Mitigating Over-Enthusiastic Airport Security

Katie Moussouris, formerly an executive at Microsoft and Symantec and now an executive at HackerOne, which as best as I can tell manages bug coordination with third parties for very large, well respected companies, tells a story about an over enthusiastic security person at Charles de Gaulle airport in Paris.  She was tapped for secondary screening as her flight was boarding and the security agent asked her to turn on her laptop.  While this request is unusual, it is a standard security procedure to reduce the odds that your laptop case is not just a container for a bunch of high explosives.  This is a result of the  2010 actual bombs that were sent from Yemen, one found in the UK, the other in Dubai, both safely defused, thankfully.

What came next was the unusual part.  The security agent asked Katie to log in to her laptop.  According to Katie, customer’s very sensitive bug information was now exposed.  How exposed is unclear, but there are many things that you can do to mitigate this, depending on your level of paranoia.

The first and easiest thing to do is to create a guest login on your laptop with no privileges and no access to other data on the laptop.  Likely, this very simple solution would have protected Katie’s customer information since the laptop remained in her control and possession.

Next, especially when traveling internationally, consider how much information you really need to travel with and remove (and overwrite) unneeded information.  You can put it back when you return.

Another option is to use a program like Truecrypt, Veracrypt or ciphershed or some similar program that allows you to create additional encrypted volumes after you login.  These require an additional step of mounting an extra drive letter after you log in, but they keep your stuff isolated.  Depending on your needs, you could create more than one volume for different purposes and only mount what you need when you need it.  A couple of notes here.  The three programs above  are in different states of maturity and there are other programs that allow you to create secure containers, so these are just examples.  Also, make sure that you SHUTDOWN your computer before you head for the airport and not just sleep or hibernate it;  otherwise, when you turn the computer back on, those secret volumes will still be mounted.

Depending on your requirements, you may opt to make some trips without your laptop at all and just take your phone and/or tablet.  What you don’t have can’t be compromised.

Finally, for the especially sensitive and paranoid among us, some large companies have travel laptops that they give people that their IT staffs load with just the minimum amount of software and data when they are traveling to certain countries.   These laptops are wiped on return and if they have been out of the executives control in certain countries, they are crushed after being wiped.  Like I said  – depends on your level of paranoia.

Obviously, the same issues go for phones and tablets these days.

The important point is that this should be part of your risk management program and you should consciously review your policies and practices for employee’s use of electronic toys and mobile data.

 

Mitch

Facebooktwitterredditlinkedinmailby feather

The Problem Of Attribution Of Cyber Attacks

In some sense, cyber attacks are no different that physical world attacks;  in other ways, they are completely different.

Let’s assume that you did not physically catch some bad guys that broke into a building.  Do you know who broke in?  On rare occasions they leave something behind – there have been instances so rare that they make the news –  where a perpetrator drops a wallet or ID card behind.  Even then, how do you know the wallet that was dropped wasn’t stolen and then dropped.   Sometimes the police get a lead, find that person and they still have the stolen stuff – that’s pretty conclusive.  What if what was stolen was money?  You can’t say “that $20 bill over there looks like mine”.  Most of the time, you can rule out people who don’t live nearby.  It is reasonable to assume – and it is an assumption  – that someone is not going to travel from India to break into your house and steal your TV – the economics don’t work.

Cyber attacks are different.  It could be anyone with access to an Internet connection.  That narrows it down to say 2-3 billion people.  Easy job.  Since it is no harder to launch an attack on your company from 5,000 miles away than it is to launch it from 5 feet away, you can’t rule out anyone.

There are stupid cyber attacks just like there are stupid burglars, but in both cases they are likely to get caught, so I will dismiss those attacks.

The reason attribution is so important is that we want to catch the attackers.  If we cannot attribute the attack, it is hard to go after them.

The case in point is the Sony attack.  The FBI, based on forensic evidence, says it came from North Korea and it was sponsored by the North Korean government.  North Korea denies it.  Other people say it was Russia.  Still others say is was some former disgruntled Sony employees.  Others say it was a combination.  The U.S. decided to retaliate against North Korea because we don’t like them anyway, but in reality, the evidence is circumstantial.

Could some Russian hackers have reused  Korean code and servers?  Could the Russian government have paid North Korean hackers?  Were they even in North Korea?  Some people say the attackers were in Japan.

Since we don’t like North Korea anyway, it really is no big deal to us if we mis-attribute the attack to them, but what if the attack originated someplace else?  The FBI gets to claim credit, sort of (no one gets charged with a crime, gets convicted or spends time in jail). From what has been released to the media, we really don’t know who the actual attackers are.  If the attackers were in a country that we have a better relationship with, we are unlikely to issue sanctions against, say, Germany.  And, issuing sanctions doesn’t hurt the hackers – they go on their merry way.

