Internet, Information Technology & e-Discovery Blog

Social changes brought about by the Internet & Technology

FTC sues IoT manufacturer for failure to secure devices from cyberattacks!

Posted in Cyber, eCommerce

The Federal Trade Commission (FTC) filed a lawsuit against “D-Link Corporation and its U.S. subsidiary, alleging that inadequate security measures taken by the company left its wireless routers and Internet cameras vulnerable to hackers and put U.S. consumers’ privacy at risk.” The Complaint filed on January 5, 2017 in the US District Court in the Northern District of California includes these allegations against D-Link:

  • “hard-coded” login credentials integrated into D-Link camera software — such as the username “guest” and the password “guest” — that could allow unauthorized access to the cameras’ live feed;
  • a software flaw known as “command injection” that could enable remote attackers to take control of consumers’ routers by sending them unauthorized commands over the Internet;
  • the mishandling of a private key code used to sign into D-Link software, such that it was openly available on a public website for six months; and
  • leaving users’ login credentials for D-Link’s mobile app unsecured in clear, readable text on their mobile devices, even though there is free software available to secure the information.

The FTC press release entitled “FTC Charges D-Link Put Consumers’ Privacy at Risk Due to the Inadequate Security of Its Computer Routers and Cameras” included these comments from Jessica Rich (Director of the FTC’s Bureau of Consumer Protection):

Hackers are increasingly targeting consumer routers and IP cameras — and the consequences for consumers can include device compromise and exposure of their sensitive personal information,…

When manufacturers tell consumers that their equipment is secure, it’s critical that they take the necessary steps to make sure that’s true.

This lawsuit was the FTC’s stern message to other IoT manufacturers, and surely we will see more such lawsuits!

Cyber challenge to secure IoT home devices

Posted in Cyber, eCommerce

The Federal Trade Commission (FTC) announced that “it is challenging the public to create an innovative tool that will help protect consumers from security vulnerabilities in the software of home devices connected to the Internet of Things.” The FTC announcement on January 4, 2017, entitled “Challenge to Combat Security Vulnerabilities in Home Devices,” included these statements:

The Internet of Things, an array of billions of everyday objects sending and receiving data over the internet, is expanding rapidly with the adoption of applications such as health and fitness monitors, home security devices, connected cars and household appliances. It holds many potential benefits for consumers, but also raises numerous privacy and security concerns that could undermine consumer confidence.

So FTC is “offering a cash prize of up to $25,000 for the best technical solution, with up to $3,000 available for up to three honorable mention winner(s).”

If you are interested, check out the IoT Home Inspector Challenge, which asks:

contestants to develop a tool that would address security vulnerabilities caused by out-of-date software in IoT devices. An ideal tool might be a physical device that the consumer can add to his or her home network that would check and install updates for other IoT devices on that home network, or it might be an app or cloud-based service, or a dashboard or other user interface.  Contestants also have the option of adding features such as those that would address hard-coded, factory default or easy-to-guess passwords.

Sounds like a great idea!

New email law which gives employees an after-hours ‘right to disconnect’ – good or bad idea?

Posted in eCommerce

Computerworld reported that the “French law took effect Jan. 1 and requires firms with more than 50 employees to negotiate a ‘disconnection’ rule governing after-hour and vacation communications.” The January 6, 2017 report entitled “Why France’s new ‘right to disconnect’ law matters” included the comment that emails “arriving at night, on weekends and during vacation can create stress and interrupt family life,” which is part of the reason France established the law.

The report also included these comments about Daimler AG (the German automotive giant), which now:

…has an optional email feature called “Mail on Holiday.” It automatically deletes incoming emails during time off. An auto reply offers alternative contacts or suggests resending messages once the employee returns. It’s available to 100,000 workers in Germany.

And the Daimler Health management and occupational safety employee guide states:

This prevents congestion in the electronic in-boxes, relieves the pressure of having to read emails during vacations, and the email in-box is empty when the employee returns to work.

However, not everyone thinks that the ‘right to disconnect’ is so great, including James W. Gabberty (Associate Dean and Professor of Information Systems at New York’s Pace University), who “says the email rule will only erode productivity,” explaining:

Not confined to a 9-to-5 work regimen, inspiration — the mother’s milk driving innovation that underpins R&D — depends on spontaneously capturing creative thinking,…these fleeting moments of genius” in an email “even when they occur after dinner or in the middle of the night.

What do you think?

BIG SURPRISE! – Fraud and identity theft a real problem for online dating sites!

Posted in eCommerce, Internet Privacy

The FBI announced that “John Edward Taylor allegedly trolled dating websites to find unsuspecting women for his ‘romance’ scam, designed to steal their money.”  The January 3, 2017 FBI news release entitled “Alleged Confidence Man Charged With Luring Victims Through Matchmaking And Networking Sites To Commit Fraud And Identity Theft” included these comments about Taylor’s behavior:

While masquerading as a millionaire businessman with romantic and professional interest in his victims, Taylor was in reality an alleged con artist.  When confronted by some of his victims for looting their bank accounts, Taylor took his insidious crime another step further, allegedly threatening to release sexually explicit photos of them.

Here are some details from the Complaint and Indictment:

JOHN EDWARD TAYLOR, a/k/a “Jay Taylor,” a/k/a “Josie Reeser,” stole, or attempted to steal, money, credit, and personal information from more than a dozen women (the “Victims”) in cities across the country, including New York City, Chicago, Atlanta, and Philadelphia.

TAYLOR contacted Victims using online matchmaking and networking websites, such as Match.com, eHarmony, Craigslist, and Seeking Arrangement.  TAYLOR typically introduced himself as “Jay” and often falsely described himself as a wealthy businessman with oil and land interests in North Dakota.  To some Victims, TAYLOR feigned interest in hiring the Victims to work on a new business TAYLOR purported to be creating.  To other Victims, TAYLOR expressed an interest in a romantic and personal relationship.  To most Victims, TAYLOR purported to be interested in both a personal and a professional relationship.

Obviously, people going to matchmaking sites and using social media need to be aware of this type of criminal behavior!

Privacy Laws will likely cause conflicts with Big Data in 2017

Posted in eCommerce, Internet Privacy

Privacy concerns regarding big data were highlighted in the Federal Trade Commission’s January 2016 report entitled “Big Data: A Tool for Inclusion or Exclusion? Understanding the Issues,” and they will grow in importance given the predicted growth of big data reported by Infoworld, which cited market research and advisory firm Ovum: “Ovum estimates the big data market will grow from $1.7 billion in 2016 to $9.4 billion by 2020.” Infoworld’s report entitled “8 big data predictions for 2017” included these comments from lawyers Miriam Wugmeister and Andrew Serwin (co-chairs of the global privacy + data security group at Morrison & Foerster) about prediction #3, regarding pressure to keep data local:

Expect more data localization laws following recent developments such as the first enforcement of Russia’s data localization law being upheld by Russian courts, and China recently passing its own data localization law. Other countries will follow in the year ahead,

Here are all 8 big data predictions:

  1. Data scientist demand will wane
  2. Making data science a team sport will become a top priority
  3. There will be more pressure to keep data local
  4. Enterprises will struggle to monetize data
  5. Data lakes will finally become useful
  6. M&A activity will accelerate
  7. Demand for IoT architects will soar
  8. Streaming analytics will be reborn

Clearly privacy will continue to be an important facet of big data given the scope of growth and use of big data!

Cybersecurity Report Card for 2016: Overall “C-” but bad news since the Cloud gets a “D-” and Mobile gets an “F”!

Posted in Cyber, IT Industry

Tenable Network Security surveyed “700 security practitioners across seven key industry verticals and nine countries” and produced “a single report card score that represents overall confidence levels of security practitioners that the world’s cyber defenses are meeting expectations.” The “2017 Global Cybersecurity Assurance Report Card” from Tenable, with research partner CyberEdge Group, included these comments about the Cloud Darkening:

Cloud software as a service (SaaS) and infrastructure as a service (IaaS) were two of the lowest scoring Risk Assessment areas in the 2016 report. SaaS and IaaS were combined with platform as a service (PaaS) for the 2017 survey and the new “cloud environments” component scored 60% (D-), a seven point drop compared to last year’s average for IaaS and SaaS.

The Report Card included these comments about Mobile Morass:

Identified alongside IaaS and SaaS in last year’s report as one of the biggest enterprise security weaknesses, Risk Assessment for mobile devices once again dropped eight points from 65% (D) to 57% (F).

Here are all 10 takeaways:

  1. Risk Assessment
  2. Cloud Darkening
  3. A Mobile Morass
  4. New Challenges Emerge – Two new IT components were introduced for 2017: containerization platforms and DevOps environments.
  5. Web App Security: Room for Improvement?
  6. Security Assurance Steady
  7. India Claims the Top Spot – New to the 2017 Global Cybersecurity Assurance Report Card, India debuted with the highest overall score at 84% (B), while last year’s leader, the United States, fell two points to second place with 78% (C+).
  8. Japan Lacking Confidence
  9. Education and Government Behind the Pack – Of the seven industries analyzed in the 2016 study, Education and Government earned the lowest overall scores. These two industries placed near the bottom again in the 2017 study, with Education remaining steady at 64% (D) and Government dropping three points to 63% (D).
  10. Retail Takes the Lead Over Financial Services and Telecom

Hopefully 2017 will be better, but given the daily headlines of cyber intrusions that’s probably unlikely!

CYBER & TECHNOLOGY Ups and Downs in 2016 – Encryption a Big Success, but Fake News a Big Failure

Posted in Cyber, eCommerce

The New York Times reported on the best and worst technology of the year, observing that from “exploding smartphones and hoverboards to the proliferation of fake news on social media, many of our tech hardware, software and web products suffered embarrassing failures.” The December 14, 2016 article entitled “Biggest Tech Failures and Successes of 2016” included these observations about the successes with Encryption:

Tensions between tech companies and the government reached a fever pitch during Apple’s face-off with the F.B.I. early this year over privacy and security. The F.B.I. had demanded that Apple weaken its iPhone encryption so that it could gain access to the contents of a phone belonging to a gunman in the San Bernardino, Calif., mass shooting. Apple refused, arguing that weakening its software system for a single investigation would create vulnerabilities that might put all customers at risk. The F.B.I. eventually withdrew its demand after figuring out how to break into the iPhone without Apple’s help.

Amid Apple’s feud with the F.B.I., many big tech companies expanded encryption in their products. Facebook, WhatsApp and Google put the encryption protocol from Signal, a widely lauded secure messaging service, in their messaging services. Though none of the encrypted messaging services are perfect, this year marked significant progress toward offering tools that strengthened consumer privacy.

The other successes included: WiFi, Virtual Reality, and Streaming Live Video.

The failures in 2016 included: Batteries (think Samsung and hoverboards) and Virtual Assistants (which, “including Google’s Assistant, Apple’s Siri and Amazon’s Alexa, continued to be subpar this year”).

The history of 2016 should provide insight to 2017, because history always teaches us something.

Another Cyberattack at Southwest Airlines?

Posted in Cyber, eCommerce

Southwest’s website was down for about 3 hours, and Southwest tweeted that “We are aware and investigating current issues with our website, and we have implemented flexible accommodations for those being affected.” The Dallas News report from December 21, 2016 entitled “Southwest Airlines suffers website outage; airport operations unaffected” stated that service was restored around 5 pm after the 3-hour outage and also included this quote from Southwest’s Facebook post:

We are currently experiencing issues with some of Southwest.com’s functionality.

For those currently traveling, check in is available at airport kiosks and ticket counters, we are working hard to resolve the issue.

We appreciate our customers’ patience as we work behind the scenes to get full functionality back to our website, and we have implemented flexible accommodations for those being affected.

Although Southwest has not admitted to a cyberattack, it seems very likely given the July cyberattack that cancelled 700 Southwest flights and the August cyberattack that caused Delta to cancel 858 flights!

GUEST BLOG: In the wake of Yahoo’s CONFESSION it’s time for you to learn about 2-factor authentication!

Posted in Cyber, eCommerce

My Guest Blogger Eddie Block (CISSP, CIPM, CIPP/G, CISA, CEH) is a senior attorney in Gardere’s Litigation Group and a member of the Cybersecurity and Privacy Legal Services Team. He focuses on all aspects of information and cyber security, including credentialing functions, firewall and IDS deployment and monitoring, and penetration testing, as well as related complex litigation.

Eddie Block Dec 2 2016

Last week Yahoo announced that over 1 billion user accounts had been breached, exposing usernames and passwords. This account information has been available to attackers since 2013.

Passwords as a means for secure authentication are anything but secure. Analysis of passwords from network breaches shows that most people choose simple, easy-to-guess passwords. WordPress Engine has an in-depth paper titled “Unmasked: What 10 million passwords reveal about the people who choose them” which describes how people pick passwords and how that gives an attacker insight into cracking passwords.

Even worse is password reuse. The security community has been educating people for years to use long, complex passwords. People can’t remember long, complex passwords easily so they either write them down or memorize one and use it everywhere. Unfortunately, reusing passwords everywhere means that a breach of one website, like Yahoo, exposes the same password on all websites where it is used.

The passwords in the Yahoo breach were also associated with usernames and email addresses. Many people will use the same username or email address on multiple sites, allowing the attacker to exploit multiple accounts with the same credentials.

For more advanced protection people should use 2-factor authentication on any sites that support it.

2-factor authentication requires 2 types of information to let you in:

  • Something you know (like a password),
  • something you are (like a fingerprint), or
  • something you have (like your cell phone).

Google, PayPal, Amazon, and, yes, Yahoo allow the consumer to enable 2-factor authentication. It usually isn’t on by default, though, so the user has to affirmatively turn it on.

Amazon explains how 2-factor works, and how to quickly enable it, in a video entitled “About Two-Step Verification.” After 2-factor is enabled, each time the user logs into Amazon they will be prompted for their password as normal, then receive a text message with a random 6-digit number they have to enter into their web browser. Thus they have used 2 factors: something they know (their password) and something they have (the ubiquitous cell phone).

2-factor authentication does add a step to logging into a website, but it also means that an attacker cannot log in unless they know the password AND have access to the user’s text messages. For sites that store or handle financial, personal, or confidential data this additional step is well worth the extra minute or two to use the second factor. In cases like the Yahoo breach, this step implemented on sites other than Yahoo would prevent the attacker from using their stolen credentials.
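The two-step flow described above, as an added Python example (written for this post, not code from Eddie Block, Amazon or Yahoo). It assumes a 5-minute validity window for the texted code, a salted PBKDF2 hash for the password store, an in-memory stand-in for the SMS gateway, and a constructed user “alice”. The `demo()` function walks through the cases the post makes: a password alone does not get in, a code cannot be replayed, and an old code expires.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumed validity window for the texted code (the post does not state Amazon's).
CODE_TTL_SECONDS = 300


class SmsOutbox:
    """Constructed stand-in for an SMS gateway: it only records what would be texted."""

    def __init__(self):
        self.sent = []  # list of (phone, code)

    def send(self, phone, code):
        self.sent.append((phone, code))


class AuthServer:
    """Two-step login: password (something you know), then a code texted to the
    user's phone (something you have)."""

    def __init__(self, sms):
        self.sms = sms
        self.users = {}    # username -> {"salt", "pw_hash", "phone"}
        self.pending = {}  # username -> (sha256(code), expiry timestamp)

    @staticmethod
    def _hash_password(password, salt):
        # Salted, deliberately slow hash: a leaked table cannot be reversed with a
        # precomputed lookup the way unsalted fast hashes can.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def register(self, username, password, phone):
        salt = os.urandom(16)
        self.users[username] = {"salt": salt,
                                "pw_hash": self._hash_password(password, salt),
                                "phone": phone}

    def start_login(self, username, password, now=None):
        """Step 1: check the password. Only on success is a fresh 6-digit code texted."""
        now = time.time() if now is None else now
        user = self.users.get(username)
        if user is None:
            return False
        candidate = self._hash_password(password, user["salt"])
        if not hmac.compare_digest(candidate, user["pw_hash"]):
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = (hashlib.sha256(code.encode()).digest(),
                                  now + CODE_TTL_SECONDS)
        self.sms.send(user["phone"], code)
        return True

    def finish_login(self, username, code, now=None):
        """Step 2: check the texted code. Each code is single use and time-limited;
        it is consumed on the first attempt, right or wrong, so someone holding the
        password gets one guess per password check, not unlimited tries."""
        now = time.time() if now is None else now
        entry = self.pending.pop(username, None)
        if entry is None:
            return False
        code_hash, expires_at = entry
        if now > expires_at:
            return False
        return hmac.compare_digest(code_hash, hashlib.sha256(code.encode()).digest())


def demo():
    """Walk through the cases the post describes and return each outcome."""
    sms = SmsOutbox()
    server = AuthServer(sms)
    server.register("alice", "correct horse battery", "+1-555-0100")  # constructed user
    t0 = 1_700_000_000.0  # fixed clock so the walkthrough is repeatable
    results = {}
    # The user: password, then the code that arrived on her phone.
    server.start_login("alice", "correct horse battery", now=t0)
    _, code = sms.sent[-1]
    results["user_with_phone"] = server.finish_login("alice", code, now=t0 + 30)
    # Replaying the same code after it was used.
    results["replayed_code"] = server.finish_login("alice", code, now=t0 + 31)
    # Someone holding only the leaked password: step 1 passes, but the code went to
    # the phone. (A code differing from the texted one stands in for a guess.)
    server.start_login("alice", "correct horse battery", now=t0)
    _, code = sms.sent[-1]
    wrong_code = f"{(int(code) + 1) % 10**6:06d}"
    results["password_only"] = server.finish_login("alice", wrong_code, now=t0 + 5)
    # The right code entered after the window closed.
    server.start_login("alice", "correct horse battery", now=t0)
    _, code = sms.sent[-1]
    results["expired_code"] = server.finish_login("alice", code,
                                                  now=t0 + CODE_TTL_SECONDS + 1)
    # A wrong password never reaches step 2, and no text is sent for it.
    sent_before = len(sms.sent)
    results["wrong_password"] = server.start_login("alice", "password123", now=t0)
    results["texts_sent_for_wrong_password"] = len(sms.sent) - sent_before
    return results
```

Run `demo()` to see the outcomes; only the case with both the password and the freshly texted code succeeds. Consuming the pending code on the first attempt, right or wrong, is a design choice: it keeps a stolen password from being turned into unlimited guesses at the 6-digit code.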

Take a minute and read Yahoo’s 238 word CONFESSION about the Cyber theft of 1+ billion user accounts!

Posted in Cyber, eCommerce, Internet Privacy

Yahoo’s public confession, entitled “Important Security Information for Yahoo Users,” concerns the August 2013 theft of “data associated with more than one billion user accounts.” It admits that “the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.” The full statement follows:

As we previously disclosed in November, law enforcement provided us with data files that a third party claimed was Yahoo user data. We analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data. Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts. We have not been able to identify the intrusion associated with this theft. We believe this incident is likely distinct from the incident we disclosed on September 22, 2016.

For potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers. The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system the company believes was affected.

Separately, we previously disclosed that our outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password. Based on the ongoing investigation, we believe an unauthorized third party accessed our proprietary code to learn how to forge cookies. The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used. We are notifying the affected account holders, and have invalidated the forged cookies. We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016.

Yahoo also encourages “users to visit our Safety Center page for recommendations on how to stay secure online:”

  • Change your passwords and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo account;
  • Review all of your accounts for suspicious activity;
  • Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information;
  • Avoid clicking on links or downloading attachments from suspicious emails; and
  • Consider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password on Yahoo altogether.

However, since the theft occurred in 2013, it’s hard to believe that this advice will solve many user problems.