Internet, Information Technology & e-Discovery Blog

Social changes brought about by the Internet & Technology

Supreme Court will consider a 1986 law about phone records and how it applies to emails in 2017 outside the US

Posted in eCommerce, Internet Access, Internet Privacy

The New York Times reported that the US Supreme Court will consider a case against Microsoft to “decide whether federal prosecutors can force technology companies to turn over data stored outside the United States.”  In 1986 Congress passed the Stored Communications Act (SCA) to control telephone records, long before the Internet we know today, but the SCA is the main law that Internet companies rely on to protect users’ content, and in passing the SCA in 1986 “Congress focused on providing basic safeguards for the privacy of domestic users.”

The New York Times October 16, 2017 article entitled “Justices to Decide on Forcing Technology Firms to Provide Data Held Abroad” included this background on the case:

The case, United States v. Microsoft, No. 17-2, arose from a federal drug investigation. Prosecutors sought the emails of a suspect that were stored in a Microsoft data center in Dublin. They said they were entitled to the emails because Microsoft is based in the United States.

A federal magistrate judge in New York in 2013 granted the government’s request to issue a warrant for the data under a 1986 federal law, the Stored Communications Act. Microsoft challenged the warrant in 2014, arguing that prosecutors could not force it to hand over its customer’s emails stored abroad.

A three-judge panel of the United States Court of Appeals for the Second Circuit, in Manhattan, ruled that the warrant in the case could not be used to obtain evidence beyond the nation’s borders because the 1986 law did not apply extraterritorially. In a concurring opinion, Judge Gerard E. Lynch said the question was a close one, and he urged Congress to revise the 1986 law, which he said was badly outdated.

The result of this case may change Internet jurisdiction and privacy, or lead to congressional changes to the SCA.

Did Facebook delete Russian bought ads because of a bug?

Posted in Cyber

The Washington Post wrote that Facebook claimed “it has merely corrected a “bug” that allowed [Jonathan] Albright, who is research director of the Tow Center for Digital Journalism at Columbia University, to access information he never should have been able to find in the first place.”  The October 12, 2017 article entitled “Facebook takes down data and thousands of posts, obscuring reach of Russian disinformation” included these comments:

Social media analyst Jonathan Albright got a call from Facebook the day after he published research last week showing that the reach of the Russian disinformation campaign was almost certainly larger than the company had disclosed.

While the company had said 10 million people read Russian-bought ads, Albright had data suggesting that the audience was at least double that — and maybe much more — if ordinary free Facebook posts were measured as well.

But the deletion of the posts and the related data struck Albright as a major loss for the world’s understanding of the Russian campaign.

Was it really a bug?

Google confesses that Russia bought Google Search and YouTube ads to influence the 2016 election!

Posted in Cyber

The Washington Post reported that Google admitted that it “found that tens of thousands of dollars were spent on ads by Russian agents who aimed to spread disinformation across Google’s many products, which include YouTube, as well as advertising associated with Google search, Gmail, and the company’s DoubleClick ad network.” The October 9, 2017 report entitled “Google uncovers Russian-bought ads on YouTube, Gmail and other platforms” included the reason for the investigation:

Google launched an investigation into the matter, as Congress pressed technology companies to determine how Russian operatives used social media, online advertising, and other digital tools to influence the 2016 presidential contest and foment discord in U.S. society.

And also Google admitted that:

Some of the ads, which cost a total of about $100,000, touted Donald Trump, Bernie Sanders and the Green party candidate Jill Stein during the campaign, people familiar with those ads said. Other ads appear to have been aimed at fostering division in the United States by promoting anti-immigrant sentiment and racial animosity.

Hardly a surprise given Google’s Internet dominance, but alarming nevertheless!

Do you trust Equifax? Apparently IRS believes a new $7.25 million contract with Equifax is a good idea!

Posted in Cyber, eCommerce

Gizmodo reported that IRS supports its new $7.25 million contract with Equifax as a “no bid sole source” contract “to help verify US taxpayers’ identities” …and without which “would have prevented thousands of hurricane victims from obtaining much needed…. tax information.”  The October 5, 2017 story entitled “IRS Chief Says Aborting Equifax Contract Could Harm Hurricane Victims” included IRS chief John Koskinen’s argument “that the circumstance was unavoidable” since Equifax’s existing contract expired on September 30, 2017, and Equifax was challenging an award to another vendor, a challenge which will not be resolved before October 16.

CNBC reported that 7 “members of the Senate Banking Committee are asking the Internal Revenue Service to rescind a $7.25 million contract with Equifax” saying that:

…the awarding of the contract shows a clear disregard for millions of Americans who had their personal information stolen.

How can IRS trust Equifax since at least 143 million people don’t?

Surprised? Equifax learned about its cyber exposure in March, but failed to do anything!

