And The Survey Says . . . GCs Need More Cybersecurity And Social Media Training

By Jeffrey Rosenthal

Becoming better versed in issues surrounding cybersecurity and social media risk would greatly benefit general counsel at publicly traded companies, according to a recent survey of executive leadership.

In May 2015, a survey of 5,000 directors, board chairs and CEOs of publicly traded companies—sponsored by executive search firm BarkerGilmore and NYSE Governance Services—was released.  The survey was conducted in February and March of 2015.

Among the questions asked was which areas executives felt their general counsel would most benefit from gaining additional expertise in, so as to add value to their company.  The overwhelming favorite: Cybersecurity risk—chosen by 67 percent of the executives surveyed.  The next closest answer was social media risk (39 percent), followed by crisis management (30 percent).

In fact, only 5 percent of respondents assessed their general counsel’s grasp of the issues surrounding cybersecurity as “excellent”; 44 percent characterized it as “good”; and 47 percent as only “fair.”  Likewise, only 7 percent rated their general counsel’s working knowledge of social media risk as “excellent.”

“Not surprisingly, as the corporate world continues to grapple with fallout in the modern cyber era, directors believe general counsel would most benefit from additional education in cybersecurity and social media, areas in which many directors are admittedly lacking in expertise,” wrote the survey’s authors.

But there was also positive news for in-house lawyers:  General counsel are “much more likely” to be considered key members of the management team nowadays, as compared to a decade ago.  “Overall, general counsel are being lauded for their strategic contributions as well as pragmatic ones, making them increasingly valued members of the executive team,” the survey concluded.

A copy of the survey, entitled “GCs Adding Value to the C-Suite,” is available here.

California Passes New Law Protecting Consumers From Data Breaches

By Jeffrey Rosenthal

In response to high-profile intrusions at Target Corp., Neiman Marcus, Home Depot, Inc. and a host of other retailers, California recently passed new legislation implementing small but significant changes to its privacy laws.

On September 30, 2014, Governor Jerry Brown signed Assembly Bill 1710, authored by Assembly Members Roger Dickinson (D-Sacramento) and Bob Wieckowski (D-Fremont).  AB 1710 enhances consumer protections by strengthening the requirements businesses must adhere to in the event of a breach.

“Recent breaches emphasized the need for stronger consumer protections and awareness.  The retailers affected by the recent mega data breaches are not the first nor will they be the last,” said Dickinson, Chair of the Assembly Banking and Finance Committee.  “AB 1710 will increase consumer privacy, ensure appropriate fraud and identity theft protection, and safeguard against the exploitation of personal information.”

Specifically, AB 1710:

  • Requires the source of the breach to offer identity theft prevention and mitigation services at no cost to the affected person for no less than 12 months if a Social Security number or driver’s license number is breached;
  • Prohibits the sale of social security numbers, except when part of a legitimate business transaction; and
  • Provides that existing personal information data security obligations apply to businesses that maintain personal information, in addition to those who own or license the information.

Earlier versions of AB 1710 placed limits on the amount of payment information a retailer could store in its system; it also mandated more stringent encryption standards.  But a coalition of business groups opposed the bill—claiming the data management rules were “onerous and unneeded,” and that it would be ineffective for protecting customer data.  Although these provisions were ultimately removed, Dickinson told news outlets he intends to pick up the notification issue during the next legislative session.  He will also pursue future legislation to tighten encryption standards in California.

Not surprisingly, such legislation follows closely on the heels of a report released by California Attorney General Kamala Harris in February of 2014.  Titled Cybersecurity in the Golden State, the report details how in 2012 more than 2.5 million California residents were victimized by data breaches—more than half of whom would have been protected had companies implemented stricter encryption procedures when transmitting personal data.

In light of AB 1710, retailers and consumer-facing businesses that “maintain” personal information (even if they do not own or license such data) should familiarize themselves with the parameters of the new law to ensure their data security procedures satisfy the law’s “reasonable security” requirement.

A copy of AB 1710 is available here.  The Attorney General report is available here.

China Launches Massive Cross-Platform Cyber Attack

By Steven Caponi

The very tool (cell phones) that has allowed millions of previously disconnected people to coordinate large civil protests in numerous countries is now being used to quash dissent in Hong Kong. If recent reports are proven correct, it appears that the cell phones of pro-democracy protesters in Hong Kong are deliberately being targeted with an app that is used as a “Trojan Horse” to infect protesters’ phones with spyware dubbed Xsser mRAT. The spyware is intended to allow “someone” to monitor the communications of the protesters.

