Internet, Information Technology & e-Discovery Blog

Internet, Information Technology & e-Discovery Blog

Social changes brought about by the Internet & Technology

GUEST BLOG: Great idea – Develop a Ransomware Defense Plan to avoid Cyber disasters!

Posted in Cyber, eCommerce

My Guest Blogger John Ansbach is General Counsel of General Datatech, L.P. (“GDT”), and John is a seasoned attorney with a broad range of experience developed over more than 18 years of practicing law including as a corporate generalist, his background includes experience in contracts; cyberlaw; intellectual property; real estate; human resources; corporate governance; regulatory and compliance; and, litigation. He’s also developed experience as a legislative advocate and technologist, advocating for GDT and its industry partners in areas relating to cloud and cybersecurity, the Internet of Things (IoT), tax policy and patent reform.

Version 3Anshbach background

TO RESIST TOP BUSINESS CYBERTHREAT RANSOMWARE, IT’S ALL ABOUT PREVENTION

Well, the results are in and we have a winner…ransomware wins first place for the top global cybersecurity threat of 2016.

According to a recent report by cybersecurity company SonicWall, ransomware attacks (malware that prevents or limits users from accessing their system or data unless a ransom is paid) soared in 2016, up 167 times the number recorded in 2015. (Source: Computerworld, “Ransomware soars in 2016, while malware declines,” by Matt Hamblen, February 7, 2017, citing the SonicWall report). “Ransomware attacks rose from 3.8 million in 2015 to 638 million in 2016…SonicWall theorized that ransomware was easier to obtain in 2016 and that criminals faced a low risk of getting caught or punished…Ransomware was the ‘payload of choice for malicious email campaigns and exploits,’ SonicWall said.” (Source: Id).

“…ransomware attacks soared, up 167 times the number recorded in 2015.”

The report concluded that in 2016, “the most popular malicious email campaigns were based on ransomware [ ] which was deployed in more than 500 million total attacks throughout the year.” It also indicated that, “No industry was spared: the mechanical and industrial engineering industry got 15% of the ransomware hits, while pharmaceuticals and financial services companies each got 13%, while real estate companies got 12%.” (Source: Id.).

So, if you are a business leader in one of these (or any other) sectors, what can you do to resist the onslaught of ransomware cyberattacks? Focus on prevention. “Most security experts agree that it is almost impossible to recover data that might have been encrypted in a ransomware attack without access to the decryption keys, or to a backup copy of the affected data. So the focus has to be on prevention.” (Source: DARKReading, “Here’s How To Protect Against A Ransomware Attack,” by Jai Vijayan, February 4, 2016).

According to experts, there are a good number of actions (technical and non technical) leaders can take to prevent ransomware. Here are my top three:

  • Have Backup. “Having a robust data backup process can go a long way in blunting the threat posed by ransomware. In fact, it is often the only way to recover data if you are unwilling to pay the ransom demanded by an extortionist.” (Source: Id.)

“Recovering data encrypted by a ransomware attack is next to impossible, so prevention offers the better approach.”

  • Develop a Response Plan. “Time is critical for an organization faced with a ransomware deadline. Online extortionists typically give organizations a very specific time limit within which to pay…They deliberately don’t give enough time for an organization to figure out if it can try and unlock the data without paying any ransom. So it is important to have a plan in place describing what needs to happen in the event of a ransomware attack. ‘The last thing you want is to be doing a Google search for a local forensics experts at 2am on a Saturday morning.’” (Source: Id.)
  • Train (Test and Re-Train) Employees. There may be no better non-technical defense against ransomware than training and empowering employees to recognize and resist emails used to deliver ransomware malware. But ‘train, fire and forget’ won’t cut it. “Raising awareness about ransomware by educating staff about the dangers of clicking on attachments or links in emails is clearly important as a baseline security measure. But it only takes one employee to lower their guard on one occasion for an organization to be compromised…companies such as PhishMe provide technology to help keep employees on their toes by sending them simulated malicious emails on an ongoing basis; if an employee clicks on a simulated malicious link, they get feedback to help ensure that they don’t fall victim to a similar email again.” (Source: eSecurity Planet, “How to Stop Ransomware,” by Paul Rubens, January 31, 2017).

