Tag Archives: Sanctions

News Bites for the Week Ending Nov 2, 2018

Follow on to Google+ Breach and Notification

I recently reported about Google getting in trouble for hiding a breach discovered in March.

The first thing to point out is that it is unlikely that Google broke any laws.  The current breach notifications laws in the U.S. give a company the wiggle room not to disclose a breach if they reasonably think that the risk of harm to breach victims is low.  Each state words that differently, but obviously Google figured that they could wiggle their way out of this and they did until they were outed by none other than that bastion of big business – the Wall Street Journal.

Whether the fox should be making that decision regarding henhouse security or not is a separate issue, but that is the state of breach laws currently in the U.S.  They say that is so that we don’t over tax people’s brains, but I don’t particularly believe that.

The second point is more interesting.  Google made the determination that no one would be harmed by looking at TWO WEEKS worth log data because in a very un-Google style strategy, they only kept two weeks worth of log data.  So a bug that had been around for years had to be analyzed using two weeks worth of log data.

All of this points to the challenges that all businesses have when it comes to breach notification issues, both in the U.S. and internationally.

Mikrotik Routers susceptible to Stealing Your Data

In May Mikrotik announced a bug (and a patch) that allowed an UNauthenticated user to download the password file which was not encrypted.  What kind of a problem could that cause anyway?  Of course, most users who buy a $49 plastic box at Best Buy and shove it in a corner are likely to patch it right away when Mikrotik announces on their blog that a patch is available. (hint: not).  But Mikrotik also makes enterprise routers that are also susceptible.  Hopefully at least some of those are patched.

Last month Mikrotik announced another bug where authenticated users could take over the router and run any software that they wanted, effectively eavesdropping on all inbound and outbound traffic or running a cryptomining operation on your machine.  Several hundred thousand routers have not installed the first patch and thousands have already been compromised.

The moral of the story is patch your router and especially do that if your router has a Mikrotik logo on it. (Source: The Hacker News)

Cathay Pacific Loses Info on 9.4 Million

Cathay Pacific admitted to losing control of records on 9.4 million passengers six months ago.  The good news is that the event occurred prior to the effective date of GDPR, so the fines will be much smaller.  The bad news is that they are based in Hong Kong, China, so there could be other “penalties”.

The South China Morning Post says that the Chinese government is not happy about the breach (maybe they are jealous that they didn’t do it?).

Among the data stolen was name, address, phone number, email address, nationality, travel history and passport information .

Cathay Pacific has hired Experian to provide credit monitoring services.  This may be a good choice because Experian has had so many breaches of their own that 9 million people who’s information was just stolen would be happy to give more of that information to a company that gets hacked on a regular basis (I am guessing not).

Apparently it has been trying to figure out who’s data was stolen since May (call it 100+ days).  Remember that GDPR gives you 3 days, so they are kind of on the wrong side of that number by 97+ days.

As breach notification laws become stricter and the fines get higher (If this were a California business and CCPA was already in effect, a class action asking for $750 x 9.4 million = $7 billion would already have been filed), businesses need to get  much better about their incident response programs.  You need to be able to figure who got in, when they got in, what they took and who you are going to engage very quickly.  Source: CNN ,

Russian Spy Gathered Info On Non-Profit’s Cybersecurity Defenses as a Student in the US
Accused Russian spy Maria Butina, waiting to stand trial in Virginia, is also accused of working on a project at American University where her cover was as a student.  The project examined cybersecurity defenses of organizations such as the Electronic Frontier Foundation and while there is no direct evidence that she funneled that data back to Moscow, it is highly unlikely that she was part of that project for the fun of it.  The non-profits thought the University vetted the students;  the University thought the State Department vetted them.  In the end, no one did and she now is facing trial for spying on us.  Source: The Daily Beast .

