Internet, Information Technology & e-Discovery Blog

Social changes brought about by the Internet & Technology

Net Neutrality on trial again, and the outcome will impact every Internet user

Posted in eCommerce, Net Neutrality

The Washington Post reported that a hearing is set for December 4, 2015 to consider the “government’s net neutrality rules banning telecom and cable companies from unfairly discriminating against new or potential rivals.” One of the three judges who will hear the case at the DC Circuit Court of Appeals is Judge David Tatel, who authored the opinion in the case of Verizon v. FCC that led to the current FCC Net Neutrality in 2014:

…that the FCC misused its powers to impose net neutrality on Internet providers. But they never explicitly said what the FCC should do to get on the right side of the law. That has led to a furious debate over the court’s ruling. Partisans on both sides say the court laid out a very clear road map for the FCC; it’s just that each side disagrees on what that road map actually said.

Net Neutrality is a legal concept that will not go away and impacts everyone.

#Spearphishing Attacks are headed your way even though they appear to be messages from your boss!

Posted in Cyber, eCommerce

Infoworld recently highlighted spearphishing, which is “a targeted approach to phishing that is proving nefariously effective, even against the most seasoned security pros.” The November 9, 2015 report was entitled “10 reasons why phishing attacks are nastier than ever,” including the fact that spearphishing is sent by someone you know, which is very different from the Nigerian prince:

They often appear to be from a boss, team leader, or some other authority figure up the management chain to ensure the victim opens the email and is more likely to do whatever the email says.

The email could be from an outside, sound-alike email account meant to resemble the authoritative person’s personal email account. After all, who hasn’t received a work-related email from a co-worker who accidentally used his or her personal account? We accept it as a common mistake.

It might arrive from a sound-alike account name from a popular public email server (Hotmail, Gmail, and so on), with the sender claiming to be using this previously unknown account because they are locked out of their work email. Again, who hasn’t been through this before?

But more likely than not, the fake phishing email appears to arrive from the other person’s real work email address, either because the phishing organization is able to send fake email origination addresses from the outside, or it has successfully compromised the other person’s email account. The latter is becoming the most popular attack method — who wouldn’t click on a link sent by their boss?

The better prepared and educated employees are, the less likely they will fall prey to phishing and spearphishing, but when you read the list, maybe training will not help:

  1. The attack is handcrafted by professional criminals
  2. The attack is sent by someone you know
  3. The attack includes a project you are working on
  4. Your attacker has been monitoring your company’s email
  5. Your attacker can intercept and change emails as needed
  6. Your attacker uses custom or built-in tools to subvert antivirus software
  7. Your attacker uses military-grade encryption to tunnel your data home
  8. Your attacker covers their tracks
  9. Your attacker has been in your environment for years
  10. Your attacker is not afraid of getting caught

Phishing and spearphishing are growing, so being better educated is critical to protect all businesses.

Phishing is in the Top Ten Cyberthreats

Posted in Cyber, eCommerce, IT Industry

Neustar Engineering reported that there are millions of phishing emails every day since most “email servers don’t actually block email that may be spoofed and may even fail authentication at some level.” The August 20, 2015 blog entitled “Ten Cyberthreats Outside the Firewall” included the following comments about phishing and about the importance of training because “Not opening the email in the first place is your best bet”:

A user that falls for a phishing email may expose a network to malware or spyware. Malicious emails may contain links to ‘look-a-like’ sites that fool visitors into exposing credentials or passwords. This may be the first step towards a broader cyberattack. Once again, training is critical. Firewalls and Recursive DNS servers can be used to block users from reaching malicious websites. Anti-virus software that checks all attachments can also be an effective measure against poisoned attachments.

Here’s the list of all Ten Cyberthreats:

  1. Social Exploits
  2. Phishing
  3. TLD Hijacking
  4. Domain Hijacking
  5. UDP Flood
  6. Slow and Low Denial of Service Attacks
  7. SYN Floods
  8. Click Fraud
  9. Registration Fraud
  10. WiFi Snooping

No surprises in this list, but apparently solving these problems is not easy since they persist.

WEBCAST: What Every Lawyer Needs to Know About Cybercrime

Posted in Cyber

I will moderate this important live TexasBarCLE webcast on November 17, 2015 with Thomas Petrowski (Chief Division Counsel from the Dallas Office of the FBI) and Nick Akerman (former US Attorney and partner at Dorsey & Whitney in New York who has the Computer Fraud/Data Protection blog). Please register for the State of Texas webcast for the live broadcast. Here are the topics covered in the webcast:

  • Cyber Intrusion & Crime
  • Role of the FBI
  • FBI/Private Sector Partnerships
  • Department of Justice
  • Attorney Generals
  • Computer Fraud and Abuse Act
  • Phishing Ring Story
  • eDiscovery and ESI

Every lawyer needs to know and appreciate the scope of cybercrime.

