Internet, Information Technology & e-Discovery Blog

Social changes brought about by the Internet & Technology

Cybercriminals demand a ransom from Apple, or else they will wipe 300 million iPhones!

Posted in Cyber, eCommerce

Forbes reported that “a hacker group calling itself Turkish Crime Family…reported having access to 300 million Apple accounts” and demanded “$75,000 in crypto-currency (either Bitcoin or Ethereum) or $100,000 in iTunes gift cards, and the data would be deleted.”  The March 22, 2017 report entitled “Hackers Threaten To Wipe 300M iPhones, iCloud Accounts Unless Apple Pays” included these comments from Apple:

There have not been any breaches in any of Apple’s systems including iCloud and Apple ID. The alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services.

This may be the beginning of the end for Apple if the cybercriminals succeed!

Blockchain is what makes Bitcoin work, and is the real deal to change the world!

Posted in eCommerce, IT Industry

McKinsey interviewed Don Tapscott, who defined Blockchain as an “immutable, unhackable distributed database of digital assets” which is a “giant, global spreadsheet that runs on millions and millions of computers.” The May 2016 article entitled “How blockchains could change the world” included these comments about Bitcoin:

Most blockchains—and Bitcoin is the biggest—are what you call permission-less systems.

We can do transactions and satisfy each other’s economic needs without knowing who the other party is and independent from central authorities.

These blockchains all have a digital currency of some kind associated with them, which is why everybody talks about Bitcoin in the same breath as the blockchain, because the Bitcoin blockchain is the biggest.

Tapscott offered that Blockchain could change the music industry:

What if the new music industry was a distributed app on the blockchain, where I, as a songwriter, could post my song onto the blockchain with a smart contract specifying how it is to be used?

Maybe as a recording artist posting my music on a blockchain music platform, I’ll say, “You listen to the music, it’s free. You want to put it in your movie? It’s going to cost you this much, and here’s how that works. You put it in the movie, the smart contract pays me.” Or how about using it for a ring tone? There’s the smart contract for that.

This is not a pipe dream. Imogen Heap, who’s a brilliant singer-songwriter in the United Kingdom, a best-selling recording artist, has now been part of creating Mycelia, and they’re working with an amazing company called Consensus Systems, that’s all around the world, blockchain developers, using the Ethereum platform; Ethereum is one blockchain. She has already posted her first song onto the Internet. I fully expect that many big recording artists will be seriously investigating a whole new paradigm whereby the musicians get compensated for the value that they create.

Bitcoin is important, but clearly all businesses need to understand the prospects of Blockchain!

Electronic Health Record (EHR) databases worth $500,000 to cybercriminals!

Posted in Cyber, eCommerce

Trend Micro conducted a study to learn more about “how stolen medical records are monetized after a breach, what types of data are stolen, how much they are sold for on the underground markets, and how cybercriminals make use of them” and used “Shodan scan data which reveals what healthcare-related devices and networks are connected to the internet and are visible to everyone, including cybercriminals.” The February 21, 2017 report entitled “Cybercrime and Other Threats Faced by the Healthcare Industry” explained why EHR is better for cybercriminals than stealing credit cards, since they “can only use the stolen credit cards before the card expires, is maxed out or cancelled”:

…an EHR database containing PII that do not expire—such as Social Security numbers—can be used multiple times for malicious intent. Stolen EHR can be used to acquire prescription drugs, receive medical care, falsify insurance claims, file fraudulent tax returns, open credit accounts, obtain official government-issued documents such as passports, driver’s licenses, and even create new identities.

A DarkReading article about the Trend Micro Report entitled “Stolen Health Record Databases Sell For $500,000 In The Deep Web” included these observations:

Medical insurance IDs with valid prescriptions were selling for $0.50 US, and complete profiles of US victims including medical and health insurance data were selling for under $1. Meanwhile, fraudulent tax returns based on stolen medical records were marketed for $13.50 and fake birth certificates based on data stolen from medical records were selling for $500.

Unfortunately this cyber vulnerability is not news, as the healthcare community is well aware.

Spearphishing by the Russian Federal Security Service (FSB) was part of Yahoo cyber attack!