Specifically, the spyware is spread when anonymous messages are sent via WhatsApp to smartphones stating, “Check out this Android app designed by Code4HK for the coordination of OCCUPY CENTRAL!” Occupy Central denies any association with the app or spyware. Once the app is downloaded, it implants spyware capable of accessing personal information, such as passwords and bank information, spying on phone calls and messages, and even tracking the physical location of the infected phone. An examination of the code suggests that the program was created by Chinese-speaking attackers. Because the target audience is the Hong Kong protesters and the code was written in Chinese, it suggests that the Chinese government and/or the highly skilled cyber warfare arm of its military are behind the attack.

Lacoon Mobile Security was instrumental in exposing the effort to suppress the pro-democracy protests in Hong Kong. As discussed by Lacoon, the attack is rare in that it was launched on both the Android and iOS platforms. On its September 30 blog post, Lacoon noted:

Cross-Platform attacks that target both iOS and Android devices are rare, and indicate that this may be conducted by a very large organization or nation state. The fact that this attack is being used against protesters and is being executed by Chinese-speaking attackers suggests it’s the first iOS trojan linked to Chinese government cyber activity.

The Xsser mRAT is itself significant because while there have been other iOS trojans found previously, this is the first and most advanced, fully operational Chinese iOS trojan found to date. Although it shows initial signs of being a targeted attack on Chinese protesters, the full extent of how Xsser mRAT is being used is anyone’s guess. It can cross borders easily, and is possibly being operated by a Chinese-speaking entity to spy on individuals, foreign companies, or even entire governments.

Attacking mobile devices instead of PCs should not come as a surprise in light of our increased dependence on smartphones. As these devices become the hub through which the vast majority of our daily communications flows, they will increasingly be targeted by those who wish to spy on or disrupt our communications. Governments may be early adopters of smartphone-based cyber attacks, but those engaged in for-profit hacks will not be far behind—especially if mobile payment systems such as Apple Pay and those promoted by Visa/MasterCard gain in popularity.

The Celebrity Hacking Scandal and You: 3 Takeaways for Everyone

By Steven Caponi

By now we all know a hacker accessed the personal iCloud accounts of dozens of A-list celebrities and leaked nude photos of stars such as Jennifer Lawrence, Kate Upton, Kirsten Dunst, and Victoria Justice. The anonymous hacker[s] posted the nude images first on 4chan, but the photographs spread quickly and went viral.

This cyber-incident has sparked a significant debate on various topics, ranging from our privacy laws, to speculation over who may have committed this deplorable act, to emotionally charged disagreements over whether the celebrities themselves should bear some of the blame. The scattershot debate has left the average person wondering “what does this mean for me?” and “what can I do to protect myself?” Below are three takeaways everyone should consider.

1. You Can’t Un-Ring the Bell

Unfortunately, for individuals who find their embarrassing moments, confidential information, or indiscretions strewn across the Internet, there is little hope of putting the genie back in the bottle. As much as we talk about the Internet as a singular object, it is an amalgamation of millions of computers, servers, and websites, all controlled by different people located across the globe. As a result, the Internet has a long memory that is impossible to erase.

Compounding these structural difficulties is a cultural/legal mindset in the U.S. that generally values the free flow of information over personal privacy. The First Amendment allows the free flow of information, while relying on tort law, primarily libel, and invasion of privacy, to protect individuals’ rights. Search engines and Internet providers enjoy robust protections from liability for the content they provide unless they have direct knowledge it is false or violates copyright law. As a result, individuals cannot realistically seek redress against the thousands of websites that may contain embarrassing information and are stymied by various protections preventing the public from forcing the large content providers to block access to embarrassing content.

There is, however, a ray of hope for those who want greater privacy protections. In contrast to the U.S., the European Union and its member nations have chosen to follow a path where the privacy rights of individuals receive greater protections. Following a landmark decision by the European high court earlier this year, numerous search providers must consider individuals’ requests to remove links that they say infringe on their privacy. The decision has resulted in what is commonly referred to as the “right to be forgotten” movement. Currently, each nation in the E.U. has a data protection agency through which citizens can appeal for help in erasing their online histories. Whether the “right to be forgotten” movement takes hold in America remains to be seen.

2. The Law Offers Little Solace

For anyone looking to the courts for justice, they will likely find that the patchwork of 50 divergent laws and the absence of comprehensive federal legislation render an adequate judicial remedy a long shot at best.

Putting aside the breadth of the state and federal laws, there are several initial obstacles that must be overcome before one could consider legal action. First and most obvious is the inability to identify who stole or released your information. Hackers work in the shadows of the Internet, adopt catchy “street names,” and take extraordinary steps to hide their location. Even if the hacker can be identified, there are significant jurisdictional limitations that constrain cybercrime prosecution or litigation.

