Internet, Information Technology & e-Discovery Blog

Internet, Information Technology & e-Discovery Blog

Social changes brought about by the Internet & Technology

More Bad Cybersecurity News – Top-Tier Malware Regin Used for Spying Since 2008

Posted in eCommerce, Internet Privacy, IT Industry

Symantec reported the discovery of new malware named Regin whose main purpose “is intelligence gathering and it has been implicated in data collection operations against government organizations, infrastructure operators, businesses, academics, and private individuals.”  On November 24, 2014 Symantec issued a report entitled “Regin: Top-tier espionage tool enables stealthy surveillance” which is a “back door-type Trojan, …a complex piece of malware whose structure displays a degree of technical competence rarely seen” which has “been used in systematic spying campaigns against a range of international targets since at least 2008.”  The report identifies the following Regin infections by sector in these 10 countries Saudi Arabia, Russia, Pakistan, Afghanistan, India, Mexico, Ireland, Belgium and Austria:

48% Privacy individuals and small businesses

28% Telecoms backbones

9% Hospitality

5% Energy

5% Airline

5% Research

Also Symantec stated that the “Regin infections have been observed in a variety of organizations between 2008 and 2011, after which it was abruptly withdrawn. A new version of the malware resurfaced from 2013 onwards.”

The New York Times reported:

The multi-staged design of the malware is akin to that of other espionage tools that security researchers believe were the work of nation states, notably Flame, Stuxnet and Duqu — three pieces of malware that were used to spy on computers in Iran and were believed to be a joint effort by the United States and Israel.

Back door Trojan malware is a reality of life, and businesses need to be vigilant to protect their systems and data.

Challenge to Uber’s Customer Privacy Policies Including its “God view”

Posted in eCommerce, Internet Privacy

Senate Al Franken asked Uber for clarification about an apparent “troubling disregard for customers’ privacy, including the need to protect their sensitive geolocation data.”  On November 19, 2014 Senator Franken sent a letter to Uber CEO Travis Kalanick about a tool known as “God view” which is:

… “widely available to most Uber corporate employees” and allows employees to track the location of Uber customers who have requested car service.

In at least one incident, a corporate employee reportedly admitted to using the tool to track a journalist. The journalist’s permission had not been requested, and the circumstances of the tracking do not suggest any legitimate business purpose. Indeed, it appears that on prior occasions your company has condoned use of customers’ data for questionable purposes

Senator Franken also had serious concerns:

…about the scope, transparency, and enforceability of Uber’s policies. Moreover, it is unclear what steps, if any, you have taken to ensure that your policies are adequately communicated to all employees, contractors, and affiliates, and to ensure that such policies are fully enforced.

The letter included these 10 questions about the Uber Privacy Policies:

1.      Mr. Michael, a senior executive, is reported to have made statements—suggesting that Uber might use private information to target journalists or others who have critiqued the company—that your company has since stated are flatly contrary to company policies. To what do you attribute such a failure at your company’s highest level to heed your own policies?

2.      What Mr. Michael is reported to have said sounds like it was intended to have a chilling effect on journalists covering Uber. Was any disciplinary action taken as a result of Mr. Michael’s statements?

3.      Where in your privacy policy do you address the “limited set of legitimate business purposes” that may justify employees’ access to riders’ and drivers’ data, including sensitive geolocation data?

4.      To whom is the so-called “God view” tool made available and why? What steps are you taking to limit access?

5.      Your privacy policy states that you may share customers’ personal information and usage information with your “parent, subsidiaries and affiliates for internal reasons.” On what basis do you determine what constitutes legitimate “internal reasons”? Why aren’t these standards set out for customers?

6.      Your privacy policy states that you may share “non-personally identifiable information” with third parties for “business purposes.” What does that mean exactly? Why aren’t customers asked to affirmatively consent to this use of their information? At a minimum, may they opt out of this information sharing?

7.      Your policies suggest that customers’ personal information and usage information, including geolocation data, is maintained indefinitely—indeed even after an account is terminated. Why? What limits are you considering imposing? In particular, when an account is terminated, why isn’t this information deleted as soon as pending charges or other transactional disputes are resolved?

8.      What training is provided to employees, as well as contractors and affiliates, to ensure that your company’s policies, as well as relevant state and federal laws, are being followed? In light of Mr. Michael’s recent comments, how do you plan to improve this training?

