Internet, Information Technology & e-Discovery Blog

Social changes brought about by the Internet & Technology

Over 1 billion views of RT (Russian News channel) on YouTube since 2013!

Posted in Cyber

The New York Times report describes how, “723 Internet Years Old” ago (think 4 human years), a YouTube VP joined a state-backed Russian news channel’s “RT anchor in a studio, where he praised RT for bonding with viewers by providing “authentic” content instead of “agendas or propaganda.”” The October 23, 2017 report entitled “Russia’s Favored Outlet Is an Online News Giant. YouTube Helped” included these comments:

…now, as investigators in Washington examine the scope and reach of Russian interference in United States politics, the once-cozy relationship between RT and YouTube is drawing closer scrutiny.

YouTube — the world’s most-visited video site, owned by one of the most powerful and influential corporations in America — played a crucial role in helping build and expand RT, an organization that the American intelligence community has described as the Kremlin’s “principal international propaganda outlet” and a key player in Russia’s information warfare operations around the world.

Also, Senator Mark Warner, Democrat of Virginia and vice chairman of the Senate Intelligence Committee, which is investigating Russia’s exploitation of social media platforms based in the United States, made these statements:

More than half of American adults say they watch YouTube, and younger viewers are moving to YouTube at staggering numbers.

YouTube is a target-rich environment for any disinformation campaign — Russian or otherwise — that represents a long-term, next-generation challenge.

This is hardly startling given YouTube’s role on the Internet!

New law may require Google and Facebook to disclose political advertising

Posted in Anonymous Internet Activity, eCommerce

The New York Times reported on a new bill that “would require internet companies to provide information to the election commission about who is paying for online ads.” The October 19, 2017 report entitled “Senators Demand Online Ad Disclosures as Tech Lobby Mobilizes” included these comments:

Senator John McCain and two Democratic senators moved on Thursday to force Facebook, Google and other internet companies to disclose who is purchasing online political advertising, after revelations that Russian-linked operatives bought deceptive ads in the run-up to the 2016 election with no disclosure required.

After initially resisting requests to turn over Russian-linked ads, Facebook has provided them to a congressional committee investigating Russian meddling in the 2016 election. But Google has yet to do so, and neither company has made the ads public.

This new law may place an interesting pall on social media!

Supreme Court will consider a 1986 law about phone records and how it applies to emails in 2017 outside the US

Posted in eCommerce, Internet Access, Internet Privacy

The New York Times reported that the US Supreme Court will consider a case against Microsoft to “decide whether federal prosecutors can force technology companies to turn over data stored outside the United States.” In 1986 Congress passed the Stored Communications Act (SCA) to control telephone records, long before the Internet we know today, but the SCA is the main law that Internet companies rely on to protect users’ content, and in passing the SCA in 1986 “Congress focused on providing basic safeguards for the privacy of domestic users.”

The New York Times October 16, 2017 article entitled “Justices to Decide on Forcing Technology Firms to Provide Data Held Abroad” included this background on the case:

The case, United States v. Microsoft, No. 17-2, arose from a federal drug investigation. Prosecutors sought the emails of a suspect that were stored in a Microsoft data center in Dublin. They said they were entitled to the emails because Microsoft is based in the United States.

A federal magistrate judge in New York in 2013 granted the government’s request to issue a warrant for the data under a 1986 federal law, the Stored Communications Act. Microsoft challenged the warrant in 2014, arguing that prosecutors could not force it to hand over its customer’s emails stored abroad.

A three-judge panel of the United States Court of Appeals for the Second Circuit, in Manhattan, ruled that the warrant in the case could not be used to obtain evidence beyond the nation’s borders because the 1986 law did not apply extraterritorially. In a concurring opinion, Judge Gerard E. Lynch said the question was a close one, and he urged Congress to revise the 1986 law, which he said was badly outdated.

The result of this case may change Internet jurisdiction and privacy, or lead to congressional changes to the SCA.

Did Facebook delete Russian bought ads because of a bug?

Posted in Cyber

The Washington Post wrote that Facebook says “it has merely corrected a “bug” that allowed [Jonathan] Albright, who is research director of the Tow Center for Digital Journalism at Columbia University, to access information he never should have been able to find in the first place.” The October 12, 2017 article entitled “Facebook takes down data and thousands of posts, obscuring reach of Russian disinformation” included these comments:

Social media analyst Jonathan Albright got a call from Facebook the day after he published research last week showing that the reach of the Russian disinformation campaign was almost certainly larger than the company had disclosed.

While the company had said 10 million people read Russian-bought ads, Albright had data suggesting that the audience was at least double that — and maybe much more — if ordinary free Facebook posts were measured as well.