The legal concept of jurisdiction involves territory, with the reach of a law being limited by the boundaries of the state or country. Thus, to apply a particular state law, the crime or tort must have occurred within the territorial boundaries of that state. Unfortunately, it is very difficult to determine where a cybercrime was committed because the perpetrator, the victim, and the data at issue may be located in different jurisdictions. This raises many questions, which largely remain unanswered: Where did the crime occur? Which state has jurisdiction over the crime? And, where is the hacker subject to personal jurisdiction?

These issues have sparked a push for comprehensive federal legislation governing cyberattacks, data breaches, and victims’ rights. Due to deep philosophical divisions in Washington, D.C., however, this much-needed legislation has failed to make any serious progress. Currently, hacking victims can invoke the Communications Decency Act of 1996 (“CDA”), but the CDA is drafted in a way that protects service providers and website operators more than the public. Section 20 of the CDA states that “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” Therefore, unless the provider, for example 4chan, was directly involved in the hacking and release of the racy photographs, it is not liable for damages.

Until the laws are updated, a criminal and civil remedy appears elusive.

3. Don’t Look to Your Cloud Provider

Much of the anger resulting from the celebrity hacking scandal has been directed toward “big Internet companies” generally, and Apple specifically. The arguments rest on the assumption that if the celebrity photographs were taken from a cloud, the operator of the cloud must be responsible. While this position holds a certain simplistic charm, it is unlikely to carry the day in court.

Although the exact method used by the hackers has yet to be identified, the response from Apple has been both swift and consistent with the position adopted by other cloud providers. Apple has vigorously denied that its systems were compromised and suggests the hackers accessed the accounts after obtaining the celebrities’ email addresses and passwords. The implication of this argument is that the celebrities’ own accounts or devices were compromised, not Apple’s iCloud servers. As the party bearing the burden of proof in a civil trial, the celebrities will need to refute Apple’s argument by demonstrating how the hack occurred and that the hack could not have occurred but for an issue with Apple’s security protocols. This will be no easy task.

Even if the celebrities manage to establish the hacker’s method, the ability to obtain any meaningful compensation will be severely limited by their cloud service agreements. Cloud providers often limit direct damages by capping the aggregate dollar amount for all claims under the service agreement. In the case of Apple, its cloud service agreement—which is ignored by most users—states that Apple cannot be “LIABLE TO YOU FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES… .”

With little ability to undo the damage caused by an embarrassing data breach, nearly insurmountable obstacles precluding a civil/criminal prosecution, and a cloud service agreement rendering a contract action against the provider illusory—what is the average person to do? The answer is as unsatisfying as it is simple. Keep your most confidential, valuable, and embarrassing items in a location that is not accessible to the Internet.

Little Recourse for Victims of Private Data Theft

By Steven Caponi

Earlier this week I was a guest analyst on the CBS Evening News, discussing the legal ramifications of the recent celebrity hacking scandal. It was a pleasure working with CBS to address this important issue and raise awareness of the need to update our 20th century laws to combat a significant 21st century problem.

Did Russian Hackers Really Amass over a Billion Passwords?

By Steven Caponi

It was widely reported yesterday in The New York Times and elsewhere that a sophisticated Russian crime ring was holding a massive cache of stolen Internet credentials.  According to the private security firm Hold Security, a Russian cybercriminal gang called CyberVor has accumulated 4.5 billion stolen records, including 1.2 billion unique usernames and passwords belonging to more than 500 million email addresses.  CyberVor allegedly obtained the confidential material by raiding 420,000 websites.  Hold Security maintains the breached websites include some very large companies that are “household names.”  The New York Times article notes Hold Security “has a history of uncovering significant hacks, including the theft last year of tens of millions of records from Adobe Systems.”

Over the past 24 hours, the reaction to the Hold Security press release has gone from shock and surprise to doubt and skepticism. The trepidation is a result of Hold Security’s decision not to name the victims, citing confidentiality concerns.  But, according to an article appearing in The Guardian, Hold Security initially offered a commercial “breach notification” service requiring consumers and companies to pay an up-front fee to see if they had been affected.  Although the company offered commercial security services as part of its report, Hold Security has since said it would allow consumers to check for free whether their usernames or passwords had been stolen.

In light of Hold Security’s failure to completely disclose its findings, cybersecurity experts caution that the report should be taken with a grain of salt.  To date, the claims have not been vetted nor the findings verified by third-party security experts.  Additionally, it is somewhat troubling that no major companies have so far come forward to urge their users to change credentials.  Given the alleged magnitude of the breach—nearly 5 billion passwords—and the global coverage it has received, one would expect at least a few companies to have issued public statements if their users are at risk.