9.      Your spokeswoman has represented that your “policy is … clear that access to data is monitored and audited by data security specialists on an ongoing basis.” Where in your company policies is this discussed? How is this monitoring conducted? How frequently are audits completed? Are customers informed if their information has been inappropriately accessed?

10. Under what circumstances would an employee face discipline for a violation of Uber’s privacy policies? Have any disciplinary actions been taken on this basis?

It will be interesting to see how Uber responds and how federal agencies will follow-up on these alleged privacy issues

Privacy at the Heart of Colossal Cybersecurity Mistakes

Posted in Internet Privacy, IT Industry

Infoworld reported that for Information Technolgoy (IT) “Privacy has become one of the leading computer security issues today…Today’s systems track every access, and every employee should know that accessing a single record they don’t have a legitimate need to view is likely to be noticed and acted on.”  The November 17, 2014 Infoworld article entitled “10 security mistakes that will get you fired” includes these highlighted privacy mistakes by IT:

Colossal security mistake No. 1: Killing critical business functionality

Colossal security mistake No. 2: Killing the CEO’s access to anything

Colossal security mistake No. 3: Ignoring a critical security event

Colossal security mistake No. 4: Reading confidential data

Colossal security mistake No. 5: Invading privacy

Colossal security mistake No. 6: Using real data in test systems

Colossal security mistake No. 7: Using a corporate password on the Web at large

Colossal security mistake No. 8: Opening big “ANY ANY” holes

Colossal security mistake No. 9: Not changing passwords

Colossal security mistake No. 10: Treating every vulnerability like “the big one”

The report included the following example of Colossal security mistake No. 5: Invading privacy:

A friend worked at a hospital and once heard that a famous celebrity had checked in. The friend performed a quick SQL query and learned that the celebrity was in-house. They didn’t tell anyone or do anything.

A few days later someone in the primary care staff leaked to a popular media site that the celebrity was being treated in the hospital. Management asked for an audit of who accessed the celebrity’s records. The request came to my friend, who reported the results of the audit and self-reported their SQL query, though it had not been tracked by the information system. Management fired everyone who accessed the medical record without a legitimate reason. My friend, who would never have been caught if not for their aboveboard honesty, was fired without remorse.

Other important privacy mistakes were reported with with Colossal security mistake No. 6: Using real data in test systems:

When testing or implementing new systems, mounds of trial data must be created or accumulated. One of the simplest ways to do this is to copy a subset of real data to the test system. Millions of application teams have done this for generations. These days, however, using real data in test systems can get you in serious trouble, especially if you forget that the same privacy rules apply.

In today’s new privacy world, you should always create bogus test data to be used in your test systems. After all, test systems are rarely as well protected as production systems, and testers do not treat the data in test systems with the same mentality as they do data in production systems. In test systems, passwords are short, often shared, or not used at all. Application access control is often wide open or at least overly permissive. Test systems are rarely secure. It’s a fact that hackers love to exploit.

Most people do not realize how vulnerable their privacy is within IT systems, and this report reminds everyone that cybersecurity mistakes expose us all.

Darkhotel Cyberattacks Business Executives in Hotels

Posted in eCommerce, Internet Privacy

TexasBarToday_TopTen_Badge_Small (1)

Kaspersky identifies that Darkhotel is a group of attackers that “seems to know in advance when these individuals will arrive and depart from their high-end hotels. So, the attackers lay in wait until these travelers arrive and connect to the Internet.”  The Kaspersky report issued on November 10, 2014 is entitled “THE DARKHOTEL APT A STORY OF UNUSUAL HOSPITALITY” and should be disturbing to everyone who travels, and particularly in Japan since “over 90% of it occurs in the top five countries: Japan, followed by Taiwan, China, Russia and Korea.”

eWeek reported that Darkhotel was a:

cyber-espionage group has compromised the computer systems of corporate executives by infecting the networks of the hotels where they typically stay and then serving up malware while they connected to the Internet.

Here is how Darkhotel spreads:

The Darkhotel APT’s precise malware spread was observed in several hotels’ networks, where visitors connecting to the hotel’s Wi-Fi were prompted to install software updates to popular software packages.

Of course, these packages were really installers for Darkhotel APT’s backdoors, added to legitimate installers from Adobe and Google. Digitally signed Darkhotel backdoors were installed alongside the legitimate packages.

