Internet, Information Technology & e-Discovery Blog

Social changes brought about by the Internet & Technology

Red Flags Employers Should Know about Rogue Employees

Posted in eCommerce

A recent Infoworld story listed 7 Red Flags about employees, warning that when “someone you admired, trusted, and invested yourself in ends up embezzling from the company, illegally accessing private emails, or using customer credit card data to buy computer equipment for their home, your incorrectly placed trust in that person will haunt you.” The March 2, 2015 story entitled “7 warning signs an employee has gone rogue” includes “Red flag No. 6: Never takes vacation,” which should be a dead give-away given these comments:

I once worked with a woman who had been at the company for more than four decades. She was a hard worker, loved by everyone, although a bit cranky at times. She also never took a vacation, even when threatened. I was her boss for five years. At every annual review I would note that she didn’t take a vacation and I would cajole her to take one. She would say something nice or funny in response and say she would soon. But the next year would roll around and still no vacation.

The third year I threatened to fire her if she wouldn’t take a vacation. I even marked down her review score and reduced her bonus. Still she did not take a vacation, but I couldn’t follow through with the threat. She had been with the company so long, and I had a soft spot for her, as everyone did.

In the fifth year we forced her to take a week’s vacation. Lo and behold she continued to show up during the week to “see how things were going” in her absence. I physically had to escort her off the premises. I was truly worried about her health given how much she worked.

Then the checks started to arrive — it turned out she was getting kickback checks from all sorts of telco-related companies for more than 20 years. She had also given her son a job doing telco in the company, one for which he never showed up, and the company was paying for both their cars. In total, she had stolen more than half a million dollars over the course of 20 years.

Here is the entire list of Red Flags:

Red flag No. 1: Unexpectedly fails background check

Red flag No. 2: Says past employers didn’t trust them

Red flag No. 3: Knows information they shouldn’t

Red flag No. 4: Says they can hack a coworker or company systems

Red flag No. 5: Switches screens away from company assets as you walk up

Red flag No. 6: Never takes vacation

Red flag No. 7: Leaves the company angry

Obviously all employers should be alert to rogue employees and this list should be self-apparent!

More Cyber Criminals Targeting your Identity, Including Bad Guys in China!

Posted in eCommerce, Internet Privacy

According to BusinessInsurance.com, groups in “China continue to target Western interests, but there has been a shift in focus from the theft of intellectual property to identity information.” BusinessInsurance.com drew these conclusions from the February 23, 2015 HP report entitled “HP Security Research, Cyber Risk Report 2015,” which also stated:

Activity in the cyber underground primarily consists of cyber crime involving identity theft and other crimes that can be easily monetized.

The 7 key themes of the HP Report are:

Theme #1: Well-known attacks still commonplace – Based on our research into exploit trends in 2014, attackers continue to leverage well-known techniques to successfully compromise systems and networks. Many vulnerabilities exploited in 2014 took advantage of code written many years ago—some are even decades old.

Theme #2: Misconfigurations are still a problem – The HP Cyber Risk Report 2013 documented how many vulnerabilities reported were related to server misconfiguration.

Theme #3: Newer technologies, new avenues of attack – As new technologies are introduced into the computing ecosystem, they bring with them new attack surfaces and security challenges.

Theme #4: Gains by determined adversaries – Attackers use both old and new vulnerabilities to penetrate all traditional levels of defenses. They maintain access to victim systems by choosing attack tools that will not show on the radar of anti-malware and other technologies.

Theme #5: Cyber-security legislation on the horizon – Activity in both European and U.S. courts linked information security and data privacy more closely than ever. As legislative and regulatory bodies consider how to raise the general level of security in the public and private spheres, the avalanche of reported retail breaches in 2014 spurred increased concern over how individuals and corporations are affected once private data is exfiltrated and misused.

Theme #6: The challenge of secure coding – The primary causes of commonly exploited software vulnerabilities are consistently defects, bugs, and logic flaws.

