Podcast: #DtR Episode on Lines in the Sand on “Security Research”

You really need to hear this podcast where we draw lines in the sand staking out what is — and what is not — security research

The #DtR Gang [Rafal Los (@Wh1t3Rabbit), James Jardine (@JardineSoftware), and Michael Santarcangelo (@Catalyst)] invited me to tag along for another episode of the Down the Security Rabbit Hole podcast.

Also joining us for this episode were Chris John Riley (@ChrisJohnRiley) and Kevin Johnson (@SecureIdeasllc).

You can click here to see a list of the topics we covered in this episode or just jump straight into the podcast.

Let us know what you think by tagging your comments with #DtR on Twitter!

Podcast: DtR NewsCast of Hot Cyber Security Topics

I had the pleasure of joining the DtR Gang for another podcast on Down the Security Rabbit Hole and, as usual with this bunch, it was more fun than anything — but I learned a lot as well. Let me just tell you, these guys are the best around at what they do and they’re really great people on top of that!

This episode had the usual suspects of Rafal Los (@Wh1t3Rabbit), James Jardine (@JardineSoftware), and Michael Santarcangelo (@Catalyst), though James was riding passenger in a car and could only participate through IM. Also joining as a guest along with me was was  Philip Beyer (@pjbeyer).

Go check out the podcast and let us know what you think — use hashtag #DtR on Twitter!

Thank you Raf, James, Michael and Phil — this was a lot of fun!

FBI Director Talks Cyber Espionage: Chinese Like “Drunk Burglar”

FBI

“[T]here are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese” -FBI Director

The pervasive threat that cyber espionage poses to American business is not a new topic on this blog — we have been talking about it for a few years. But you do not have to take my word for it; there is a “higher authority” on the subject. No, not that high! But the Director of the FBI is pretty high.

Here is the transcript of what FBI Director James Comey had to say about the Chinese cyber espionage efforts. If you follow the link at the bottom, you can watch the video of his interview:

“What countries are attacking the United States as we sit here in cyberspace?”

“Well, I don’t want to give you a complete list. But the top of the list is the Chinese. As we have demonstrated with the charges we brought earlier this year against five members of the People’s Liberation Army. They are extremely aggressive and widespread in their efforts to break into American systems to steal information that would benefit their industry,” said FBI director Comey.

“What are they trying to get?”

“Information that’s useful to them so they don’t have to invent. They can copy or steal to learn about how a company might approach negotiations with a Chinese company, all manner of things,” said Comey.

“How many hits from China do we take in a day?”

“Many, many, many. I mean, there are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese,” said Comey.

“The Chinese are that good?”

“Actually,” the FBI director replied, “not that good. I liken them a bit to a drunk burglar. They’re kicking in the front door, knocking over the vase, while they’re walking out with your television set. They’re just prolific. Their strategy seems to be: We’ll just be everywhere all the time. And there’s no way they can stop us.”

via FBI Director: Chinese Like ‘Drunk Burglar’ | The Weekly Standard.

 

Hackers’ Cracked 10 Financial Firms in Major Assault – Russian Officials Involved?

There is nothing new about cyber attacks coming from Russia, however, to actually be able to tie them to Russian government officials — albeit loosely — would be another step. Is this a hunch or do they have something more?

Related: US Indicts Chinese Army Officers for Hacking US Companies

The huge cyberattack on JPMorgan Chase that touched more than 83 million households and businesses was one of the most serious computer intrusions into an American corporation. But it could have been much worse.

Questions over who the hackers are and the approach of their attack concern government and industry officials. Also troubling is that about nine other financial institutions — a number that has not been previously reported — were also infiltrated by the same group of overseas hackers, according to people briefed on the matter. The hackers are thought to be operating from Russia and appear to have at least loose connections with officials of the Russian government, the people briefed on the matter said.

via Hackers’ Attack Cracked 10 Financial Firms in Major Assault – NYTimes.com.

Podcast: CFAA, Shellshock and Cyber Security Research — What the Heck Do We Want?