The most interesting thing about this delivery method is that the hotels require guests to use their last name and room number to login, yet only a few guests received the Darkhotel package. When visiting the same hotels, our honeypot research systems couldn’t attract a Darkhotel attack. This data is inconclusive, but it points to misuse of check-in information.

By the tone of this Kaspersky Report apparently many travelers are unaware of the privacy threats from the likes of Darkhotel.

Does P.F. Chang’s Have Cyber Insurance? Because the GCL Carrier Won’t Pay for Cyber Intrusions

Posted in eCommerce

A recent lawsuit by Travelers “that it is not obligated to defend or indemnify P.F. Chang’s under Commercial General Liability [GCL] insurance policies issued by Travelers.” Travelers alleged that among things P.F. Chang’s has “separate cyber liability insurance policy that Travelers did not issue” in its Declaratory Judgment Complaint  filed on October 2, 2014 in the US District Court in Connecticut.

My friend Judy Greenwald reported in

According to litigation filed against the restaurant chain, a breach occurred that involved seven million customer credit and debit cards began on Sept. 18, 2013, although P.F. Chang’s was not notified of it until June 10, 2014. One lawsuit has been filed in Washington and two in Illinois, according to the Travelers litigation, The Travelers Indemnity Company of Connecticut vs. P.F. Chang’s China Bistro Inc.

The litigation against the restaurant chain, which was filed in June and July and seeks class action status, accuses P.F. Chang’s of failure to prevent the breach, and states it could have been prevented. Charges against the chain include breach of implied contract.

It will be interesting to follow this case to see how the Court views the CGL coverage.

Privacy Policies Paramount in the Ten Commandments of BYOD

Posted in Internet Privacy, Social Media

IBM recently released a report about BYOD because of the “rapid proliferation of mobile devices entering the workplace feels like divine intervention to many…”  This fall MaaS360 by Fiberlink (an IBM company) released its Ten Commandment of BYOD which included asked these questions about privacy policies:

What data is collected from employees’ devices?

What personal data is never collected?

The report noted that some “state privacy laws prevent corporations from even viewing” BYOD data, so they recommended that privacy policies be communicated “to make it clear what data” the employer cannot collect from BYOD.

The report also included these comments about BYOD from:

Forrester’s study of US information workers revealed that 37% are doing something with technology before formal permissions or policies are instituted.

Further, a Gartner CIO survey determined that 80% of employees will be eligible to use their own equipment with employee data on board by 2016.

Here are the Ten Commandments of BYOD which clearly highlight privacy policy issues:

1. Create Thy Policy Before Procuring Technology

2. Seek The Flocks’ Devices

3. Enrollment Shall Be Simple

4. Thou Shalt Configure Devices Over the Air

5. Thy Users Demand Self-Service

6. Hold Sacred Personal Information

7. Part the Seas of Corporate and Personal Data

8. Monitor Thy Flock—Herd Automatically

9. Manage Thy Data Usage

10. Drink from the Fountain of ROI

With the proliferation of BYOD privacy policies issues will continue to be significant to employers and employees, and following the laws essential.

Supercookies Are Tracking +100 Million Cell Users, But Are Any Privacy Laws Being Violated?

Posted in eCommerce, Internet Privacy

Privacy advocates claim that Verizon is “silently modifying its users’ web traffic on its network to inject a cookie-like tracker… sent to every unencrypted website a Verizon customer visits from a mobile device.” According to the Electronic Frontier Foundation (EFF) Verizon’s “tracker, included in an HTTP header called X-UIDH” and the EFF explains how the supercookies work:

Like a cookie, this header uniquely identifies users to the websites they visit. Verizon adds the header at the network level, between the user’s device and the servers with which the user interacts.

Unlike a cookie, the header is tied to a data plan, so anyone who browses the web through a hotspot, or shares a computer that uses cellular data, gets the same X-UIDH header as everyone else using that hotspot or computer.

That means advertisers may build a profile that reveals private browsing activity to coworkers, friends, or family through targeted advertising.

Forbes reports that AT&T is testing it supercookies and that there is “nothing ready to announce.”

The EFF is demanding that the FTC act on this, but if the Privacy Policies for Verizon and AT&T permit supercookies how can this violate any laws?

