Internet, Information Technology & e-Discovery Blog

Internet, Information Technology & e-Discovery Blog

Social changes brought about by the Internet & Technology

Attorney General Attacks Google for “having no corporate conscience”

Posted in eCommerce, Internet Privacy

The Attorney General of Mississippi complained in a letter to Google that “In my ten years as Attorney General, I have dealt with a lot of large corporate wrongdoers. I must say that yours is the first I have encountered to have no corporate conscience for the safety of its customers, the viability of its fellow corporations or the negative economic impact on the nation which has allowed your company to flourish.” The New York Times reported that Jim Hood (Mississippi Attorney General) issued a “79-page subpoena to Google, asking for records related to its advertisements and search results for controlled substances, fake IDs and stolen credit card numbers.”

Also the New York Times reported that after Google paid a $17 million fine in 2013 to settle a Privacy case that Jon Bruning (Attorney General of Nebraska) complained about Google:

These guys have profited from illegal activity that they promoted in their search engines for years.

There is a culture at Google of sell anything to anyone. By no means do they wear the white hat in this debate.

These complaints are not limited to the US as there are other governments who are complaining about Google, and in particular in the EU.

Cyberintrusions Lead to 81+ Million Records Exposed in 2014

Posted in eCommerce, Internet Privacy

The Identity Theft Resource Center (ITRC) defines data breaches when an incident put a risk of exposure of an individual’s “name plus a Social Security number, driver’s license number, medical record or financial record (credit/debit cards included).”  The ITRC Data Breach Report is published every Tuesday and on December 9, 2014 the Report identified 720 breaches of 81,597,485 in these categories:

Banking/Credit/Financial -41 breaches of 1,182,492 records

Business: – 237 breaches of 64,731,975 records

Educational: -54 breaches of: 1,243,622 records

Government/Military: -84 breaches of: 6,494,683 records

Medical/Healthcare: -304 breaches of: 7,944,713 records

Given the scope and size of cyber intrusions and crime it is unlikely these number of personal records will ever be smaller.

Coming to your Computer Soon? Ransonware which Locks your Files and Demands Payment

Posted in eCommerce

TexasBarToday_TopTen_Badge_Small (1)

Alarms are going off around the Internet with an apparent increase of ransomware which “immediately makes its presence known by encrypting files and demanding payment for the keys to unlock them.” The Department of Homeland Security (DHS) issued an Alert on October 22, 2014 that included this description:

Ransomware is a type of malware that infects a computer and restricts a user’s access to the infected computer. This type of malware, which has now been observed for several years, attempts to extort money from victims by displaying an on-screen alert. These alerts often state that their computer has been locked or that all of their files have been encrypted, and demand that a ransom is paid to restore access. This ransom is typically in the range of $100–$300 dollars, and is sometimes demanded in virtual currency, such as Bitcoin.

Ransomware is typically spread through phishing emails that contain malicious attachments and drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and malware is downloaded and installed without their knowledge. Crypto ransomware, a variant that encrypts files, is typically spread through similar methods, and has been spread through Web-based instant messaging applications.

DHS discourages paying the ransom:

Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.

However in November 2014 the Dickson County (Tennessee) Sheriff paid a Bitcoin ransom to get back files.

Bromium recently released a report entitled “Understanding Crypto-Ransomware” which started with this introduction:

This threat is called crypto-ransomware (ransomware) and includes at least a half-dozen variants, including CryptoLocker and CryptoWall. Ransomware shows no sign of abating since traditional detection-based protection, such as antivirus, has proven ineffective at preventing the attack. In fact, ransomware has been increasing in sophistication since it first appeared in September 2013, leveraging new attack vectors, incorporating advanced encryption algorithms and expanding the number of file types it targets.

With the extensive growth of malware the odds continue to increase that ransomware will end up on almost everyone’s computer.

