Guilty Until Proven Innocent – Software Licensing

Lewitt, Hackman, Shapiro, Marshall and Harlan, a law firm based outside Los Angeles, has an interesting take on software licensing.  They don’t say whether they have been representing plaintiffs or defendants in software piracy lawsuits, so I don’t know if there is a bias in their blogging, but it is an interesting point of view.

They talk about the Business Software Alliance or BSA, an industry trade group made up of heavyweights like Microsoft, Adobe and Intel, that offers rewards to current or former employees to turn in their company if they suspect they are using pirated software.  Note they say “suspect” and not “have evidence of”.

The BSA investigates about 15,000 companies a year, starting by asking them to do a self audit and then “negotiating” for damages.  Having been on the wrong end of that deal once, we had to write a check with way too many zeros before the period.  Not fun.

That is old  news.  The BSA has been kicking this dog for a long time and they try to get the occasional large penalty in order to try and cut down piracy, which from their point of view is understandable.

Here is what is interesting.  According to Lewitt, Hackman, under the law, all the BSA or Microsoft or whoever has to do to prove infringement is the following:

  • That it owns the copyright for the software
  • That the (soon to be) defendant used the software

They don’t have to prove that you pirated it or that you are using more copies than you bought.  At this point, you are assumed to be guilty and have to prove your innocence, something that very few companies can do.

Your claim that you are using the software legally is a legal defense.

The law says, according to Lewitt, Hackman, that it is your burden to prove you have a license from the copyright owner.

I doubt there is any company on the planet that has zero disgruntled ex-employees and if reporting you, anonymously, to the BSA is a way to get both revenge and cash, I could see that some people might do that.  The BSA even runs ads in magazines suggesting pretty much this.

How many companies can show an invoice or check copy for every copy of Windows, Office, Photoshop or any other piece of software you have installed on any computer in the office.  By the way, whether you are using the software or not is irrelevant to your defense.  If it is installed and unlicensed, you are guilty.  Been there, have the scars.

So, one part of your business risk management program should be to keep copies of all software receipts, licenses and other records so that if the issue comes up you don’t have to recreate history.

Food for thought.

Mitch

 

Facebooktwitterredditlinkedinmailby feather

Enterprises Are Still Failing At The Security Basics

VentureBeat wrote an interesting item pointing out some of the obvious things that Target messed up.  Fixing these items won’t stop every attack, but it certainly would slow the attackers down.

According to a lawsuit filed in federal court recently Target missed the ball on a few things.  Of course, at this point, these are just claims, but they have been widely reported in the media and not disputed by Target corporate.

  • Target did not take written warnings from Visa seriously.
  • The attackers got in by compromising the credentials of a vendor.  The thieves gained too much information from Google searches.
  • The security problem grew due to weak security at that vendor. Target should have required better security procedures of their vendors.
  • Target IT staff gave security warnings to their superiors, which were ignored.
  • Target’s network was not properly segmented.  As a result, access with the vendor’s credentials to the vendor billing application gave the hackers way too much access.
  • Target did not use two factor authentication, which did slow down the attackers at JP Morgan Chase.  Except they found ONE server that did not have it installed.
  • Target used the FireEye security software which alerted Target’s security team to the presence of malware, but the team took no action.
  • Target failed to remove unused default accounts, which that attackers took advantage of.
  • Target used Symantec Endpoint protection, which also generated alerts that were not acted upon.
  • Target did not block traffic to cyber thief havens like Russia, which allowed the hackers to use a command and control attack server in eastern Europe.  My guess is that Target has no stores in Russia and probably does not ship clothing there either.  This one is hard with multinationals, but it can be done.

The article goes on to talk about Chase, Sony and basic human nature.  It provides some interesting food for thought.

So, as I have said for years, you have to take care of the basics before you worry about rocket science.

Mitch

Facebooktwitterredditlinkedinmailby feather

Mitigating Over-Enthusiastic Airport Security

Katie Moussouris, formerly an executive at Microsoft and Symantec and now an executive at HackerOne, which as best as I can tell manages bug coordination with third parties for very large, well respected companies, tells a story about an over enthusiastic security person at Charles de Gaulle airport in Paris.  She was tapped for secondary screening as her flight was boarding and the security agent asked her to turn on her laptop.  While this request is unusual, it is a standard security procedure to reduce the odds that your laptop case is not just a container for a bunch of high explosives.  This is a result of the  2010 actual bombs that were sent from Yemen, one found in the UK, the other in Dubai, both safely defused, thankfully.

What came next was the unusual part.  The security agent asked Katie to log in to her laptop.  According to Katie, customer’s very sensitive bug information was now exposed.  How exposed is unclear, but there are many things that you can do to mitigate this, depending on your level of paranoia.

The first and easiest thing to do is to create a guest login on your laptop with no privileges and no access to other data on the laptop.  Likely, this very simple solution would have protected Katie’s customer information since the laptop remained in her control and possession.