But the deletion of the posts and the related data struck Albright as a major loss for the world’s understanding of the Russian campaign.

Was it really a bug?

Google confesses that Russia bought Google Search and YouTube ads to influence the 2016 election!

Posted in Cyber

The Washington Post reported that Google admitted it “found that tens of thousands of dollars were spent on ads by Russian agents who aimed to spread disinformation across Google’s many products, which include YouTube, as well as advertising associated with Google search, Gmail, and the company’s DoubleClick ad network.” The October 9, 2017 report entitled “Google uncovers Russian-bought ads on YouTube, Gmail and other platforms” included the reason for the investigation:

Google launched an investigation into the matter, as Congress pressed technology companies to determine how Russian operatives used social media, online advertising, and other digital tools to influence the 2016 presidential contest and foment discord in U.S. society.

And also Google admitted that:

Some of the ads, which cost a total of about $100,000, touted Donald Trump, Bernie Sanders and the Green party candidate Jill Stein during the campaign, people familiar with those ads said. Other ads appear to have been aimed at fostering division in the United States by promoting anti-immigrant sentiment and racial animosity.

Hardly a surprise given Google’s Internet dominance, but alarming nevertheless!

Do you trust Equifax? Apparently IRS believes a new $7.25 million contract with Equifax is a good idea!

Posted in Cyber, eCommerce

Gizmodo reported that the IRS defends its new $7.25 million contract with Equifax, a “no bid sole source” contract “to help verify US taxpayers’ identities,” arguing that cancelling it “would have prevented thousands of hurricane victims from obtaining much needed…. tax information.” The October 5, 2017 story entitled “IRS Chief Says Aborting Equifax Contract Could Harm Hurricane Victims” included IRS chief John Koskinen’s argument “that the circumstance was unavoidable” since Equifax’s existing contract expired on September 30, 2017, and Equifax was challenging an award to another vendor, a dispute which will not be resolved before October 16.

CNBC reported that 7 “members of the Senate Banking Committee are asking the Internal Revenue Service to rescind a $7.25 million contract with Equifax” saying that:

…the awarding of the contract shows a clear disregard for millions of Americans who had their personal information stolen.

How can the IRS trust Equifax when at least 143 million people don’t?

Surprised? Equifax learned about its cyber exposure in March, but failed to do anything!

Posted in Cyber, eCommerce

Reuters reported that former Equifax CEO Richard Smith (who retired suddenly last week) provided written testimony that “Equifax was alerted to the breach by the U.S. Homeland Security Department on March 9,…, but it was not patched.” The October 2, 2017 report entitled “Equifax failed to patch security vulnerability in March: former CEO” included these comments about the testimony provided to the Energy and Commerce Committee:

On March 15, Equifax’s information security department ran scans that should have identified any systems that were vulnerable to the software issue but did not, the testimony said.

As a result, “the vulnerability remained in an Equifax web application much longer than it should have,” Smith said. “It was this unpatched vulnerability that allowed hackers to access personal identifying information.”

In his testimony, Smith said it appears the first date hackers accessed sensitive information may have been on May 13. He said “between May 13 and July 30, there is evidence to suggest that the attacker(s) continued to access sensitive information.”

Smith said security personnel noticed suspicious activity on July 29 and disabled the web application on July 30, ending the hacking. He said he was alerted the following day, but was not aware of the scope of the stolen data.

On Aug. 2, the company alerted the FBI and retained a law firm and consulting firm to provide advice. Smith notified the board’s lead director on Aug. 22.

We will likely continue to see bad news in the aftermath of Equifax’s confession of exposing more than 143 million individuals’ personal data.

GUEST BLOG: Will cyber disasters finally be the reason that IT folks learn to speak English rather than Geek Talk (think Technology)?

Posted in Cyber, IT Industry

My Guest Blogger Eddie Block (CISSP, CIPM, CIPP/G, CISA, CEH) is a senior attorney in Gardere’s Litigation Group and member of the Cybersecurity and Privacy Legal Services Team who focuses on all aspects of information cyber security, including credentialing functions, firewall and IDS deployment and monitoring, and penetration testing, and related complex litigation.  Eddie blogs at JurisHacker.

For many years I have said that “anybody that’s good with computers is incapable of having a meaningful relationship with another human,” so I was pleased to see Eddie’s blog:

Translation services available

When I was a penetration tester I struggled to adequately express the importance of the vulnerabilities I identified.  For some reason, I couldn’t convince the business and legal teams that the vulnerabilities had to be mitigated and that the business had to spend time and money on the effort.