Ransomware has clearly been the chief cyberthreat for business in the last year, and if the first month or so of 2017 is any indication, this year will be no different. (See, “Ransomware expected to dominate in 2017,” ComputerWeekly.com, by Warwick Ashford January 6, 2017). Business leaders will have to face the ransomware cybersecurity threat head on, and do so deliberately, methodically and purposefully. Only by taking this threat seriously, and preparing a business and its employees accordingly, will leaders prevail in this fight. And only then, when an organization can access and protect its information and that of its customers, will leaders be able to focus on the myriad of other day-to-day efforts to make their business truly great.

For a more complete list of action items and methods that can be used to combat and resist ransomware, both technical and non-technical, check out the DARKReading.com article, as well as the eSecurity Planet article.

GUEST BLOG: User training is the best way to protect against Cyber Phishing, is that so hard to understand?

Posted in Cyber, Internet Privacy

My Guest Blogger Eddie Block (CISSP, CIPM, CIPP/G, CISA, CEH) is a senior attorney in Gardere’s Litigation Group and member of the Cybersecurity and Privacy Legal Services Team who focuses on all aspects of information cyber security, including credentialing functions, firewall and IDS deployment and monitoring, and penetration testing, and related complex litigation.  Eddie blogs at JurisHacker.

Eddie Block Dec 2 2016

Since every business operates on the Internet it’s imperative that employees get proper training to avoid Phishing not to mention SpearPhishing which is why I say Phishing still king. 2016 proved that phishing lead the charge in most data breaches.  According to the latest phishme “2016 Enterprise Phishing Susceptibility and Resiliency Report” 91% of data breaches begin with spearphishing.  This is supported by the 2016 Verizon Data Breach Report.

Both companies warn that phishing attacks are a significant threat, potentially the most significant.

Phishing has reportedly been at the heart of many high profile data breaches including AnthemJP Morgan, and others.

Unfortunately there are not great technological solutions to prevent phishing.  Spam tools or anti-virus may help, but phishers continually evolve their messages and approaches.

Training, in my opinion, is still the best way to prevent phishing or any type of social engineering.  Through targeted training and testing, organizations have the ability to reduce a persistent threat

D-Link opposes the FTC lawsuit that its routers and baby cameras are exposed to cyberattacks!

Posted in Cyber, Internet Privacy

The Cause of Action Institute (CoA Institute) filed D-Link’s Motion to Dismiss in response to the FTC lawsuit which claims are based on D-Link’s “failure to secure devices from cyberattacks!”  The  CoA Institute Motion was filed on January 31, 2017 and is set for a hearing on March 9, 2017 and stated that the FTC claims were merely “government overreach…without any evidence of consumer injury”  and states that the FTC failed to support its allegations of that D-Linked to take reasonable steps to security routers and IP cameras, nor identify any specific security data breaches.  As well the Motion contained this summary about the FTC’s lawsuit:

Pleading legal conclusions couched as hypothetical, speculative factual allegations requiring unwarranted deductions, as the FTC has done here, is insufficient.

This case will continue no matter what since the FTC now has an opportunity to file a Response to the CoA Institute’s Motion to Dismiss to which the CoA Institute will likely file a Reply.  Even if the Motion to Dismiss is granted it is likely the federal judge will allow the FTC to refile its Complaint.

Wow! Uber fined $20 Million and confesses it exaggerated potential drivers’ earnings!

Posted in eCommerce

The Federal Trade Commission (FTC) sued Uber alleging that it “misled prospective drivers with exaggerated earning claims and claims about financing through its Vehicle Solutions Program.”  The January 19, 2017 lawsuit filed in the US District Court for the Northern District of California FTC v. Uber Technologies, Inc. requested a permanent injunction and includes claims violations of Section 5 of the FTC Act for: Deceptive Income Claims, Deceptive Auto Finance Claims, and Deceptive Unlimited Mileage Claims. The FTC News Release entitled “Uber Agrees to Pay $20 Million to Settle FTC Charges That It Recruited Prospective Drivers with Exaggerated Earnings Claims” included these allegations in about the lawsuit:

The FTC alleges that Uber claimed on its website that uberX drivers’ annual median income was more than $90,000 in New York and over $74,000 in San Francisco.

The FTC alleges, however, that drivers’ annual median income was actually $61,000 in New York and $53,000 in San Francisco.  In all, less than 10 percent of all drivers in those cities earned the yearly income Uber touted.

The FTC also alleges that Uber made high hourly earnings claims in job listings, including on Craigslist, but that the typical Uber driver failed to earn those advertised hourly amounts in various cities.