Posted in Cyber, eCommerce

Reuters reported that former Equifax CEO Richard Smith (who retired suddenly last week) provided written testimony that “Equifax was alerted to the breach by the U.S. Homeland Security Department on March 9,…, but it was not patched.”  The October 2, 2017 report entitled “Equifax failed to patch security vulnerability in March: former CEO” included these comments about the testimony provided to the Energy and Commerce Committee:

On March 15, Equifax’s information security department ran scans that should have identified any systems that were vulnerable to the software issue but did not, the testimony said.

As a result, “the vulnerability remained in an Equifax web application much longer than it should have,” Smith said. “It was this unpatched vulnerability that allowed hackers to access personal identifying information.”

In his testimony, Smith said it appears the first date hackers accessed sensitive information may have been on May 13. He said “between May 13 and July 30, there is evidence to suggest that the attacker(s) continued to access sensitive information.”

Smith said security personnel noticed suspicious activity on July 29 and disabled the web application on July 30, ending the hacking. He said he was alerted the following day, but was not aware of the scope of the stolen data.

On Aug. 2, the company alerted the FBI and retained a law firm and consulting firm to provide advice. Smith notified the board’s lead director on Aug. 22.

We will likely continue to see bad news in the aftermath of Equifax’s confession of exposing more than 143 million individuals’ personal data.

GUEST BLOG: Will cyber disasters finally be the reason that IT folks learn to speak English rather than Geek Talk (think Technology)?

Posted in Cyber, IT Industry

My Guest Blogger Eddie Block (CISSP, CIPM, CIPP/G, CISA, CEH) is a senior attorney in Gardere’s Litigation Group and member of the Cybersecurity and Privacy Legal Services Team who focuses on all aspects of information cyber security, including credentialing functions, firewall and IDS deployment and monitoring, and penetration testing, and related complex litigation.  Eddie blogs at JurisHacker.

For many years I have said that “anybody that’s good with computers is incapable of having a meaningful relationship with another human,” so I was pleased to see Eddie’s blog:

Translation services available

When I was a penetration tester I struggled to adequately express the importance of the vulnerabilities I identified.  For some reason, I couldn’t convince the business and legal teams that the vulnerabilities had to be mitigated and that the business had to spend time and money on the effort.

Like many young and excitable IT and security people, I couldn’t understand why no one could grasp why this was important.  “Are they idiots?”, “Don’t they get it?”, “They just don’t care about security!”

It turns out it wasn’t their failure, but mine.  I wasn’t speaking in the right language.

I dropped out of the security world for three years and went to law school.  When I enrolled, my goal was not to become a lawyer, but to learn to think and write like a lawyer.  I enjoyed law school and took full advantage of the opportunities presented to me.  I was able to work as a research assistant for one of the legal research and writing professors (Thanks Mike!), serve on the editorial board of the Law Journal, earned a fellowship in the Center for Terrorism Law, and leveraged my IT skills to get a job in the Westlaw lab.

I really enjoyed law school.

After law school I returned to security, this time with a different language under my belt and a better understanding of how to present my concerns.  I couldn’t think in terms of security vulnerabilities anymore.  I had to speak another language.

My big discovery was:

  • Security thinks about vulnerabilities;
  • Executives think about risk; and
  • Lawyers think about liability.

While they sound similar, they are distinct ways of approaching a decision.  In order to communicate the importance of security to different audiences, I had to adapt to them and not expect them to adapt to me.

So, need additional funding for a security project?  Write up your proposals geared toward the audience and how they think.  Does the lack of a security control create risk to the organization?  Will the organization breach a duty and become liable under a contract, law, or regulation?

These subtle shifts in thinking may help drive the discussion forward and lead to better understanding and better security.

Poor cyber security equals +1.9 billion records exposed in the first 6 months of 2017!

Posted in Cyber

Gemalto issued a report that “identity theft breaches continue to remain high and result in many records being stolen, which shows that organizations are still not adequately addressing this threat.” The September 2017 report entitled “2017 Poor Internal Security Practices Take a Toll” included these comments:

A large portion of accidental losses are the result of poor internal security practices or unsecure databases.

One of the main takeaways from the findings is that security needs to be comprehensive, not only including tools such as network protection and access controls, but data encryption and multi-factor authentication as well, so that in the event of a breach cyber criminals will not be able to do anything with the stolen information.

Gemalto’s “Data breach statistics 2017: First half results are in” about the report stated:

  • The huge international data breach problem becomes palpable when you consider that Gemalto has discovered 1,901,866,611 compromised data records in just the first half of 2017.
  • In fact, IDC predicts that by 2020, more than 1.5 billion people, or roughly a quarter of the world’s population, will be affected by data breaches.
  • The United States has been continuously the world leader in data breach incidents.
  • Of the 918 breaches, 801 of them occurred in the US. The UK places a distant second with 40 incidents, and Canada’s third with 26.

No surprises, but these are pretty gloomy prospects for the future!

GUEST BLOG: Are you surprised to hear that Equifax’s security chief doesn’t have a degree in technology, rather majored in music?

