Preserving Text Messages

CIOs have always had to worry about the challenges of preserving evidence, but now we have a whole new class of challenges.

The so called Duty to Preserve comes into play when one party learns about the possibility of litigation. This happens, many times, before any lawsuit is actually filed. Once a party has reasonable knowledge of potential litigation, they have to make sure that potential evidence is not deleted (note: I am not a lawyer, so this may not, exactly, be technically correct, but it is close).

So lets assume that you are the CIO of a company. It is relatively easy to preserve emails – there are many solutions for what is called a litigation hold.

It is much harder to deal with employees’ personally owned computing devices, which includes phones.

Most companies, unless they are in a particular industry like financial services, don’t have a requirement to preserve anything absent pending litigation. Once you think there could be pending litigation, things change.

Think about these things –

  • Facebook Messenger UNSEND
  • iMessage TAP BACK
  • iMessage (and many other platforms) automatic delete function
  • Signal and Telegram’s delete functions

In Fast v. GoDaddy, Fast used the unsend feature to stop disclosure of 109 messages. The court was not happy with this and sanctioned them. The court even fined them $10,000. Eventually, they did cough up 108 of the messages, but the last one never appeared.

The court concluded that the failure to produce this message warranted the court’s issuance of an adverse inference instruction at trial. Basically, this means that the judge will tell the jury that because of the failure to produce this evidence, you can assume the contents were not favorable, or worse (again, I am not trying to be a lawyer here, but you get the idea).

The iMessage tapback feature allows an iPhone user to send back an emoticon in response. But if the recipient is an Android user, they get a copy of the message again. Which if you intended to delete the message, is not what you want. At a minimum, it could signal the existence of a deleted message. Again, the judge issued an adverse inference instruction because messages were selectively deleted, but because of the tap backs, forensics could see that messages had been deleted.

If you use a messaging platform that either can or does automatically delete old messages and you have a duty to preserve, the courts can, again, issue sanctions.

That included ephemeral messages that go away after a few seconds.

So now the IT department has to manage preserving evidence on user owned devices. Doesn’t that sound like fun. Credit: Prof. Eric Goldman’s blog, guest post by Philip Favro

Security News for the Week Ending May 13, 2022

Chinese Sponsored OPERATION CUCKOOBEES Active for Many Years

Researchers with cybersecurity firm Cybereason briefed the FBI and Justice Department as early as 2019 about Operation CuckooBees, an alleged espionage effort by Chinese state-sponsored hackers (named Winnti or APT41) to steal proprietary information from dozens of global defense, energy, biotech, aerospace and pharmaceutical companies. The companies compromised include some of the largest companies in North America, Europe and Asia. These attacks go back to at least 2019 and they have stolen intellectual property, R&D, diagrams of fighter jets, helicopters, missiles and more. Credit: The Record

Spain’s Spy Chief Fired After News She Hacked Spanish Politicians

I guess they don’t like it when you use the laws they created against them. It doesn’t appear that she did anything illegal. Got a court order and everything. But, it was them she was spying against. The other problem she had was that there were dozens of other government officials who were also spied on, but it is not clear by whom. That includes the PM and Defense Minister. Their phones were declared spyware-free – but were not. Credit: Security Week

EU Proposes to Kill Child Abuse by Killing Privacy

The challenge of curbing kiddie porn, sometimes referred to by the more polite term child sexual abuse material (CSAM), is hard. End-to-end encryption makes that even harder. One current EU proposal would require companies to scan all communications, meaning that end-to-end encryption would be banned. It won’t technically be banned, it would just be impossible to allow and comply with the proposed regulations. The stupid pedophiles might be caught by this, but the smart ones would just encrypt the material before it is uploaded or use other methods. If we have learned one thing over the years is that bad guys adapt much more quickly than the law does. Of course, that material might stand out, but if they intentionally create a lot of chaff to hide what they are doing, it might not. A Botnet could create terabytes of encrypted garbage in no time, making the carriers’ job impossible. It also requires that providers read the text of every message and email, looking for signs of prohibited content. Credit: The Register

Colorado’s CBI Warns of Fraudulent Real Estate Transactions

My guess is that this is not limited to Colorado and this is not really a new scam, but the CBI says it is quickly ramping up. The scam is that a supposed out-of-state seller wants to sell a property, either with a house or vacant land, that currently doesn’t have a mortgage. The fraudster impersonates the owner looking for a buyer that wants a quick close. The whole transaction is being done remotely by mail with a fraudulent deed. Do your due diligence whether you are an agent or a buyer. Credit: CBI and Land Title Association

