Internet, Information Technology & e-Discovery Blog

Social changes brought about by the Internet & Technology

7 Flavors of CyberCrimeware as a Service (CaaS) includes Ransomware as a Service (RaaS)!

Posted in Cyber, eCommerce

Darkreading reported that inexpensive CaaS offerings include malware: “botnets, phishing and backdoors are all offered on the cheap as subscription. These days even crime is in the cloud.” The June 13, 2017 Darkreading report, entitled “The Rising Tide of Crimeware-as-a-Service”, included these comments about RaaS:

The incipient rise of ransomware has occurred in lockstep with the increasing occurrence of ransomware-as-a-service. One of the first cropped up in 2015; Tox was remarkable for its unique business model. It was offered up on a profit-sharing basis. Its writers asked no up-front fee but did request 20% for any ransom paid by victims to its users. Tox dropped off the scene fairly early on, but it’s been followed by plenty of copycats. The profit-sharing must be lucrative for everyone involved because malware writers have significantly upped their vig. According to reports last summer, Cerber authors were charging a 40% cut in ransoms paid to users of their services.

Here are all 7 CaaS flavors:

  1. Shadow Broker Service
  2. Services Costs Meet Market Demands
  3. IoT Botnet Rental
  4. Modularized Malware Services
  5. Ransomware-as-a-service
  6. Phishing-as-a-Service
  7. Backdoor-as-a-Service

No doubt cybercriminals will continue to proliferate versions of CaaS, so watch out!

IBM Blockchain & AIG team up for “Smart Insurance”

Posted in eCommerce

Reuters reported that “AIG and IBM completed a pilot of a so-called “smart contract” multi-national policy for Standard Chartered Bank PLC which the companies said is the first of its kind using blockchain’s digital ledger technology.” The June 15, 2017 report entitled “AIG teams with IBM to use blockchain for ‘smart’ insurance policy” included this explanation:

The Standard Chartered policy uses blockchain to facilitate sharing of real-time information for a main policy written in the United Kingdom, where the bank is headquartered, and three local policies in the United States, Singapore and Kenya.

Surely we will see more Blockchain insurance as Blockchain becomes more mainstream!

GUEST BLOG: Pacemakers (Think IoT) are not Cybersecure, does that bother you?

Posted in Cyber

My Guest Blogger Eddie Block (CISSP, CIPM, CIPP/G, CISA, CEH) is a senior attorney in Gardere’s Litigation Group and a member of the Cybersecurity and Privacy Legal Services Team. He focuses on all aspects of information and cyber security, including credentialing functions, firewall and IDS deployment and monitoring, penetration testing, and related complex litigation. Eddie blogs at JurisHacker.

Eddie Block Dec 2 2016

We have to do better: Pacemaker security

Last week Billy Rios and Jonathan Butts published research on the security of pacemakers. In all they identified over 8000 vulnerabilities in third-party components within the subsystems of 4 major vendors’ physician programming and home monitoring devices.

These vulnerabilities exist primarily because vendors are able to cut development time by using commonly available libraries.  While the libraries may be considered secure when initially deployed, over time new vulnerabilities are discovered.  Unfortunately the patches for these vulnerabilities are not uniformly applied.

This is a common problem with embedded devices, internet-of-things things, and industrial control systems.  The use of public libraries makes sense to get a product to market, but many vendors don’t account for the update and patch process.

Additionally, as I’ve written about before, many vendors still use hardcoded or backdoor passwords. The researchers were able to verify hardcoded credentials in three of the four devices tested.

We have to demand better from the vendors selling critical information technology, whether it is an industrial control system or medical equipment.  Simple vulnerabilities like insecure libraries, the inability to patch, and hardcoded credentials must be addressed by vendors.
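The three failings the guest post names (insecure third-party libraries, no way to patch, and hardcoded credentials) are all things a vendor or purchaser can check mechanically before a device ships or is accepted. The following is an added example, not code from the guest post or from the pacemaker researchers: a small firmware bill-of-materials audit run over a constructed inventory. The device name, component names, advisory identifiers and configuration keys are all invented for illustration.

```python
"""Added example (not code from the guest post or from the pacemaker
researchers): a small firmware bill-of-materials audit. It flags
third-party components older than the version an advisory says is fixed,
credentials baked into the shipped configuration, and the absence of a
field update mechanism. Every device, component, advisory and config
name below is constructed for illustration."""
from dataclasses import dataclass

# Constructed inventory for a hypothetical home-monitoring unit.
DEVICE = {
    "name": "example-home-monitor",
    "update_mechanism": False,              # no way to apply patches in the field
    "components": {                         # third-party library -> shipped version
        "libtls-example": "1.0.2k",
        "parser-example": "2.5",
        "rtos-example": "4.1.0",
    },
    "config": {                             # settings baked into the firmware image
        "service_user": "admin",
        "service_password": "admin",
        "telemetry_token": "CHANGEME",
        "log_level": "info",
    },
}

# Constructed advisory feed: component name and the first fixed version.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "component": "libtls-example", "fixed_in": "1.0.2l"},
    {"id": "ADV-EXAMPLE-002", "component": "parser-example", "fixed_in": "2.5.1"},
    {"id": "ADV-EXAMPLE-003", "component": "rtos-example", "fixed_in": "4.0.9"},
]

CREDENTIAL_KEY_HINTS = ("pass", "secret", "token", "key")
WELL_KNOWN_DEFAULTS = {"admin", "password", "changeme", "default", "1234"}


@dataclass(frozen=True)
class Finding:
    kind: str      # "outdated-component", "hardcoded-credential" or "no-update-path"
    subject: str   # component name, config key, or device name
    detail: str


def parse_version(v: str) -> tuple:
    """Turn '1.0.2k'-style strings into a comparable tuple. Each dotted piece
    becomes (leading number, letter suffix), so 1.0.2k < 1.0.2l and 2.5 < 2.5.1."""
    parts = []
    for piece in v.split("."):
        i = 0
        while i < len(piece) and piece[i].isdigit():
            i += 1
        parts.append((int(piece[:i]) if i else 0, piece[i:]))
    return tuple(parts)


def is_affected(shipped: str, fixed_in: str) -> bool:
    """True when the shipped version is older than the first fixed version."""
    return parse_version(shipped) < parse_version(fixed_in)


def audit(device: dict, advisories: list) -> list:
    """Return every finding for the device; an empty list means it passed."""
    findings = []
    components = device["components"]
    for adv in advisories:
        shipped = components.get(adv["component"])
        if shipped is not None and is_affected(shipped, adv["fixed_in"]):
            findings.append(Finding(
                "outdated-component", adv["component"],
                f"ships {shipped}, {adv['id']} fixed in {adv['fixed_in']}"))
    for key, value in device["config"].items():
        # Any credential-like key with a literal value in the image is hardcoded;
        # note separately when that value is also a well-known default.
        if any(hint in key.lower() for hint in CREDENTIAL_KEY_HINTS) and value:
            note = "well-known default" if value.lower() in WELL_KNOWN_DEFAULTS else "literal value"
            findings.append(Finding(
                "hardcoded-credential", key, f"{note} baked into firmware config"))
    if not device.get("update_mechanism"):
        findings.append(Finding(
            "no-update-path", device["name"],
            "no field update mechanism, so library fixes cannot reach deployed units"))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per kind; any non-zero count is a release blocker."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(DEVICE, ADVISORIES)
    for f in results:
        print(f"[{f.kind}] {f.subject}: {f.detail}")
    print(summarize(results))
```

On the constructed data the audit reports two outdated components, two hardcoded credentials and the missing update path; the third advisory does not fire because the shipped RTOS version is already past the fix. The same three checks, fed from a real component inventory and a real advisory feed, are what a procurement or release gate for this class of device should insist on.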

No surprise about cyber risks in V2V (Vehicle to Vehicle) – Think “Driverless Cars”!

Posted in Cyber

The New York Times reported that in protecting driverless cars from cyber attacks the “primary challenge will be preventing hackers from getting into the heart of the car’s crucial computing system, called a CAN (or computer area network).” The June 7, 2017 report entitled “Electronic Setups of Driverless Cars Vulnerable to Hackers” included this proposal from the National Highway Traffic Safety Administration:

…that V2V equipment be installed in all cars in the future. But that channel, and all the equipment involved, open millions more access points for would-be attackers.

Also the New York Times made these predictions:

It will be five to 10 years — or even more — before a truly driverless car, without a steering wheel, hits the market. In the meantime, digital automobile security experts will have to solve problems that the cybersecurity industry still has not quite figured out.

Protecting V2V from cyber attacks will clearly be a challenge!

Cyber criminal’s phishing leads to 4+ years in prison for stealing airline tickets, which employee training could have avoided!

Posted in Cyber, eCommerce

Darkreading reported a 4+ year jail sentence for stealing airline tickets by using “phishing campaigns targeted customers of Travelport and Sabre, causing phishing emails to be delivered to their customers for the purpose of obtaining and stealing their unique log-in credentials.” On June 5, 2017 the Department of Justice issued a press release entitled “West African computer hacker sentenced to Federal Prison” that included these details:

Eric Donys Simeu, a/k/a Martell Collins, a citizen of Cameroon extradited from France, has been sentenced to four years, ten months in federal prison for a series of “phishing campaigns” which targeted clients of Global Distribution Systems.

Also Darkreading reported:

He then resold the tickets to mainly customers in West Africa at steeply discounted prices, or would use the tickets for his own personal travel.

Reporting about this crime should help focus on more employee training to avoid falling for phishing!

Cyber attack probably caused BA to strand 75,000 passengers, but BA claims it just lost electricity! Haha!

Posted in Cyber, eCommerce

The Independent reported that Willie Walsh (chief of British Airways’ owner International Airlines Group) broke his silence about BA’s IT failure last week that left 75,000 travelers stranded, saying “it was not an IT failure, it was a problem caused by the failure of electrical power to our IT systems.” The June 1, 2017 report was entitled “IAG chief Willie Walsh breaks silence to defend British Airways’ response to outage”. It seems silly that a company the size of BA could have a single point of failure, especially given the apparent 2016 cyber attacks against Delta and Southwest.

Keep in mind the September 23, 2016 report in Darkreading was entitled “Advisory Body Calls For Stronger Cybersecurity Measures Across Airline Industry” and cited the RTCA (Radio Technical Commission for Aeronautics founded in 1935) which included:

…recommendations is on ensuring that manufacturers, carriers, maintenance facilities and airports maintain an adequate level of cyber preparedness on a routine, day-to-day basis.

The long-term goal is on ensuring not only that systems are properly secured up front when in development but also on making sure the systems are maintained that way during operations.

What do you think? Single point of failure or cyber intrusions?

Facebook lied to the EU about privacy & will pay a $122 million fine!

Posted in eCommerce, Internet Privacy

The Washington Post reported that “Facebook was not honest about its ability to identify users who had both Facebook and WhatsApp accounts and link those accounts” during its 2014 acquisition of WhatsApp. The May 18, 2017 report entitled “Facebook will pay $122 million in fines to the E.U.” included these details:

When Facebook notified the acquisition of WhatsApp in 2014, it informed the Commission that it would be unable to establish reliable automated matching between Facebook users’ accounts and WhatsApp users’ accounts…

However, in August 2016, WhatsApp announced updates to its terms of service and privacy policy, including the possibility of linking WhatsApp users’ phone numbers with Facebook users’ identities.

Moreover, regulators said, Facebook staff knew that matching accounts was technically possible at the time of the review…

What do you think about Facebook’s confession of privacy dishonesty to the EU?

Cyber breach costs Target more than $220 million!

Posted in Cyber, eCommerce

The New York Times reported that “Target will pay $18.5 million to 47 states and the District of Columbia as part of a settlement with state attorneys general over a huge security breach that compromised the data of millions of customers.” The May 23, 2017 report entitled “Target to Pay $18.5 Million to 47 States in Security Breach Settlement” notes that “Target has spent $202 million on legal fees and other costs since the breach” and that:

As part of the settlement, Target agreed to tighten its digital security, including maintaining software and encryption programs to safeguard people’s personal information.

The retailer will have to separate its cardholder data from the rest of its computer network and pay for an independent assessment of its security measures, according to Tuesday’s announcement.

On Dec. 19, 2013, during the biggest shopping season of the year, Target confirmed that credit and debit card information about 40 million customers had been stolen.

Several weeks later, the company said that other information for 70 million people, including email and mailing addresses, had also been exposed.

However I’m not sure that the consequences of the 2013 cyber intrusion are completely over for Target. What do you think?

Does Apple Pay infringe any patents?

Posted in eCommerce

The New York Times reported that Universal Secure Registry filed a lawsuit against Apple and Visa alleging that “Apple Pay digital payment technology violates its patents.” The May 21, 2017 article in the New York Times was entitled “Apple Pay Violates Patents Held by Security Technology Inventor, Lawsuit Alleges” and reported that Universal Secure Registry entered into a 10-year non-disclosure agreement with Visa in 2010 to share its payment technology; however, this never led to a license. Ultimately Visa went to Apple in 2014 to develop Apple Pay, which was also released in 2014. The report pointed out that Universal Secure Registry’s lawyers, Quinn Emanuel:

…represented Samsung Electronics in some of its long-running patent litigation with Apple over software in its Android-based smartphones

…and Universal Secure Registry chief executive, Kenneth P. Weiss hopes to reach a license with Apple and Visa.

Stay tuned to see how this plays out for Apple Pay!

Get Ready for Artificial Intelligence (AI) in the middle of Blockchain!

Posted in eCommerce

The eCommerceTimes column described how combining “AI with blockchain allows for the secure, transparent review of data that is changed or moved over time, giving both the buyer and seller confidence in the validity, title and transfer of that bridge in Brooklyn.” The May 18, 2017 column, written by my Gardere colleagues Eric Levy and Eddie Block and me, is entitled “Intertwining Artificial Intelligence With Blockchain”. It describes Blockchain and includes a 1955 definition of AI from James McCarthy of Dartmouth College and a team of researchers:

…the conjecture that every aspect of learning or any other feature of intelligence can in principle be so precisely described that a machine can be made to simulate it. An attempt will be made to find how to make machines use language, form abstractions and concepts, solve kinds of problems now reserved for humans, and improve themselves.

Let us know what you think about our column.