The bottom line is that just like some murders are not solved, some cyber crimes are not solved either.  The difference is the percentage.  Especially for smaller cyber attacks, the police don’t have the resources to follow up on the attacks (they are not likely to fly to Ukraine to check up on a lead and the Ukrainian police have other things to do that are more important to them).  The reality is that many, if not most, cyber attacks are not solved.

If you have the right kind of cyber insurance it will help lessen the financial impact, but don’t count on the attackers being caught.  It just doesn’t happen very often.  Even for high profile attacks.  Have the Target attackers been caught?  What about the Home Depot attackers?  What about the J.P. Morgan Chase hackers?  Given that, how likely is it that the hacker that broke into some small or medium size business will be caught?  And, even if they are, then what?  Likely, they don’t have the money to pay for your damages.  And, that won’t repair your reputation.

In this sense, cyber attacks are quite different from physical attacks.  If someone steals your car and you have the right kind of insurance, you get a replacement car.  Yes, there is some hassle and time, but overall, it is pretty clean.  And, other than the few people you tell about it, no one knows about it.  And unless you left your key in the car, your reputation isn’t tarnished.

If someone takes down your website or defaces it or steals your customer data, it is much harder to hide the fact.  In most states, you are required by law to tell your customers, who tell the media, who tell the world.  And much harder to be made whole again.  Damage to your reputation is very difficult to repair.

You can hope that the hackers pass over you or you can spend some time and effort making it harder for them.  That time and effort could improve the odds that the hackers will looker for an easier target.

Remember, while the attack on Target was annoying, an attack on your home or business gets personal really quickly.

 

Mitch

 

 

Facebooktwitterredditlinkedinmailby feather

FBI gets creative on when they need a search warrant

The media has been talking about the feds running Stingrays and Dirtboxes to gather cell phone data on potentially thousands of Americans.  The government’s take on this has been that a warrant is not required.

The FBI made their position known in a private briefing to the Senate Judiciary Committee last week.  The result was a letter made public by Sens Grassley (R-IA) and Leahy (D-VT) that said:

For example, we understand that the FBI’s new policy requires FBI agents to obtain a search warrant whenever a cell-site simulator is used as part of a FBI investigation or operation, unless one of several exceptions apply, including (among others): (1) cases that pose an imminent danger to public safety, (2) cases that involve a fugitive, or (3) cases in which the technology is used in public places or other locations at which the FBI deems there is no reasonable expectation of privacy.

So, basically, the FBI is saying that if you are in public, you are fair game, no matter what or where.  For example –

The feds tried to convince the courts that they should be able to secretly and without a warrant, attach a GPS tracking device to a suspect’s car.  The feds got a conviction for dealing cocaine, apparently, partially, as a result of the GPS data.  The case went up to the Supremes and they ruled that a warrant was required.

The administration also attached a webcam to a light pole a hundred yards away from a suspect’s house with remote pan, tilt and zoom capability.  From hundreds of miles away, they could watch this suspect, look in the trunk of his car, look in his front window, etc.  He lived in a rural area, so he had the expectation of not having neighbors watching his every move.  The feds saw him shooting target practice in his yard, which is illegal in his county,  and based on that, got a warrant and found 4 guns and a few grams of meth.  A federal judge threw out the evidence.  The judge said that probable cause and a warrant was needed to conduct 24×7 surveillance of an individual, even in public.  Interestingly, when the police raided his house, the camera was pointed not at his front door, but rather at some sagebrush nearby.  Apparently, the judge noticed that fact as well..

The authorities want to keep information on Stingrays quiet.  Harris Corporation even requires cops to sign a non-disclosure agreement before they sell them one and recently the Baltimore cops dropped their charges against someone rather than let that information see the light of day.  My guess is that they don’t want the bad guys to understand how effective these devices are, but likely, you only catch stupid bad guys this way.  The smarter ones understand that cell phones, at least ones that are not burners, are like a homing beacon tied directly to you.

The Senate Judiciary committee is becoming more interested in these boxes, so I suspect it is a matter of time before we get more information.

What is clear is that law enforcement will push the boundaries as they try to do their jobs.  Recently, when the Sarasota police were going to be forced to turn over records on Stingray use under Florida public records laws, magically, the detective who was using them became a special deputy for the U.S. Marshal Service and the records were moved to a different location hundreds of miles away.  Legal experts think this technique will not hold up.