Theme #7: Complementary protection technologies – In May 2014, Symantec’s senior vice president Brian Dye declared antivirus dead and the industry responded with a resounding “no, it is not.” Both are right. Mr. Dye’s point is that AV only catches 45 percent of cyber-attacks —a truly abysmal rate.

No surprises in this HP report!

Watch Out! Your Computer Probably has Spyware Courtesy of the US Government!

Posted in Internet Privacy

Apparently the US National Security Agency (NSA) “has figured out how to hide spying software deep within hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers, giving the agency the means to eavesdrop on the majority of the world’s computers, according to cyber researchers and former operatives,” as reported by Reuters on February 16, 2015. Reuters relied on a former NSA employee who confirmed the allegations, which were presented in Kaspersky Lab’s report entitled “Equations Group: Questions and Answers.” That report stated that this malware has been around since 1996 and that:

The Equation group is probably one of the most sophisticated cyber attack groups in the world; and they are the most advanced threat actor we have seen.

The report identified victims in more than 30 countries including the US in these categories:

  • Governments and diplomatic institutions
  • Telecommunication
  • Aerospace
  • Energy
  • Nuclear research
  • Oil and gas
  • Military
  • Nanotechnology
  • Islamic activists and scholars
  • Mass media
  • Transportation
  • Financial institutions
  • Companies developing cryptographic technologies

I cannot imagine any other category, so I guess that means everyone on earth. What do you think?

Senator Expresses Concerns about IoT Privacy and that “Big Brother” is Listening!

Posted in Internet Privacy

Florida Senator Bill Nelson expressed his concern that “Big Brother may really be listening…recently, we learned that Samsung’s privacy policy for its voice-activated ‘Smart TV’ informed consumers that their indoor conversations can be recorded by the television and sent to a third party,…” during a hearing of the Senate Committee on Commerce, Science, & Transportation on February 11, 2015.

Justin Brookman, the Director of the Consumer Privacy Project at the Center for Democracy & Technology (CDT), testified that “the very nature of some devices (such as health wearables) is to track a user’s data for that user’s benefit — certain data practices seriously threaten individuals’ security and right to privacy.” Here are the broad topics covered by Mr. Brookman:

  • The transformative potential of the Internet of Things
  • There are currently insufficient security protections in place to regulate IoT data collection.
  • Sensitive personal data may be collected contrary to consumer wishes and expectations
  • Device connectivity and intelligence could diminish user autonomy over the devices they buy
  • Our government access and intelligence laws must be reformed

Of course with all the news about IoT there were no surprises at the hearing.

Big Surprise! – There will be no Privacy in the Future, and IoT is Part of the Problem!

Posted in Internet Privacy

The Pew Research report “The Future of Privacy” indicated that 55% of the 2,211 respondents believe that by 2025 no one should really expect any privacy, and that the IoT (Internet of Things) will make things worse. Here are the themes, reported on December 18, 2014, from those surveyed who believe there will not be a widely accepted privacy infrastructure by 2025, including for IoT:

1) Living a public life is the new default. It is not possible to live modern life without revealing personal information to governments and corporations. Few individuals will have the energy or resources to protect themselves from ‘dataveillance’; privacy will become a ‘luxury.’

2) There is no way the world’s varied cultures, with their different views about privacy, will be able to come to an agreement on how to address civil liberties issues on the global Internet.

3) The situation will worsen as the Internet of Things arises and people’s homes, workplaces, and the objects around them will ‘tattle’ on them. The incentives for businesses to monetize people’s data and governments to monitor behavior are extremely potent.

4) Some communities might plan and gain some acceptance for privacy structures, but the constellation of economic and security complexities is getting bigger and harder to manage.

Among the 2,551 respondents to the survey was “a father of the Internet” Vint Cerf (Google vice president and chief Internet evangelist) who made these comments:

The public will become more sophisticated about security and safety.

They will demand much more transparency of the private sector and, especially, their governments. Privacy conventions will evolve in online society—violations of personal privacy will become socially unacceptable.

