Category Archives: Legal

US Sets Up Multi-Agency Anti-Ransomware Task Force

As part of CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act) in the just-passed omnibus spending bill, CISA is required to stand up a Ransomware Task Force. Jen Easterly, head of CISA, having just won the battle that requires companies to report breaches and ransomware payments to her rather than the FBI (which pissed off the FBI enough that they publicly suggested that Congress not pass the Act), offered an olive branch and made the FBI co-chair of the task force.

The idea is to coordinate government-wide efforts to curb ransomware. In this case, it does not mean more prosecution, although that is certainly something that Lisa Monaco would love to do.

No, what I think would be the smartest thing and, I think, what Jen Easterly understands, is that the government already has an amazing amount of information and resources.

It also has an amazing number of silos due to power-turf wars. Every agency’s report card gets an “F” under plays well with others.

If she can figure out a way to cut through some of the turf (everything in Washington is about power and the appearance of power), then maybe we won’t have another 9-11 where one agency knew about the attackers but did not share with others, according to the 9-11 commission.

If they are successful at distributing all of the information that they already have and can actually get people to act, we can significantly cut down the attack surface.

How do hackers work? They look at the patches that vendors release and know that businesses (and even worse, government agencies at the local and state level) won’t patch for weeks or months and figure out how to weaponize them. That only takes a few days. They likely have weeks to months to use those weapons before the “locks on the doors” get changed. Combine that with social engineering and you have a powerful weapon and weapon delivery system.

And in fairness, if we can get the LEOs (the FBI, state and local law enforcement) to work together: there are a lot of hackers in the United States, and those are all within the reach of the cops – if they only know who to look for.

But there are some things in government that don’t change. Jen said the group will hold its first official meeting in the next few months.

Pardon me, you can’t find an hour to meet next week or the week after?

I guess it is just not that much of a priority.

Credit: Data Breach Today

Security News for the Week Ending May 20, 2022

Flaw in uClibc Allows DNS Poisoning Attacks

A flaw in all versions of the popular C standard libraries uClibc and uClibc-ng can allow for DNS poisoning attacks against target devices. The library is likely used in millions of Internet of Things devices that will never be patched and will always be vulnerable. This is where Software Bill of Materials is kind of handy. Credit: ThreatPost
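The "handy" part of an SBOM is that it lets you answer "which of our firmware images ship this library?" from inventory data instead of from a teardown. Added example, not from the original post or any vendor: it reads a few constructed CycloneDX-style SBOMs (bomFormat/components/name/version are real CycloneDX fields; the device names, components and versions are made up) and matches them against a small advisory list. The uClibc entries use `fixed_in=None` to mirror the "all versions" wording above; the `example-tls` advisory is a placeholder that only exists to exercise the version-range logic.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Constructed SBOMs in CycloneDX JSON shape. Device and component names/versions are
# invented for this example and do not describe any real product.
SBOMS = {
    "camera-fw-3.1": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "uclibc-ng", "version": "1.0.38"},
            {"type": "library", "name": "busybox", "version": "1.35.0"},
        ]}),
    "router-fw-7.2": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "uClibc", "version": "0.9.33.2"},
            {"type": "library", "name": "example-tls", "version": "2.2.1"},
        ]}),
    "thermostat-fw-2.0": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "glibc", "version": "2.31"},
            {"type": "library", "name": "example-tls", "version": "2.4.0"},
        ]}),
}


@dataclass
class Advisory:
    component: str            # lower-case component name to match against
    fixed_in: Optional[str]   # None: no fixed release exists, every version is affected


# Placeholder advisory list; the uClibc rows reflect "all versions affected",
# the example-tls row is constructed to show the fixed-version comparison.
ADVISORIES = [
    Advisory("uclibc", None),
    Advisory("uclibc-ng", None),
    Advisory("example-tls", "2.3.0"),
]


def version_key(version: str) -> tuple:
    """Turn '1.0.38' into (1, 0, 38) so tuples compare numerically; non-numeric parts count as 0."""
    return tuple(int(part) if part.isdigit() else 0 for part in version.split("."))


def is_affected(name: str, version: str, adv: Advisory) -> bool:
    if name.lower() != adv.component:
        return False
    if adv.fixed_in is None:
        return True
    return version_key(version) < version_key(adv.fixed_in)


def affected_devices(sboms: dict, advisories: list) -> dict:
    """Map each device image to the list of 'name version' strings that match an advisory."""
    hits = {}
    for device, document in sboms.items():
        bom = json.loads(document)
        for comp in bom.get("components", []):
            version = comp.get("version", "0")
            for adv in advisories:
                if is_affected(comp["name"], version, adv):
                    hits.setdefault(device, []).append(f"{comp['name']} {version}")
    return hits


if __name__ == "__main__":
    for device, components in affected_devices(SBOMS, ADVISORIES).items():
        print(f"{device}: {', '.join(components)}")
```

Devices whose SBOM does not list an affected component simply do not appear in the result, which is exactly the inventory question you cannot answer without an SBOM for firmware that will never be patched.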

Cyberattack on Hawaii Undersea Cable Thwarted

Homeland Security thwarted an attempted hack of an undersea cable that connects Hawaii with other parts of the Pacific region. While Homeland is not releasing any details of the attempted attack, if the attack shut down traffic, that would be really bad for the region. Just one cable, for example, the Hawaiki Transpacific Cable, runs for 15,000 km and has a capacity of 67 Terabits per second. Credit: Star Advisor

Will the Mickey Mouse Protection Law Go Up in Flames

Full disclosure: I have never been a fan of this law, so if it goes away, it won’t bother me. As some Republicans try to hurt Disney (trying to abolish the Reedy Creek special district, for example), Senator Hawley (R-Mo) introduced legislation to roll back the insane copyright “terms” that companies have used to make money off characters created a century ago. The downside of Hawley’s move is that it likely will anger a lot of people who make money off that 120-year copyright term, and they might choose to make donations to the other team to get even. Given that Washington runs on “contributions” and those donors are likely going to explain that fact, I would say the odds of this passing are not great, but who knows. Credit: MSN

Feds Write Memo That Says They Pinky Promise Not to Charge Security Researchers Under CFAA

Sometimes I probably come across as cynical. That is because I am. While it is great that finally the DoJ wrote a memo that says that they are not going to charge security researchers for finding security holes, that memo only has just a little bit more weight of law than if I wrote that memo. There is nothing binding on the DoJ. Still, I guess, it is better than nothing. Credit: The Daily Swig

Sanctions Have Some Effect on Russia’s Tech Sector

Since Russia can no longer buy AMD and Intel processors, they had to find an alternative. The solution seems to be a KaiXian KX6640MA. This is an Intel-compatible chip, but it is a bit slow. One CPU benchmark reported that a 4-core, 4-thread chip scored 1,566 points on the CPU benchmark. By comparison, an Intel Core i3, which is the slowest of the current Intel family, scored 14,427. Not exactly a match, and for anything that is time critical, that is a problem. Guess how you would feel if someone replaced your computer with one that was 1/10th as fast. Credit: PC Magazine

Bluetooth Spec Says it is not Secure – They Are Right

There have been many issues over the years with passive (keyless) entry systems, including but not limited to vehicles.

In this case, researchers at the NCC Group used a “relay attack” to not only unlock a Tesla Model 3, but also start it and drive away.

A relay attack works like this. You put one phone near the key fob and another phone near the car. These two phones talk to each other and, with $50 worth of Bluetooth hardware, they relay the signal from the fob to phone 1, from phone 1 to phone 2, and from phone 2 to the car.

Some of these relay attacks don’t work because there is a time delay introduced in this type of attack, but these researchers figured out how to work within the timeout window.
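Why the timeout window is the whole game, as an added simulation that is not part of the original post or the NCC Group research: a car challenges the fob with a random nonce and the fob answers with an HMAC over it. The answer is cryptographically valid wherever the fob is, so the only thing that can distinguish a fob beside the car from one whose traffic is being forwarded is elapsed time. The latencies, the shared key and the two "policies" below are constructed; the relay is modelled purely as added one-way delay.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass

# Constructed shared secret standing in for whatever the fob and car agree on at pairing.
PAIRED_KEY = b"constructed-demo-key-not-a-real-secret"

# Constructed one-way latencies for the simulation, in milliseconds.
DIRECT_ONE_WAY_MS = 1.5    # fob physically next to the car
RELAY_EXTRA_MS = 20.0      # extra one-way delay from forwarding through two intermediaries


@dataclass
class Fob:
    key: bytes

    def answer(self, nonce: bytes) -> bytes:
        # The fob signs whatever nonce reaches it. The answer is correct no matter how far
        # away the fob is, which is why cryptography alone cannot detect a relay.
        return hmac.new(self.key, nonce, hashlib.sha256).digest()


@dataclass
class Car:
    key: bytes
    timeout_ms: float    # how long the car waits for any reply at all
    rtt_bound_ms: float  # largest round trip the car still treats as "fob is nearby"

    def unlock_attempt(self, fob: Fob, one_way_latency_ms: float) -> dict:
        nonce = secrets.token_bytes(16)
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()
        # Simulated clock: the nonce travels out, the answer travels back.
        rtt_ms = 2 * one_way_latency_ms
        if rtt_ms > self.timeout_ms:
            return {"unlocked": False, "reason": "no reply before timeout", "rtt_ms": rtt_ms}
        reply = fob.answer(nonce)
        if not hmac.compare_digest(reply, expected):
            return {"unlocked": False, "reason": "bad response", "rtt_ms": rtt_ms}
        if rtt_ms > self.rtt_bound_ms:
            return {"unlocked": False, "reason": "round trip too long for proximity", "rtt_ms": rtt_ms}
        return {"unlocked": True, "reason": "ok", "rtt_ms": rtt_ms}


def run_scenarios() -> dict:
    """Same fob, same key; only the car's policy and the path latency change."""
    fob = Fob(PAIRED_KEY)
    # Loose policy: the only clock is a generous protocol timeout, the situation described above.
    loose = Car(PAIRED_KEY, timeout_ms=100.0, rtt_bound_ms=100.0)
    # Strict policy: same timeout, but a round-trip bound close to the direct path's own RTT.
    strict = Car(PAIRED_KEY, timeout_ms=100.0, rtt_bound_ms=5.0)
    relayed = DIRECT_ONE_WAY_MS + RELAY_EXTRA_MS
    return {
        "loose_direct": loose.unlock_attempt(fob, DIRECT_ONE_WAY_MS),
        "loose_relayed": loose.unlock_attempt(fob, relayed),
        "strict_direct": strict.unlock_attempt(fob, DIRECT_ONE_WAY_MS),
        "strict_relayed": strict.unlock_attempt(fob, relayed),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:15} unlocked={result['unlocked']!s:5} "
              f"rtt={result['rtt_ms']:.1f} ms ({result['reason']})")
```

Under the loose policy both attempts unlock the car, because the forwarded answer is a perfectly good HMAC and arrives well inside the timeout; under the strict policy the relayed attempt is refused on timing alone. The caveat is the one the researchers make: radio waves cover roughly 150 km in a millisecond of round trip, so a bound enforced by application software on top of a general-purpose Bluetooth stack is far too coarse to prove the fob is within a few metres, and real distance bounding has to be done at the physical layer.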

While they only tested a Model 3, they think the attack will also work on a Model Y.

Tesla has a history of problems like this. In 2014 researchers were able to unlock a Tesla. In 2016 another group was able to create a similar attack. Also in 2016, the Tesla app was compromised to track, locate and start vehicles. In 2018 Belgian researchers were able to clone the Tesla key fob and get full access to the car.

It’s worth noting that the Bluetooth Core Specification makes no claims that BLE proximity signals are secure. In Proximity Profile specification updates from 2015, the Bluetooth Special Interest Group (SIG) stated “the Proximity Profile should not be used as the only protection of valuable assets,” and additionally “there is currently no known way to protect against such attacks using Bluetooth technology.”

https://www.theregister.com/2022/05/17/ble_vulnerability_lets_attackers_steal/

Credit: The Register

These researchers say that this is not a bug that can be fixed with a software patch, nor is it an error in the specification. Instead, it is a problem with using the protocol for something that it was not designed to do (security).

Tesla says that they are not going to fix it. They do say that you can disable the proximity feature.

The researchers also say that this attack will work on any other Bluetooth proximity device such as other cars, smart locks, building access systems, mobile phones, laptops and many other devices.

This is one of those cases where convenience won out over security. Credit: Helpnet Security

Preserving Text Messages

CIOs have always had to worry about the challenges of preserving evidence, but now we have a whole new class of challenges.

The so called Duty to Preserve comes into play when one party learns about the possibility of litigation. This happens, many times, before any lawsuit is actually filed. Once a party has reasonable knowledge of potential litigation, they have to make sure that potential evidence is not deleted (note: I am not a lawyer, so this may not, exactly, be technically correct, but it is close).

So let’s assume that you are the CIO of a company. It is relatively easy to preserve emails – there are many solutions for what is called a litigation hold.

It is much harder to deal with employees’ personally owned computing devices, which includes phones.

Most companies, unless they are in a particular industry like financial services, don’t have a requirement to preserve anything absent pending litigation. Once you think there could be pending litigation, things change.

Think about these things –

  • Facebook Messenger UNSEND
  • iMessage TAP BACK
  • iMessage (and many other platforms) automatic delete function
  • Signal and Telegram’s delete functions

In Fast v. GoDaddy, Fast used the unsend feature to stop disclosure of 109 messages. The court was not happy with this and sanctioned them. The court even fined them $10,000. Eventually, they did cough up 108 of the messages, but the last one never appeared.

The court concluded that the failure to produce this message warranted the court’s issuance of an adverse inference instruction at trial. Basically, this means that the judge will tell the jury that because of the failure to produce this evidence, you can assume the contents were not favorable, or worse (again, I am not trying to be a lawyer here, but you get the idea).

The iMessage tapback feature allows an iPhone user to send back an emoticon in response. But if the recipient is an Android user, they get a copy of the message again. If you intended to delete the message, that is not what you want. At a minimum, it could signal the existence of a deleted message. Again, the judge issued an adverse inference instruction because messages were selectively deleted, but because of the tapbacks, forensics could see that messages had been deleted.

If you use a messaging platform that either can or does automatically delete old messages and you have a duty to preserve, the courts can, again, issue sanctions.

That includes ephemeral messages that go away after a few seconds.

So now the IT department has to manage preserving evidence on user owned devices. Doesn’t that sound like fun. Credit: Prof. Eric Goldman’s blog, guest post by Philip Favro

Security News for the Week Ending May 13, 2022

Chinese Sponsored OPERATION CUCKOOBEES Active for Many Years

Researchers with cybersecurity firm Cybereason briefed the FBI and Justice Department as early as 2019 about Operation CuckooBees, an alleged espionage effort by Chinese state-sponsored hackers (named Winnti or APT41) to steal proprietary information from dozens of global defense, energy, biotech, aerospace and pharmaceutical companies. The companies compromised include some of the largest companies in North America, Europe and Asia. These attacks go back to at least 2019 and they have stolen intellectual property, R&D, diagrams of fighter jets, helicopters, missiles and more. Credit: The Record

Spain’s Spy Chief Fired After News She Hacked Spanish Politicians

I guess they don’t like it when you use the laws they created against them. It doesn’t appear that she did anything illegal. Got a court order and everything. But, it was them she was spying against. The other problem she had was that there were dozens of other government officials who were also spied on, but it is not clear by whom. That includes the PM and Defense Minister. Their phones were declared spyware-free – but were not. Credit: Security Week

EU Proposes to Kill Child Abuse by Killing Privacy

The challenge of curbing kiddie porn, sometimes referred to by the more polite term child sexual abuse material (CSAM), is hard. End-to-end encryption makes that even harder. One current EU proposal would require companies to scan all communications, meaning that end-to-end encryption would be banned. It won’t technically be banned; it would just be impossible to offer it and comply with the proposed regulations. The stupid pedophiles might be caught by this, but the smart ones would just encrypt the material before it is uploaded or use other methods. If we have learned one thing over the years, it is that bad guys adapt much more quickly than the law does. Of course, that material might stand out, but if they intentionally create a lot of chaff to hide what they are doing, it might not. A botnet could create terabytes of encrypted garbage in no time, making the carriers’ job impossible. It also requires that providers read the text of every message and email, looking for signs of prohibited content. Credit: The Register

Colorado’s CBI Warns of Fraudulent Real Estate Transactions

My guess is that this is not limited to Colorado and this is not really a new scam, but the CBI says it is quickly ramping up. The scam is that a supposed out-of-state seller wants to sell a property, either with a house or vacant land, that currently doesn’t have a mortgage. The fraudster impersonates the owner looking for a buyer that wants a quick close. The whole transaction is being done remotely by mail with a fraudulent deed. Do your due diligence whether you are an agent or a buyer. Credit: CBI and Land Title Association

Mandiant Says Hackers Are Dwelling Inside for Fewer Days

Security firm Mandiant (soon to be part of Google) says that the number of days that hackers are lurking inside your systems continues to decrease. The time now stands at just 21 days. This is likely because hackers are worried about being detected before they can detonate their attack as companies and governments get more serious about fighting crime. That means you don’t have as much time to detect the bad actors. Are you prepared? Credit: Data Breach Today

Is Amazon’s Marketplace Doomed?

Courts can’t quite figure out how to treat Internet companies. Amazon is an interesting mix. It sells some products itself, it offers other products that are sold and fulfilled by third parties and it does a mix (products sold by third parties but fulfilled by Amazon).

I hope Amazon is hiring a lot of lawyers because they are going to need them.

In 2020 the California Appeals court said that Amazon was strictly liable for items, in this case a battery that exploded, sold by a third party but fulfilled by Amazon. The court reasoned that it was too hard to reach the third party seller to sue them. Then last year, the same court said that Amazon was liable for a hoverboard that caught fire, even though all they did was match the buyer and seller.

Now a California court says that Amazon is required to put a Prop 65 warning on products that are sold by third parties. The court said that Amazon should review the tens of millions of products that they don’t sell directly, figure out which ones need a Prop 65 warning and change the seller’s listing if the seller didn’t include a warning.

Amazon might just put a warning on everything for everyone that says DUE TO A STUPID JUDGE, WE ARE REQUIRED TO TELL YOU THAT THIS MIGHT BE HAZARDOUS TO YOUR HEALTH, EVEN THOUGH WE DON’T KNOW WHETHER THAT IS TRUE AND DON’T EVEN HAVE ACCESS TO THE PRODUCT.

The problem is that they can’t hold the seller liable since many of these sellers are not in the U.S. or are mom and pop companies, so that won’t protect them.

Alternatively, they could get out of the marketplace business, but that is a goodly chunk of their business.

But here is the real rub. Does that mean that every company that sells stuff online is at the same risk? Logic says so. Other than that the judge might not like Amazon, they are no different than any other company that sells stuff online.

eBay – sure.

Craigslist – yup.

What about someone who has an ad on their site for a product that should carry a warning – probably?

The courts are going to need to figure all this stuff out. Which is a problem for judges that have zero understanding of technology. Even those judges who have their assistants print out their emails for them.

Of course, in Amazon’s case, they have lots of money and lots of lawyers, so they might be able to tie this up in appeals for the next decade, but at some point, we have to figure this out.

Credit: Professor Eric Goldman