Internet, Information Technology & e-Discovery Blog

Social changes brought about by the Internet & Technology

GUEST BLOG: Are you surprised to hear that Equifax’s security chief doesn’t have a degree in technology, rather majored in music?

Posted in Cyber, IT Industry

My Guest Blogger Eddie Block (CISSP, CIPM, CIPP/G, CISA, CEH) is a senior attorney in Gardere’s Litigation Group and a member of the Cybersecurity and Privacy Legal Services Team. He focuses on all aspects of information and cyber security, including credentialing functions, firewall and IDS deployment and monitoring, penetration testing, and related complex litigation. Eddie blogs at JurisHacker.

What qualifies a CISO?

Since the Equifax breach a screenshot of the CSO’s music degrees has been floating around the Internet.

As a Classical Civilizations undergrad, I take issue with the implications. During college I built networks and databases and worked on systems of all types. I also spent my summers on archaeological sites in Israel.

After graduating from college, I worked helpdesk support, moved into system administration, and started securing systems and networks. I eventually became a full-time pentester. Midcareer, I dropped out of InfoSec and went to law school.

After law school I went back into security doing product security, working with DoD networks, and securing a $20 billion enterprise. I eventually served as the Chief Information Security Officer for the State of Texas.

So I was the CISO for a state of 28 million people with degrees in Classical Civilizations and Law. Does that make me unqualified for my job? Should I have stuck with my life in archaeology?

I know a loooottttttt of people in InfoSec with no or unrelated degrees. In fact, there was almost no university offering a security degree when I or my friends were in college.

What makes a security person? Curiosity. Grab all the degrees and certifications you want; without a natural curiosity about how things work (and, more importantly, break) you won’t make it in InfoSec. Making things work in unintended ways is the fundamental tenet of security. The most important word in InfoSec is “Huh?”

So was Ms. Mauldin qualified to lead Equifax’s security program? I don’t know, but I won’t make that judgment based on her degrees.

Oops! Malware distributed with antivirus software to more than 2.27 million users!

Posted in Cyber

My good friend Kevin Campbell (SVP/CIO at Hunt Consolidated, Inc.) shared this bad news: “Antivirus firm Avast has admitted inadvertently distributing a trojanised version of CCleaner, a popular PC tune-up tool, for nearly a month, infecting an estimated 2.27 million users.” The news was reported by The Register on September 18, 2017 in an article entitled “Downloaded CCleaner lately? Oo, awks… it was stuffed with malware,” which included this observation:

The attack is particularly dangerous because it exploits the trust consumers have with their software suppliers, a vector that has been seen before.

Thanks to Kevin for sharing this terrible news!

GUEST BLOG: Neither Rain, nor Sleet, nor Dark of Night Shall Stay the Application of HIPAA Regulations…

Posted in Cyber, Internet Privacy

My Guest Blogger Eric Levy is a senior attorney in Gardere’s Trial Practice Group who focuses on HIPAA, PHI, cyber security, PCI compliance, PII, eCommerce, and related complex contract negotiations and litigation. Eric holds the Certified Information Privacy Professional (CIPP/US) designation from the International Association of Privacy Professionals (“IAPP”).

It is beyond dispute that Hurricanes Harvey and Irma caused catastrophic levels of property damage to individuals and businesses in Texas, Florida and the rest of the Gulf Coast. In the midst of this devastation, however, the Office of Civil Rights (OCR) recently made a point to identify a particular type of property that cannot, under any circumstances, be permitted to be damaged by natural disaster: electronic protected health information (e-PHI).

Per OCR, the HIPAA Security Rule is not suspended at all during a national or public health emergency. Covered entities and business associates are required, under the Security Rule, to protect against any reasonably anticipated threats or hazards to the security or integrity of e-PHI that they create, receive, maintain or transmit. Other provisions of the Security Rule require covered entities to implement security measures that specifically contemplate emergency conditions. For example, covered entities and potentially business associates must have contingency plans, including disaster recovery and emergency mode operation plans, which establish policies and procedures for responding to an emergency or other occurrence (fire, system failure and natural disaster) that damages systems that contain e-PHI. In other words, companies that obtain, store and/or use e-PHI must take steps to ensure that all such e-PHI is accessible before, during and after an emergency, including backing up the data to the cloud or another secure location (one that will not be impacted by the emergency afflicting the covered entity).