Seeking to address these concerns, Hold Security permitted a third-party security expert to analyze its findings at the request of The New York Times.  According to The New York Times, the expert confirmed the data was authentic.

While the validity of the claim by Hold Security is being viewed cautiously for now, as new facts emerge over the next few days and the cybersecurity industry investigates, Hold Security will either be vindicated or suffer an embarrassing black eye.

Delaware Adopts Law Requiring the Destruction of Consumers’ Personally Identifiable Information

By Steven Caponi & Elizabeth Sloan

On July 1, 2014, Delaware Governor Jack Markell signed into law Delaware House Bill 295, which amends Title 6 of the Delaware Code relating to trade and commerce. The new law, 6 Delaware Code §§ 50C-101 through 50C-401, places new obligations on commercial entities with respect to the destruction of records containing the personally identifiable information of consumers. Importantly, the law exposes companies to new civil lawsuits by consumers and administrative enforcement actions by the Delaware Department of Justice.  The new law is effective on January 1, 2015.

The heart of the new law is the obligation of “commercial entities” to take “all reasonable steps” to destroy consumers’ personal identifying information that is “no longer to be retained by the commercial entity” by “shredding, erasing, or otherwise destroying or modifying the personal identifying information in those records to make it entirely unreadable or indecipherable through any means. …”  By adopting a broad definition of “commercial entity,” the new requirements impact all corporations, business trusts, estates, trusts, partnerships, limited partnerships, limited liability partnerships, limited liability companies, associations, organizations, joint ventures, and other legal entities—whether or not for-profit.  Importantly, the law does not specify when documents must be destroyed, but rather addresses how records should be destroyed when they will no longer be “retained” by a company.

In light of the definition of “commercial entity,” a company’s size, revenues, number of employees, and charitable status are irrelevant to the impact of the new requirements. The definition, however, raises the question of whether the new requirements apply only to entities doing business in Delaware, or whether they also extend to entities formed in Delaware regardless of where they transact business. Given the number of companies incorporated in Delaware, the resolution of this ambiguity could have significant implications nationally.  Evidencing some degree of restraint, the law does not apply to financial institutions that are subject to the Gramm-Leach-Bliley Act; health insurers or healthcare facilities that are subject to the Health Insurance Portability and Accountability Act; consumer reporting agencies that are subject to the Fair Credit Reporting Act; and any government, governmental subdivision, agency, or instrumentality.

The Act also defines personal identifying information as “a consumer’s first name or first initial and last name in combination with any of the following data elements, when either the name or the data elements are not encrypted: social security number, passport number, driver’s license or state identification card number, insurance policy number, financial services account number, bank account number, credit card number, debit card number, tax or payroll information or confidential health care information.”  Also, “record” is defined equally broadly so as to encompass information “inscribe[d] on a tangible medium, or that is stored in an electronic or other medium. …” Combined, the two definitions extend the scope of the new law to cover the destruction of both paper documents and all forms of electronic records, including records located on back-up tapes, local storage devices, and those stored in “the cloud.”

Reflecting a bias towards consumer rights, the law provides for both a public and private cause of action. Consumers who incur actual damages due to a reckless or intentional violation may bring a civil action against the commercial entity and obtain treble damages. Additionally, the Attorney General, through the Division of Consumer Protection of the Department of Justice, may bring an enforcement action in law or through an administrative proceeding if a violation has occurred and the Attorney General believes an enforcement action would be in the “public interest.”

A copy of the law and the relevant legislative history can be found at:

Goodwill Investigating Possible Data Breach

By Steven Caponi

Yesterday it was announced that a number of financial institutions reported tracking what could be a series of credit card breaches involving various Goodwill locations nationally. Goodwill operates more than 2,900 stores nationwide and has annual retail sales of $3.79 billion. Goodwill issued a statement indicating it is working with the U.S. Secret Service to investigate the possible breaches. At this juncture the scope of the breach remains unknown, but early reports suggest Goodwill’s systems could have been compromised as far back as the middle of 2013.

Banking sources have also reported the potential fraud involves retail stores in Arkansas, California, Colorado, Florida, Georgia, Iowa, Illinois, Louisiana, Maryland, Minnesota, Mississippi, Missouri, New Jersey, Ohio, Oklahoma, Pennsylvania, South Carolina, Texas, Virginia, Washington, and Wisconsin. Because Goodwill consists of a network of 165 independent agencies with separate regional headquarters in the United States, there is no centralized database containing customer credit card information. While this will make an investigation more difficult, it will also limit the scope of a breach and number of customers impacted.

In a statement sent to Krebs on Security, Goodwill said it first learned about a possible incident Friday, July 18.

