Counterpoint to Guilty Till Proven Innocent

Last month I wrote a piece talking about the Business Software Alliance’s point of view of software piracy, which is guilty till proven innocent.

As with any good story, there is often an opposing view and I came across one on Mondaq, the legal (among many other things) information publisher.

The article, written by Steven Hellend of the law firm of Fredrikson and Byron, has a different point of view and I think his point is well taken.  Understand, of course, that if you take his strategy you are likely in for a large legal bill, but the situation is messy either way and you need to decide what is the best strategy for your company.

Steven’s point of view is summed up this way, by him:

Imagine that you are accused of shoplifting a pair of Levi’s® jeans by an un-named tipster. The agent for the clothing store demands that you inventory not only your Levi’s® jeans, but every article of clothing in your closet. Next the agent demands that you provide a dated receipt for each article of clothing. No matter how old. And if you can’t find a receipt for a favorite old sweater, the agent is un-interested that your mom will provide an affidavit that she bought it for you as a gift. Absent a dated receipt, all items are deemed shoplifted or stolen. And the agent will demand a settlement payment or threaten to sue you for $150,000 per item.
The inference of shoplifting/theft above is absurd on its face.
The inference of copyright infringement for software under like circumstances is equally absurd.

I think that Steven is not particularly arguing with the guilty until proven innocent comment; rather, he thinks that there are many possible defenses, contrary to what the BSA might tell you.  Remember, the BSA is a private organization, not a judge, jury or regulatory body.

So, in summary, here is his take:

  • The BSA says you have to have dated receipts.  Steven says that you may be able to convince a court that other evidence is sufficient.
  • The BSA says if you cannot provide dated receipts you are de facto guilty.  Steven says there are many factors and in court (assuming you go that far), things may not be so simple and the burden MAY shift to the BSA. Note I said MAY.
  • The BSA says you can be fined up to $150,000 per infringement. Steven says that the BSA forgets to mention that the statute says ordinary or typical damages are between $750 and $30,000 as the court considers just.  The $150,000 is the maximum for certain willful infringement. It also says that the court may reduce the fine to no less than $200.

So, I think what Steven is saying is that you should not cave; consider your options and come up with a plan.  The result may be much less dire than the BSA suggests.

That being said, as part of your cyber risk management plan, you do need to manage software licenses, manage documentation, enforce the rules, punish violators, etc.  Doing this will likely (not guaranteed, but likely) eliminate any chance of willful infringement charges being successful.  In that case, your exposure will certainly be a whole lot less than the BSA suggests.  However, if you just let it slide or wink while employees copy software, the picture will not look anywhere near as pretty.

Here is an article on software audits that Steven has written on his company’s web site.  More information.  In this case, information is definitely good for you.



Anthem Blue Cross Hacked

I thought it had been quiet recently – apparently too quiet.

Anthem, the healthcare insurance company that operates in 14 states and is the second largest insurance company in the country, reported that it had been hacked.  Anthem operates under a lot of names including Anthem Blue Cross, a name well known in the Northeast.

According to a statement signed by Anthem CEO Joe Swedish,  the attackers did not take credit card information or healthcare information. Anthem said that possibly as many as 80 million customers, current and former, are affected.

The fact that no healthcare information was taken has to be a huge relief to Anthem’s board.  With the new HIPAA rules, the fine could possibly have been as much as 80 million records times $1.5 million fine per record.  That is $120 trillion.  Of course, they would never be assessed such a large fine or even a small percentage of that number, but that is the potential max.  Even 1/1000th of 1 percent of that number is a big number.

Another relief is the hackers did not use the Sony attack technique of thermonuclear information destruction and wipe all of Anthem’s systems.  That could have been a bit of a mess for them.  Think about an insurance company that could not pay claims for a couple of months.

What the hackers did take is names, addresses, social security numbers, email addresses, employer information and income and they did this for both current and former employees and customers.  Mr. Swedish said that it was in the tens of millions of people and maybe as many as 80 million.

They only discovered this last week, so there is probably more they don’t know than they do know, and the facts may change.  I give Anthem credit for announcing this so quickly.  Most companies would not even know what the hackers got after a week, so it is possible that Anthem has a good information risk management process in place – we don’t know yet.

One question that you might ask is why the hackers stole what they did steal.  I don’t have any insider info and the FBI is investigating, along with the security firm Mandiant, but I have a thought.

When the hackers at Home Depot stole those tens of millions of credit cards – or one of the other thousands of attacks that did not make the news – some, but only some, credit card companies issued new cards.  Some of those cards are still live.  More importantly, credit card numbers by themselves don’t sell for a lot of money any more because they get turned off pretty quickly.

BUT, if besides the credit card info, you have name, address, employer, social, date of birth, etc. – what hackers call “fullz”, meaning the full credit info, it sells for a lot more.

While that won’t help the hackers much right now regarding last year’s hack of Home Depot, when the next attack comes, having a database of information on 20 percent or more of the U.S. population is a hugely financially valuable tool.  Merge this with the 75 million records stolen from Chase last year and you have a pretty nifty database.

Like healthcare information, fullz information doesn’t change anywhere as quickly as credit card information.  Are you going to change your blood type or sell your house and move because of the hack?  It is really hard to change your blood type and unlikely that you are going to move because of one.

What this means is that hackers, who are becoming good at using big data, have a great repository of information to merge with the next credit card or healthcare hack to make a whole lot more money.  And yes, hackers do work together – not so much for fun as for the collective profit, so my scenario is very realistic. That combined information makes it a lot easier for the hackers to create new credit in your name than just having a credit card number and even the PIN.

Only time will tell, but check back for updates over the next few weeks.


Yet Another Adobe Flash Bug

Trend Micro is reporting (see here) yet another Adobe Flash zero-day attack in the wild.  Yes, this is a new one.  No, this is not one I reported about last week.  I had to read the article three times to convince myself this was not the exploit I wrote about last week.  And,  Trend Micro has already caught about 3,300 instances of this attack among their user base.  Given their user base is huge, 3,300 is a small number, but there is not a fix for this yet.  Adobe is promising one this week.

To say that 2015 has not started out well for Adobe would be kind.  They released their normal Flash update in January that fixed 9 critical flaws.  Then 9 days later, they released an out-of-band patch to fix a critical flaw that was being exploited.  Last Saturday, they released another patch to fix a critical flaw and now they are saying they are going to release another patch this week.  That would be 5 patch releases in the first 5 weeks of the year.  Out-of-band patches are a huge pain for both developers and users, so software vendors like Adobe reserve them for critical problems.

This flaw is particularly nasty because, Trend Micro says, it is showing up in ads appearing on web pages and IT DOES NOT REQUIRE THE USER TO CLICK ON THE AD TO WORK.

Some people are suggesting you disable Flash, but that would make many web sites look like a blank page.  I would suggest, at a minimum, that you make sure that you are using a highly rated antivirus product (apparently Trend Micro does catch this and it is pretty cheap – I saw a version of Trend the other day on Amazon for $25/year for 3 PCs or $8 a PC a year).

And, yes, watch for yet another Flash update this week on a computer near you.


Internet Explorer 11 Vulnerability Opens Door To Phishing

Many sources are reporting (see here) a bug in Internet Explorer 11 that could support a very credible looking phishing attack.  Interestingly, this attack does not work on older versions of Internet Explorer, which is the reverse of what usually happens.  The problem was disclosed on Saturday with a proof of concept on the full disclosure mailing list, so the hackers even have example code to start from.

The exploit does require the user to click on a link to get it to work, but if the user does click, which is not hard to get a user to do, the web page for, say, ABC Bank does appear and the Bank’s URL appears in the address bar.  In the demonstration code, a few seconds later, a web page from the hacker appears, but the original web site URL still appears in the address bar.  What this means is that a victim would think he is still at the ABC Bank web site, so if the web page asks for some personal information, the user would think that he is giving that information to the bank but would really be giving it to the hacker.

Unfortunately, this attack even works with HTTPS based web pages (this is yet another way that SSL is broken;  see yesterday’s post for other reasons it is broken).

In concept, this is similar to the bug discovered in the default Android browser a few months ago that allows this same kind of attack.  Google has taken some heat over that one because they said that they are not using that code in the current version of Android (4.4), so they are not going to fix it.  The only solution for Android users using version 4.3 or earlier is to use Chrome or Firefox instead.

For Windows users, a simple solution would be to use another browser, at least until Microsoft fixes this bug.

Microsoft said that they are not aware of hackers using this bug (which is not a surprise since it was only published on Saturday), that they are working on a fix (which may take a couple of months, depending on the priority and the difficulty of fixing it) and that you shouldn’t click on links from “untrusted sources”.  By untrusted sources, they mean a link in a phishing email that appears to have come from your boss.  Good luck in getting that to happen.

Interestingly, the researchers who disclosed this bug said that there is a simple way for web sites (like ABC Bank) to protect themselves: send a particular HTTP response header (X-Frame-Options with deny specified), which tells the browser not to display the site inside another page’s frame.  However, the researchers say that very few web sites do this.  Still, for web site owners, this might be a smart change to make to protect their visitors while Microsoft works on a fix.
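As an added example (not code from the original post or from the researchers’ disclosure), here is the server-side half of that advice in Python: a small check that inspects a response’s headers and reports whether a browser would let another site frame the page, a helper that adds the anti-framing headers, and a minimal WSGI app standing in for the ABC Bank site. The app and the function names are my own assumptions. The check goes one step beyond the article in that it also understands the Content-Security-Policy `frame-ancestors` directive, which modern browsers honour in preference to X-Frame-Options when both are present.

```python
from wsgiref.simple_server import make_server


def _header(headers, name):
    """Return the value of the first header called `name` (case-insensitive), or None."""
    for key, value in headers:
        if key.lower() == name.lower():
            return value
    return None


def framing_policy(headers):
    """Classify a response by whether another site can frame it.

    Returns 'blocked', 'same-origin' or 'framable'.  CSP frame-ancestors is
    consulted first because browsers give it precedence over X-Frame-Options.
    """
    csp = _header(headers, "Content-Security-Policy")
    if csp:
        for directive in csp.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                sources = [p.lower() for p in parts[1:]]
                if sources == ["'none'"]:
                    return "blocked"
                if sources == ["'self'"]:
                    return "same-origin"
                return "framable"  # some other origin is explicitly allowed to frame us
    xfo = _header(headers, "X-Frame-Options")
    if xfo:
        value = xfo.strip().lower()
        if value == "deny":
            return "blocked"
        if value == "sameorigin":
            return "same-origin"
    # No header at all, or a value browsers ignore (e.g. the obsolete ALLOW-FROM form).
    return "framable"


def with_anti_framing(headers):
    """Return a copy of `headers` with X-Frame-Options: DENY and a CSP
    frame-ancestors 'none' directive, merging into an existing CSP if present."""
    out = []
    csp_seen = False
    for key, value in headers:
        low = key.lower()
        if low == "x-frame-options":
            continue  # replaced by the DENY header appended below
        if low == "content-security-policy":
            csp_seen = True
            directives = [d.strip() for d in value.split(";")
                          if d.strip() and not d.strip().lower().startswith("frame-ancestors")]
            directives.append("frame-ancestors 'none'")
            value = "; ".join(directives)
        out.append((key, value))
    if not csp_seen:
        out.append(("Content-Security-Policy", "frame-ancestors 'none'"))
    out.append(("X-Frame-Options", "DENY"))
    return out


def bank_app(environ, start_response):
    """Constructed stand-in for the ABC Bank site from the article."""
    headers = with_anti_framing([("Content-Type", "text/html; charset=utf-8")])
    start_response("200 OK", headers)
    return [b"<h1>ABC Bank (constructed demo page)</h1>"]


if __name__ == "__main__":
    # Serve locally; curl -i http://127.0.0.1:8080/ shows both headers.
    with make_server("127.0.0.1", 8080, bank_app) as httpd:
        print("serving demo on http://127.0.0.1:8080/")
        httpd.serve_forever()
```

Running `framing_policy` over the headers your own site returns is a quick way to see whether it falls into the "very few web sites do this" group the researchers describe.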



BMW Fixes Bug That Would Allow Hackers To Unlock Your Car

BMW announced that it had fixed a bug that would have allowed hackers to compromise its ConnectedDrive car automation system.  The bug affected over two million BMWs, Minis and Rolls Royces, according to Mashable.

Apparently, the communications between BMW’s servers and your car were not even encrypted, so the solution was to use HTTPS to encrypt the traffic.

BMW claimed that the bug did not affect the driving, steering or braking functions of the car.  That’s great, but I am not sure that this is the bar that we should measure their security by.

ADAC, a German automotive group, discovered the bug in the middle of last year and decided not to announce the bug until BMW came up with a solution.

BMW, the article says, patted itself on the back for coming up with a fix so quickly.  Others said that HTTPS should have been there in the first place.

The good news is that BMW owners do not need to take the car into the dealer to fix the problem;  the fix will be downloaded the next time the car connects to BMW’s servers.

Given how poor BMW’s security was around the car automation function, I am not sure that BMW’s being able to load new firmware into the car over the air is a good thing.  They may want to review the security of that process as well.  I can just see a hacker downloading new firmware into my car causing the car to do who knows what.

Unfortunately, I suspect that this problem will only get worse for a long time before it gets better.



Is SSL Broken

While every single bank and ecommerce provider tells you that SSL (or HTTPS) is wonderful and fully protects you, unless they are on drugs, they don’t really believe that.  From their perspective, the risk is manageable and they would rather reimburse you if you can prove their SSL connection leaked AND cost you money than tell you that it is not very secure.

Let’s remove some of the reasons that people usually give for why HTTPS is not secure and get down to my pet peeve.  First, if you use a public WiFi hotspot, it can execute what is called a man-in-the-middle attack and have your device exchange a handshake with the hotspot instead of the real site.  Your device will never know and the hotspot will see your data in the clear.

Next, there have been many instances of hackers operating fake WiFi hotspots.  Even if the real hotspot is clean, the fake one may execute a man in the middle attack on your traffic.

Next are the bugs in the software.  This year there have been several.  One example is  Heartbleed, which affected the server side of the connection and may have compromised the private half of the SSL lock and key for millions of servers.  Many servers have fixed the problem but many did not bother to create new private keys.  Many have not fixed it.

Next is the problem of revoked certificates.  After Heartbleed was fixed, hundreds of thousands of certificates were revoked because they may have been compromised.  The CRL (certificate revocation list) infrastructure was not and is not designed to handle that.  Firefox uses OCSP, the Online Certificate Status Protocol, but by default, it will accept a certificate if it does not get a speedy response to its request to find out if the certificate is valid.  Some browsers just ignore the CRL question entirely.

Which leads us to my pet peeve.

I looked inside Firefox on my Windows PC today and found HUNDREDS of certificate authorities loaded into the browser.  The Certificate Authority or CA is the (supposedly) trusted organization which certifies that your little SSL padlock – the one that says you are you – is really you.  So who is in the list?  China Telecom.  Hong Kong Telecom. Definitely trust China!  Not!  Actually I did until I deleted their records.  Korea (I hope that would be South and not North).  Many other somewhat friendly countries.  And many that are probably from the U.S. but whom I have never heard of.  I deleted probably 50 of them off Firefox today and there are still more than a hundred active.

Chrome and Internet Explorer use a different CA list than Firefox does.  Apple has their CA list.  If you delete it from your home computer that does not delete it from your phone.  Or your tablet.  Or your laptop.  Think of all the devices that your family uses and you are probably talking well over 1,000 trusted CAs (of course there is a bunch of overlap, but that doesn’t really matter, because even if you tell your desktop you don’t trust China Telecom, you also have to separately tell your phone and your tablet and if you use Chrome and Firefox both, you have to tell each of them separately, even on the same device).

If I had my way, I would have 4 or 5 entries in there and kiss the rest goodbye.

Of course, there is not a decent user interface to manage that and I don’t know, but would not be surprised, if after Firefox does an update, China is back.   I will have to test that theory.
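The trimming the post wishes for can be done outside a browser’s settings screen for any client that reads a PEM bundle. The following Python is an added example, not code from the post or from Mozilla or any browser vendor: it parses a bundle in the style of the common `cacert.pem` files (a `# Label:` comment above each certificate is my assumption about the layout, and the certificate bodies are constructed placeholders rather than real root certificates), fingerprints each entry with SHA-256, and writes out a reduced bundle containing only an allow-list of fingerprints. A Python client could then hand that reduced bundle to `ssl.create_default_context(cadata=...)` so it trusts those few roots and nothing else.

```python
import base64
import hashlib
from dataclasses import dataclass


@dataclass
class CaEntry:
    label: str        # human-readable name taken from the "# Label:" comment
    pem: str          # the BEGIN/END CERTIFICATE block, verbatim
    fingerprint: str  # SHA-256 of the DER bytes, lowercase hex


def fingerprint_of(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as browsers display it."""
    return hashlib.sha256(der).hexdigest()


def parse_pem_bundle(bundle: str) -> list[CaEntry]:
    """Split a PEM bundle into labelled, fingerprinted entries."""
    entries = []
    label = "(unlabelled)"
    block = []
    inside = False
    for raw in bundle.splitlines():
        line = raw.strip()
        if line.startswith("# Label:"):
            label = line.split(":", 1)[1].strip().strip('"')
        elif line == "-----BEGIN CERTIFICATE-----":
            inside, block = True, [line]
        elif line == "-----END CERTIFICATE-----":
            block.append(line)
            der = base64.b64decode("".join(block[1:-1]), validate=True)
            entries.append(CaEntry(label, "\n".join(block), fingerprint_of(der)))
            inside, label = False, "(unlabelled)"
        elif inside:
            block.append(line)
    return entries


def filter_bundle(bundle: str, allowed_fingerprints: set[str]) -> str:
    """Return a new bundle containing only the roots whose fingerprint is allow-listed."""
    kept = [e for e in parse_pem_bundle(bundle) if e.fingerprint in allowed_fingerprints]
    return "".join(f'# Label: "{e.label}"\n{e.pem}\n' for e in kept)


def _constructed_block(label: str, seed: bytes) -> str:
    # Constructed stand-in: NOT a real certificate, just base64 of `seed`,
    # enough to exercise the parser and the fingerprinting.
    body = base64.b64encode(seed).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return (f'# Label: "{label}"\n-----BEGIN CERTIFICATE-----\n'
            + "\n".join(lines) + "\n-----END CERTIFICATE-----\n")


# Constructed sample bundle with three placeholder "roots".
SAMPLE_BUNDLE = "".join(_constructed_block(label, seed) for label, seed in [
    ("Example Root CA A", b"constructed DER placeholder A" * 4),
    ("Example Root CA B", b"constructed DER placeholder B" * 4),
    ("Example Telecom Root", b"constructed DER placeholder C" * 4),
])


if __name__ == "__main__":
    roots = parse_pem_bundle(SAMPLE_BUNDLE)
    print(f"{len(roots)} roots in bundle:")
    for r in roots:
        print(f"  {r.fingerprint[:16]}...  {r.label}")
    # Keep only the first root; in practice the allow-list is the handful of
    # fingerprints you have checked against the CA's published values.
    reduced = filter_bundle(SAMPLE_BUNDLE, {roots[0].fingerprint})
    print(f"{len(parse_pem_bundle(reduced))} root(s) after trimming")
    # A client would then use: ssl.create_default_context(cadata=reduced)
```

Allow-listing by fingerprint rather than by label matters because labels are free text in the bundle, while the fingerprint is bound to the certificate bytes themselves.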

Many people agree that SSL is hopelessly broken.  Here is an article from The Register on the subject.  I Googled “is SSL broken” and got 12,400,000 hits.

The bad news is that no one is working on a replacement and even if they did, it would take years to get everyone to agree to it and then we would need to figure out how to do the transition.

Which is why the merchants all cross their fingers behind their backs and say “sure;  it’s secure”.



Privacy, Security and Cyber Risk Mitigation in the Digital Age