Posted in Cyber, eCommerce

Huge headlines about the Yahoo cyber indictment involving the FSB should be a wake-up call to all businesses; however, what the media has not highlighted is the use of spearphishing, which was described in paragraph 17 of the Indictment:

In some instances, the conspirators used email messages known as “spear phishing” messages to trick unwilling recipients into giving the co-conspirators access to their computers and accounts. Spear phishing messages typically were designed to resemble emails from trustworthy senders, and to encourage the recipient to open attached files or click on hyperlinks in the messages. Some spear phishing emails attached or linked to files that, once opened or downloaded, installed “malware”-malicious code or programs-that provided unauthorized access to the recipient’s computer (a “backdoor”). Other spear phishing emails lured the recipient into providing valid login credentials to his or her account(s), thereby allowing the defendants to bypass normal authentication procedures.

It’s clearly time for all businesses to learn how to be better protected from cyber attacks including spearphishing!

GUEST BLOG: Just what no one wants to hear – new insecurities are found on private cloud devices!

Posted in Cyber, eCommerce

My Guest Blogger Eddie Block (CISSP, CIPM, CIPP/G, CISA, CEH) is a senior attorney in Gardere’s Litigation Group and a member of the Cybersecurity and Privacy Legal Services Team. He focuses on all aspects of information and cyber security, including credentialing functions, firewall and IDS deployment and monitoring, penetration testing, and related complex litigation. Eddie blogs at JurisHacker.

Eddie Block Dec 2 2016

Bugs in the clouds

Western Digital claims its My Cloud Pro Series PR4100 has these features:

With space to keep virtually everything, the My Cloud Pro Series offers your creative team the network storage to edit, save and share production files from anywhere with an internet connection. Compatible with both Mac and PC, you’re able to protect your content regardless of OS. And with all photos, videos and files organized in one place, your team has all it needs to streamline its creative workflow.

Amir Etemadieh (Zenofex) of Exploitee.rs has a great write-up on a series of vulnerabilities in the Western Digital My Cloud storage appliances. Zenofex is an amazing vulnerability researcher and an all-around good guy.

I’m not singling out Western Digital. I think they make some good products. The types of flaws that Zenofex found in this appliance are the same types that many IoT and personal “cloud” appliances contain. The devices are made to be super easy for a consumer to set up, and they allow the owner to connect to them from anywhere (many times with a smartphone app).

This ease of setup and access, though, means that they really should be hardened and secured like a real commercial production system. Hardening these types of systems should include changing default passwords, closing unnecessary ports, validating and testing interfaces, using encryption at rest and in transit, etc.

This type of hardening is well beyond the average consumer, and things like validating web applications for injection attacks are beyond many security professionals.

So, again, I’ll harp on manufacturers. They need to build in security by default. They need to test and validate their apps.

Folks like Zenofex do all of us a great service by finding these types of bugs in consumer products, but it should not be up to a curious researcher. It is the responsibility of the vendors to sell products that are safe for deployment.

Consumer protection & privacy paramount at the FTC Forum on Artificial Intelligence (AI) and Blockchain

Posted in eCommerce

The Federal Trade Commission (FTC) hosted its third FinTech Forum which was “designed to bring together industry participants, consumer groups, researchers, and government representatives, to examine the ways in which these technologies are being used to offer consumers services, the potential benefits, and consumer protection implications as these technologies continue to develop.”  The March 9, 2017 FTC program entitled “FinTech Forum: Artificial Intelligence and Blockchain” included these comments about AI and Blockchain:

Artificial intelligence focuses on the capability for machines to mimic human thinking or actions, including learning and problem solving. The technology may be used, for example, to provide personalized financial services for consumers, including providing money management tools.

Blockchain technology involves a distributed digital ledger for recording transactions that can be shared widely. It first emerged as the foundation for digital currency, and it is now being explored for other consumer-focused uses including payment systems and “smart contracts.”

Since AI and Blockchain affect all businesses and consumers it’s great that the FTC held this Forum.

Is Uber’s Greyball a VTOS (Violation of Terms Of Service) or Deception?

Posted in eCommerce

The New York Times reported that Uber’s Greyball “uses data collected from the Uber app and other techniques to identify and circumvent officials who were trying to clamp down on the ride-hailing service.”  The March 3, 2017 article entitled “How Uber Deceives the Authorities Worldwide” said that Uber used Greyball:

…to evade the authorities in cities like Boston, Paris and Las Vegas, and in countries like Australia, China and South Korea.