Parts of the HIPAA Privacy Rule may be waived during a national or public health emergency. If the President declares an emergency or disaster and the HHS Secretary declares a public health emergency, the Secretary may waive sanctions and penalties against a covered hospital that does not comply with certain provisions of the HIPAA Privacy Rule, including the requirement to distribute a notice of privacy practices and the patient’s right to request privacy restrictions or confidential communications. If the Secretary issues such a waiver, it only applies: (1) in the emergency area and for the emergency period identified in the public health emergency declaration, and (2) to hospitals that have instituted a disaster protocol for up to 72 hours from the time the hospital implements that protocol. Regardless of the activation of an emergency waiver, the HIPAA Privacy Rule permits disclosures for treatment purposes and certain disclosures to disaster relief organizations. For instance, the Privacy Rule allows covered entities to share patient information with the American Red Cross so it can notify family members of the patient’s location.

Judge Posner who relied on Wikipedia retires at 78

Posted in Social Media

Judge Richard Posner, who served for 35 years and was famous for his reliance on Wikipedia as legal authority over the past 10 years, was known for a “restless intellect, withering candor and superhuman output [that] made him among the most provocative figures in American law in the last half-century.” The New York Times September 11, 2017 article entitled “An Exit Interview With Richard Posner, Judicial Provocateur” included these observations about the retirement of Judge Posner (US 7th Circuit Court of Appeals):

The immediate reason for his retirement was less abstract, he said.

He had become concerned with the plight of litigants who represented themselves in civil cases, often filing handwritten appeals.

Their grievances were real, he said, but the legal system was treating them impatiently, dismissing their cases over technical matters.

Before his appointment to the bench he was a well-respected law professor at the University of Chicago, where many of my friends have reflected on his great teaching prowess.

Equifax confessed that it failed to protect personal data of 143+MILLION CUSTOMERS!

Posted in Cyber, eCommerce, Internet Privacy

The New York Times reported “that hackers had gained access to company data that potentially compromised sensitive information for 143 million American consumers, including Social Security numbers and driver’s license numbers.” The September 7, 2017 report entitled “Equifax Says Cyberattack May Have Affected 143 Million Customers” included this bad news:

Potentially adding to criticism of the company, three senior executives, including the company’s chief financial officer, John Gamble, sold shares worth almost $1.8 million in the days after the breach was discovered.

The report included these comments:

An F.B.I. spokesperson said the agency was aware of the breach and was tracking the situation.

Last year, identity thieves successfully made off with critical W-2 tax and salary data from an Equifax website. And earlier this year, thieves again stole W-2 tax data from an Equifax subsidiary, TALX, which provides online payroll, tax and human resources services to some of the nation’s largest corporations.

Hopefully this is a wake-up call about cyber risk and the need for cyber insurance and incident response plans.

Yahoo loses a court battle and a class action will proceed for massive cyber breaches in 2013-16!

Posted in Cyber

Reuters reported that “Yahoo must face nationwide litigation brought on behalf of well over 1 billion users who said their personal information was compromised in three massive data breaches.” On August 30, 2017, US District Judge Lucy Koh (Northern District of California, San Jose) in the case of In Re: Yahoo! Inc. Customer Data Security Breach Litigation ruled in favor of the class since:

All plaintiffs have alleged a risk of future identity theft, in addition to loss of value of their personal identification information.

The Reuters August 31, 2017 report entitled “Yahoo must face litigation by data breach victims: U.S. judge” included this background:

The breaches occurred between 2013 and 2016, but Yahoo was slow to disclose them, waiting more than three years to reveal the first. Revelations about the scope of the cyber attacks prompted Verizon to lower its purchase price for the company.

With this ruling many are speculating that Verizon, who recently bought Yahoo for $4.76 billion, will ultimately settle this class action rather than go to trial.

Google spent $19 million lobbying last year, is that good or bad?