Mandiant Says Hackers Are Dwelling Inside for Fewer Days

Security firm Mandiant (soon to be part of Google) says that the number of days that hackers are lurking inside your systems continues to decrease. The time now stands at just 21 days. This is likely because hackers are worried about being detected before they can detonate their attack as companies and governments get more serious about fighting crime. That means you don’t have as much time to detect the bad actors. Are you prepared? Credit: Data Breach Today

UK, Australia, Canada, New Zealand and US Warn of Attacks on MSPs

Many or possibly most small businesses don’t have an internal IT department. They rely on a third party to help them manage their IT assets. These third parties are called Managed Service Providers (MSPs) or sometimes Managed Security Service Providers (MSSPs). This is not inherently bad. But many of these MSPs are not much larger than the companies they are managing. Many have 25 or fewer employees.

MSPs have to be trusted by their customers and have to have god-like permissions on their customers’ networks and systems. There is no way around that if you want them to manage things for you.

One example of an attack on an MSP right here in Colorado was an attack against Complete Technology Solutions. The attack on CTS compromised over a hundred Dental Practices that were CTS’s customers.

Another was the attack against Kasaya. Kasaya provides software to MSPs. Compromise Kasaya and you compromise a thousand MSPs, each of which has hundreds (or more) customers, each of which has many users.

There are lots more examples – SolarWinds, Microsoft Exchange, and others.

It is not surprising that hackers want to compromise a company that can allow them to leverage their resources and maximize the damage they can do.

But now we have a joint advisory from the cybersecurity agencies or group of nations (the Five-Eyes) that are telling people to beware. The alert provides recommendations for both MSPs and their customers.

For the customers, you are the ones that are responsible for your network. It doesn’t matter that you outsourced the work to someone else. If your network is attacked, you are in trouble. That means that you have to take action to make sure that your MSP is following best practices.

If you need help, contact us.

Credit: The Register and CISA

Is Amazon’s Marketplace Doomed?

Courts can’t quite figure out how to treat Internet companies. Amazon is an interesting mix. It sells some products itself, it offers other products that are sold and fulfilled by third parties and it does a mix (products sold by third parties but fulfilled by Amazon).

I hope Amazon is hiring a lot of lawyers because they are going to need them.

In 2020 the California Appeals court said that Amazon was strictly liable for items, in this case a battery that exploded, sold by a third party, but fulfilled by Amazon. The court reasoned that it was too hard to reach the third party seller to sue them. Then last year, the same court said that Amazon was liable for a Hoverboard that caught fire, even though all they did is match the buyer and seller.

Now a California court says that Amazon is liable to put a Prop 65 warning on products that are sold by third parties. The court said that Amazon should review the tens of millions of products that they don’t sell directly, figure out which ones need a Prop 65 warning and change the seller’s listing if the seller didn’t have a warning.

Amazon might just put a warning on everything for everyone that says DUE TO A STUPID JUDGE, WE ARE REQUIRED TO TELL YOU THAT THIS MIGHT BE HAZARDOUS TO YOUR HEALTH, EVEN THOUGH WE DON’T KNOW WHETHER THAT IS TRUE AND DON’T EVEN HAVE ACCESS TO THE PRODUCT.

The problem is that they can’t hold the seller liable since many of these sellers are not in the U.S. or are mom and pop companies, so that won’t protect them.

Alternatively, they could get out of the marketplace business, but that is a goodly chunk of their business.

But here is the real rub. Does that mean that every company that sells stuff online is at the same risk? Logic says so. Other than the judge might not like Amazon, they are no different than any other company that sells stuff online.

eBay – sure.

Craigslist – yup.

What about someone that has an ad on their site for a product and that should contain a warning – probably?

The courts are going to need to figure all this stuff out. Which is a problem for judges that have zero understanding of technology. Even those judges who have their assistants print out their emails for them.

Of course, in Amazon’s case, they have lots of money and lots of lawyers, so they might be able to tie this up in appeals for the next decade, but at some point, we have to figure this out.

Credit: Professor Eric Goldman

Zelle Fraud – A New Twist on an Old Scam

Zelle is a peer-to-peer payment network similar to Venmo and others. The difference is that Zelle is owned by the big banks like Bank of America, Capital One, Chase, Wells Fargo and others.

But recently Zelle has been in the news and not for good reasons. Scammers have figured out that they can socially engineer many people and once the money is out of your account, it is hard to get back (more on this later).

How can you protect yourself against Zelle scams? Remember those scams that asked you to buy iTunes gift cards, scratch off the cover and send the scammers the numbers? This is not much different.