More Impact from Snowden as Court Rules that NSA Bulk Phone Record Collection Violates the Constitution

Posted in Internet Privacy

Only weeks before the US Patriot Act will be replaced with the USA Freedom Act, a federal judge ruled that the National Security Agency (NSA) Bulk Telephone Metadata Program, which was revealed by Edward Snowden in 2013 and systematically collects Americans’ domestic phone records in bulk, “likely violates the Constitution.” After waiting 2 years for the Circuit Court to rule, on November 9, 2015 US District Judge Richard J. Leon (District of Columbia) issued a 43-page Memorandum Opinion, 20 days before the NSA Bulk Telephone Metadata Program was to end, directing that the collection of call metadata of a California lawyer and his law firm cease, as the Judge stated “…because of the loss of constitutional freedoms for even one day is significant harm.” Judge Leon wrote:

…that the constitutional issues were too important to leave unanswered in the history of the disputed program, which traces back to the aftermath of the Sept. 11 terrorist attacks and came to light in 2013 in leaks by Edward J. Snowden, the former intelligence contractor.

Under the program, the N.S.A. has been collecting Americans’ phone records in bulk from telephone companies. It uses the data to analyze social links between people to hunt for hidden associates of terrorism suspects.

The New York Times reported that it is unclear if the replacement system even works at all:

At a surveillance conference at the Cato Institute on Oct. 21, an NSA official said the agency had not yet begun testing the replacement system.

Privacy vs security will continue to be front page news given the reports of terrorist attacks around the globe.

Cyber Risk Lessons Learned about Information Security

Posted in Cyber, IT Industry

After more than 50 data security settlement agreements with various companies, the FTC (Federal Trade Commission) issued its Guide recommending that companies “consider security from the start assess their options and make reasonable choices based on the nature of their business and the sensitivity of the information involved.” The “Start with Security: A Guide for Business” was part of a day-long program on November 5, 2015 in Austin and will be repeated in Seattle on February 9, 2016. The 1st of the 10 practical lessons about Start with Security includes these 3 important pieces of advice:

Don’t collect personal information you don’t need.

Hold on to information only as long as you have a legitimate business need.

Don’t use personal information when it’s not necessary.

Here is the list of all 10 practical lessons in the Guide:

  1. Start with security.
  2. Control access to data sensibly.
  3. Require secure passwords and authentication.
  4. Store sensitive personal information securely and protect it during transmission.
  5. Segment your network and monitor who’s trying to get in and out.
  6. Secure remote access to your network.
  7. Apply sound security practices when developing new products.
  8. Make sure your service providers implement reasonable security measures.
  9. Put procedures in place to keep your security current and address vulnerabilities that may arise.
  10. Secure paper, physical media, and devices.

Great advice for all businesses to follow from lessons learned the hard way.

MaaS (Malware-as-a-Service) – the Cybercrime Cloud Service NO ONE Wants to Think about

Posted in Cyber, eCommerce

According to the 2015 Threat Report about MaaS, the “average price for exploit kits is usually between $800-$1,500 a month, depending on the features and add-ons” and the “price is likely to remain low due to increased competition.” The Websense Report was issued in April 2015 and included these trends in two categories: (1) Human Behavioral Trends and (2) Technique-based Trends:

Human Behavioral Trends

  • Cybercrime just got easier
  • Avoid the Attribution Trap
  • Elevating the IQ of IT
  • Insight on the Insider

Technique-based Trends

  • Building on a Brittle Infrastructure
  • Something New or Déjà Vu?
  • IoT: The Threat Multiplier?
  • Digital Darwinism: Surviving Evolving Threats

It’s imperative that all businesses be aware of MaaS so that IT can help avoid cyber disasters.

Advice about Cybersecurity Blind Spots Including Cloud Access

Posted in Cyber, Internet Access

A report from Tenable Network Security identifies that blind spots “can increase legal risk because information retention policies designed to limit legal liability are very unlikely to be applied to electronically stored information (ESI) contained on unauthorized cloud, mobile and virtual assets.” Tenable Network Security’s April 15, 2015 report entitled “Eliminating Cybersecurity Blind Spots” includes these three continuous activities:

  1. Passive Network Monitoring
  2. Active Scanning
  3. Event Log Analysis

Here are more details on Passive Network Monitoring from the Report, which includes detection of cloud access connections:

Passive network monitoring continuously analyzes network traffic at the packet layer to build a model of active devices and applications on the network. Because passive detection operates 24/7, it will detect transitory assets that may only be occasionally and briefly connected to the network and can send alerts when new assets are detected.