While there certainly is a balancing act between catching bad guys and suspect’s rights, it appears that vigilance is required to keep the good guys honest.  This is not the last act in this play.

Before you say that we should do whatever we can to put away bad guys, absent some form of independent review there is nothing to stop the operator of a Stingray from pointing it at you – just because he can.

Mitch

Facebooktwitterredditlinkedinmailby feather

New California Data Privacy Laws for 2015

As has been the case for more than 10 years, California leads the way, for better or worse, for the rest of the country in protecting resident’s privacy.  Their original breach law, SB 1386, is the model for laws for the rest of the country.

So, what is new in 2015 – read on.  If SB 1386 is any indication, expect to see this in a legislature near you soon.

REMEMBER, one of the big challenges for businesses is that many laws cover people based on WHERE THEY LIVE, not where you live.  So, if you have a business in Dallas, Texas and a California resident uses your web site, you are required to follow California law and if you don’t the California Attorney General can (and has in the past) come after you.  AND, you have to defend yourself in Sacramento, not Dallas. Small breach and they are not likely to visit you.  Bigger breach and they might.

  • SB 568 extends the federal law for protecting minors online (COPPA).  COPPA defines kids as anyone under the age of 13;  SB 568 defines it as anyone under the age of 18.  So, if you have a web site that may attract Cali residents under the age of 18, this law affects you.
  • AB 1710 removes the wiggle room in the old law.  The old law talked about owning or licensing information.  The new law says if you MAINTAIN information on a California resident you must “implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”  Of course, reasonable is not defined, but there likely will be some discussion about what is reasonable if you are breached.
  • There are several new laws that govern information collected by third parties and schools about pupils and how that information may be used.

For more details, see this article.

Facebooktwitterredditlinkedinmailby feather

First Party vs. Third Party Cyber Liability Insurance

For those of us who are not insurance experts, the distinction may not be obvious.  As explained in more detail here, the difference is in who experiences the loss.

First party coverage covers damage to your business such as costs of notifying customers, purchasing credit monitoring services, repairing reputational damage or paying a cyber extortionist.

Third party coverage covers things like costs related to the theft, misuse or disclosure of other people’s information (customers, for example) that is stored on your network or infringement of the right to privacy, among others.  Third party coverage is more common.

This article discusses some of the myths surrounding first party coverage.

Another article, “Sizing Up Cyber Risks After The Sony Breach” says that DHS reported, after a late 2012 cyber security insurance workshop, that first party coverage is “expensive, rare and largely unattractive”.

Some people thought that their general commercial liability coverage (GCL) included cyber risks.  Some used to years ago, but very few do today as many breach victims have discovered after the fact.

The important point here is that cyber liability policies do not have standard state mandated language, so it is important, as part of your business risk analysis process to document what risks you want to be covered for and then validate that the coverage you currently have or are planning to buy provides you with the coverage you need.  To do this effectively you need to estimate your costs from a cyber breach in each and every category so that you can figure out what you can and are willing to absorb internally vs. getting help from your insurance carrier to cover.  Unfortunately, this is neither a simple nor exact process.

Parting thought — you cannot do this review after you are the victim of a cyber breach.  Even though everyone hopes it is going to happen to the other guy, that is not always the case.  Although Target, Home Depot and Sony get the press coverage, the breach that hit the Jimmy Johns sandwich chain this year, for example, also hit hundreds of mom and pop pizza and sub shops.

Mitch

Facebooktwitterredditlinkedinmailby feather

Board Of Directors Role In Cyber Security

The National Law Review has a great article on board member’s responsibility in the area of cyber security.

One quote from the article:

2012 Carnegie Mellon poll of how U.S. boards are managing cyber risks found that 71% rarely or never review privacy and security budgets, 80% rarely or never review roles and responsibilities, and nearly two-thirds rarely or never review top-level policies. Additionally, more than half of directors surveyed rarely review security program assessments. Every director should make cybersecurity a topic on the board’s agenda and ask questions if there is any confusion or doubt.

The National Law Review does not have anything to gain from their position, so I think it is wonderful that they are highlighting the board’s role in cybersecurity.

It seems like, with the exception of the JP Morgan Chase case, in the other major breaches of 2014 (Target, Home Depot and Sony), lax company policy and oversight in the area of cybersecurity was at least a contributing factor in each of these breaches.

Ultimately, the buck stops at the board of directors and given how ugly 2014 was from a cybersecurity standpoint and the fact that 2015 will probably be at least as bad, boards should be asking a lot of questions.

Mitch

Facebooktwitterredditlinkedinmailby feather
Visit Us On FacebookCheck Our Feed