Like many young and excitable IT and security people, I couldn’t understand why no one could grasp why this was important.  “Are they idiots?”, “Don’t they get it?”, “They just don’t care about security!”

It turns out it wasn’t their failure, but mine.  I wasn’t speaking in the right language.

I dropped out of the security world for three years and went to law school.  When I enrolled, my goal was not to become a lawyer, but to learn to think and write like a lawyer.  I enjoyed law school and took full advantage of the opportunities presented to me.  I was able to work as a research assistant for one of the legal research and writing professors (Thanks Mike!), serve on the editorial board of the Law Journal, earned a fellowship in the Center for Terrorism Law, and leveraged my IT skills to get a job in the Westlaw lab.

I really enjoyed law school.

After law school I returned to security, this time with a different language under my belt and a better understanding of how to present my concerns.  I couldn’t think in terms of security vulnerabilities anymore.  I had to speak another language.

My big discovery was:

  • Security thinks about vulnerabilities;
  • Executives think about risk; and
  • Lawyers think about liability.

While they sound similar, they are distinct ways of approaching a decision.  In order to communicate the importance of security to different audiences, I had to adapt to them and not expect them to adapt to me.

So need additional funding for a security project?  Write up your proposals geared toward the audience and how they think.  Does the lack of a security control create risk to the organization?  Will the organization breach a duty and become liable under a contract, law, or regulation?

These subtle shifts in thinking may help drive the discussion forward and lead to better understanding and better security.

Poor cyber security equals +1.9 billion records exposed in the first 6 months of 2017!

Posted in Cyber

Gemalto issued a report stating that the fact that “identity theft breaches continue to remain high and result in many records being stolen shows that organizations are still not adequately addressing this threat.” The September 2017 report entitled “2017 Poor Internal Security Practices Take a Toll” included these comments:

A large portion of accidental loss is the result of poor internal security practices or unsecure databases.

One of the main takeaways from the findings is that security needs to be comprehensive, not only including tools such as network protection and access controls, but data encryption and multi-factor authentication as well, so in the event of a breach cyber criminals will not be able to do anything with the stolen information.

Gemalto’s “Data breach statistics 2017: First half results are in” about the report stated:

  • The huge international data breach problem becomes palpable when you consider that Gemalto has discovered 1,901,866,611 compromised data records in just the first half of 2017.
  • In fact, IDC predicts that by 2020, more than 1.5 billion people, or roughly a quarter of the world’s population, will be affected by data breaches.
  • The United States has been continuously the world leader in data breach incidents.
  • Of the 918 breaches, 801 of them occurred in the US. The UK places a distant second with 40 incidents, and Canada is third with 26.

No surprises, but these are pretty gloomy prospects for the future!

GUEST BLOG: Are you surprised to hear that Equifax’s security chief doesn’t have a degree in technology, but rather majored in music?

Posted in Cyber, IT Industry

My Guest Blogger Eddie Block (CISSP, CIPM, CIPP/G, CISA, CEH) is a senior attorney in Gardere’s Litigation Group and member of the Cybersecurity and Privacy Legal Services Team who focuses on all aspects of information cyber security, including credentialing functions, firewall and IDS deployment and monitoring, and penetration testing, and related complex litigation.  Eddie blogs at JurisHacker.

What qualifies a CISO?

Since the Equifax breach a screenshot of the CSO’s music degrees has been floating around the Internet.

As a Classical Civilizations undergrad, I take issue with the implications.  During college I built networks and databases and worked on systems of all types.  I also spent my summers on archaeological sites in Israel.

After graduating from college, I worked helpdesk support, moved into system administration, started securing systems and networks.  I eventually became a full time pentester.  Midcareer, I dropped out of InfoSec and went to law school.

After law school I went back into security doing product security, working with DoD networks, and securing a $20 billion enterprise.  I eventually served as the Chief Information Security Officer for the State of Texas.

So I was the CISO for a state of 28 million people with degrees in Classical Civilizations and Law.  Does that make me unqualified for my job?  Should I have stuck with my life in archaeology?

I know a loooottttttt of people in InfoSec with no or unrelated degrees.  In fact there was almost no university offering a security degree when I or my friends were in college.

What makes a security person?  Curiosity.  Grab all the degrees and certifications you want; without a natural curiosity of how things work (and more importantly break) you won’t make it in InfoSec.  Making things work in unintended ways is the fundamental tenet of security.  The most important word in InfoSec is “Huh?”

So was Ms. Mauldin qualified to lead Equifax’s security program?  I don’t know, but I won’t make that judgment based on her degrees.