Posted in Cyber, IT Industry

My Guest Blogger Eddie Block (CISSP, CIPM, CIPP/G, CISA, CEH) is a senior attorney in Gardere’s Litigation Group and member of the Cybersecurity and Privacy Legal Services Team who focuses on all aspects of information cyber security, including credentialing functions, firewall and IDS deployment and monitoring, and penetration testing, and related complex litigation.  Eddie blogs at JurisHacker.

What qualifies a CISO?

Since the Equifax breach a screenshot of the CSO’s music degrees has been floating around the Internet.

As a Classical Civilizations undergrad, I take issue with the implications.  During college I built networks and databases and worked on systems of all types.  I also spent my summers on archaeological sites in Israel.

After graduating from college, I worked helpdesk support, moved into system administration, started securing systems and networks.  I eventually became a full time pentester.  Midcareer, I dropped out of InfoSec and went to law school.

After law school I went back into security doing product security, working with DoD networks, and securing a $20 billion enterprise.  I eventually served as the Chief Information Security Officer for the State of Texas.

So I was the CISO for a state of 28 million people with degrees in Classical Civilizations and Law.  Does that make me unqualified for my job?  Should I have stuck with my life in archaeology?

I know a loooottttttt of people in InfoSec with no or unrelated degrees.  In fact there was almost no university offering a security degree when I or my friends were in college.

What makes a security person?  Curiosity.  Grab all the degrees and certifications you want; without a natural curiosity about how things work (and more importantly break) you won’t make it in InfoSec.  Making things work in unintended ways is the fundamental tenet of security.  The most important word in InfoSec is “Huh?”

So was Ms. Mauldin qualified to lead Equifax’s security program?  I don’t know, but I won’t make that judgment based on her degrees.

Oops! Malware distributed with antivirus software to more than 2.27 million users!

Posted in Cyber

My good friend Kevin Campbell (SVP/CIO at Hunt Consolidated, Inc.) shared this bad news that “Antivirus firm Avast has admitted inadvertently distributing a trojanised version of CCleaner, a popular PC tune-up tool, for nearly a month, infecting an estimated 2.27 million users.”  This news was reported by The Register on September 18, 2017 in an article entitled “Downloaded CCleaner lately? Oo, awks… it was stuffed with malware,” which included this observation:

The attack is particularly dangerous because it exploits the trust consumers have with their software suppliers, a vector that has been seen before.

Thanks to Kevin for sharing this terrible news!

GUEST BLOG: Neither Rain, nor Sleet, nor Dark of Night Shall Stay the Application of HIPAA Regulations…

Posted in Cyber, Internet Privacy

My Guest Blogger Eric Levy is a senior attorney in Gardere’s Trial Practice Group who focuses on HIPAA, PHI, cyber security, PCI compliance, PII, eCommerce, and related complex contract negotiations and litigation. Eric has received the Certified Information Privacy Professional (CIPP-US) designation from the International Association of Privacy Professionals (“IAPP”).

It is beyond dispute that Hurricanes Harvey and Irma caused catastrophic levels of property damage to individuals and businesses in Texas, Florida and the rest of the Gulf Coast. In the midst of this devastation, however, the Office of Civil Rights (OCR) recently made a point to identify a particular type of property that cannot, under any circumstances, be permitted to be damaged by natural disaster: electronic protected health information (e-PHI).

Per OCR, the HIPAA Security Rule is not suspended at all during a national or public health emergency. Covered entities and business associates are required, under the Security Rule, to protect against any reasonably anticipated threats or hazards to the security or integrity of e-PHI that they create, receive, maintain or transmit. Other provisions of the Security Rule require covered entities to implement security measures that specifically contemplate emergency conditions. For example, covered entities and potentially business associates must have contingency plans, including disaster recovery and emergency mode operation plans, which establish policies and procedures for responding to an emergency or other occurrence (fire, system failure and natural disaster) that damages systems that contain e-PHI. In other words, companies that obtain, store and/or use e-PHI must take steps to ensure that all such e-PHI is accessible before, during and after an emergency, including backing up the data to the cloud or another secure location (one that will not be impacted by the emergency afflicting the covered entity).

Parts of the HIPAA Privacy Rule may be waived during a national or public health emergency. If the President declares an emergency or disaster and the HHS Secretary declares a public health emergency, the Secretary may waive sanctions and penalties against a covered hospital that does not comply with certain provisions of the HIPAA Privacy Rule, including the requirement to distribute a notice of privacy practices and the patient’s right to request privacy restrictions or confidential communications. If the Secretary issues such a waiver, it only applies: (1) in the emergency area and for the emergency period identified in the public health emergency declaration, and (2) to hospitals that have instituted a disaster protocol for up to 72 hours from the time the hospital implements that protocol. Regardless of the activation of an emergency waiver, the HIPAA Privacy Rule permits disclosures for treatment purposes and certain disclosures to disaster relief organizations. For instance, the Privacy Rule allows covered entities to share patient information with the American Red Cross so it can notify family members of the patient’s location.