Passive monitoring can frequently determine a device’s operating system and version using OS fingerprinting techniques that can also identify protocols and protocol versions. More importantly, passive monitoring can identify client applications used on the network, such as email clients, web browsers and chat programs. It can also detect FTP peer-to-peer file sharing, and connections to cloud services such as DropBox, YouSendIt and As described earlier, when protected/proprietary data is sent to unsanctioned cloud applications, organizations are frequently exposed to significant hidden risk. Sophisticated passive monitoring tools have the ability to examine unencrypted data sent to the cloud to determine if it contains protected/proprietary data that should not leave the premises.

Advanced passive monitoring tools can associate discovered operating systems, protocols and applications with known vulnerabilities, enabling organizations to prioritize remediation as vulnerabilities are discovered. These tools can also detect when systems are compromised based on application intrusion detection.

Advantages of passive network monitoring are: it identifies transient systems that may only be on the network a brief time; it does not perturb the network or devices on the network; it has visibility of Internet and cloud services being accessed from systems on the network; and it can identify vulnerabilities in real-time, 24/7, to eliminate gaps between active scans (described below) and accelerate threat remediation. The shortcoming of passive network monitoring is that passive detection sensors must be strategically deployed throughout the network so they can monitor all desired traffic, and if the network is reconfigured without reconfiguring or deploying additional passive sensors, devices and applications may not be detected.

All businesses should heed this advice about protecting the blind spots.

Cyber Intrusion Planning Should Include Training Employees about eMail

Posted in Cyber, eCommerce

Everyone should already know cyber intrusions are “when not if,” so the Federal Communications Commission (FCC) prepared a tool which “is designed for businesses that lack the resources to hire dedicated staff to protect their business, information and customers from cyber threats.” The FCC’s “Small Biz Cyber Planner” was assembled with help from the Department of Homeland Security, the National Cyber Security Alliance, The Chamber of Commerce, Microsoft, Symantec, VISA, McAfee, and other organizations.

By way of example, here are the Cyber Plan Action Items for eMail, and in particular training employees, which is critical:

1. Set up a spam email filter

2. Train your employees in responsible email usage

The last line of defense for all of your cyber risk efforts lies with the employees who use tools such as email and their responsible and appropriate use and management of the information under their control. Technology alone cannot make a business secure. Employees must be trained to identify risks associated with email use, how and when to use email appropriate to their work, and when to seek assistance of professionals. Employee awareness training is available in many forms, including printed media, videos and online training.

Consider requiring security awareness training for all new employees and refresher courses every year. Simple efforts such as monthly newsletters, urgent bulletins when new viruses are detected, and even posters in common areas to remind your employees of key security and privacy to-do’s create a work environment that is educated in protecting your business.

3. Protect sensitive information sent via email

4. Set a sensible email retention policy

5. Develop an email usage policy

The Sections of the Planner are as follows:

  • Privacy and Data Security
  • Scams and Fraud
  • Network Security
  • Website Security
  • Mobile Devices
  • Facility Security
  • Operational Security
  • Payment Cards
  • Incident Response and Reporting
  • Policy Development, Management
  • Cyber Security Glossary
  • Cyber Security Links

No question that this is good advice which every company should follow.

Cyber Intrusion Responsibility Shared by General Counsel & IT

Posted in Cyber, eCommerce, IT Industry

It is imperative that General Counsel learn IT technology and lingo, and that IT learn legal jargon, given that a recent survey identified that in almost 450 companies 31% rely on IT and 21% rely on General Counsel to be primarily responsible for assuring legal compliance when cyber intrusion occurs. Zurich sponsored Advisen’s recent white paper entitled “The Fifth Annual Survey on the Current State of and Trends in Information Security and Cyber Liability Risk Management” which “features the response of nearly 450 risk managers, insurance buyers, and other risk professionals, has further clarified the information security and cyber risk management picture” including:

Trends and attitudes continue to take shape and marketplace reactions to emerging issues continue to present themselves.

Increased cyber risk focus from boards and senior executives is translating into strategic cyber prevention and response initiatives in more organizations.

Exposures such as a data breach of customer records and reputational damage resulting from a data breach are high on the list of concerns.

Cyber intrusions help identify how important it is for all lawyers to know more about IT and for IT to learn more about law!