The complaint also alleges that Uber claimed its Vehicle Solutions Program would provide drivers with the “best financing options available,” regardless of the driver’s credit history, and told consumers they could “own a car for as little as $20/day” ($140/week) or lease a car with “payments as low as $17 per day” ($119/week), and “starting at $119/week.”

Despite Uber’s claims, from at least late 2013 through April 2015, the median weekly purchase and lease payments exceeded $160 and $200, respectively, the FTC alleges.

Uber failed to control or monitor the terms and conditions of the auto financing agreements through its program and in fact, its drivers received worse rates on average than consumers with similar credit scores typically would obtain, according to the FTC’s complaint.

In addition, Uber claimed its drivers could receive leases with unlimited mileage through its program when in fact, the leases came with mileage limits, the FTC alleges.

Jessica Rich (Director of the FTC’s Bureau of Consumer Protection) made these comments in the News Release:

Many consumers sign up to drive for Uber, but they shouldn’t be taken for a ride about their earnings potential or the cost of financing a car through Uber.

This settlement will put millions of dollars back in Uber drivers’ pockets.

Uber’s confession is significant and hopefully will influence other companies who make fraudulent claims to potential workers.

$3.2 million HIPAA fine for violations since 2006!

Posted in Cyber, Internet Access, Internet Privacy

The Office for Civil Rights (OCR) issued a Final Notice that Children’s Medical Center of Dallas among other things failed “to implement risk management plans, contrary to prior external recommendations to do so, and a failure to deploy encryption or an equivalent alternative measure on all of its laptops, work stations, mobile devices and removable storage media.” The OCR news release on February 1, 2017 entitled “Lack of timely action risks security and costs money” about the Notice of Final Determination for the fine of $3.217 million for violation of Health Insurance Portability and Accountability Act of 1996 (HIPAA) included these statements:

OCR’s investigation revealed Children’s noncompliance with HIPAA Rules, specifically, a failure to implement risk management plans, contrary to prior external recommendations to do so, and a failure to deploy encryption or an equivalent alternative measure on all of its laptops, work stations, mobile devices and removable storage media until April 9, 2013. 

Despite Children’s knowledge about the risk of maintaining unencrypted ePHI [electronic protected health information] on its devices as far back as 2007, Children’s issued unencrypted BlackBerry devices to nurses and allowed its workforce members to continue using unencrypted laptops and other mobile devices until 2013. 

Hopefully this Final Determination will be a wake-up call to other HIPAA covered entities.

Eliminating Net Neutrality likely to raise the cost of using the Internet!

Posted in Internet Access, Net Neutrality, Uncategorized

Senator Al Franken issued a letter to Ajit Pai (new Chair of the Federal Communications Commission – FCC) after Commissioner Pai stated his opposition to Net Neutrality which letter ended with this comment that “Net neutrality is the First Amendment issue of our time, and I will fight to protect it every step of the way.”  The Senator’s January 30, 2017 press release about the letter was entitled “Sen. Franken Presses New FCC Chairman to Protect Net Neutrality”  and his letter included these comments about the background on why Net Neutrality should be retained:

Two years ago, American consumers and businesses celebrated the FCC’s landmark vote to preserve a free and open internet by reclassifying broadband providers as common carriers under Title II of the Communications Act.

The vote came after the FCC received nearly four million public comments, the majority of which supported strong net neutrality rules, making it the most commented-on FCC issue by three times.

Consumers urged the Commission to protect their unfettered and affordable access to content; a wide range of advocacy organizations pressed the Commission to ensure all voices and ideas on the internet receive equal treatment from broadband providers, regardless of how deep any speaker’s pocket is; and small businesses asked that the internet remain a level playing field so that they can continue to compete with larger companies

I’ve been blogging about Net Neutrality since my first blog on August 1, 2008 “Proposed Net Neutrality Bill in the US Congress” and the debate about the cost of Internet usage continues!

GUEST BLOG: Wanna keep up with pending Cyber legislation?

Posted in Cyber, eCommerce

My Guest Blogger Eddie Block (CISSP, CIPM, CIPP/G, CISA, CEH) is a senior attorney in Gardere’s Litigation Group and member of the Cybersecurity and Privacy Legal Services Team who focuses on all aspects of information cyber security, including credentialing functions, firewall and IDS deployment and monitoring, and penetration testing, and related complex litigation.

Eddie Block Dec 2 2016

The Texas Legislature is considering a number of proposed cyber laws and my JurisHacker blog has an interactive “Information security and Privacy Bill Tracker.” For those you who don’t know that the Texas Legislature meets for 140 days every 2 years, which many Texans say is “140 days too long!”