The program, including Greyball, began as early as 2014 and remains in use, predominantly outside the United States. Greyball was approved by Uber’s legal team.

Greyball and the VTOS program were described to The New York Times by four current and former Uber employees, who also provided documents. The four spoke on the condition of anonymity because the tools and their use are confidential and because of fear of retaliation by Uber.

Uber responded to these allegations:

This program denies ride requests to users who are violating our terms of service — whether that’s people aiming to physically harm drivers, competitors looking to disrupt our operations, or opponents who collude with officials on secret ‘stings’ meant to entrap drivers.

It will be interesting to follow what happens next with these allegations.

Was there a Cyber intrusion on the Amazon Cloud, or did one keystroke cause the outage?

Posted in Cyber, eCommerce

Amazon is the largest cloud provider in the world, and so I doubt Amazon would ever admit that a cyber intrusion caused any serious cloud outage. So, on February 28, 2017, following a serious cloud outage, Amazon blamed a typing error made while the “Amazon Simple Storage Service (S3) team was debugging an issue causing the S3 billing system to progress more slowly than expected.”

I for one am not persuaded that the 3+ hour outage wasn’t caused by a cyber intrusion.

Be my guest and read the Amazon Summary Report entitled “Summary of the Amazon S3 Service Disruption in the Northern Virginia (US-EAST-1) Region” and see if you believe Amazon.

10 Recommendations to reduce cyber risk in the cloud, including being mindful of the law of where the data is hosted

Posted in Cyber

Bitdefender surveyed 250 US IT decision makers and concluded that about “34 percent of companies were breached in the past 12 months, while 74 percent of IT decision makers don’t know how the company was breached” and that “Two-thirds of companies would pay an average of $124k to avoid public shaming scandals after a breach. Some 14 percent would pay more than $500k.” The Bitdefender report entitled “Virtualization makes CIOs role key (A survey on US IT decision makers)” included this explanation of recommendation #3, “Be mindful of geographical jurisdiction and data handling storing laws”:

When choosing a cloud service provider, it’s vital that the datacenter physically reside in a region or country in which data handling and storing legislation is favorable to your company’s business interests. Any datacenter, regardless of the data it stores, falls under the data privacy and protection laws of the country it’s built in. Consequently, it’s vital that any company that plans to use a cloud service provider that has datacenters outside its borders read and abide by the local data protection laws. Otherwise, the organization may risk judicial repercussions that could involve both financial and reputational damages.

Here are all 10 recommendations:

  1. Define the criteria on which you store on-premise or in-the-cloud data. Perform risk management.
  2. Keep your cloud private.
  3. Be mindful of geographical jurisdiction and data handling storing laws
  4. Perform due diligence on the cloud service provider and stipulate damages.
  5. Encrypt data both locally and in transit
  6. Backup cloud data
  7. Use secure and multiple authentication mechanisms
  8. Limited number of employees that can access sensitive data
  9. Prevent DDoS attacks
  10. Create, define and implement fast security response procedures

Good advice from the IT leaders, but how many companies will follow this advice?

I CHALLENGE YOU to use Big Data and Artificial Intelligence to find life on 7 planets that are 40 light years away!

Posted in IT Industry

I think it would be really great if you could figure out how to use Big Data and Artificial Intelligence to find life on the newly discovered planets: “seven Earth-size planets that could potentially harbor life have been identified orbiting a tiny star not too far away, offering the first realistic opportunity to search for signs of alien life outside the solar system.” The New York Times February 22, 2017 article entitled “7 Earth-Size Planets Orbit Dwarf Star, NASA and European Astronomers Say” explained that the “planets orbit a dwarf star named Trappist-1, about 40 light-years, or 235 trillion miles, from Earth” and included these comments:

One or more of the exoplanets in this new system could be at the right temperature to be awash in oceans of water, astronomers said, based on the distance of the planets from the dwarf star.

Sara Seager (an astronomer at the Massachusetts Institute of Technology) said:

The Trappist-1 planets make the search for life in the galaxy imminent,…

For the first time ever, we don’t have to speculate. We just have to wait and then make very careful observations and see what is in the atmospheres of the Trappist planets.

Who wants to take on my challenge?