“Goodwill Industries International was contacted last Friday afternoon by a payment card industry fraud investigative unit and federal authorities informing us that select U.S. store locations may have been the victims of possible theft of payment card numbers,” the company wrote in an email. “Investigators are currently reviewing available information,” the statement continued. “At this point, no breach has been confirmed but an investigation is underway. Goodwills across the country take the data of consumers seriously and their community well-being is our number one concern. Goodwill Industries International is working with industry contacts and the federal authorities on the investigation. We will remain apprised of the situation and will work proactively with any individual local Goodwill involved, taking appropriate actions if a data compromise is uncovered.”

Cybersecurity—There Is an App for That!

By Steven Caponi

Many of our readers and those active in cybersecurity have been following ThreatWatch from Nextgov. This highly informative site provides a daily snapshot of the data breaches impacting organizations and individuals on a global level. Although not an authoritative list of cyber attacks, ThreatWatch provides a good overview of the most prevalent cyber events on a rolling basis. In addition to identifying the target, the alerts name the suspected attackers and their methods of penetration, highlight patterns of activity, and note emerging trends/threats.

The information found at ThreatWatch is now available in the palm of your hand in the form of a new iPhone app, which includes some additional features. Aside from a daily rundown of the latest reported breaches hitting agencies, retailers, and every other sector, you now also receive threat level scores and story feeds from around the globe. For example, today’s threat level is a 12 on a 100-point scale, according to data analytics company HackSurfer. On an industry basis, utilities are at a level 3, financials are at a level 5, and information technology is at a level 81. Under the “Breaches” tab, there is an article discussing how a system engineer hired by a staffing agency copied and sold personal data from 7.6 million contracts with the Japanese education firm Benesse Corp. Included within the “Newsfeed” tab, you will have access to technology security articles from Guardian, Wired, and other reputable publications that are streamed constantly, along with commentary from cyber firms, such as Sophos and Malwarebytes.

The app is free and available for download at the Apple iTunes store.

Is the Password Finally Dead? Fernando Corbató Hopes So.

By Steven Caponi

As noted in a recent article in the Wall Street Journal, although his impact on our daily lives arguably rivals that of Bill Gates, Mark Zuckerberg, and other giants in the computer industry, the name Fernando Corbató remains obscure. He is, however, the father of the modern computer password. While toiling away at the Massachusetts Institute of Technology in the early 1960s, Mr. Corbató and his colleagues developed the password in order to control access to files on a large, shared computer. Little did they know that over 50 years later, billions of people across the globe would be forced to remember countless passwords and type them into devices ranging from their personal computers to ATMs, smartphones, tablets, and even home appliances. One cannot “Like a friend” on Facebook, check a bank balance, review a child’s school grades, or bid in an online auction for that completely unnecessary item that is destined to sit in the back of a closet, without first entering at least one password.

While designed to help manage and secure files, the ubiquitous nature of the password has rendered it the most significant security risk to computers. In the wake of Heartbleed, and recent attacks on eBay, Yahoo, and Target, it is not surprising that the voices calling for the death of the password are growing louder. Just listen to John Proctor, Microsoft’s Vice President of Global Cybersecurity, who wrote a blog post on this subject last week, stating, “Allowing users to log in simply with a username and password is a grave error… Frankly, the password is dead.” Using equally blunt terms, Jeremy Grant, the head of the National Strategy for Trusted Identities in Cyberspace, stated, “Passwords are awful and need to be shot.” How did Mr. Corbató respond to these attacks on his invention? The 87-year-old retired researcher expressed the view shared by many—“It’s become a kind of a nightmare.”

Despite the nearly universal disdain for the password, finding a replacement that would be accepted by the computer industry is not easy, because the password is cheap to use and is a fundamental aspect of the architecture of most websites. Making things even more difficult are inertia and human behavior. Using a password has become a daily, routine part of human behavior, to the point where entering a personal identification number (“PIN”) has become second nature. And even in the face of a known breach such as Heartbleed, people refuse to change their passwords because they are typically easy to remember and used across many accounts.

The dissatisfaction with the password begs the question: What will the replacement look like?  There are currently many contenders waiting to supplant the password. These include hardware options such as fingerprint readers (e.g., Apple iPhone 5), iris scanners, and USB keys. There are also software options from companies such as BioCatch Inc., which is located in Boston, that verify a person’s identity by measuring how they hold a smartphone or drag a mouse across a screen. Recently, U.S. Bank announced it was joining other large financial institutions in testing voice biometrics as a potential replacement for the traditional password. This group, which includes Wells Fargo & Co. and Barclays Plc., is adopting voice biometrics software that requires users to log in to an application or website by speaking a word or phrase. The word or phrase is compared to a previous recording the customer has made to verify it’s the same user.