Companies Slow to Get CyberInsurance Coverage Even as CyberAttacks Increase

Posted in eCommerce, IT Industry

A recent report showed a slight increase from 10% to 26% of companies with cyber insurance coverage between 2013 and 2014, and stated that most US companies are deficient in “keeping the data breach response plan up-to-date, conducting risk assessments of areas vulnerable to a breach, continuous monitoring of information systems to detect unusual and anomalous traffic and investing in technologies that enable timely detections of a security breach.”  In September 2014 the Ponemon Institute LLC issued a report entitled “Is Your Company Ready for a Big Data Breach?” which was sponsored by Experian Data Breach Resolution and stated that cyber insurance policies and incident response (IR) awareness are becoming more important:

In 2013, only 10 percent of respondents said their company purchased a policy. This year, the percentage more than doubled to 26 percent. Further, the use of standard or model contract terms with third parties, vendors or business partners increased. In 2013, 65 percent of respondents said their organizations had these in place and this year it increased to 70 percent of respondents.

Here are topics reported by Ponemon about cyber problems and IR planning:

More companies have data breach response plans and teams in place. In 2013, 61 percent of companies had such a plan in place. This increased to 73 percent in this year’s study. More companies have teams to lead data breach response efforts. In the 2013 study, 67 percent of respondents said they had a data breach response team. This increased to 72 percent.

Data breaches have increased in frequency. In 2013, 33 percent of respondents said their company had a data breach. This year, the percentage has increased to 43 percent. Sixty percent say their company experienced more than one data breach in the past two years. This increased from 52 percent of respondents in 2013.

Most companies have privacy and data protection awareness programs. Ponemon Institute research has revealed that mistakes made by employees are a frequent cause of data breach. While we believe all companies should have such a program, it is a good sign that the existence of training programs increased. In this year’s study, 54 percent say they have privacy and data protection awareness training for employees and other stakeholders who have access to sensitive personal information. This increased from 44 percent in 2013.

There was very little change in the training of customer service personnel. When companies lose customer data, very often it is customer service that must field questions from concerned customers. In 2013, 30 percent of respondents said they provided training on how to respond to questions about a data breach incident. This increased slightly to 34 percent of respondents in 2014.

Informationworld Darkreading also reported:

Nearly three-fourths of US Fortune 500 companies now have set up incident response plans and teams in preparation for cyberattacks, but only one-third of them consider their IR operations actually effective in the face of a data breach, according to a new study.

Hopefully more companies will understand their risk and do a better job to protect with cyber insurance and IR

Amazon Fails to Dismiss FTC Claim for Unlawfully Billing Children

Posted in eCommerce

The Judge found “that the FTC does not bring this suit under a new legal principle, and that it alleges sufficient facts to create a plausible claim for relief under Section 5 of the FTC [Federal Trade Commission] Act.” On December 1, 2014 US District Judge John Coghenour (Western District of Washington) denied Amazon’s motion to dismiss the FTC suit filed in July 2014 in which the FTC wanted a court order requiring refunds to consumers for the unauthorized charges and permanently banning the company from billing parents and other account holders for in-app charges without their consent.

When the suit was filed the FTC press release included these comments:

Amazon offers many children’s apps in its appstore for download to mobile devices such as the Kindle Fire. In its complaint, the FTC alleges that Amazon violated the FTC Act by billing parents and other Amazon account holders for charges incurred by their children without the permission of the parent or other account holder. Amazon’s setup allowed children playing these kids’ games to spend unlimited amounts of money to pay for virtual items within the apps such as “coins,” “stars,” and “acorns” without parental involvement.

Now that the Judge has denied Amazon’s motion to dismiss it is likely Amazon will pay a fine, and sign a consent decree to end this dispute.

Google Search Results Protected by the First Amendment

Posted in eCommerce

A Judge agreed with Google that “search results were protected by the First Amendment and could not be penalized” in spite of claims that Google “monopolizes the search-engine business, has caused grievous harm to, an arts, entertainment, cultural, and travel web site that also includes the San Francisco Restaurant and Dining Guide.”  US News reported that on November 13, 2014 in the case of S. Louis Martin v. Google, Inc., that Judge Ernest J. Goldsmith (San Francisco Superior Court in California) granted Google’s Special Motion to Strike the lawsuit of Dr. Martin.

The US News also offered these comments regarding Google’s challenges in the EU:

The problem faced by Google is that the First Amendment does not exist in European nations. Goldsmith’s decision shows the stark contrast between legal views of Google and search engines like Yahoo in not just the European Union but other nations like Japan and Australia where the tech company has lost cases that determined its search results were defamatory or violated privacy rights.

