that they have multiple clients affected.  The Secret Service is involved.  It is believed that this malware is responsible for the breaches at Target, SuperValu and UPS.

The attackers break into the POS systems using a variety of techniques and then install the malware on the system.  Once the malware is installed, every transaction on the system from that point forward will be compromised.

Mitch Tanenbaum

Why we are going to see more card breaches at retailers

An article in Venturebeat the other day suggested 7 reasons why we are going to continue to see credit card breaches at retailers.  First I will share their list, then I will add my own.

Their list includes:

  1. The PCI standard is failing to protect merchants from breaches
  2. Merchants are not implementing P2PE
  3. Retailers introduce new payment hardware (such as tablets) that are neither designed nor tested for security issues in a hazardous retail environment
  4. Merchants add new features to their payment platforms as patches to already buggy systems.
  5. Many of the POS systems are still running Windows XP
  6. Many card breaches lead to Russia.  Russian hackers attack American systems as a patriotic move
  7. EMV is not a silver bullet.

The article goes into more detail on each of these, but these reasons probably are obvious.  I don’t disagree with any of these conclusions.

Possibly the biggest reason that we will see continued breaches is that fixing the problem is hard.  It requires changes to software, way more testing, replacement of old, outdated platforms and changes to business processes.  All of these require time, money and possibly expertise that both brick and mortar and online retailers have not yet prioritized high enough.  So, what retailers do is comply with the PCI rules and state laws and leave it at that.

On top of it, no matter what you do, there is no quick fix.  You can do many different things and still get hacked.  It has been, and likely always will be, a cat and mouse game.

And, the public is quick to forget (although this has not yet worked for Target – they are still struggling a bit), so retailers add a few more patches and call it good.

From the retailer’s perspective, if someone told you to spend an unending bucket-o-cash on a problem without any assurances that the problem will be fixed, what would you do?

Anyone got a silver bullet?

Mitch Tanenbaum