Category Archives: Legal

The Power of the Cloud

As you are probably aware by now, somewhere upwards of 100 celebrities have had private pictures of themselves posted on 4Chan and many other sites yesterday.  Earlier today Reddit was going crazy with comments and pictures.  Some of the celebrities who have confirmed that the posted pictures are of them include Jennifer Lawrence, Kate Upton and Mary Elizabeth Winstead.

Needless to say, these stars are not happy about things, but how does this affect you?

Time Magazine reported that one theory of what happened is that a hacker exploited a vulnerability in Apple’s Find My iPhone service, patched today (coincidentally?), that allowed a brute force attack against your account.  Some tech observers discount this explanation, saying there is evidence that some photos came from Android phones that don’t back up to Apple services.

Whatever the answer is, it is a reminder that nothing is perfect.  There are however a number of things that you can do.

First is to do a risk assessment.  If you are a celebrity and you have taken nude pictures of yourself and your partner engaging in “adult activities”, perhaps the risk of storing those in the cloud exceeds the rewards of doing that.  Of course the problem may be that you may not clearly understand what is being copied from your phone or pad to the cloud and what is not.  That is part of a risk assessment.

If you are a business person, the same is true.  If you have trade secrets, forward-looking financial information, business partners’ confidential information, etc., then a risk assessment will help you determine whether a public cloud is a good place to store this information.

Training your employees in good computer hygiene is important, but people tend to zone out on that stuff.  Convenience usually wins out over security.

If you are a business, understand where your employees are storing your information.  A few years ago a friend was doing an assessment for a client and he asked the client how many Sharepoint sites they had.  The CIO thought it was around 50.  After an audit, it turned out to be around 1,300.  Slight difference.  If you don’t know where your data is, you cannot protect it.

Encryption.  Whenever and wherever possible, encrypt stuff.  It doesn’t mean that the bad guys can’t steal it, but you definitely make it harder.  And, make sure that the encryption is not easily compromised.
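As an added example (not from the original post), here is what “encrypt stuff before it goes to the cloud, and make sure the encryption is not easily compromised” looks like in practice: client-side AES-256-GCM in Go using only the standard library. GCM authenticates the data, so a tampered or swapped blob fails to decrypt instead of yielding garbage; a fresh random nonce is drawn per object; and the object’s storage path is bound in as additional authenticated data so one object cannot be quietly served in place of another. The key, object path and plaintext below are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Sealed is what actually leaves the building: a fresh random nonce and
// the AES-GCM ciphertext, which already carries its authentication tag.
type Sealed struct {
	Nonce      []byte
	Ciphertext []byte
}

// Encrypt protects plaintext with AES-256-GCM under a 32-byte key.
// label is additional authenticated data (here: the object's storage
// path). It is not encrypted, but decryption fails if it does not match,
// so an attacker who can shuffle blobs around in the bucket cannot
// silently serve one object in place of another.
func Encrypt(key, plaintext, label []byte) (*Sealed, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A nonce must never repeat under the same key; draw it from the
	// OS CSPRNG for every object rather than deriving it from the data.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return &Sealed{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, label)}, nil
}

// Decrypt reverses Encrypt. Any change to the nonce, ciphertext, tag or
// label makes gcm.Open return an error instead of bogus plaintext.
func Decrypt(key []byte, s *Sealed, label []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, s.Nonce, s.Ciphertext, label)
}

func main() {
	// Constructed demo key. In practice the key lives in a KMS or HSM,
	// never in the same bucket as the data it protects.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	label := []byte("backups/q3-forecast.xlsx") // constructed object path
	sealed, err := Encrypt(key, []byte("FY forecast: revenue up 12%"), label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("upload %d ciphertext bytes, nonce %x\n", len(sealed.Ciphertext), sealed.Nonce)

	plain, err := Decrypt(key, sealed, label)
	fmt.Printf("decrypt with correct label: %q, err=%v\n", plain, err)

	_, err = Decrypt(key, sealed, []byte("backups/other.xlsx"))
	fmt.Printf("decrypt with wrong label: err=%v\n", err)
}
```

The design choice worth noting is the authenticated mode: plain AES-CBC with no MAC would still “encrypt stuff”, but it would let a bit-flip in the stored blob go unnoticed until someone acted on the corrupted contents.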

Review your third party service providers and partners that have access to your information.  This may include performing a security audit on some or all of these providers.  Financial institutions have been doing this with their third party service providers for years.  It is a cost that you bear and it should not be a “one size fits all” process.  An external risk mitigation expert can help you analyze the risk and come up with a plan.  If one of your providers balks at participating in an assessment OR balks at fixing the issues that the assessor found, then you have a decision to make.  NOTE:  This is NOT the same thing as a PCI audit, because it covers information that is not related to customer credit card or other NPI data.

You can follow all of the recommendations above, but the list is not complete and, for many companies, the expertise and bandwidth to do this internally is not there.  I recommend that you get a risk mitigation assessment performed by a competent external security expert at least once a year.  You can and often should conduct internal assessments first, but the external assessor doesn’t have an axe to grind.  If you pick a vendor to do this who just happens to sell the PERFECT product to fix the issues he or she found, be suspicious of the vendor’s motives.  It could be a coincidence, but also, it might not be.

Once you have the assessment document, you and your Chief Risk Officer need to review the recommendations and make a business decision regarding which identified risks you are willing to accept and which ones you are going to address.  There may be a number of ways to address a given risk with different costs and impacts.  The security assessor can assist you with this analysis by providing an objective framework and process, but ultimately the executive team and likely the Board will need to make some business decisions.

As more information is stored digitally and the business consequences (legal, reputation and financial) increase, a cyber risk mitigation assessment should be an annual event.

Mitch Tanenbaum

Significant number of major businesses hit by Backoff malware

After my last post, a new article came out about the Backoff malware.  The article, quoting the US Department of Homeland Security, said that over a thousand small, medium and enterprise U.S. businesses have been compromised by the Backoff malware package.

Backoff is fairly new – first seen last year – and scrapes the memory of POS systems.  Seven POS vendors have confirmed that they have multiple clients affected.  The Secret Service is involved.  It is believed that this malware is responsible for the breaches at Target, SuperValu and UPS.

The attackers break into the POS systems using a variety of techniques and then install the malware on the system.  Once the malware is installed, every transaction on the system from that point forward will be compromised.

Mitch Tanenbaum


Why we are going to see more card breaches at retailers

An article in VentureBeat the other day suggested 7 reasons why we are going to continue to see credit card breaches at retailers.  First I will share their list, then I will add my own.

Their list includes:

  1. The PCI standard is failing to protect merchants from breaches.
  2. Merchants are not implementing P2PE.
  3. Retailers introduce new payment hardware (such as tablets) that is neither designed nor tested for security issues in a hazardous retail environment.
  4. Merchants add new features to their payment platforms as patches to already buggy systems.
  5. Many of the POS systems are still running Windows XP.
  6. Many card breaches lead to Russia.  Russian hackers attack American systems as a patriotic move.
  7. EMV is not a silver bullet.

The article goes into more detail on each of these, but these reasons probably are obvious.  I don’t disagree with any of these conclusions.

Possibly the biggest reason that we will see continued breaches is that fixing the problem is hard.  It requires changes to software, way more testing, replacement of old, outdated platforms and changes to business processes.  All of these require time, money and possibly expertise that both brick and mortar and online retailers have not yet prioritized high enough.  So, what retailers do is comply with the PCI rules and state laws and leave it at that.

On top of it, no matter what you do, there is no quick fix.  You can do many different things and still get hacked.  It has been, and likely always will be, a cat and mouse game.

And, the public is quick to forget (although this has not yet worked for Target – they are still struggling a bit), so retailers add a few more patches and call it good.

From the retailer’s perspective, if someone told you to spend an unending bucket-o-cash on a problem without any assurances that the problem will be fixed, what would you do?

Anyone got a silver bullet?

Mitch Tanenbaum


Traffic lights are easy to hack

According to an article on CNN’s web site, many traffic lights in the US are easy to hack.

Earlier this summer researchers in Michigan demonstrated how easy it was to hack into the traffic lights in an undisclosed city.

The traffic lights in question are made by Econolite, the largest manufacturer of traffic controls in the U.S.

Used to be, the controllers were all mechanical and the only way to control them was to drive to the intersection, open the control box and do what you needed to do. Now they support WiFi and anyone with a laptop – and in the case of the undisclosed city above – the default userid and password which is published in the manual – can get in and change or shut down the traffic lights.

There is a standard in the U.S. for traffic controllers, NTCIP 1202, that all manufacturers support. It is also susceptible to the same problems if cities don’t change the default settings.

The interesting thing is that with a little work cities could make the traffic lights more secure.  However, that requires money (time) and since most cities are strapped for cash, nothing is likely to change.

Until some hacker decides to shut down a city by turning off all the traffic lights or making them all red or whatever.  All of a sudden folks will get religion.

Mitch Tanenbaum

To disclose or not to disclose

In an August 12, 2014 post on, the information security executive at Urban Outfitters, Dawn-Marie Hutchinson, argued against disclosure of breaches.  In fact, the company’s policy is to notify their lawyers first so that they can use attorney-client privilege.

While I sort of understand the concept of not disclosing things too soon (like before you have any facts, for example), I have also seen companies not disclose breaches for 6 months or more.

I will argue that if customers find out that you have had a breach and decided not to tell them – without respect to whether that is even legal in many states – I can guarantee that you will tick off more people than if they find out from you in a timely and responsible fashion.  Social media will go crazy once it does get out – it always does.  Guaranteed.

For many years – prior to CA SB 1386, the grandfather of all breach laws – companies were not required to disclose and, for sure, security was much better then – NOT!

So what is the argument for not disclosing, or not disclosing early?  Customers will beat us up.  Right!  What’s your point?  If you insist as a business on keeping a lot of customer information and not protecting it well, then you should get beat up.  The answer to that is to communicate.  Do it at the appropriate time.  Take responsibility.  Explain things.  Have people understand the world is not going to end.  And yes, you will likely take a short term hit.

Security is a business (financial) decision just like everything else a company does.  It has to be weighed against all the other needs that those dollars can also be spent on.  However, the pre-CA SB 1386 world was not more secure than the post-CA SB 1386 world.  In fact, most companies are paying way more attention now than they ever have.  It’s a VERY hard problem.  The hackers only have to be right (get in) one time.  The company has to be right (keep the hackers out) every time.  I have been doing this for a long time – it is not easy or simple.

Now maybe what Ms. Hutchinson was suggesting was that your first call after finding out about a possible breach should NOT be to the NY Times or Wall Street Journal.  If so, then I agree with her.  Responsible disclosure means just that.  Responsible.  You have to have some facts in order to be responsible.

Does that mean 1 day?  1 week?  1 month?  Probably one of those.  It does not mean silence, however.

Mitch Tanenbaum

Update:  Here is another article on the issue.


A Billion here, a billion there …

It has been reported in the NY Times, among other places, that a Russian crime gang has amassed 1.2 BILLION userid/password combinations, along with 500 million email addresses.  Even to me, that is a large number.

The passwords represent data stolen from 420,000 web sites, including both large and small companies.

The bad news is that they are not disclosing the names of the sites that have been compromised, in part because many of them are still vulnerable.  What this means is that you as a user have no idea where to look.

Ultimately, this tells us that the security processes and mechanisms that we are using have failed and cannot be fixed, but rather must be changed.

The challenge is that people don’t like change and will, for the most part, resist it  — which is why we are still using userids and passwords.

Apparently, this particular gang is currently only using this data to spam people, but that does not mean that it will only be used for that or that the gang won’t morph into a different business model.  If they do change into a financial crime model, it could get pretty ugly.

For now, all you can do is be vigilant, and that is hard to do for more than a short period of time.  Do pay special attention to important sites like online banking and bill pay, credit cards and e-commerce sites.

Even though it is inconvenient, I avoid allowing web sites to store my credit card and bank account information.  This is especially true for the smaller sites.  Remember that if your userid and password have been compromised and the site has your credit card information, your credit information is also compromised.  So, while you may not care if the hackers know that you are buying jeans at Wal-mart, you probably care if those crooks can lift your credit card information from that site.

The better web sites do not allow you to see your credit card information after it has been entered (other than the last 4 digits) to make harvesting the card information harder.
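An added example, not from the original post, of the last-four-digits practice described above, in Go: the merchant validates the number the customer typed (format and Luhn check digit), hands the full number to the payment processor, and persists only the processor’s opaque token plus the last four digits. Anything rendered back to the customer is masked, so a stolen userid/password pair on this site yields no usable card number. The card number is the well-known Visa test number and the token is a constructed placeholder.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// CardRecord is all the merchant keeps once the processor has the card:
// a processor-issued token to charge against and the last four digits
// so the customer can recognise the card. The full number is never stored.
type CardRecord struct {
	Token string // opaque reference issued by the payment processor
	Last4 string
}

// normalizePAN strips the spaces and dashes people type and checks that
// what is left is a plausible card number: 13 to 19 digits, valid Luhn.
func normalizePAN(raw string) (string, error) {
	var b strings.Builder
	for _, r := range raw {
		switch {
		case r >= '0' && r <= '9':
			b.WriteRune(r)
		case r == ' ' || r == '-':
			// separators are tolerated and dropped
		default:
			return "", errors.New("card number contains non-digit characters")
		}
	}
	digits := b.String()
	if len(digits) < 13 || len(digits) > 19 {
		return "", errors.New("card number must be 13 to 19 digits")
	}
	if !luhnValid(digits) {
		return "", errors.New("card number fails Luhn check")
	}
	return digits, nil
}

// luhnValid is the ISO/IEC 7812 check-digit test: from the right, double
// every second digit, fold anything over 9 by subtracting 9, and require
// the total to be a multiple of 10. It catches typos, not fraud.
func luhnValid(digits string) bool {
	sum := 0
	double := false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// MaskPAN renders a card number for display with everything but the last
// four digits replaced, e.g. "************1111".
func MaskPAN(raw string) (string, error) {
	digits, err := normalizePAN(raw)
	if err != nil {
		return "", err
	}
	return strings.Repeat("*", len(digits)-4) + digits[len(digits)-4:], nil
}

// StoreCard builds the record the merchant persists. token is what the
// processor handed back after receiving the full number; the full number
// itself never reaches the merchant's database.
func StoreCard(raw, token string) (CardRecord, error) {
	digits, err := normalizePAN(raw)
	if err != nil {
		return CardRecord{}, err
	}
	if token == "" {
		return CardRecord{}, errors.New("processor token required")
	}
	return CardRecord{Token: token, Last4: digits[len(digits)-4:]}, nil
}

func main() {
	// 4111 1111 1111 1111 is the standard Visa test number, not a real card.
	masked, err := MaskPAN("4111 1111 1111 1111")
	fmt.Println(masked, err)

	rec, err := StoreCard("4111-1111-1111-1111", "tok_constructed_001") // constructed token
	fmt.Printf("%+v %v\n", rec, err)

	_, err = MaskPAN("4111 1111 1111 1112") // one digit off: Luhn catches it
	fmt.Println(err)
}
```

Note what is absent: there is no decrypt path, because there is nothing to decrypt. Keeping only a token and the last four digits is what makes “you can’t see the card number after entering it” a property of the data store rather than of the web page.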

Stay tuned … there will be more details I am sure.