Facebook Sues Lawyers for Deceit and Malicious Prosecution for Representing Ceglia

Posted in eCommerce, Social Media

DLA Piper and a group of law firms are accused of conspiring “to file and prosecute a fraudulent lawsuit” on behalf of Paul Ceglia who fabricated evidence that he owned 84% of Mark Zuckerberg’s stock in Facebook. On October 20, 2014 Facebook and Mark Zuckerberg sued the group of lawyers in NY state court who represented Celia which began in 2010.

In 2012 the FBI arrested Geglia for alleged criminal violations regarding fabricating evidence that Zuckerberg and he signed a contract in 2004 for web design for Facebook. The Complaint filed for mail and wire fraud by the US Postal Service includes these allegations against Ceglia that he:

  • filed a federal lawsuit falsely claiming that he was entitled to at least a 50% interest in Facebook.
  • has deliberately engaged in a systematic effort to defraud Facebook and Zuckerberg and to corrupt the federal judicial process.
  • manufactured and destroyed evidence, for instance replacing a page of the original contract with a fraudulent one that made it look like Zuckerberg had offered Ceglia interest in the company.

The Litigation Daily reported that “DLA Piper general counsel Peter Pantaleo vowed to fight the suit and emphasized that his firm represented Ceglia for less than three months”:

This is an entirely baseless lawsuit that has been filed as a tactic to intimidate lawyers from bringing litigation against Facebook…

Given the target on Facebook to be sued, more lawsuits will surely follow so it will be interesting see what happens in this new lawsuit.

$10 Million Fines for Privacy Violations

Posted in Internet Privacy

The Federal Communications Commission (FCC) announced that it was issuing fines since “TerraCom and YourTel apparently stored Social Security numbers, names, addresses, driver’s licenses, and other sensitive information belonging to their customers on unprotected Internet servers that anyone in the world could access.” However, the FCC stated in “their privacy policies, the two companies stated that they had in place ‘technology and security features to safeguard the privacy of your customer specific information from unauthorized access or improper use.’”

On October 24, 2014 the FCC issued a press release that this was the FCC’s “first data security case and the largest privacy action” based violations “from September 2012 through April 2013” when the companies:

…allegedly breached the personal data of up to 305,000 consumers through their lax data security practices and exposed those consumers to identity theft and fraud.

Travis LeBlanc, Chief of the FCC’s Enforcement Bureau stated:

Consumers trust that when phone companies ask for their Social Security number, driver’s license, and other personal information, these companies will not put that information on the Internet or otherwise expose it to the world,..When carriers break that trust, the Commission will take action to ensure that they are held accountable for unjust and unreasonable data security practices.

The Washington Post reported that these privacy violation were detected:

When reporters for the Scripps Howard News Service stumbled on the data with a simple Google search, they reported on the lax security and notified the FCC

Company need to better protect customer data, and particularly when they promise to guard it from unauthorized access.

FTC Shuts Down Company that Made $2.5 Million Masquerading as Facebook & Microsoft

Posted in eCommerce

A court granted the FTC’s motion to “shut down a company that scammed computer users by tricking them into paying hundreds of dollars for technical support services they did not need, as well as software that was otherwise available for free.” In the case of FTC v. Pairsys, Inc. et al, the FTC persuaded a US District Judge in the Northern District of New York to issue an injunction to cease their operations. The FTC alleged that since 2012 the defendants made over $2.5 million with these scams:

Whether consumers were cold-called by the company or drawn in by deceptive ads, the FTC’s complaint notes that what followed was a deceptive and high-pressure sales pitch conducted by scammers in an overseas call center. The scammers would convince a consumer to allow them to have remote control over the individual’s computer, in order to analyze the supposed issues.

Once they had access to a consumer’s computer, the FTC alleges, the scammers would lead the consumer to believe that benign portions of the computer’s operating system were in fact signs of viruses and malware infecting the consumer’s computer. In many cases, they implied that the computer was severely compromised and had to be “repaired” immediately.

At that point, consumers were pressured into paying for bogus warranty programs and software that was freely available, usually at a cost of $149 to $249, though in some cases, the defendants charged as much as $600 for the supposed products. The FTC’s filings in the case allege that the company made nearly $2.5 million since early 2012.

Jessica Rich, director of the FTC’s Bureau of Consumer Protection stated:

The defendants behind Pairsys targeted seniors and other vulnerable populations, preying on their lack of computer knowledge to sell ‘security’ software and programs that had no value at all,

Although successful in shutting down these scammers, there are still many stealing monies from unsuspecting Internet users.