Of course, there will be breaches of all these things, but some will be accompanied by serious social and economic downsides and, in some cases, criminal charges.

By 2025, people will be much more aware of their own negligent behavior, eroding privacy for others, and not just themselves. The uploading and tagging of photos and videos without permission may become socially unacceptable.

As in many other matters, the social punishment may have to be accompanied by legislation—think about seat belts and smoking by way of example.

We may be peculiarly more tolerant of lack of privacy, but that is just my guess.

As far as I can tell no surprises in Pew’s report, what do you think?

Cybercrime report should be alarming to every Internet user in the world!

Posted in eCommerce

A recent report analyzing cybercrime that infected over 500,000 PCs pointed out that while “the primary targets appear to be financial accounts and online banking information, the group also has a range of options for further monetization of the infected computers.” The Proofpoint October 2014 report entitled “Analysis of a Cybercrime Infrastructure” concludes that those behind “the recent targeting online banking credentials for banks in the United States and Europe” “appear to be a Russian cybercrime group whose primary motivation is financial.”

Here are some of the key facts from the Proofpoint analysis:

  • Russian-speaking cybercrime group targeted primarily US-based systems and online banking accounts.
  • Qbot (aka Qakbot) botnet of 500,000 infected systems sniffed ‘conversations’ – including account credentials – for 800,000 online banking transactions, with 59% of the sniffed sessions representing accounts at five of the largest US banks.
  • The attackers compromised WordPress sites using purchased lists of administrator logins, with which they were able to upload malware to legitimate sites in order to then infect clients that visited these sites. Many of these WordPress sites also run newsletters, which the attackers leverage to distribute legitimate but infected content.
  • Windows XP clients comprised 52% of the infected systems in the cybercrime group’s botnet, even though recent estimates place the Windows XP install base at 20-30% of business and consumer personal computers. Microsoft ended patch and update support for Windows XP in April 2014.
  • The cybercrime group used compromised PCs to offer a sophisticated, paid proxying service for other organized crime groups. The service turns infected PCs into an illicit ‘private cloud’ as well as infiltration points into corporate networks.

Given recent $2+ trillion valuation of cybercrime I hope that Proofpoint’s report is a wakeup call!

Does Current Cyber Crime Really Cause $2+ Trillion in Damages?

Posted in eCommerce

The conventional wisdom 20 years ago, before the Internet took over the business world, was that only about 10% of cyber crime was reported since companies did not want to admit they had been hacked. Obviously the current Internet business environment makes it almost impossible to keep cyber hacks from the public.

Recent estimates are that “the cost of cyber crime to businesses worldwide range from around US$445 billion (£291 billion) to US$2 trillion a year (£1.3 billion)” according to a February 2, 2015 report from ITProPortal entitled “Here’s why the cyber insurance industry is worth £55.6 billion,” which described the current estimates as:

“…merely the tip of a vast unreported mountain of cybercrime that has been growing over the last few years.”

Maybe the $2+ trillion estimate is more realistic than the $575 Billion in cyber crime estimated by the Center for Strategic and International Studies and McAfee, whose June 2014 report entitled “Net Losses: Estimating the Global Cost of Cybercrime” included these comments about the impact on the world:

  • The cost of cybercrime will continue to increase as more business functions move online and as more companies and consumers around the world connect to the Internet.
  • Losses from the theft of intellectual property will also increase as acquiring countries improve their ability to make use of it to manufacture competing goods.
  • Cybercrime is a tax on innovation and slows the pace of global innovation by reducing the rate of return to innovators and investors.
  • Governments need to begin serious, systematic effort to collect and publish data on cybercrime to help countries and companies make better choices about risk and policy.

Clearly cyber crime will never be smaller, so businesses need to be more cognizant of their risks and carry the appropriate cyber insurance.

Cyber IT Risk Wake Up Time for Board Members!