Since courts outside the US have ruled against Google whether autocomplete may be libelous, it is unclear if Judge Goldsmith’s order will have much impact.

Congress May Pass New Cybersecurity Laws

Posted in eCommerce, Internet Privacy

A recent article evaluating the new Congress indicated it may “allow information about civilians to go directly to the National Security Agency, or some other federal agency such as Homeland Security, before going to the NSA.”  On November 23, 2014 Judge Greenwald wrote an article in Business Insurance entitled “Cyber breaches could prompt cooperation in Congress” in which she indicated the “long-stalled cyber security legislation finally stands a strong chance of gaining approval by Congress and being signed into law.”

The article included comments by said Larry Clinton (President and CEO of, Internet Security Alliance):

There also may be incentives put in place to “promote the wider use” of the National Institute of Standards and Technology’s [NIST] proposed voluntary cyber security framework.

However there are concerns about privacy that must be balanced with any new cybersecurity laws.

More Bad Cybersecurity News – Top-Tier Malware Regin Used for Spying Since 2008

Posted in eCommerce, Internet Privacy, IT Industry

Symantec reported the discovery of new malware named Regin whose main purpose “is intelligence gathering and it has been implicated in data collection operations against government organizations, infrastructure operators, businesses, academics, and private individuals.”  On November 24, 2014 Symantec issued a report entitled “Regin: Top-tier espionage tool enables stealthy surveillance” which is a “back door-type Trojan, …a complex piece of malware whose structure displays a degree of technical competence rarely seen” which has “been used in systematic spying campaigns against a range of international targets since at least 2008.”  The report identifies the following Regin infections by sector in these 10 countries Saudi Arabia, Russia, Pakistan, Afghanistan, India, Mexico, Ireland, Belgium and Austria:

48% Privacy individuals and small businesses

28% Telecoms backbones

9% Hospitality

5% Energy

5% Airline

5% Research

Also Symantec stated that the “Regin infections have been observed in a variety of organizations between 2008 and 2011, after which it was abruptly withdrawn. A new version of the malware resurfaced from 2013 onwards.”

The New York Times reported:

The multi-staged design of the malware is akin to that of other espionage tools that security researchers believe were the work of nation states, notably Flame, Stuxnet and Duqu — three pieces of malware that were used to spy on computers in Iran and were believed to be a joint effort by the United States and Israel.

Back door Trojan malware is a reality of life, and businesses need to be vigilant to protect their systems and data.

Challenge to Uber’s Customer Privacy Policies Including its “God view”

Posted in eCommerce, Internet Privacy

Senate Al Franken asked Uber for clarification about an apparent “troubling disregard for customers’ privacy, including the need to protect their sensitive geolocation data.”  On November 19, 2014 Senator Franken sent a letter to Uber CEO Travis Kalanick about a tool known as “God view” which is:

… “widely available to most Uber corporate employees” and allows employees to track the location of Uber customers who have requested car service.

In at least one incident, a corporate employee reportedly admitted to using the tool to track a journalist. The journalist’s permission had not been requested, and the circumstances of the tracking do not suggest any legitimate business purpose. Indeed, it appears that on prior occasions your company has condoned use of customers’ data for questionable purposes

Senator Franken also had serious concerns:

…about the scope, transparency, and enforceability of Uber’s policies. Moreover, it is unclear what steps, if any, you have taken to ensure that your policies are adequately communicated to all employees, contractors, and affiliates, and to ensure that such policies are fully enforced.

The letter included these 10 questions about the Uber Privacy Policies:

1.      Mr. Michael, a senior executive, is reported to have made statements—suggesting that Uber might use private information to target journalists or others who have critiqued the company—that your company has since stated are flatly contrary to company policies. To what do you attribute such a failure at your company’s highest level to heed your own policies?

2.      What Mr. Michael is reported to have said sounds like it was intended to have a chilling effect on journalists covering Uber. Was any disciplinary action taken as a result of Mr. Michael’s statements?

3.      Where in your privacy policy do you address the “limited set of legitimate business purposes” that may justify employees’ access to riders’ and drivers’ data, including sensitive geolocation data?