One option that is gaining traction for its combination of security and simplicity is multifactor authentication (“MFA”). The goal of MFA is to create a layered defense and make it more difficult for an unauthorized person to access a computer system or network. This is achieved by combining two or three independent credentials: what the user knows (knowledge-based authentication), what the user has (security token or smart card), and what the user is (biometric verification). Single-factor authentication, in contrast, requires only knowledge that the user possesses (e.g., a PIN, phone number, Social Security number, etc.). For instance, some Google accounts use two-factor authentication that requires a smartphone to run an app that generates a number that changes every 30 seconds. This number is required to log in to your account.

Whatever security feature may lie ahead, it is safe to suggest that it will not be the much maligned password. While Mr. Corbató’s invention has served us well for the past fifty years, the frequency of major hacks and sophistication of cyber criminals have overwhelmed the password’s ability to serve as an effective gatekeeper to our data. When the inventor, users, and companies maintaining sensitive data all agree that change is needed, it is only a matter of time before the password is able to R.I.P.

United States v. China: The Battle over Cyber-Espionage Results in Criminal Charges

By Steven Caponi

For those of us who have been active in cybersecurity, it is a well-known fact that the Chinese government, acting through its military, has been the most prolific global perpetrator of cyber-espionage. Over the past several decades, China has emerged as a global power based on its economic prowess rather than its military might. As a result, the Chinese government sees the strength and health of its economy as directly tied to its national security, and by extension, the future of the ruling communist party. As an act of self-preservation, China has relied upon its military to engage in industrial espionage to ensure its companies remain competitive. This conduct has resulted in U.S. officials openly accusing China’s army of launching cyber attacks on American industrial and military targets for the purpose of stealing secrets or intellectual property. Driving this point home, Director James Comey told NBC News, “For too long, the Chinese government has blatantly sought to use cyber-espionage to obtain economic advantage for its state-owned industries.” China has aggressively denied these allegations.

Today, the war of words has moved from press releases and diplomatic protestations to criminal charges and the courtroom. Marking a significant escalation, the United States has brought first-of-its-kind cyber-espionage charges against five Chinese military officials accused of hacking into U.S. companies to gain trade secrets. The charges were leveled against individuals who are believed to work for Unit 61398, the arm of the People’s Liberation Army known to specialize in cyber-warfare. Today’s indictment accuses the Chinese of targeting major U.S. private sector companies in the U.S. nuclear power, metals, and solar products industries.  Among the victims were Westinghouse Electric, U.S. subsidiaries of SolarWorld AG, U.S. Steel, Allegheny Technologies, and Alcoa.

When announcing the indictments, Attorney General Eric Holder said, “This is a case alleging economic espionage by members of the Chinese military and represent the first-ever charges against a state actor for this type of hacking.” He further stated, “The alleged hacking appears to have been conducted for no reason other than to advantage state-owned companies and other interests in China, at the expense of businesses here in the United States. … Our economic security and our ability to compete fairly in the global marketplace are directly linked to our national security.”  Eric Holder’s actions should not come as a surprise in light of comments earlier this year by John Carlin, recently installed as head of the Justice Department’s National Security Division, that cited prosecution of state-sponsored cyber-threats as a key goal for the Obama Administration.

Verizon’s Data Breach Report Reveals The Nine Most Pressing Corporate Security Threats

By Jeffrey Rosenthal

As April comes to a close, it’s time once again for Verizon Enterprise Solutions’ Data Breach Investigations Report to remind us just how important data security is to the corporate world.

Released Wednesday, the report, now in its tenth year, concluded that hackers and cybercriminals have gotten faster at breaching corporate website defenses than companies’ ability to detect attacks—meaning many attacks were already complete before victims could even respond.

Verizon, which received contributions from 50 organizations worldwide, recorded nearly 63,500 “security incidents”—i.e., any attempt to attack a corporate computer system, successful or not—as well as 1,300 confirmed data breaches.  According to Verizon, nine out of ten security incidents in 2013 fell within nine basic categories, as discussed below:

1. Point-Of-Sale Intrusions.

Despite the widespread publicity of the recent Target Corp. breach (resulting in hackers gaining access to the credit card numbers of around 40 million customers), the occurrence of point-of-sale intrusions has actually been trending downward over the last several years, Verizon claims.  But retailers and hotel companies in particular still need to be concerned about this kind of intrusion, as even a single attack can be devastating.

2. Web App Attacks.

Described as the “proverbial punching bag of the Internet,” web application attacks are by far the most common type of breach.  They are accomplished through phishing techniques, installing malware, and correctly guessing security questions; Verizon insists that better protection for Internet-facing applications starts with stronger passwords and two-factor authentication.