Posted in eCommerce, IT Industry

A former SEC Chair spoke at a Directors & Officers (D&O) insurance conference and said board members “should be knowledgeable about data inventories, where data is located and if it is protected, and use third-party services to test its safety” as reported by BusinessInsurance.com.  Mary L. Schapiro (SEC chairman from 2009-2012) currently serves on the board of General Electric and discussed cyber risks during her keynote address at the 2015 Professional Liability Underwriting Society D&O Symposium in New York where she stated that “boards really need to drive management on this issue” because of the potential fallout from cyber-related losses.

Ms. Schapiro “also said there now is pressure on Capitol Hill to codify the SEC’s guidance on companies’ disclosure of cyber threats, which was issued in 2011.”

As cyber intrusions continue to escalate it’s no surprise that Ms. Schapiro made these comments.

Cyber Privacy & Security Warning! – Watch out for the 25+ Billion of IoTs (Internet of Things)!

Posted in eCommerce, Internet Privacy

With billions of IoT devices now in place, and growing exponentially, IoT manufacturers apparently have not given a great deal of thought to security, so the FTC recently urged Best Practices on IoT manufacturers: as “part of the security by design process, companies should consider: (1) conducting a privacy or security risk assessment; (2) minimizing the data they collect and retain; and (3) testing their security measures before launching their products.” The January 27, 2015 press release from the FTC highlighted these 6 security recommendations:

  1. Build security into devices at the outset, rather than as an afterthought in the design process;
  2. Train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization;
  3. Ensure that when outside service providers are hired, that those providers are capable of maintaining reasonable security, and provide reasonable oversight of the providers;
  4. When a security risk is identified, consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk;
  5. Consider measures to keep unauthorized users from accessing a consumer’s device, data, or personal information stored on the network;
  6. Monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks.

IoT security and privacy are huge problems, and cyber criminals clearly have recognized this for years, so watch out!

GUEST BLOG: Finally! The Supreme Court Supports Trial Judges in Markman Rulings in Patents Cases

Posted in IT Industry

BARRY BARNETT GUEST BLOGGER

Barry Barnett has been a Guest Blogger in the past, his Blawgletter provides great thoughts, and insights. I read his blogs regularly. Over the years Barry and I have had a number of cases together and he is an outstanding trial partner at Susman Godfrey.

Clear Error Test Governs Review of Patent Rulings, Supreme Court Holds

The U.S. Supreme Court held 8-2 today that the Federal Circuit may no longer ignore some rulings by trial court judges on how to construe patent claims. The outcome marks a major victory for parties that win the often-decisive battles over claim construction in Markman hearings in district court.

In Teva Pharmaceuticals USA, Inc. v. Sandoz, Inc., No. 13-854, slip op. at 4 (U.S. Jan. 20, 2015), the Court held that Rule 52(a)(6) governs review of “a district court’s resolution of subsidiary factual matters made in the course of its construction of a patent claim.”

The case turned on the meaning of “molecular weight” in a patent on a method for making a drug, Copaxone, that doctors prescribe for multiple sclerosis. The district court heard evidence on whether “a skilled artisan” in the field would know what the term meant, found that he or she would grasp it, and rejected Sandoz’s attack on the patent as invalid for indefiniteness.

On appeal, the Federal Circuit reversed, ruling de novo that “molecular weight” had no definite meaning in the patent.

Justice Breyer’s majority opinion for the Court vacated the Federal Circuit’s decision and remanded for the lower court to reconsider in light of its obligation under Rule 52(a)(6) to uphold the district court’s fact findings unless Sandoz showed “clear error”.

Although the Court’s ruling applies both to infringement plaintiffs and infringement defendants, it as a practical matter helps plaintiffs more. Parties that claim infringement often have fewer resources than defendants do and must pursue claims — if at all — on a contingent-fee basis. For firms that handle infringement claims under a contingent-fee arrangement, winning in the trial court is crucial, and holding that victory on appeal is key.

By making trial courts’ Markman determinations less subject to appellate tinkering, the Court even-handedly leveled the playing field. But infringement plaintiffs and their contingent-fee counsel are the ones smiling the most.