Next, especially when traveling internationally, consider how much information you really need to travel with and remove (and overwrite) unneeded information.  You can put it back when you return.

Another option is to use a program like Truecrypt, Veracrypt or ciphershed or some similar program that allows you to create additional encrypted volumes after you login.  These require an additional step of mounting an extra drive letter after you log in, but they keep your stuff isolated.  Depending on your needs, you could create more than one volume for different purposes and only mount what you need when you need it.  A couple of notes here.  The three programs above  are in different states of maturity and there are other programs that allow you to create secure containers, so these are just examples.  Also, make sure that you SHUTDOWN your computer before you head for the airport and not just sleep or hibernate it;  otherwise, when you turn the computer back on, those secret volumes will still be mounted.

Depending on your requirements, you may opt to make some trips without your laptop at all and just take your phone and/or tablet.  What you don’t have can’t be compromised.

Finally, for the especially sensitive and paranoid among us, some large companies have travel laptops that they give people that their IT staffs load with just the minimum amount of software and data when they are traveling to certain countries.   These laptops are wiped on return and if they have been out of the executives control in certain countries, they are crushed after being wiped.  Like I said  – depends on your level of paranoia.

Obviously, the same issues go for phones and tablets these days.

The important point is that this should be part of your risk management program and you should consciously review your policies and practices for employee’s use of electronic toys and mobile data.

 

Mitch

Facebooktwitterredditlinkedinmailby feather

The Problem Of Attribution Of Cyber Attacks

In some sense, cyber attacks are no different that physical world attacks;  in other ways, they are completely different.

Let’s assume that you did not physically catch some bad guys that broke into a building.  Do you know who broke in?  On rare occasions they leave something behind – there have been instances so rare that they make the news –  where a perpetrator drops a wallet or ID card behind.  Even then, how do you know the wallet that was dropped wasn’t stolen and then dropped.   Sometimes the police get a lead, find that person and they still have the stolen stuff – that’s pretty conclusive.  What if what was stolen was money?  You can’t say “that $20 bill over there looks like mine”.  Most of the time, you can rule out people who don’t live nearby.  It is reasonable to assume – and it is an assumption  – that someone is not going to travel from India to break into your house and steal your TV – the economics don’t work.

Cyber attacks are different.  It could be anyone with access to an Internet connection.  That narrows it down to say 2-3 billion people.  Easy job.  Since it is no harder to launch an attack on your company from 5,000 miles away than it is to launch it from 5 feet away, you can’t rule out anyone.

There are stupid cyber attacks just like there are stupid burglars, but in both cases they are likely to get caught, so I will dismiss those attacks.

The reason attribution is so important is that we want to catch the attackers.  If we cannot attribute the attack, it is hard to go after them.

The case in point is the Sony attack.  The FBI, based on forensic evidence, says it came from North Korea and it was sponsored by the North Korean government.  North Korea denies it.  Other people say it was Russia.  Still others say is was some former disgruntled Sony employees.  Others say it was a combination.  The U.S. decided to retaliate against North Korea because we don’t like them anyway, but in reality, the evidence is circumstantial.

Could some Russian hackers have reused  Korean code and servers?  Could the Russian government have paid North Korean hackers?  Were they even in North Korea?  Some people say the attackers were in Japan.

Since we don’t like North Korea anyway, it really is no big deal to us if we mis-attribute the attack to them, but what if the attack originated someplace else?  The FBI gets to claim credit, sort of (no one gets charged with a crime, gets convicted or spends time in jail). From what has been released to the media, we really don’t know who the actual attackers are.  If the attackers were in a country that we have a better relationship with, we are unlikely to issue sanctions against, say, Germany.  And, issuing sanctions doesn’t hurt the hackers – they go on their merry way.

The bottom line is that just like some murders are not solved, some cyber crimes are not solved either.  The difference is the percentage.  Especially for smaller cyber attacks, the police don’t have the resources to follow up on the attacks (they are not likely to fly to Ukraine to check up on a lead and the Ukrainian police have other things to do that are more important to them).  The reality is that many, if not most, cyber attacks are not solved.

If you have the right kind of cyber insurance it will help lessen the financial impact, but don’t count on the attackers being caught.  It just doesn’t happen very often.  Even for high profile attacks.  Have the Target attackers been caught?  What about the Home Depot attackers?  What about the J.P. Morgan Chase hackers?  Given that, how likely is it that the hacker that broke into some small or medium size business will be caught?  And, even if they are, then what?  Likely, they don’t have the money to pay for your damages.  And, that won’t repair your reputation.

In this sense, cyber attacks are quite different from physical attacks.  If someone steals your car and you have the right kind of insurance, you get a replacement car.  Yes, there is some hassle and time, but overall, it is pretty clean.  And, other than the few people you tell about it, no one knows about it.  And unless you left your key in the car, your reputation isn’t tarnished.

If someone takes down your website or defaces it or steals your customer data, it is much harder to hide the fact.  In most states, you are required by law to tell your customers, who tell the media, who tell the world.  And much harder to be made whole again.  Damage to your reputation is very difficult to repair.

