Internet, Information Technology & e-Discovery Blog

Social changes brought about by the Internet & Technology

Clouds Are Not Really Very Safe! – Here are 9 Security Threats Everyone Needs to Understand

Posted in Cyber, eCommerce

A report from the Cloud Security Alliance (CSA) explained that the cloud is not as safe as many people think, identifying “nine major categories of threats that face cloud technologies” which organizations “must weigh these threats as part of a rigorous risk assessment, to determine which security controls are necessary.” CDW issued a white paper entitled “Playbook: Overcoming Cloud Security Concerns” which explained how to deal with the nine CSA threats and explained the difference between data loss and data breach:

Data loss is sometimes confused with data breach. Unlike a data breach, which always involves an unauthorized party gaining access to sensitive data — an exploitation of confidentiality — data loss simply means that an organization’s data has been deleted or overwritten, a failure of availability.

Here are the 9 CSA Threats with CDW’s comments included:

1. Data Breaches. Major data breaches have been reported at every type of organization: businesses, educational institutions, government agencies and others. Each data breach involves one or more unauthorized parties gaining access to portions of the organization’s sensitive data.

2. Data Loss. Data loss generally occurs when data that has not been properly duplicated and secured to protect its availability is lost, deleted or otherwise made unavailable. Unfortunately, data loss has become more prevalent in cloud environments because many IT managers operate under the false assumption that the cloud inherently provides superior protection for availability.

3. Account or Service Traffic Hijacking. This threat involves the practice of gaining unauthorized access to a user account or service, such as stealing a user’s password and logging into a system as that user, or exploiting a vulnerability in a service to gain access to that service. Hijacking is most often performed to gain access to sensitive data to which a user or service has access, or to perform actions under the user’s or service’s privileges.

4. Insecure Interfaces. Software interfaces, such as application programming interfaces (APIs), provide access to cloud-based services by allowing commands to be issued against the service. Generally, some parts of an API allow for service usage, while other parts allow for service management. An insecure API can lead to compromises of both service usage and management, causing data breaches, data loss and other serious problems.

5. Denial of Service. Denial of Service (DoS) attacks have been a threat against applications and services for many years. These attacks work by consuming resources, thus preventing legitimate users from accessing those resources.

6. Malicious Insiders. Malicious insiders are authorized personnel — users and administrators — who intentionally violate organizational policy for personal reasons, such as financial gain or revenge. Because they already have access to sensitive data, malicious insiders may readily cause data breaches, data losses and other negative effects. For example, an insider may copy a sensitive database onto a flash drive, then use the information stored on it to commit identity theft.

7. Abuse of Cloud Services. Abuse of cloud services involves parties taking advantage of cloud services to perform malicious acts, such as cracking passwords or launching attacks against other systems. Abuse of cloud services is a threat primarily affecting cloud service providers, not cloud customers.

8. Insufficient Due Diligence. Organizations that are considering the adoption of cloud technologies must fully understand the risks inherent in this step. An enterprise that does not effectively secure its cloud deployment to address the numerous cloud threats faces a significantly increased risk of compromise.

9. Shared Technology Vulnerabilities. Vulnerabilities within the cloud infrastructure itself, such as hypervisor weaknesses or an application or service shared by cloud users from different organizations, also represent a threat. The risk of these vulnerabilities is that an attacker can exploit a weakness in one piece of software to gain unauthorized access to data and services for multiple cloud customers.

Of course, with proper planning and the right controls, most of these threats can be mitigated.

Cybersecurity Planning & Training High on the List for Cyberinsurance Under New Regulatory Principles

Posted in Cyber, eCommerce

On April 17, 2015 the National Association of Insurance Commissioners (NAIC) adopted 12 principles for “direct insurers, producers, and other regulated entities to join forces in identifying risks and adopting practical solutions to protect information entrusted to them.” The NAIC’s 12 “Principles for Effective Cybersecurity: Insurance Regulatory Guidance” included these Principles:

Principle 4: Cybersecurity regulatory guidance for insurers and insurance producers must be flexible, scalable, practical and consistent with nationally recognized efforts such as those embodied in the National Institute of Standards and Technology (NIST) framework.

Principle 7: Planning for incident response by insurers, insurance producers, other regulated entities and state insurance regulators is an essential component to an effective cybersecurity program.

Principle 9: Cybersecurity risks should be incorporated and addressed as part of an insurer’s or an insurance producer’s enterprise risk management (ERM) process. Cybersecurity transcends the information technology department and must include all facets of an organization.

Principle 10: Information technology internal audit findings that present a material risk to an insurer should be reviewed with the insurer’s board of directors or appropriate committee thereof.

Principle 12: Periodic and timely training, paired with an assessment, for employees of insurers and insurance producers, as well as other regulated entities and other third parties, regarding cybersecurity issues is essential.

Only time will tell whether these Principles are adopted and whether they help insureds who carry cyberinsurance.

Google’s 92% of the Search Engine Market in the EU –Because it’s the Best Search Engine? or Anticompetitive?

Posted in eCommerce

Pew Research has reported since 1992 that more than 90% of adults use search engines daily, but that is likely because users like the search results, not because of anticompetitive behavior. The New York Times reported on April 15, 2015 that the EU filed claims against Google which “focused on accusations that Google diverts traffic from competitors rivals to favor its own comparison shopping site.”

Google denied the EU’s allegations in a blog post, “The Search for Harm,” which included this statement:

While Google may be the most used search engine, people can now find and access information in numerous different ways—and allegations of harm, for consumers and competitors, have proved to be wide of the mark.

Google and the EU will likely settle, but only time will tell and this will be interesting to follow.

Yikes! Cybercrime is Directed at Your Androids, Homes, and Electric Vehicles

Posted in Cyber

Dell released a report which reinforced what we all know: cybercrimes “are alive and well on the global stage and will continue to be pervasive as long as organizations delay taking the necessary defense measures to stop threats from slipping through the cracks.” The 2015 Dell Security Annual Threat Report was released on April 13, 2015 and listed these 8 threats based on 2014 cybercrime; take notice of numbers 5, 7 and 8:

  1. A surge took place in POS (Point of Sale) malware variants and attacks targeting payment card infrastructures.
  2. More companies were exposed to attackers hiding in plain sight as a result of SSL/TLS encrypted traffic.
  3. Attacks doubled on SCADA (supervisory control and data acquisition) systems.
  4. More organizations will enforce security policies that include two-factor authentication (2FA).
  5. Sophisticated, new techniques will thwart Android malware researchers and users, and more highly targeted smartphone malware will emerge. In connection, the first wave of malware targeting wearable devices via smartphones will emerge.
  6. Digital currencies including Bitcoin will continue to be targets of mining attacks.
  7. Home routers and home network utilities will become targets and will be used to assist large distributed denial-of-service (DDoS) attacks.
  8. Electric vehicles and their operating systems are targeted.

It’s never too soon to take responsibility for self-protection from cybercrime, and this Dell Report should be a wake-up call.

Lax Password Management – Survey Results Show that 1 in 5 Employees Admit they Share Passwords!

Posted in Cyber, eCommerce

A recent survey “uncovered a widespread level of employee indifference towards protecting sensitive corporate data, including personal information of customers.” In January 2015 SailPoint reported the results of its 7th Annual Market Pulse Survey, which also included these comments from Kevin Cunningham (President and Founder of SailPoint):

Employees may have moved away from the post-it note password list, but using the same password across personal and work applications exposes the company,…

Just think of the major breaches that occurred in 2014 requiring users to change their passwords on social media. If those were the same passwords being used to access mission-critical applications, it’s very easy for hacking organizations to take advantage and get into more valuable areas.

It’s time to get serious about password management since amazingly enough the survey also indicated that 1 in 7 employees admitted that they would sell their passwords to a third party for as little as $150!
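CDW’s description of account hijacking above (item 3 of the CSA list) and the SailPoint comments on password reuse come down to the same mechanism: a password leaked from one site is tried against another. The Python below is an added example, not code from this page, CDW, SailPoint or the CSA; it shows the two checks an organization can run against a list of known-breached passwords: refusing a breached password at the moment a user sets it, and screening already-stored salted PBKDF2 hashes against the list. The breach dump, account names and passwords are constructed sample data, and the PBKDF2 iteration count is kept deliberately low so the example runs quickly.

```python
import hashlib
import hmac
import os

# Constructed sample breach dump: plaintext passwords as they would appear in a
# leaked credential list.  Not data from the page or from the survey it cites.
BREACH_DUMP = {"password123", "Summer2014!", "letmein", "qwerty", "Welcome1"}

# Kept low so the example runs in well under a second; production deployments
# use a far higher count (or a memory-hard function such as scrypt/Argon2).
PBKDF2_ITERATIONS = 20_000


def hash_password(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: the form in which a service should store passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_account(username: str, password: str) -> dict:
    """Create a stored account record: a fresh random salt plus the derived hash.
    Two accounts with the same password get different hashes because of the salt."""
    salt = os.urandom(16)
    return {"username": username, "salt": salt, "hash": hash_password(password, salt)}


def is_known_breached(new_password: str, breach_dump: set) -> bool:
    """Gate at password-set or password-change time: True if the candidate password
    appears in a known breach and should therefore be refused."""
    return new_password in breach_dump


def find_reused(accounts: list, breach_dump: set) -> list:
    """Retrospective screen of existing accounts.  Because the stored hashes are
    salted, the only way to test them is to re-derive each leaked password under
    each account's own salt and compare in constant time.  Cost is one key
    derivation per account per leaked password, which is exactly the work factor
    that salted hashing is meant to impose on an attacker doing the same thing."""
    flagged = []
    for acct in accounts:
        for leaked in breach_dump:
            if hmac.compare_digest(hash_password(leaked, acct["salt"]), acct["hash"]):
                flagged.append(acct["username"])
                break  # one match is enough; move to the next account
    return flagged


if __name__ == "__main__":
    # Constructed sample accounts: two of them reuse a password from the dump.
    accounts = [
        make_account("alice", "Summer2014!"),
        make_account("bob", "c0rrect-horse-battery"),
        make_account("carol", "letmein"),
    ]
    print(find_reused(accounts, BREACH_DUMP))
    print(is_known_breached("qwerty", BREACH_DUMP))
```

The set-time gate is cheap and belongs in the password-change path (real deployments usually consult a breached-password service rather than a local list); the retrospective screen is expensive by design, so run it offline and in batches, and treat every flagged account as one whose password must be reset rather than merely reported.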

April 1st White House Executive Order to Combat Cyberattacks, for Real or April Fools’ Joke?

Posted in Cyber, eCommerce

The President made the following statement about the Executive Order: “Starting today, we’re giving notice to those who pose significant threats to our security or economy by damaging our critical infrastructure, disrupting or hijacking our computer networks, or stealing the trade secrets of American companies or the personal information of American citizens for profit.” The Executive Order was entitled “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities,” and the same day Michael Daniel (Special Assistant to the President and Cybersecurity Coordinator) posted a blog post, “Our Latest Tool to Combat Cyber Attacks: What You Need to Know,” which described what the Executive Order covered:

  • Harming or significantly compromising the provision of services by entities in a critical infrastructure sector
  • Significantly disrupting the availability of a computer or network of computers, including through a distributed denial-of-service attack
  • Misappropriating funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain
  • Knowingly receiving or using trade secrets that were stolen by cyber-enabled means for commercial or competitive advantage or private financial gain
  • Attempting, assisting, or providing material support for any of the harms listed above

However, my friend Nick Akerman at Dorsey and Whitney in New York (an expert on cybersecurity and privacy) was interviewed by PCWorld and asked:

What standard of proof are agencies going to use?…It’s not always clear who the hackers are.

The PCWorld article went on to say that Nick Akerman:

…praised the Obama administration for calling cyberattacks a “national emergency,” saying such recognition is long overdue, but he questioned how targeted groups will challenge the sanctions.

He also questioned how the Treasury Department and other agencies involved would determine an attack was serious enough to impose sanctions. “Are we just taking the word of the company that was hacked, or are they just going after a competitor overseas?” he said.

The Executive Order looks pretty good and well-targeted, and hopefully it will reduce cyberintrusions and cyberattacks. But April 1 does not sound like the ideal date to sign such an Executive Order, particularly given the comments from Nick Akerman...so maybe it will turn out to be an April Fools’ joke after all. Time will tell!

GUEST BLOG: How Will the Proposed Laws Help Fight Cybercrime?

Posted in Cyber, eCommerce

My Guest Blogger Nick Akerman learned about Cybercrime as a federal prosecutor where he prosecuted a wide array of white collar criminal matters, including bank frauds, bankruptcy frauds, stock frauds, complex financial frauds, environmental crimes and tax crimes. Nick was also an Assistant Special Watergate Prosecutor with the Watergate Special Prosecution Force under Archibald Cox and Leon Jaworski.

New Tools for Companies Against Cybercrime

In January 2015, the Obama administration announced a series of proposals to strengthen the country’s response to cyberattacks, including, most notably, specific amendments to the federal computer crime statute, the Computer Fraud and Abuse Act (CFAA). These changes are significant not only to the cybercrime-fighting efforts of federal prosecutors, but also to private companies, because the CFAA allows companies victimized by violations of the statute to bring civil actions against the perpetrators. 18 U.S.C. 1030(g). The CFAA, among other things, makes it a crime when an individual “accesses” a computer “without authorization or exceeds authorized access” to steal data.

“Without authorization” typically relates to an outside hacker, whereas “exceeds authorized access” typically relates to a company insider, like an employee who has authority to access the company computer but exceeds that authorized access. There is a split among the circuit courts of appeals over whether employees who access company computers to steal data exceed their authorized access. The Fourth Circuit (following the Ninth Circuit), for example, in WEC Carolina Energy Solutions v. Miller, narrowly interpreted “exceeds authorized access” not to apply to employees who are “authorized to access a computer when his employer approves or sanctions his admission to that computer.” In contrast, the Seventh Circuit in International Airport Ctrs. v. Citrin applied the CFAA to an employee who accessed the company computer for the purpose of “further[ing] interests that are adverse to his employer,” i.e. stealing company data to take to a competitor. The Fifth and Eleventh Circuits follow this interpretation.

The administration’s proposal would settle this split in the circuits in favor of applying the CFAA to employees by redefining “exceeds authorized access” to mean “to access a computer with authorization and to use such access to obtain or alter information in such computer (A) that the accesser is not entitled to obtain or alter; or (B) for a purpose that the accesser knows is not authorized by the computer owner.” Thus, the proposed law would cover employees who steal data from company computers and would incentivize employers to institute written policies and employee agreements delineating precisely the scope of permissible authorization to the company computers.

VALUING DAMAGE

From the standpoint of private employers, another significant change would be the addition of a requirement that “the value of the information obtained [by an insider employee accessing the computer] exceeds $5,000.” This requirement would be in addition to the jurisdictional prerequisite for CFAA civil actions that require the plaintiff to allege and prove $5,000 in “loss,” a term defined by the statute to include costs of “responding to any offense” and “consequential damages incurred because of interruption of service.” The $5,000 minimum would not constrain criminal prosecutions directed at a computer “owned or operated by or on behalf of a government entity.” Thus, a case like United States v. Teague, in which the defendant was criminally prosecuted for viewing (not copying or taking) President Barack Obama’s record in the National Student Loan Data System, would still be a viable prosecution.

The value of the stolen data would not be a critical factor for private companies under the proposed amendments if the violation “was committed in furtherance of any felony violation of the laws of the United States or of any state.”  Thus, if an employee steals his employer’s trade-secrets data in violation of the Economic Espionage Act, 18 U.S.C. 1831, there would be no burden on the employer to show that the value of the trade secrets exceeded $5,000.  Because the Economic Espionage Act does not provide for a civil cause of action, this would be a significant expansion in federal law that would supplant the state trade-secrets laws.

Setting limits on insider data thefts to a minimum value of $5,000 and felony violations directly addresses the concerns expressed by the Ninth Circuit in United States v. Nosal that the CFAA could be interpreted “to criminalize any unauthorized use of information obtained from a computer.” Also, the proposed changes in the law would address the additional concern of the Nosal court that the CFAA could “make criminals of large groups of people who would have little reason to suspect they are committing a federal crime.” Thus, the Obama proposal adds the requirement of willfulness to the statute, defining it to mean “intentionally to undertake an act that the person knows to be wrongful.”

With respect to trafficking in passwords, the proposed law would limit the crime to instances where the violator knew or had reason “to know that a protected computer would be accessed or damaged without authorization in a manner prohibited by this section [the CFAA] as the result of such trafficking.” With an eye to changing technologies, the proposed statute also would expand on passwords to include “any other means of access” to a computer.

Finally, the proposed amendments would strengthen law enforcement by increasing penalties for CFAA violations, providing injunctive relief and forfeitures, and making felony violations of the CFAA predicate acts under the Racketeer Influenced and Corrupt Organizations statute, 18 U.S.C. 1961. This proposed amendment to RICO is long overdue. RICO was enacted in 1970, years before the advent of the information age in which computers have become ubiquitous and the targets and instruments of criminals. Because RICO, like the CFAA, provides victims with a civil remedy, this proposed amendment would similarly enhance the ability of companies to fight cybercriminals.

No Surprise – Cyberattacks are Regularly Directed at Lawyers

Posted in Cyber, eCommerce

Estimated cybercrime losses run as high as $2 trillion, so it is no surprise that most law firms, which hold client data and intellectual property, are reluctant “to publicly discuss cyberintrusions and the lack of data breach reporting requirements in general in the legal industry,” according to a recent internal report from Citigroup’s cyberintelligence center, as reported by the New York Times. The March 26, 2015 article entitled “Citigroup Report Chides Law Firms for Silence on Hackings” includes these examples of cyberattacks on law firms in 2012:

Fried Frank was the victim of a so-called watering hole attack in 2012 in which hackers infected its website with malware, an intrusive program that can be transferred to visitors to the site.

Covington & Burling, a large firm based in Washington, was used in a phishing campaign that appears to have been orchestrated by a “China-based group” of hackers. The report said the campaign, which typically involves sending fake but realistic looking email, may have been an effort to learn more about the law firm’s prominent corporate clients given its work for military contractors and energy companies, including its work on several solar energy projects at the time.

However, Fried Frank responded that its data network had “never been breached and client information has never been compromised.”

Until lawyers learn how to communicate with IT and understand their risks, these cyberattacks will continue, even though the American Bar Association has established a Cybersecurity Task Force, which published an excellent Handbook.

How Will Google Respond to Renewed Antitrust Claims in the EU & US?

Posted in eCommerce

Estimates are that Google controls 90% of the search engine market in the EU, so a recent report that the “EU’s antitrust investigation into Google’s business practices [focuses on] what have been identified as potential competition issues in the European markets” is no surprise. The eWeek report stated that the EU’s interest stems from the FTC investigation that was dropped in 2013 after 19 months, and now:

A European lawmaker has called on EU regulators to bring formal antitrust charges against Google after a document surfaced this week showing that the U.S. Federal Trade Commission had harbored strong concerns about the company’s business practices two years ago.

Google continues to grow as does the threat of antitrust actions.

Truste Pays $200,000 Fine for Breaching Contracts to Verify Privacy on 1,000+ Websites & FTC Oversight

Posted in eCommerce, Internet Privacy

“The Federal Trade Commission [FTC] has approved a final order resolving the Commission’s complaint against TRUSTe, Inc. for deceiving consumers about its privacy seal program,” as posted on the FTC website on March 18, 2015. The FTC also stated that under the Order the FTC will have oversight for 20 years, in particular making sure that TRUSTe complies with the Children’s Online Privacy Protection Act (COPPA); the Order:

…requires the company in its role as a COPPA safe harbor to provide detailed information about its COPPA-related activities in its annual filing to the FTC, as well as maintaining comprehensive records about its COPPA safe harbor activities for ten years. Each of these provisions represents an increase in the reporting requirements laid out under the COPPA Rule for safe harbor programs.

Our privacy is not what it appears given Truste’s confession and payment of the $200,000 fine, and it is unfortunate that so many have relied on Truste’s privacy promises.