Don’t use Zelle to send money to people you don’t know. If the scammer tries to convince that things are super urgent, take a deep breath. If someone calls you and the caller ID says it is your bank but they want you to send them money with Zelle, it is, 100 percent, a scam. Hang up. Credit: Channel 3000

Some other tips – and this is no different than any other scam:

  • Don’t respond to unsolicited text or emails
  • Watch for urgent deadlines
  • Always use two factor authentication and never give out your code

The banks have been reluctant to reimburse you for Zelle scams since you did initiate the transaction, but talk to your bank and, if they give you a hard time, talk to your local TV station. Banks love the press saying they have horrible customer service and don’t care about their customers.

But here is the most important thing to “suggest” to your bank. Ask them to look at the Consumer Financial Protection Bureau’s position on banks’ compliance requirements with the Electronic Funds Transfer Act of 1978 known as Reg E. Basically, the feds say, that the banks have to give you bank your money. You may need an attorney to get their attention, but the rules are clear. Credit: CNET

But just to make sure that the banks understand the plan, two US Senators sent a letter to Zelle’s owner, Early Warning Services (which itself is owned by the banks), asking it to explain how it is handling fraud. The outcome of this, likely hearings and either more regulations or laws, means that the banks need to clean up their act before it is forced on them. The banks do not have a popular position in this situation and they will lose in the court of public opinion. Credit: Finextra

Security News for the Week Ending May 6, 2022

Tomorrow is the one-year anniversary of the Colonial Pipeline attack. The government has done more to improve cybersecurity in the last year than it had done in the last 10 years. But there is still a lot more to do.

Jury Finds Norton/Lifelock Infringed on Two Columbia University Patents

Even in the world of cybersecurity, patent infringement is a problem. A jury decided that Norton’s use of emulators to detect malicious behavior violated patents owned by Columbia. Norton says they will stop using the technology and appeal the verdict. Among the Norton products affected are Norton Security and Symantec Endpoint Protection. Since the infringement was deemed to be willful, the judge could triple the $185 million judgement. The suit goes back to 2013. Credit: Data Breach Today

Data Broker Stops Selling Location Data of Planned Parenthood Visitors One Day After Being Outed

Yesterday I read a piece that one of the security trade magazines bought data on visitors to all Planned Parenthood visitors, including where they went after (home) and where they came from before (work). They paid $160. I think the company, SafeGraph, decided the incredibly negative PR wasn’t worth $160, so today they decided to stop selling it. That doesn’t mean other greedy data brokers will do the same – In the U.S. there is nothing illegal about it. Credit: Motherboard by Vice

Cryptocurrency Projects Are As Secure As a Screen Door

In just four days hackers stole over $100 million in cryptocurrency. Who pays for that? Fei Protocol lost $77 million, Saddle Finance $10 million, Deus Finance $13 million and Bored Apes $6 million. There is no government insurance for cryptocurrency owners. Credit: Metacurity

Ukrainians Figure Out How to Beat Russia – Shut Off its Booze

Ukraine’s army of hackers have figured out how to hit Russia where it hurts. Russia requires the booze industry to use a government run portal call EGAIS. Hackers have kept it out of commission, so stores can’t “receive” alcohol, factories can’t accept tanks of alcohol, and distributors can’t ship or receive products. As a result, factories are reducing or stopping production. Interesting attack. Credit: Bleeping Computer

Spain Admits It Hacked Some of its Politician’s Phones

After a week of public reporting that some Spanish politician’s phones had been hacked using the Pegasus spyware, a leading Catalan separatist politician said that Spain’s top intelligence official said that her agency did, in fact, hack some opposing politician’s phones. But, she said, it was all legal. Reports say that the court orders were for far fewer people than Citizen Labs found infected, so who hacked the rest of the phones? If you are high profile in any way you should assume your phone is not secure. Even secure message apps like Signal or iMessage would not be secure since the phone itself is compromised. This follows the disclosure, earlier in the week, that Spain’s Prime Minister and Defense Minister’s phones were both infected with Pegasus spyware by someone. Pegasus is so stealthy that even the government’s cyber sleuths did not detect it until the facts were reported in the media. Credit: ABC News

Treasury Sanctions Cryptocurrency Mixer BLENDER

Mixers are apps that are designed to obfuscate cryptocurrency transactions, to make them harder to track. I am not sure that sanctioning one of the hundreds of these mixers will really help, but I guess it can’t hurt. Credit: The Register

Privacy, Security and Cyber Risk Mitigation in the Digital Age

Visit Us On FacebookCheck Our Feed