Today I had a blast doing a podcast on the CFAA, Shellshock, and cyber security research with Rafal Los (@Wh1t3Rabbit), James Jardine (@JardineSoftware), and Michael Santarcangelo (@Catalyst) — in fact, we had so much fun that I suspect Raf had quite a time trying to edit it!

The starting point for our discussion was a recent article written by security researcher and blogger Robert Graham (@ErrataRob) titled Do shellshock scans violate CFAA?

As I mentioned on the show, when I first saw Robert’s article, I viewed it with skepticism. However, after actually reading it (yeah, I know — makes sense, right?), I found the article to be very well written, sound on the principles and issues of the CFAA — in my view, Robert did a great job of framing some key issues in the debate that definitely needs to happen.

From the article, our discussion expanded to a general discussion of the Computer Fraud and Abuse Act, its confusion as to application to “security research,” and whether it is even possible for Congress to “fix” the CFAA.

I do not think Congress is able to “fix” the CFAA right now for many reasons. However, I believe we pointed out some additional issues that must be taken into consideration during the public debate in determining what we as a society really value and want on these issues. Until “we the people” can figure that out, I see no way for Congress to “fix” this law which means the Common Law method is what we are left with.

Anyway, this post is just skimming the surface — Raf turned this into a really nice podcast so check it out: Down the Security Rabbithole.

Thank you Raf, James and Michael — this was a lot of fun!

No, the CFAA Does Not Require Taking Actions to Prevent the Hacking of Others

For all of the things the CFAA may (or may not) require, it does not require taking actions to prevent the hacking of others. We are not (yet) the guardians of the hacking universe!

In a factually interesting case that offers a great read on attorney professionalism, the United States Court of Appeals for the Seventh Circuit has confirmed that the Computer Fraud and Abuse Act (CFAA), 18 USC § 1030, does not require taking actions to prevent others from hacking into websites — even when the allegation is being made of internet service providers (ISP) that allegedly failed to take actions to prevent the hacking of their users websites.

In Lightspeed Media Corp. v. Smith, 761 F.3d 699 (7th Cir. 2014), the court addressed an appeal brought after the district court granted a motion to dismiss all claims, including the Computer Fraud and Abuse Act claim, which the court said was frivolous:

Lightspeed’s suit against the ISPs was premised on the notion that because the ISPs challenged appellants’ subpoena of the personally identifiable information of Smith’s 6,600 “co-conspirators,” they somehow became part of a purported plot to steal Lightspeed’s content. If there was any conceivable merit in that theory, then perhaps fees would have been inappropriate. But there was not.

Count I alleged that the ISPs violated the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. §§ 1030 and 1030(g), by failing to prevent hacking. The only alleged assistance to hackers, however, was the challenge to the subpoena. As expansive as the CFAA is, see Orin S. Kerr, Vagueness Challenges to the Computer Fraud and Abuse Act, 94 MINN. L. REV. 1561, 1563-65 (2010), this is a frivolous charge.

The Plaintiff’s original allegations are set forth below:

We are not guardians of the hacking universe!

We are not guardians of the hacking universe!

(link to Lightspeed’s full First Amended Complaint)

For all of the criticism of the expansiveness and unpredictability of the CFAA, and much of it is well deserved, we can now be confident that it does not impose a duty to take steps to prevent the hacking of others — and thank God!

Collin County Bench Bar Presentation on Cyber Risks to Lawyers #CCBBF

Collin County Bench Bar Presentation Digital Information Law

Collin County Bench Bar Presentation Digital Information Law

This morning I have the privilege of speaking at the Collin County Bench Bar Conference and talking with a tremendous group of Collin County Judges and Lawyers about the risks that lawyers, their clients, and their law practices face from data insecurity issues.

Here is the Prezi presentation that I will be using – take a look and tell me what you think! Cyber Fraud, Data Breaches, and Corporate Espionage: How They Impact Your Law Practice

p.s. The theme for the weekend is The Kentucky Derby if you were wondering how the horse fit in!