Posted in eCommerce

Kenneth Vogel (no relation) reported in the New York Times that Google “helped organize conferences at which key regulators overseeing investigations into the company were presented with pro-Google arguments, sometimes without disclosure of Google’s role.” The August 30, 2017 article entitled “Google Critic Ousted From Think Tank Funded by the Tech Giant” included these comments:

Google is very aggressive in throwing its money around Washington and Brussels, and then pulling the strings,

People are so afraid of Google now.

Some tech lobbyists, think tank officials and scholars argue that the efforts help explain why Google has mostly avoided damaging regulatory and enforcement decisions in the United States of the sort levied by the European Union in late June.

What do you think about Google’s lobbying efforts?

Less than 50% of US businesses have cyber insurance, so what can they do to avoid a cyber disaster?

Posted in Cyber

Dark Reading reported that while “some organizations refuse to buy cyber insurance out of the misguided notion that they don’t ‘need’ to worry about being hacked, this mindset isn’t entirely at fault… many enterprises have been left high and dry by cyber-insurance policies that didn’t fully protect them after a major cyber attack.” The August 21, 2017 article entitled “The Pitfalls of Cyber Insurance” included these 10 strategies to protect all businesses from cyber criminals:

  1. Keep all software and operating systems updated (remember, WannaCry and NotPetya both attacked older versions of Windows)
  2. Run robust, up-to-date antivirus software
  3. Maintain compliance with industry and regulatory standards like HIPAA and PCI-DSS
  4. Continually monitor networks for suspicious activity, 24 hours a day, 365 days a year
  5. Have in-house and/or remote security staff on hand at all times to respond to anomalies and attacks
  6. Have a comprehensive, written cybersecurity policy that is regularly reviewed and updated
  7. Train all employees on cybersecurity best practices, such as how to spot phishing emails
  8. Control physical access to sensitive areas on its premises, such as server rooms
  9. Utilize other controls, such as firewalls, network segmentation, and encryption as appropriate
  10. Perform regular backups so that systems can be restored in the event of a ransomware attack, or even a natural disaster like a fire or flood

What will you do to help avoid cyber disasters?

Gates gives cellphone advice to help avoid the destruction of a generation!

Posted in Internet Access

Melinda Gates (think Bill & Microsoft) wrote a perspective in the Washington Post explaining that she and Bill “don’t allow cellphones at the dinner table,” which led to “amazing conversation.” The August 24, 2017 perspective is entitled “Melinda Gates: I spent my career in technology. I wasn’t prepared for its effect on my kids” and included this background:

I spent my career at Microsoft trying to imagine what technology could do, and still I wasn’t prepared for smartphones and social media.

Like many parents with children my kids’ age, I didn’t understand how they would transform the way my kids grew up — and the way I wanted to parent.

I’m still trying to catch up.

The pace of change is what amazes me the most.

The challenges my younger daughter will be facing when she starts high school in the fall are light-years away from what my elder daughter, who’s now in college, experienced in 2010.

My younger daughter’s friends live a lot of their lives through filters on Instagram and Snapchat, two apps that didn’t even exist when my elder daughter was dipping a toe in social media.

Gates applauded the January 2017 French law allowing employees the “Right to Disconnect” after work hours.

Watch out! ‘Fancy Bear’ may be ready to steal your data while using hotel wifi!

Posted in Cyber, Internet Access

Wired reported that a “Russian espionage campaign has used those Wi-Fi networks to spy on high-value hotel guests, and recently started using a leaked NSA hacking tool to upgrade their attacks.” Wired’s August 11, 2017 report was entitled “Russia’s ‘Fancy Bear’ Hackers Used Leaked NSA Tool to Target Hotel Guests” and included FireEye’s report that:

…it first saw evidence that Fancy Bear might be targeting hotels in the fall of last year, when the company analyzed an intrusion that had started on one corporate employee’s computer.

The company traced that infection to the victim’s use of a hotel Wi-Fi network while traveling; 12 hours after the person had connected to that network, someone connected to the same Wi-Fi network had used the victim’s own credentials to log into their computer, install malware on their machine, and access their Outlook data.

That implies, FireEye says, that a hacker had been sitting on the same hotel’s network, possibly sniffing its data to intercept the victim’s credentials.

Maybe you should avoid hotel wifi!!!!