4.      To whom is the so-called “God view” tool made available and why? What steps are you taking to limit access?

5.      Your privacy policy states that you may share customers’ personal information and usage information with your “parent, subsidiaries and affiliates for internal reasons.” On what basis do you determine what constitutes legitimate “internal reasons”? Why aren’t these standards set out for customers?

6.      Your privacy policy states that you may share “non-personally identifiable information” with third parties for “business purposes.” What does that mean exactly? Why aren’t customers asked to affirmatively consent to this use of their information? At a minimum, may they opt out of this information sharing?

7.      Your policies suggest that customers’ personal information and usage information, including geolocation data, is maintained indefinitely—indeed even after an account is terminated. Why? What limits are you considering imposing? In particular, when an account is terminated, why isn’t this information deleted as soon as pending charges or other transactional disputes are resolved?

8.      What training is provided to employees, as well as contractors and affiliates, to ensure that your company’s policies, as well as relevant state and federal laws, are being followed? In light of Mr. Michael’s recent comments, how do you plan to improve this training?

9.      Your spokeswoman has represented that your “policy is … clear that access to data is monitored and audited by data security specialists on an ongoing basis.” Where in your company policies is this discussed? How is this monitoring conducted? How frequently are audits completed? Are customers informed if their information has been inappropriately accessed?

10. Under what circumstances would an employee face discipline for a violation of Uber’s privacy policies? Have any disciplinary actions been taken on this basis?

It will be interesting to see how Uber responds and how federal agencies will follow-up on these alleged privacy issues

Privacy at the Heart of Colossal Cybersecurity Mistakes

Posted in Internet Privacy, IT Industry

Infoworld reported that for Information Technolgoy (IT) “Privacy has become one of the leading computer security issues today…Today’s systems track every access, and every employee should know that accessing a single record they don’t have a legitimate need to view is likely to be noticed and acted on.”  The November 17, 2014 Infoworld article entitled “10 security mistakes that will get you fired” includes these highlighted privacy mistakes by IT:

Colossal security mistake No. 1: Killing critical business functionality

Colossal security mistake No. 2: Killing the CEO’s access to anything

Colossal security mistake No. 3: Ignoring a critical security event

Colossal security mistake No. 4: Reading confidential data

Colossal security mistake No. 5: Invading privacy

Colossal security mistake No. 6: Using real data in test systems

Colossal security mistake No. 7: Using a corporate password on the Web at large

Colossal security mistake No. 8: Opening big “ANY ANY” holes

Colossal security mistake No. 9: Not changing passwords

Colossal security mistake No. 10: Treating every vulnerability like “the big one”

The report included the following example of Colossal security mistake No. 5: Invading privacy:

A friend worked at a hospital and once heard that a famous celebrity had checked in. The friend performed a quick SQL query and learned that the celebrity was in-house. They didn’t tell anyone or do anything.

A few days later someone in the primary care staff leaked to a popular media site that the celebrity was being treated in the hospital. Management asked for an audit of who accessed the celebrity’s records. The request came to my friend, who reported the results of the audit and self-reported their SQL query, though it had not been tracked by the information system. Management fired everyone who accessed the medical record without a legitimate reason. My friend, who would never have been caught if not for their aboveboard honesty, was fired without remorse.

Other important privacy mistakes were reported with with Colossal security mistake No. 6: Using real data in test systems:

When testing or implementing new systems, mounds of trial data must be created or accumulated. One of the simplest ways to do this is to copy a subset of real data to the test system. Millions of application teams have done this for generations. These days, however, using real data in test systems can get you in serious trouble, especially if you forget that the same privacy rules apply.

In today’s new privacy world, you should always create bogus test data to be used in your test systems. After all, test systems are rarely as well protected as production systems, and testers do not treat the data in test systems with the same mentality as they do data in production systems. In test systems, passwords are short, often shared, or not used at all. Application access control is often wide open or at least overly permissive. Test systems are rarely secure. It’s a fact that hackers love to exploit.

Most people do not realize how vulnerable their privacy is within IT systems, and this report reminds everyone that cybersecurity mistakes expose us all.