During the Texas Legislative sessions those 140 days things move pretty quickly; a budget must be drafted and passed, any new bills must be submitted, reviewed and adopted, and state agencies face scrutiny. All-in-all it can be a whirlwind.  In order to keep up with the pace of the session, you’re welcome to follow my blog tracking information security, cybersecurity, and privacy bills.

These potential laws may show in other states or in Washington, DC at some point, so you may want to track what’s going on this Spring.

Uber will likely get smarter since they hired Google’s former head of search!

Posted in eCommerce

The New York Times reported that Uber hired “Amit Singhal, a 15-year Google veteran and a former senior vice president for search …to join Uber as senior vice president for engineering. At Uber, he will work to build out the software and infrastructure that are the foundation of the company’s ride-hailing services.”  The January 20, 20117 article entitled “Uber Hires Google’s Former Head of Search, Stoking a Rivalry” included these comments:

In his new position, Mr. Singhal will report to Travis Kalanick, Uber’s chief executive, and will lead the company’s mapping division as well as a unit that runs the dispatching, marketing and pricing of Uber cars.

Mr. Singhal will also advise Anthony Levandowski, who runs the company’s self-driving automobile efforts.

The hiring of Mr. Singhal, who left Google last year, is a coup for Uber, which has publicly stated its intention to fight Google’s substantial head start in autonomous-vehicle research.

Stay tuned to see what happens at Uber!

Do you want China to control cyber and IT news? Think about this – China Oceanwide is acquiring news media giant IDG

Posted in Cyber, eCommerce, Internet Privacy, IT Industry

Computerworld announced that “tech journalism pioneer International Data Group [IDG], publisher of Computerworld, PCWorld and hundreds of other tech publications worldwide” is being acquired by China Oceanwide for a price of “less than $1 billion.” The January 19, 2017 report entitled “China Oceanwide, IDG Capital to acquire Computerworld-parent IDG” included this background about “IDG, a privately held company, operates in 97 countries. It was founded in 1964” and IDG is also the parent company of the IDG News Service and the IDG brands include, without limitation:

  • CIO,
  • Macworld,
  • InfoWorld,
  • CSO,
  • Network World, and
  • IDG.tv.

The purchaser China Oceanwide:

…is a privately held international conglomerate founded by Chairman Zhiqiang Lu in 1985. The company operates businesses in the financial services, real estate assets, media, technology, and strategic investment markets, and it has more than 12,000 employees globally.

Such a purchase required US governmental approval which has already completed:

The deal, expected to close in the first quarter of this year, has received approval from the Committee on Foreign Investment in the United States (CFIUS), a U.S. government body, the companies said.

Should you be concerned about China controlling cyber and IT news?

FTC sues IoT manufacturer for failure to secure devices from cyberattacks!

Posted in Cyber, eCommerce

The Federal Trade Commission (FTC) filed a lawsuit against “D-Link Corporation and its U.S. subsidiary, alleging that inadequate security measures taken by the company left its wireless routers and Internet cameras vulnerable to hackers and put U.S. consumers’ privacy at risk.” The Complaint filed on January 5, 2017 in the US District Court in the Northern District of California includes these allegations against D-Link:

  • “hard-coded” login credentials integrated into D-Link camera software — such as the username “guest” and the password “guest” — that could allow unauthorized access to the cameras’ live feed;
  • a software flaw known as “command injection” that could enable remote attackers to take control of consumers’ routers by sending them unauthorized commands over the Internet;
  • the mishandling of a private key code used to sign into D-Link software, such that it was openly available on a public website for six months; and
  • leaving users’ login credentials for D-Link’s mobile app unsecured in clear, readable text on their mobile devices, even though there is free software available to secure the information.

The FTC press release entitled “FTC Charges D-Link Put Consumers’ Privacy at Risk Due to the Inadequate Security of Its Computer Routers and Cameras” included these comments from Jessica Rich (Director of the FTC’s Bureau of Consumer Protection):

Hackers are increasingly targeting consumer routers and IP cameras — and the consequences for consumers can include device compromise and exposure of their sensitive personal information,…

When manufacturers tell consumers that their equipment is secure, it’s critical that they take the necessary steps to make sure that’s true.

This lawsuit was the FTC’s stern message to other IoT manufacturers, and surely we will see more such lawsuits!