3. Insider And Privilege Misuse.

Common examples of insider misuse include employees using forbidden devices/services to send intellectual property to personal accounts, or sending messages while posing as another employee to get that person fired.  Verizon observed that while many of the people committing these crimes are payment chain personnel and end users, C-suite managers were more to blame in prior years.

4. Physical Theft And Loss.

Corporate assets (phones, laptops, etc.) are stolen from offices more often than from homes or vehicles.  The primary cause is simple carelessness.  To counter this, Verizon suggests companies back up data, encrypt devices and encourage employees to closely guard devices.

5. Miscellaneous Errors.

Sending an email with sensitive information to the wrong recipient is the most common example of unintentional data disclosure.  Other examples include accidentally posting non-public information to a company’s web server, or mailing documents to the wrong physical address.  While some human error is unavoidable, Verizon says data loss prevention software and tighter processes around postings can reduce occurrences.

6. Crimeware.

Crimeware consists of any illicit activity that does not fall under espionage or point-of-sale.  Most crimeware occurs when users download malicious files.  But it can also happen via “drive-by infections,” whereby a virus is downloaded when a user unknowingly clicks a deceptive pop-up window.  Corporations’ best defense against crimeware is to maintain the most up-to-date browsers and software.

7. Payment Card Skimmers.

This type of attack is mainly directed at ATMs and gas pumps.  Because it requires a skimming device be physically added to a machine, it’s considered a relatively crude manner of intrusion.  According to Verizon, the most-recent development is that, rather than retrieve the skimming device itself, criminals can remotely collect data via wireless means, like Bluetooth.  Although modern ATMs are mostly tamper-free, this is still a concern in certain parts of the world.

8. Denial-Of-Service.

Commonly referred to as DDoS attacks, these threats include attacks aimed at compromising network and system availability in order to shut down corporate, consumer-facing websites.  Primarily directed at the financial, retail and public sectors, potential motives include extortion, protest, or simple amusement.

9. Cyber-Espionage.

Unauthorized network/system access associated with state-affiliated actors tripled from last year.  Espionage also had the widest variety of “threat actions”—meaning once intruders gain access, they are engaging in multiple types of illegal activities.  About 21% of reported incidents originated from Eastern Europe.

While, at first glance, the increasing volume of cyber attacks may seem disheartening, there is a silver lining here.  Because most attacks tend to follow one of the above nine patterns, companies stand a better chance of resisting intrusions if they take steps to combat the type of attack most common to their industry.  Recognizing your company’s greatest vulnerability and prioritizing the most likely type of cyber attack can mean the difference between preventing the intrusion altogether and becoming the next Target.

Once again: a little knowledge can be a powerful tool when defending against mounting cyber attacks.

A copy of Verizon’s complete 2014 Data Breach Investigations Report is available here, with the Executive Summary available here.

Heartbleed Adds to Corporate Cybersecurity Heartache

In the wake of several massive point of sale consumer data breaches over the holiday season, companies must now face Heartbleed, a bug that potentially infects 50% of the entire Internet. Blank Rome attorneys, Grant Palmer and Michael Iannucci, have written an article that addresses the Heartbleed bug and suggests a plan of action for companies dealing with cyber threats and data breaches.

You can find the article here.

Target Data Breach Suit By Banks Extends To Security Vendor

By Jeffrey Rosenthal

December 18, 2013, was a dark day for Target Corp.  Nationally outed as the victim of the largest retail data breach in history, Target’s CEO Gregg Steinhafel took pains to assure consumers “they will not be held financially responsible for any credit or debit card fraud.”

But according to a March 10, 2014, putative class action in the District of Minnesota, Case No. 0:14-cv-00643, by Umpqua Bank, Steinhafel’s statement “omits” the fact that “it is the nation’s financial institutions—and not Target—ensuring that this is the case.”  According to Umpqua’s complaint, financial institutions are the ones incurring the real costs associated with protecting customer accounts.  This includes providing notice to consumers, reissuing payment cards and refunding fraudulent charges.  The cost of card replacement alone is estimated to ultimately rest around $200 million.

Since then, two more banks, Trustmark National Bank and Green Bank, N.A., have launched a similar class action against the retail giant in the Northern District of Illinois, Case No. 1:14-cv-02069, for its failure to maintain adequate data security protocols—despite suffering two nearly identical breaches in the years preceding this one.   While largely similar, the Trustmark suit, filed March 24, 2014, departs from the aforementioned Umpqua suit in that it also seeks to hold security company Trustwave Holdings, Inc. liable as well.

