Internet, Information Technology & e-Discovery Blog

Social changes brought about by the Internet & Technology

3 IoT (Internet of Things) Cyber Threats to Privacy in Your Home That Might Surprise You

Posted in eCommerce, Internet Privacy

Most people freely attach devices to the Internet throughout their home without contemplating any privacy risk, but a recent home inspection of “network-attached storages (NAS), Smart TVs, router, Blu-ray player” by Kaspersky Lab security analyst David Jacoby proved otherwise.  As a result of this inspection a report was issued entitled “Hacking a Living Room: Kaspersky Lab Finds Multiple Vulnerabilities in Popular Connected Home Entertainment Devices” which included these three vulnerabilities:

1. Remote code execution and weak passwords: The most severe vulnerabilities were found in the network-attached storages. Several of them would allow an attacker to remotely execute system commands with the highest administrative privileges. The tested devices also had weak default passwords, lots of configuration files had the wrong permissions and they also contained passwords in plain text. In particular, the default administrator password for one of the devices contained just one digit. Another device even shared the entire configuration file with encrypted passwords to everyone on the network.

2. Man-in-the-Middle via Smart TV: While investigating the security level of his own Smart TV, the Kaspersky researcher discovered that no encryption is used in communication between the TV and the TV vendor’s servers. That potentially opens the way for Man-in-the-Middle attacks that could result in the user transferring money to fraudsters while trying to buy content via the TV. As a proof of concept, the researcher was able to replace an icon of the Smart TV graphic interface with a picture. Normally the widgets and thumbnails are downloaded from the TV vendor’s servers and due to the lack of encrypted connection the information could be modified by a third party. The researcher also discovered that the Smart TV is able to execute Java code that, in combination with the ability to intercept the exchange of traffic between the TV and Internet, could result in exploit-driven malicious attacks.      

3. Hidden spying functions of a router: The DSL router used to provide wireless Internet access for all other home devices contained several dangerous features hidden from its owner. According to the researcher, some of these hidden functions could potentially provide the ISP (Internet Service Provider) remote access to any device in a private network. What’s more important is that, according to the results of the research, sections of the router web interface called “Web Cameras”, “Telephony Expert Configure”, “Access Control”, “WAN-Sensing” and “Update” are “invisible” and not adjustable for the owner of the device. They could only be accessed via exploitation of a rather generic vulnerability making it possible to travel between sections of the interface (which are basically web pages, each with its own alphanumeric address) by brute forcing the numbers at the end of the address.
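The first two findings above (configuration files with the wrong permissions and plain-text passwords, a one-digit administrator password, and a vendor connection made without encryption) are the kind of thing an owner or administrator can check for before a device goes on the home network. The following script is an added example written for this post, not code from Kaspersky Lab or from any device vendor: it audits a directory of configuration files for world-readable files, credential values stored in plain text, very short passwords, and vendor endpoints configured over plain http. The `key = value` file format, the key names, the `.example.invalid` hostnames and the 8-character length threshold are assumptions made for the illustration; real device firmware stores its settings differently, so the patterns would need adjusting for a specific NAS or TV.

```python
"""Added example: audit device configuration files for the weaknesses the
Kaspersky report lists. The config format, key names, hostnames and the
8-character threshold are assumptions for illustration only."""
import re
import stat
import tempfile
from pathlib import Path

# Any key containing pass/pwd/secret is treated as a credential setting.
CREDENTIAL_LINE = re.compile(
    r"^\s*(?P<key>[a-z_]*(pass(word)?|pwd|secret)[a-z_]*)\s*=\s*(?P<value>.*)$",
    re.IGNORECASE,
)
# Values with a crypt-style ($1$, $2y$, $5$, $6$) or LDAP-style ({SHA}, {SSHA},
# {PBKDF2}) prefix are hashed, so they are not reported as plain text.
HASHED_VALUE = re.compile(r"^(\$(1|2[aby]|5|6)\$|\{(SHA|SSHA|PBKDF2)\})", re.IGNORECASE)
URL = re.compile(r"https?://[^\s\"']+")
MIN_PASSWORD_LEN = 8  # assumed policy threshold, not a value from the report


def audit_file(path: Path) -> list:
    """Return human-readable findings for one configuration file."""
    findings = []
    mode = path.stat().st_mode
    # Finding 1 from the report: configuration files with the wrong permissions.
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append(f"{path.name}: readable or writable by everyone (mode {oct(mode & 0o777)})")
    for lineno, line in enumerate(path.read_text().splitlines(), start=1):
        m = CREDENTIAL_LINE.match(line)
        if m:
            value = m.group("value").strip().strip("\"'")
            if not HASHED_VALUE.match(value):
                # Plain-text password, and possibly a trivially short one.
                findings.append(f"{path.name}:{lineno}: {m.group('key')} stored in plain text")
                if len(value) < MIN_PASSWORD_LEN:
                    findings.append(f"{path.name}:{lineno}: {m.group('key')} is only {len(value)} character(s)")
        # Finding 2 from the report: vendor servers reached without encryption.
        for url in URL.findall(line):
            if url.lower().startswith("http://"):
                findings.append(f"{path.name}:{lineno}: unencrypted vendor endpoint {url}")
    return findings


def audit_dir(root) -> dict:
    """Audit every regular file under root; files with no findings are omitted."""
    results = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            findings = audit_file(path)
            if findings:
                results[path.name] = findings
    return results


def build_sample_configs() -> str:
    """Constructed sample files mirroring the report's findings; returns the directory."""
    root = tempfile.mkdtemp(prefix="iot-audit-")
    # Weak NAS config: world-readable, one-digit plain-text admin password, http updates.
    nas = Path(root, "nas.conf")
    nas.write_text("admin_user = admin\nadmin_password = 1\n"
                   "update_server = http://updates.example.invalid/nas\n")
    nas.chmod(0o644)
    # Hardened TV config: owner-only, hashed credential, https endpoint.
    tv = Path(root, "tv.conf")
    tv.write_text("widget_server = https://widgets.example.invalid/\n"
                  "password_hash = $6$rounds=5000$saltsalt$hashhashhash\n")
    tv.chmod(0o600)
    return root


if __name__ == "__main__":
    for name, findings in audit_dir(build_sample_configs()).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run against the constructed samples, the script reports four findings for `nas.conf` (permissions, plain-text password, one-character password, unencrypted update server) and nothing for `tv.conf`; pointing `audit_dir` at a directory of exported device settings gives the same kind of report for a real home.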

What IoT cyber risks do you have in your home?  If you do not know, you probably have a problem!

John Doe Can Remain Anonymous and Not Be Deposed in Pre-Litigation Discovery

Posted in Anonymous Internet Activity, eCommerce, Internet Privacy

Since the plaintiff did not file a lawsuit against John Doe, the Texas trial court had no jurisdiction to allow the plaintiff to take the deposition of “Trooper,” an anonymous blogger who launched an online attack on the CEO of a company who lives in Houston. In the case of In Re John Doe a/k/a “Trooper,” on August 29, 2014 the Texas Supreme Court ruled 5-4 that pre-litigation discovery seeking John Doe’s identity is unacceptable in Texas, and that discovery to learn the identity of John Doe can only proceed if a lawsuit is filed.

The Supreme Court said that “Rule 202 of the Texas Rules of Civil Procedure allows ‘a proper court’ to authorize a deposition to investigate a potential claim before suit is filed”; however, the court must have “personal jurisdiction over the potential defendant, or if not, the rule violates due process guaranteed by the Fourteenth Amendment.”

The Trooper’s blogs were critical of Houston resident Robert T. Brockman, CEO of Reynolds & Reynolds Co. “a privately held company, headquartered in Ohio with offices in Texas and elsewhere, that develops and markets software for use by auto dealerships.”

The Court recited these facts in the case:

To discover Trooper’s identity Brockman and Reynolds (whom we refer to collectively as Reynolds) filed a Rule 202 petition in the district court in Harris County, seeking to depose Google, Inc., which hosts the blog. The petition requests that Google disclose the name, address, and telephone number of the owner of the blog website and the email address shown on the site. The petition states that Reynolds “anticipate[s] the institution of a suit” against the Trooper.

Reynolds says it will sue for libel and business disparagement, and, if the Trooper is a Reynolds employee, for breach of fiduciary duty. With the court’s permission, Reynolds gave the Trooper the notice of the petition required by Rule 202 by sending it to the blog email address.

Google does not oppose Reynolds’ petition, but the Trooper does, appearing through counsel as John Doe, without revealing his identity. The Trooper filed a special appearance, asserting that his only contact with Texas is that his blog can be read on the Internet here. He argues that because he does not have minimal contacts with Texas sufficient for a court in this State to exercise personal jurisdiction over him, there is no “proper court” under Rule 202 to order a deposition to investigate a suit in which he may be a defendant. The Trooper also moved to quash the discovery on the ground that he has a First Amendment right to speak anonymously.

Since a lawsuit had not been filed against John Doe, John Doe could not make a Special Appearance under Rule 120a to contest jurisdiction.

9 Common Reasons Cloud Systems Crash to Remember When Negotiating Cloud Contracts

Posted in eCommerce, IT Industry

My 2011 eCommerce Times column “Cloud Computing – New Buzzword, Old Legal Issues” reminded many folks that “the technology concept behind cloud computing has been around for more than 50 years, and the legal issues are equally old.”  Obviously the reasons Cloud systems crash are equally old news, so it would be wise to negotiate Cloud contracts with these 9 common reasons, taken from eWeek’s report of August 13, 2014, in mind:

  1. Human Error.  This is by far the No. 1 cause for cloud downtime. Even with perfect applications, cloud environments are only as good as the people who manage them. This means ongoing maintenance, tweaking and updating must be worked into standard operational procedures. One bad maintenance script can—and will—bring down mission-critical applications. 
  2. Application Bugs. While the cloud does introduce a new level of complexity, application failure still trumps cloud provider issues as a leading cause for downtime. More often than not, such failures are unrelated to the cloud infrastructure running your applications. Traditional IT practices still apply, except that you are continuously developing, testing and deploying your application in the cloud.
  3. Cloud Provider Downtime. Cloud failures are routine. Whether it’s an instance, an availability zone or an entire region, applications should plan for these failures. This means routinely checking performance and spinning up new instances to replace terminated machines. Amazon Web Services, for one example, enables users to spread and load-balance an application across several availability zones so that when one does fail, the application does not suffer.
  4. Quality of Service. As far as consumers are concerned, streaming videos that freeze up mean your cloud is not working. They don’t really care (or even know) that the application is technically speaking still running. That means accommodating for network latency, fluctuating demand and shifting customer requirements.
  5. Extreme Spikes in Customer Demand. This is actually a great example of cloud superiority. If customer demand exceeds capacity, there’s not much you can do with an on-premise IT infrastructure. In a public cloud environment, you can respond to fluctuations in customer demand by automatically scaling capacity during peaks and backing down when demand levels off.
  6. Security Breaches.  Security is often raised as a red flag when it comes to hosting critical applications in the public cloud. Much like on-premise environments, it’s up to you to comply with regulatory and security concerns. However, the cloud does make it easier to check off a list of security requirements, since cloud providers have addressed these concerns repeatedly with hundreds of enterprise customers.
  7. Third-Party Service Failures.  The whole is greater than the sum of its parts, but all it takes to bring your cloud down is one third-party app that isn’t working. This could happen to any type of infrastructure application (sustaining, garbage collecting, security and so on) in yours or another supplier’s data center. It’s up to you to continuously monitor these applications as well and have a contingency plan in place for a rainy day.
  8. Storage Failures.  In a recent disaster recovery survey, storage failure was listed as a top risk to system availability. The cloud still depends on physical storage, which routinely fails. Much like overall service availability and quality, storage issues can lead to serious performance issues. This means planning for these failures by setting up dedicated cloud storage applications that maintain data resiliency and meet data retrieval requirements.
  9. Lack of Cloud Disaster Recovery Procedures.  Although disaster recovery has been a common practice for decades in physical data centers, cloud DR only recently has come under scrutiny. Few realize that it’s the customers who are solely responsible for application availability. Cloud providers can help you develop failover and recovery procedures, but it’s up to you to integrate them into your applications.

Look at your Cloud contracts and make sure you are properly protected to avoid these Cloud disasters.

$19 Million Settlement for Droid App Charges between Google and FTC

Posted in eCommerce

Unsuspecting children downloaded apps from the Google Play store with “unlimited in-app charges without Google requiring entry of a password or other account holder involvement to obtain the account holder’s consent before the charges were incurred,” according to FTC (Federal Trade Commission) Chair Edith Ramirez.  On September 4, 2014 the FTC announced its settlement with Google:

Google Inc. has agreed to settle a Federal Trade Commission complaint alleging that it unfairly billed consumers for millions of dollars in unauthorized charges incurred by children using mobile apps downloaded from the Google Play app store for use on Android mobile devices.

Under the terms of the settlement, Google will provide full refunds – with a minimum payment of $19 million – to consumers who were charged for kids’ purchases without authorization of the account holder.

Google has also agreed to modify its billing practices to ensure that it obtains express, informed consent from consumers before charging them for items sold in mobile apps.

Google is not the only app store violator: on January 15, 2014 Apple agreed to refund $32.5 million for similar charges “incurred by children in kids’ mobile apps without their parents’ consent,” and on July 10, 2014 the FTC filed suit against Amazon for similar claims for sales to children at the Amazon App Store for the Kindle and Droid.

5 Reasons to Read “Big Data Analytics for Dummies”

Posted in eCommerce, IT Industry

Wikipedia describes “Big Data” as a broad term “for any collection of data sets so large and complex that it becomes difficult to process using on-hand data management tools or traditional data processing applications.”  Forbes identified these “5 Things Managers Should Know About The Big Data Economy” which are great reasons to read IBM’s Dummies book:

1. We Now Create Knowledge Without Expertise
2. We Can Attain “Scale Without Mass”
3. Data Is The New Capital
4. Privacy Will Become A Brand Value
5. The Semantic Economy

“Big Data” analytics can be critical for competitive advantages and are considered by many businesses to be “one of the world’s most valuable resources” as explained in the IBM Limited Edition of “Big Data Analytics Infrastructure for Dummies” published in 2014 which includes a description of 3 V’s of Big Data and Analytics (BD&A):

Volume.  The first attribute of Big Data is volume. Big Data projects tend to imply terabytes to petabytes of information. However, some smaller industries and organizations are likely to deal with mere gigabytes or terabytes of data.

Velocity.  The second attribute of Big Data is velocity — the speed at which information arrives, is analyzed, and is delivered. The velocity of data moving through the systems of an organization varies from batch integration and loading of data at predetermined intervals to real-time streaming of data. The former can be seen in traditional data warehousing. The latter is in the world of technologies such as complex event processing (CEP), rules engines, text analytics, inferencing, and machine learning.

Variety. The third attribute of Big Data is variety. In the past, enterprises had only to deal with a manageable number of data sources. Times have changed. Today’s business environment includes not only more data but also more types of data than ever before. Disparate data is data from a variety of data sources and in a variety of formats, and is a major challenge that business analytics and Big Data projects must contend with.

As Big Data expands it will impact every business, so everyone needs to understand Big Data.

VIDEO: Cyberethics in the Work Place

Posted in eCommerce, Internet Privacy, IT Industry

Wikipedia describes cyberethics as “the philosophic study of ethics pertaining to computers, encompassing user behavior and what computers are programmed to do, and how this affects individuals and society.”  To learn more about cyberethics in business, please watch my recent video entitled “CyberEthics: A Growing Business Challenge.” The video interview by Financial Management Network (& parent SmartPros Ltd.) is part of a series of educational videos provided for accounting, finance, and IT professionals.

Cyberethics are very old news, as the “Ten Commandments of CyberEthics” were created in 1992 by the Computer Ethics Institute (according to Wikipedia):

  1. Thou shalt not use a computer to harm other people.
  2. Thou shalt not interfere with other people’s computer work.
  3. Thou shalt not snoop around in other people’s computer files.
  4. Thou shalt not use a computer to steal.
  5. Thou shalt not use a computer to bear false witness.
  6. Thou shalt not copy or use proprietary software for which you have not paid.
  7. Thou shalt not use other people’s computer resources without authorization or proper compensation.
  8. Thou shalt not appropriate other people’s intellectual output.
  9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
  10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.

Updated for the Internet era, Wikipedia lists these examples of cyberethical questions:

  • Is it OK to display personal information about others on the Internet (such as their online status or their present location via GPS)?
  • Should users be protected from false information?
  • Who owns digital data (such as music, movies, books, web pages, etc.) and what should users be allowed to do with it?
  • How much access should there be to gambling and pornography online?
  • Is access to the Internet a basic right that everyone should have?

No doubt Cyberethics will continue to be a challenge for all businesses.

“BYOD Bill of Rights” May Help Concerns about Privacy

Posted in eCommerce, Internet Privacy

A recent survey about BYOD (“Bring Your Own Device”) found that “78% of employees use their own mobile devices for work” and that “the use of personal technology to access corporate data can be solved by better communication between both parties regarding security, data and privacy concerns.”  On July 10, 2014 Webroot issued its BYOD Security Report entitled “Fixing the Disconnect Between Employer and Employee for BYOD (Bring Your Own Device)” which included these key findings:

  • Although 98% of employers have a security policy in place for mobile access to corporate data, 21% allow employee access with no security at all.
  • Over 60% of IT managers surveyed reported the use of personal devices by their employees and 58% indicated they were ‘very’ or ‘extremely’ concerned about the security risk from this practice.
  • Most employee devices are lacking real security with only 19% installing a full security app and 64% of employees limited to using only the security features that came with their devices.
  • Over 60% of employers indicated they seek employee input on mobile device security policies, but over 60% also said employee preference has little or no influence on mobile security decisions.
  • Top concerns from employees regarding a company-mandated security app include employer access to personal data, personal data being wiped by an employer, and employers tracking the location of the device. Other concerns included impact on device performance and battery consumption.
  • 46% of employees using personal devices said they would stop using their devices for business purposes if their employer mandated installation of a specific security app.

Webroot proposed this BYOD Bill of Rights, under which employees have the right to:

  1. Privacy over their personal information
  2. Be included in decisions that impact their personal device and data
  3. Choose whether or not to use their personal device for work
  4. Stop using their personal device for work at any time
  5. Back up their personal data in the case of a remote wipe
  6. Operate a device that is unencumbered by security that significantly degrades speed and battery life
  7. Be informed about any device infections, remediation, or other activity that might affect their device’s performance or privacy
  8. Download safe apps on their personal device

BYOD privacy issues continue to make headline news, and are likely to keep doing so given the increasing use of BYOD by employees.

“How to Stop Malware” – Strategies and Tools of Cyber Criminals

Posted in eCommerce

Dell’s “Anatomy of a cyber-attack” focuses on malware because malware “comes in various forms, some more nefarious than others, ranging from annoying sales pitches to potentially business-devastating assaults.”  This “how to” report from Dell makes the point that you “need to understand the enemy before you can defeat them” and includes these Attack Steps:

Attack step 1: Reconnaissance and enumeration – Cyber-criminals will do anything to find and exploit your weaknesses.

Attack step 2: Intrusion and advanced attacks – A stealthy intruder can access every facet of your network systems.

Attack step 3: Malware insertion – Hidden malware gives your attacker the keys to your network.

Malware type 1: Nuisance malware – Nuisance adware can render a system inoperable if not removed properly.

Malware type 2: Controlling malware – Hidden malware gives your attacker the keys to your network.

Malware type 3: Destructive malware – Viruses and worms can devastate your network—and your business.

Attack step 4: Clean-up – A skilled criminal can compromise your network without you ever knowing.

Cybercrime is daily front-page news, and although there is no single solution, Dell’s point is that it has a product to help, Dell™ SonicWALL™, which “offers a comprehensive line of defenses against all forms of cyber attack and malware.”

BYOD Ruling Requires Employers to Reimburse for Work-Related Calls

Posted in eCommerce

How will BYOD devices other than cell phones be affected by a California court ruling that “when employees must use their personal cell phones for work-related calls, Labor Code section 2802 requires the employer to reimburse them”?  On August 12, 2014 in the case of Colin Cochran vs. Schwan’s Home Service, Inc. the California Court of Appeals reversed the Superior Court of Los Angeles County.

The Order explained that the purpose of the California statute was “‘to prevent employers from passing their operating expenses on to their employees.’” Specifically:

Pursuant to section 2802, subdivision (a), “[a]n employer shall indemnify his or her employee for all necessary expenditures or losses incurred by the employee in direct consequence of the discharge of his or her duties, or of his or her obedience to the directions of the employer[.]”

The threshold question in the case was:

Does an employer always have to reimburse an employee for the reasonable expense of the mandatory use of a personal cell phone, or is the reimbursement obligation limited to the situation in which the employee incurred an extra expense that he or she would not have otherwise incurred absent the job?

The Answer from the Court was “that reimbursement is always required. Otherwise, the employer would receive a windfall because it would be passing its operating expenses onto the employee.” The Court ruled:

Thus, to be in compliance with section 2802, the employer must pay some reasonable percentage of the employee’s cell phone bill. Because of the differences in cell phone plans and work-related scenarios, the calculation of reimbursement must be left to the trial court and parties in each particular case.

Time will tell how BYOD tablets, laptops, and home computers are impacted by courts that follow the ruling in this case.

8 Issues of Cyber Insecurity which Lead to Cybercrime

Posted in eCommerce, IT Industry

A recent report concluded that the “cybersecurity programs of US organizations do not rival the persistence, tactical skills, and technological prowess of their potential cyber adversaries. Today, common criminals, organized crime rings, and nation-states leverage sophisticated techniques to launch attacks that are highly targeted and very difficult to detect. Particularly worrisome are attacks by tremendously skilled threat actors that attempt to steal highly sensitive—and often very valuable—intellectual property, private communications, and other strategic assets and information.”  The June 2014 report, entitled “US cybercrime: Rising risks, reduced readiness – Key findings from the 2014 US State of Cybercrime Survey,” was based on a survey of 500 executives from US businesses, law enforcement services, and government agencies.  It was issued by PricewaterhouseCoopers and co-sponsored by The CERT® Division of the Software Engineering Institute at Carnegie Mellon University, CSO magazine, and the United States Secret Service.

The “8 cybersecurity issues that should concern you” in the report were as follows:

1. Spending with a misaligned strategy isn’t smart. Strategy should be linked to business objectives, with allocation of resources tied to risks.
  • 38% prioritize security investments based on risk and impact to business
  • 17% classify the business value of data

2. Business partners fly under the security radar.  Recent contractor data leaks and payment card heists have proved that adversaries can and will infiltrate systems via third parties, but most organizations do not address third-party security.
  • 44% have a process for evaluating third parties before launch of business operations
  • 31% include security provisions in contracts with external vendors and suppliers

3. A missing link in the supply chain.  Flow of data to supply chain partners continues to surge, yet they are not required to comply with privacy and security policies.
  • 27% conduct incident-response planning with supply chain partners
  • 8% have supply chain risk-management capability

4. Slow moves in mobile security.  Mobile technologies and risks are proliferating but security efforts are not keeping up.
  • 31% have a mobile security strategy
  • 38% encrypt devices
  • 36% employ mobile device management

5. Failing to assess for threats is risky business.  Organizations typically include cyber risks in enterprise risk-management programs but do not regularly assess threats.
  • 47% perform periodic risk assessments
  • 24% have an objective third party assess their security program

6. It takes a team to beat a crook.  External collaboration is critical to understanding today’s threats and improving cybersecurity but most don’t work with others.
  • 25% participate in Information Sharing and Analysis Centers (ISACs)
  • 15% work with public law enforcement agencies

7. Got suspicious employee behavior?  Cybersecurity incidents carried out by employees have serious impact, yet are not addressed with the same rigor as external threats like hackers.
  • 49% have a formal plan for responding to insider events
  • 75% handle insider incidents internally without involving legal action or law enforcement

8. Untrained employees drain revenue.  Employee vulnerabilities are well known, but businesses do not train workers in good cybersecurity hygiene.
  • 20% train on-site first responders to handle potential evidence
  • 76% less is spent on security events when employees are trained, yet 54% do not provide security training for new hires.

Notwithstanding reports of this sort, cybercrime continues to dominate the news, and likely will continue indefinitely.