You can hope that the hackers pass over you or you can spend some time and effort making it harder for them.  That time and effort could improve the odds that the hackers will looker for an easier target.

Remember, while the attack on Target was annoying, an attack on your home or business gets personal really quickly.

 

Mitch

 

 

Facebooktwitterredditlinkedinmailby feather

FBI gets creative on when they need a search warrant

The media has been talking about the feds running Stingrays and Dirtboxes to gather cell phone data on potentially thousands of Americans.  The government’s take on this has been that a warrant is not required.

The FBI made their position known in a private briefing to the Senate Judiciary Committee last week.  The result was a letter made public by Sens Grassley (R-IA) and Leahy (D-VT) that said:

For example, we understand that the FBI’s new policy requires FBI agents to obtain a search warrant whenever a cell-site simulator is used as part of a FBI investigation or operation, unless one of several exceptions apply, including (among others): (1) cases that pose an imminent danger to public safety, (2) cases that involve a fugitive, or (3) cases in which the technology is used in public places or other locations at which the FBI deems there is no reasonable expectation of privacy.

So, basically, the FBI is saying that if you are in public, you are fair game, no matter what or where.  For example –

The feds tried to convince the courts that they should be able to secretly and without a warrant, attach a GPS tracking device to a suspect’s car.  The feds got a conviction for dealing cocaine, apparently, partially, as a result of the GPS data.  The case went up to the Supremes and they ruled that a warrant was required.

The administration also attached a webcam to a light pole a hundred yards away from a suspect’s house with remote pan, tilt and zoom capability.  From hundreds of miles away, they could watch this suspect, look in the trunk of his car, look in his front window, etc.  He lived in a rural area, so he had the expectation of not having neighbors watching his every move.  The feds saw him shooting target practice in his yard, which is illegal in his county,  and based on that, got a warrant and found 4 guns and a few grams of meth.  A federal judge threw out the evidence.  The judge said that probable cause and a warrant was needed to conduct 24×7 surveillance of an individual, even in public.  Interestingly, when the police raided his house, the camera was pointed not at his front door, but rather at some sagebrush nearby.  Apparently, the judge noticed that fact as well..

The authorities want to keep information on Stingrays quiet.  Harris Corporation even requires cops to sign a non-disclosure agreement before they sell them one and recently the Baltimore cops dropped their charges against someone rather than let that information see the light of day.  My guess is that they don’t want the bad guys to understand how effective these devices are, but likely, you only catch stupid bad guys this way.  The smarter ones understand that cell phones, at least ones that are not burners, are like a homing beacon tied directly to you.

The Senate Judiciary committee is becoming more interested in these boxes, so I suspect it is a matter of time before we get more information.

What is clear is that law enforcement will push the boundaries as they try to do their jobs.  Recently, when the Sarasota police were going to be forced to turn over records on Stingray use under Florida public records laws, magically, the detective who was using them became a special deputy for the U.S. Marshal Service and the records were moved to a different location hundreds of miles away.  Legal experts think this technique will not hold up.

While there certainly is a balancing act between catching bad guys and suspect’s rights, it appears that vigilance is required to keep the good guys honest.  This is not the last act in this play.

Before you say that we should do whatever we can to put away bad guys, absent some form of independent review there is nothing to stop the operator of a Stingray from pointing it at you – just because he can.

Mitch

Facebooktwitterredditlinkedinmailby feather

New California Data Privacy Laws for 2015

As has been the case for more than 10 years, California leads the way, for better or worse, for the rest of the country in protecting resident’s privacy.  Their original breach law, SB 1386, is the model for laws for the rest of the country.

So, what is new in 2015 – read on.  If SB 1386 is any indication, expect to see this in a legislature near you soon.

REMEMBER, one of the big challenges for businesses is that many laws cover people based on WHERE THEY LIVE, not where you live.  So, if you have a business in Dallas, Texas and a California resident uses your web site, you are required to follow California law and if you don’t the California Attorney General can (and has in the past) come after you.  AND, you have to defend yourself in Sacramento, not Dallas. Small breach and they are not likely to visit you.  Bigger breach and they might.

  • SB 568 extends the federal law for protecting minors online (COPPA).  COPPA defines kids as anyone under the age of 13;  SB 568 defines it as anyone under the age of 18.  So, if you have a web site that may attract Cali residents under the age of 18, this law affects you.
  • AB 1710 removes the wiggle room in the old law.  The old law talked about owning or licensing information.  The new law says if you MAINTAIN information on a California resident you must “implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”  Of course, reasonable is not defined, but there likely will be some discussion about what is reasonable if you are breached.
  • There are several new laws that govern information collected by third parties and schools about pupils and how that information may be used.

For more details, see this article.

Facebooktwitterredditlinkedinmailby feather

Privacy, Security and Cyber Risk Mitigation in the Digital Age

Visit Us On FacebookCheck Our Feed