Category Archives: Legal

Security News for the Week Ending December 25, 2020

First of all, Merry Christmas and a Happy New Year.

OCC, FRB and FDIC Propose New Rule – Tell Us If You Have a Security Incident

The federal banking regulators are proposing a new rule that banks and tech companies that service banks need to report to their regulator within 36 hours if they have a security incident (like ransomware) that impacts their operations. I suspect that banks have been hiding these in the large stack of forms they file daily, hoping their regulator doesn’t catch what is going on. In *MY* opinion – long past due. It covers everyone who is part of the Federal Reserve System or the FDIC, among others. Credit: FDIC

FBI Says Iran Behind pro-Trump ‘enemy of the people’ Doxing Site

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) say that Iranian actors are “almost certainly” behind the creation of the website (currently down), basing the assertion on “highly credible information.”

The agencies add that in mid-December 2020 the website contained death threats aimed at U.S. election officials. Among them are governors, state secretaries, former CISA Director Christopher Krebs, FBI Director Christopher Wray, and people working for Dominion, the company providing the voting systems. Credit: Bleeping Computer

Facebook and Google Get a Little Too Friendly on Ads

While Google and Facebook supposedly compete in the ad business, with the two of them controlling over half the market, there was a bit of preferential treatment. In 2018 they announced a deal where Facebook’s advertisers could buy ads within Google’s ad network. What they did not announce was a secret deal where Facebook would get preferential treatment if they backed down on getting their advertisers to switch to a Google competitor. These days it is hard to keep secrets that big secret. Credit: Cybernews

Microsoft and McAfee Join Ransomware Task Force

19 tech companies, security firms and non-profits have joined together to fight ransomware. The task force will commission expert papers on the topic, engage stakeholders across industries, identify gaps in current solutions, and then work on a common roadmap to have issues addressed among all members. The result will be a standardized framework for dealing with ransomware attacks across verticals, based on industry consensus. They start playing together next month. Stay tuned to see what they produce. Credit: ZDNet

Homeland Security Releases Guide Warning About Chinese Equipment and Services

The Chinese government, along with Russia, has shown that it has a virtually insatiable appetite for stealing our stuff, whether that is personal information or trade secrets. This DHS document talks about the risks of partnering with Chinese firms and/or allowing your data to be stored in China or Chinese-controlled data centers. It talks about how China has constructed its laws so that the government can get access to anything that it wants and what you can do to reduce the risk a little bit. A copy of the report can be downloaded here.

After a Cyber Attack the Details Matter

So you have been hacked and the hackers stole your customers’ data. You try to do the right thing and notify them. By email. Because that might be the only address you have for them.

But many times that email never makes it to your customer. Blocked by the customer’s email service provider or spam filter.

Are YOU now liable for failing to notify your customer? Ouch!

Bulk emails will be treated with suspicion even if they do get delivered to your customer’s inbox, so what should you do?

Even if the customer no longer uses your product, has unsubscribed from your email list or has black holed your company’s emails, you still need to notify them.

The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) last week released best practices recommendations for sender organizations on securely delivering mandated emails. You need to read this; it is a real page turner.

The number one thing to do is to plan in advance. Equifax tried doing it the other way and it was a disaster.

Some of their tips include making sure that you have all of the email security features (SPF, DMARC, DKIM) enabled.

Send it from a trusted domain. Equifax created a new domain for the breach. New equates to malicious in email filters’ minds – especially if that new domain is sending out boatloads of emails – all of which go in the garbage.

Make it obvious from the subject line that this is not a piece of marketing email.

Keep the body as simple as possible with no marketing links.
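The SPF, DKIM and DMARC tips above are things you can check before the day you need them. Below is an added example (not from the M3AAWG document or this post) that parses the three DNS TXT records a receiving mail server consults and flags the settings that get bulk notification mail rejected or quarantined. The record strings, the `example.invalid` domains and the key material are all constructed samples, not any real domain’s records.

```python
"""Assess the SPF, DKIM and DMARC records of a sending domain for
breach-notification mail. Added example; records below are constructed."""
import re

# Constructed records for a hypothetical, well-configured sender domain.
SAMPLE_RECORDS = {
    "spf": "v=spf1 include:_spf.example-esp.invalid ip4:198.51.100.0/24 -all",
    "dmarc": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.invalid; pct=100",
    "dkim": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAconstructed",
}

# Constructed records showing the settings that hurt deliverability.
WEAK_RECORDS = {
    "spf": "v=spf1 include:_spf.example-esp.invalid ?all",
    "dmarc": "v=DMARC1; p=none",
    "dkim": "v=DKIM1; k=rsa; p=",
}

SPF_TERM = re.compile(
    r"^([+\-~?]?)(all|include:.+|ip4:.+|ip6:.+|a(?::.+)?|mx(?::.+)?)$", re.I
)


def parse_tags(record):
    """Parse a 'tag=value; tag=value' record (DKIM or DMARC) into a dict.
    Splitting on the first '=' keeps base64 padding in the DKIM 'p' tag."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def parse_spf(record):
    """Return the SPF mechanisms and the qualifier on the final 'all' term
    ('+', '-', '~', '?' or None when the record has no 'all')."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        match = SPF_TERM.match(term)
        if not match:
            raise ValueError(f"unsupported SPF term: {term}")
        qualifier, mechanism = match.group(1) or "+", match.group(2)
        if mechanism.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append(mechanism)
    return {"mechanisms": mechanisms, "all": all_qualifier}


def assess(records):
    """Return findings that would hurt delivery of a mandated notification;
    an empty list means the three records look sound."""
    findings = []

    spf = parse_spf(records["spf"])
    if spf["all"] is None:
        findings.append("SPF: no 'all' term, so unlisted senders are neutral")
    elif spf["all"] == "+":
        findings.append("SPF: '+all' authorizes every host on the internet")
    elif spf["all"] == "?":
        findings.append("SPF: '?all' is neutral; use '~all' or '-all'")

    dkim = parse_tags(records["dkim"])
    if dkim.get("v", "DKIM1") != "DKIM1":  # the v tag is optional in DKIM
        findings.append("DKIM: unexpected version tag")
    if not dkim.get("p"):
        findings.append("DKIM: empty 'p' tag means the selector key is revoked")

    dmarc = parse_tags(records["dmarc"])
    if dmarc.get("v") != "DMARC1":
        findings.append("DMARC: missing or malformed record")
    elif dmarc.get("p") not in ("quarantine", "reject"):
        findings.append("DMARC: p=none only monitors; set quarantine or reject")
    if "rua" not in dmarc:
        findings.append("DMARC: no 'rua' address, so failures go unreported")
    if int(dmarc.get("pct", "100")) < 100:
        findings.append("DMARC: pct below 100 leaves part of the mail unprotected")
    return findings


if __name__ == "__main__":
    for name, recs in (("sample", SAMPLE_RECORDS), ("weak", WEAK_RECORDS)):
        print(name, assess(recs) or ["no findings"])
```

The functions take plain record strings, so the same checks can be run against live records fetched with any DNS library (for example dnspython’s `dns.resolver.resolve(name, "TXT")`, which is not used here so the example stays offline). Running this against the domain you intend to send from, well before an incident, is the cheap version of the planning the post recommends.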

These are just some of their recommendations. Your compliance or legal team needs to be well versed in the do’s and don’ts.

If you do not already have a plan, now is the time to create one.

Solar Winds Breach Keeps Getting Better

Well, maybe better is not the right word.

Quick catch up for those of you who are not following this.

The Russians hacked the software update process for the high end network management software called Orion from Solar Winds. This software is typically used by large enterprises and government agencies. This hack gave them access to emails and other data inside these businesses and government agencies.

Initial reports were that the Russians had hacked the State Department, Treasury Department and part of the Commerce Department along with an unknown number of private companies. Solar Winds said the number of businesses affected might be as high as 18,000. Security consulting company FireEye was the first company that admitted they were hacked.

Then the government added the National Institutes of Health and DHS to the list of hacked organizations.

There are now reports that Microsoft was hacked, but Microsoft is, for the moment, denying this.

The Department of Energy said that the National Nuclear Security Administration was hacked. The NNSA is responsible for the safety of the U.S. nuclear weapons stockpile. What could go wrong there? But, they say, not to worry. After the Russians had been rummaging around our stuff for 6-9 months, we took immediate action to mitigate the risk once we found out that we had been hacked.

Bloomberg says that three UNidentified states were also among the hacked, while the Intercept says that the Russians have been inside the City of Austin for months.

In the meantime, CISA, the security department inside Homeland Security, says that the attack poses a “grave risk” to the United States. They said the unnamed adversary, widely believed to be Russia, has demonstrated an ability to compromise software supply chains and that they likely had additional initial attack vectors besides Solar Winds.

This means that every company and not just the 18,000 Solar Winds customers need to be on high alert until we figure out the scope of the breach.

Tom Bossert, former national security advisor in the White House, says this calls for immediate and decisive action by the President. But given that this White House seems incapable of saying anything bad about Putin, that is not likely to happen. CNN is reporting that the Department of Agriculture, Department of Defense and the US Postal Service were also invaded. At this point the White House has not said anything about this likely Russian hack.

But here is the scariest part.

How do you recover from this when you don’t know what is compromised and what is safe?

The only sure way to deal with this is to build an entirely new network with entirely new servers and other equipment side by side to the old network. Then you have to figure out if anything in the old network is salvageable. What is not repairable needs to be melted down.

This cannot be done cheaply and it cannot be done quickly.

The good news is that most of the companies and organizations that were affected were large and hence will be able to swallow the millions of dollars this will cost each organization. The government, of course, both prints money and taxes us, so they have no shortage of funds to repair this problem.

But let’s assume that this is only the tip of the iceberg – that there were multiple attacks using multiple attack vectors. Then what?

I predict that most private industry companies do not know if their networks are currently compromised.

On top of this, it is unlikely that most organizations will ever be able to figure out what the Russians looked at. In part, this is due to the fact that logs are not tracking everything and also because it took so long to detect, many older log files have been erased.

This is, unfortunately, just the beginning. We will continue to update as this unfolds.

Ransomware Operators Up The Ante

Israeli insurance company Shirbit was hit by a ransomware attack last week. The hackers demanded 50 Bitcoin within 24 hours. 50 Bitcoin is about a million dollars.

When they didn’t do that, the hackers started leaking the company’s data and doubled the ransomware demand to 100 Bitcoin or about two million dollars.

They said that if Shirbit still didn’t comply, they would raise the demand to 200 Bitcoin or about $3.8 million in the following 24 hours.

AND then they would start leaking more data every 24 hours as well as selling some of the data.

One thing of interest here is the timeline. Every 24 hours the rules change. That means that you, as a business, need to be completely prepared because you do not have time to figure it out on the fly.

In the US, you also have to figure out whether paying the ransom is even legal and if not, what your alternatives are.

The insurance company says that they looked and the data that was stolen won’t hurt their customers. That may depend on your definition of hurt. I think that remains to be seen. You may remember that Travelex said their ransomware attack would not have a material effect on their business. Then it declared bankruptcy a couple of months later.

Credit: The Jerusalem Post

Security News for the Week Ending December 4, 2020

France Says it is Going Ahead with Digital Tax

France has been complaining that U.S. companies (mostly) have not been paying their fair share of French taxes since they are not selling widgets that are delivered in France, so they came up with this digital tax, a 3% tax on digital services delivered in France. They held off for a while trying to get some sort of international tax agreement, but that does not appear to be happening, so they are moving forward with the tax. It only affects companies doing business in France with revenue of more than 25 million Euros. Is this the wave of the future? Credit: Cybernews

FCC Chairman Pai to Step Down on Jan 20

Ajit Pai announced that he will step down from the FCC on inauguration day rather than having the new President fire him, which is almost guaranteed. Pai, a former telecom industry lawyer and lobbyist, said that he may try to create some rules in his remaining two months in support of the President’s efforts to hurt Facebook, Twitter and similar companies. Those rules would likely be reversed on the day after inauguration, so it is not clear why he would waste taxpayer money doing that, but that is Washington for you. Credit: CNBC

How Many Phishing Sites?

Since the beginning of this year, Google has flagged 46,000 web sites EACH WEEK as phishing sites. That is over 2 million so far this year. This is a 20% increase over last year and the year is not over. Hackers can buy as many sites as they want, but, in part, they are looking for “look alike” sites – sites with a zero swapped for an Oh or an “L” swapped for a “1”. But also, they just take over sites with bad security. There is almost no way to track that, but I can say from personal analysis that there are way more of the second kind than the first kind. Credit: KnowBe4

Docker Malware – It’s a Thing

Docker containers are the darling of the development world – lightweight and easy to deploy; self-contained and OS agnostic, supported in the cloud – everything that developers want.

Three years after the first Docker malware showed up, it is now common. Malware gangs are now targeting Docker and Kubernetes.

Many of the attacks – surprise – are due to misconfigured Docker servers, leaving them exposed to attack. It appears that we in IT never learn. Even though the tech is delivered slightly differently, the basics still apply.

To make a point, researchers looked at images publicly available in the Docker Hub. 51% had critical vulnerabilities and 6,500 of the images tested could be considered malicious.

You can wait until you are compromised or you can get ahead of the freight train. Credit: ZDNet and Dark Reading

Even Before Dust Settles on Swiss/CIA Deal to Subvert Encryption …. Another One

Even before all of the investigations are complete into the CIA’s compromise of Crypto AG, which sold compromised encryption hardware to both our friends and enemies so we could spy on them, another story surfaces. Apparently Crypto AG was not the only one. Now the Swiss media is reporting that the CIA controlled another Swiss crypto company, Omnisec. The Swiss politicians are going crazy and calling for executions in the public square. Stay tuned, but assume your crypto has been compromised. By someone. Credit: Security Week

California Privacy Rights, Part 2

The California Privacy Rights Act, CPRA, AKA Prop 24, was approved by voters on November 3rd. This is a continuing story on its potential impact.

Some simple answers first:

When does it go into effect: January 1, 2023.

Who has to comply: That is still murky. There was a $25 million revenue minimum in CCPA and that is still here. It now says that the revenue was for the prior year, but it does not say whether that is California revenue or worldwide revenue. Do you feel lucky?

Number of records: That number has doubled from 50,000 to 100,000, but for most companies, that is still a small number of visitors to a website. It also now excludes devices in the count, so that adds some relief to the number. It is still a small number.

Revenue: CCPA only counts revenue from selling data, but companies like Facebook don’t sell your data – so they tried to claim they were exempt. CPRA says revenue from sharing your data (a new term) is now included in the calculation.

Commonly controlled entities: The new law says that you only have to add numbers together for commonly controlled entities if the entities have common branding and consumers are likely to understand that the entities are the same company.

New data category: sensitive information: Like GDPR in Europe, there is now a category of sensitive information that includes your ID numbers, financial information, account credentials, geolocation data, race and ethnicity, biometric information, health information and sexual orientation. That is a lot of the information that companies collect today.

New right: Limit the use of my sensitive information: This right lets a resident tell a business that it may only use their sensitive information to perform the function the resident asked it to perform. This may require a new, special, opt-out link.

New right: Correct my information. Somehow CCPA forgot this one. Now residents will have the right to have their information corrected and businesses will need to track these requests.

Opt out rights expanded. The new law allows not only the right to opt out of sale but also the right to opt out of sharing data for behavioral advertising purposes, whether money changes hands or not.

Expanded right to deletion: Under the new law, you now have to track everyone that you share data with. If someone asks you to delete their data, you have to get third parties to delete that data too.

Watch for part 3. This law is a bit of a beast. Getting ready now is a good plan.

Credit: The Jones Day law firm