US Continues Attack on China to Stop Stealing Our Stuff

Not only are the Russians after us, as the item above points out, but so are the Chinese.  In fact, the Chinese are way more blatant about it.  In two moves to try and counteract that, the DoJ indicted almost a dozen Chinese spies for stealing aviation related secrets.  The theft went on between 2010 and 2015, so the indictment comes 8 years after the theft began.  I would think the Chinese would think that this is an OK return on investment.  Since these people will never face a trial, it is a somewhat meaningless gesture and coming 8 years after the attack started also points out that our ability to detect and stop these folks is somewhat lame.  I say that they won’t come to trial, but a Russian spy was recently lured to Belgium where he was arrested, so you never know. Source: WaPo

In a second action, the U.S. issued sanctions against Chinese semiconductor manufacturer Fujian Jinhua which prevents them from buying parts from the U.S.  While this hurts Jinhua, it also hurts U.S. companies that sell to them.  The Feds are worried that Jinhua will flood the U.S. market with cheap DRAM chips driving U.S. manufacturers out of the business and forcing DoD contractors, who already have massive supply chain security problems, to buy even more parts from China.  I am not sure that there is anything to stop China from creating a new company with the stolen technology and move on, but you have to try.  Source: Computing .


Facebooktwitterredditlinkedinmailby feather

Trump Considers Executive Order Declaring National Security Emergency

President Trump is considering signing an executive order asserting a national security emergency using the International Emergency Economic Powers Act (IEEPA).

While every president since Jimmy Carter has used the IEEPA to impose sanctions on governments that we don’t like, no president has ever used it to tell private companies who they should buy parts from and who they should do business with.

This is all based on concerns from some people on both sides of the aisle that Chinese components (and Chinese products) have the potential to present national security issues.  Trump used national security as the reason to impose tariffs on imported steel and aluminum.  While that argument has drawn a lot of critics, it seems likely that IF the president decides to try and force businesses to stop buying parts and products and stop foreign investment in U.S. businesses, there may be less complaints.

Except, that is, for companies that have to shut down, lay off workers and go out of business because the only source for the components that they use to make their products has been banned or the money that they need to keep operating is no longer available.

That is the challenge that the president has to sort out.

Very few chips that are the guts of everything from dishwashers to computers are made in the United States.  Many are made in China, but others are made in Japan, Korea and a small number of other countries.

In general, there is very little overlap.  A chip that is made in China is likely not made elsewhere, so for companies building products that use those chips, they will have stop building and selling those products and also, possibly more importantly, possibly stop fixing ones that people have already bought.  They likely could re-engineer those products, source new and different parts, rework the assembly lines and then restart production.  For large companies, that is possible.  Smaller companies will just go bankrupt and layoff all of their employees.  Since most American companies are small businesses, it could, possibly, have significant impact on the U.S. workforce, depending.

It is also not clear whether this is like the tariffs in the sense that products that are made outside the U.S. would be banned because they contain Chinese parts.  None of this has been sorted out yet, but it is likely that if that happens, those countries would retaliate and ban U.S. products.  That would turn the U.S. into an island.

The whole thing is a bit of a mess.

The government also considered using this same law to implement restrictions on foreign investment in the United States, but instead used a different law, CFIUS, to achieve the same goals.  In both cases, the result is that U.S. businesses that want to expand and create more jobs won’t be able to do that – at least not with certain foreign investments.  This EO could further restrict foreign investment in the U.S. above and beyond what is possible with CFIUS.

Interestingly, two companies that the EO would target are Huawei and ZTE, both of whom are the subject of major Department of Commerce sanctions right now. Trump has been trying to negotiate a deal where ZTE pays the U.S. a lot of money and would then be no longer considered a national security threat.  You can’t have it both ways.  Either they are or they are not.  To be continued.

This is at the same time that Facebook admitted to sharing information on users with 52 companies, including Chinese companies like Huawei, Lenovo, Alibaba and Qualcom.  One assumes that in Facebook’s case, it was a matter of money – probably not direct cash, although it may have included some of that, but rather to lock those vendors into the Facebook Kool-Aid in one way or another.

In light of admitting to doing this, likely illegally since they did not get user’s permission to share the data, Facebook now says that they have ended 38 of those relationships and will end the rest of them soon.

Facebook says that it forgot to mention these data sharing relationships because they had shifted to sharing data using a different method – the way they shared data with Cambridge Analytica.  I am not sure that is any better, but who knows.

All in all, there are some real issues here, but also, given the global economy, it is not clear that there is an easy answer.  We have already seen that some of the countries that we have hit with tariffs on Steel and Aluminum have imposed their own tariffs, and all that has not played out yet.

Information for this post came from The Washington Post and The Hill.




Facebooktwitterredditlinkedinmailby feather