“Trustwave failed to live up to its promises, or to meet industry standards,” the Trustmark complaint alleged.  It goes on to claim the vendor’s failure to timely discover and/or report the breach to Target (or the public) further drove up costs.  “The damage done to the banks and other class members is monumental,” the suit asserts.  The alleged cost to banks/retailers could eventually exceed $18 billion.

In a striking turn of events, Trustwave publicly denied having done any cyberthreat mitigation work for Target on March 29, 2014.  This denial came one day after the New York-based Trustmark National Bank filed a notice of voluntary dismissal without prejudice in the proposed class action.  The notice did state, however, that Texas-based Green Bank, N.A. would nevertheless continue with the suit.

When a company suffers a data breach—and especially one as large as Target’s—it is eminently clear that an entire gamut of persons/entities may ultimately be affected.  While the details of the Trustmark action appear largely unsettled, the fact that information security vendors are now being included in class actions is indicative of the expanding legal fallout associated with such data breaches.

The Umpqua Bank and Trustmark National Bank complaint(s):

Cyber Legislation Advances on the State and Federal Level

By Steven Caponi

Last year, cyber attacks on computer networks increased to a record level, doubling the number recorded in 2012. According to cybersecurity research firm FireEye, attacks on enterprises occurred every 1.5 seconds last year, up from once every three seconds the previous year. In the face of this onslaught, it is no surprise that government officials are taking steps to pass cybersecurity legislation. Unfortunately, if the recent announcements by Kentucky and Senator Mark Warner are a harbinger of things to come, it appears that the inability of Congress to enact comprehensive reforms will result in a patchwork of state and federal laws/regulations.

For its part, the Kentucky Senate passed a bill to improve security of personal data located on government computers. Known as House Bill 5, the legislation requires state agencies to better protect private information stored on government computers and also requires state and local government agencies to notify people within 35 days if their personal information is stolen or mishandled. House Bill 5 is a top priority of State Auditor Adam Edelen, who noted, “Every cybersecurity expert agrees that it’s not a matter of if agencies will be hacked. It is just a matter of when.” He further stated that, “From social security numbers, to tax returns, health records, to credit cards, governments possess more sensitive, private data than any other single entity.” These comments are likely a greater reflection on the past than a prediction of the future as a consequence of the 2012 incident when the Kentucky state finance cabinet accidentally posted Social Security numbers and sensitive information on its website.

House Bill 5 cleared the GOP-controlled Senate without opposition and received final approval from the Kentucky House on March 28. So far, the process has been described as bipartisan, and with 74 co-sponsors, a signature from the Governor appears to be a sure thing.

At the federal level, U.S. Senators Mark Warner (D-Va.) and Mark Kirk (R-Ill.) announced that they will introduce a bipartisan amendment creating a law enforcement partnership between the United States and Ukraine to combat cybercrime and improve cybersecurity. This amendment will be attached to an aid package intended to help bolster the Ukrainian government. At first blush, attaching an amendment to an aid package for Ukraine and limiting its focus to fostering cooperation between two countries may seem puzzling. But Ukraine is a known international haven for hackers, as evidenced by the data breach directed at millions of U.S. customers of Target and other leading American retailers. Both attacks were ultimately traced to cybercrime syndicates operating in Ukraine.

The Warner/Kirk amendment to the Ukraine aid bill proposes the following:

1) The initiation of formal U.S.-Ukraine bilateral talks on cybercrime to be followed by multilateral talks that include other law enforcement partners such as Europol and Interpol.

2) The establishment of a U.S. standing senior-level working group to conduct regular dialogue on cybercrime concerns and share best practices between law enforcement agencies in the U.S. and Ukraine.

3) The expansion of cyber law enforcement capabilities through a program with Ukraine that includes sending FBI agents to assist Ukrainian investigations and improve law enforcement cooperation.

4) Improved extradition procedures. There currently is no U.S.-Ukraine extradition treaty, which makes Ukraine a safe haven for operators of international cybercrime syndicates.

Sen. Warner stated in support of the amendment, “As the United States works to support this new Ukrainian government and as the Senate considers this significant Ukrainian aid package, we have an excellent opportunity to create new structures of cooperation that will better protect American consumers and businesses by working together to crack down on international cybercrime.”

“Our nation is one of the most frequently targeted countries for major cybercrimes and data breaches, accounting for nearly half of the $11 billion of losses on payment cards worldwide,” Sen. Kirk added. “Ukraine is a known hub for cybercrime, and the United States should work with the Ukrainian government to create a framework of cooperation to deter, prevent and counter these cyber criminals and ensure the safety of the newly formed Ukrainian government and financial system.”

Whether the amendment remains part of the aid package and achieves positive results remains to be seen. But if it even slightly diminishes the ability of hackers to operate freely in Ukraine, it will be deemed a success.