Podcast: #DtR Episode on Lines in the Sand on “Security Research”

You really need to hear this podcast where we draw lines in the sand staking out what is – and what is not — security research

The #DtR Gang [Rafal Los (@Wh1t3Rabbit), James Jardine (@JardineSoftware), and Michael Santarcangelo (@Catalyst)] invited me to tag along for another episode of the Down the Security Rabbit Hole podcast.

Also joining us for this episode were Chris John Riley (@ChrisJohnRiley) and Kevin Johnson (@SecureIdeasllc).

You can click here to see a list of the topics we covered in this episode or just jump straight into the podcast.

Let us know what you think by tagging your comments with #DtR on Twitter!

Podcast: DtR NewsCast of Hot Cyber Security Topics

I had the pleasure of joining the DtR Gang for another podcast on Down the Security Rabbit Hole and, as usual with this bunch, it was more fun than anything — but I learned a lot as well. Let me just tell you, these guys are the best around at what they do and they’re really great people on top of that!

This episode had the usual suspects of Rafal Los (@Wh1t3Rabbit), James Jardine (@JardineSoftware), and Michael Santarcangelo (@Catalyst), though James was riding passenger in a car and could only participate through IM. Also joining as a guest along with me was was  Philip Beyer (@pjbeyer).

Go check out the podcast and let us know what you think — use hashtag #DtR on Twitter!

Thank you Raf, James, Michael and Phil — this was a lot of fun!

Hackers’ Cracked 10 Financial Firms in Major Assault – Russian Officials Involved?

There is nothing new about cyber attacks coming from Russia, however, to actually be able to tie them to Russian government officials — albeit loosely — would be another step. Is this a hunch or do they have something more?

Related: US Indicts Chinese Army Officers for Hacking US Companies

The huge cyberattack on JPMorgan Chase that touched more than 83 million households and businesses was one of the most serious computer intrusions into an American corporation. But it could have been much worse.

Questions over who the hackers are and the approach of their attack concern government and industry officials. Also troubling is that about nine other financial institutions — a number that has not been previously reported — were also infiltrated by the same group of overseas hackers, according to people briefed on the matter. The hackers are thought to be operating from Russia and appear to have at least loose connections with officials of the Russian government, the people briefed on the matter said.

via Hackers’ Attack Cracked 10 Financial Firms in Major Assault – NYTimes.com.

Podcast: CFAA, Shellshock and Cyber Security Research — What the Heck Do We Want?

Today I had a blast doing a podcast on the CFAA, Shellshock, and cyber security research with Rafal Los (@Wh1t3Rabbit), James Jardine (@JardineSoftware), and Michael Santarcangelo (@Catalyst) — in fact, we had so much fun that I suspect Raf had quite a time trying to edit it!

The starting point for our discussion was a recent article written by security researcher and blogger Robert Graham (@ErrataRob) titled Do shellshock scans violate CFAA?

As I mentioned on the show, when I first saw Robert’s article, I viewed it with skepticism. However, after actually reading it (yeah, I know — makes sense, right?), I found the article to be very well written, sound on the principles and issues of the CFAA — in my view, Robert did a great job of framing some key issues in the debate that definitely needs to happen.

From the article, our discussion expanded to a general discussion of the Computer Fraud and Abuse Act, its confusion as to application to “security research,” and whether it is even possible for Congress to “fix” the CFAA.

I do not think Congress is able to “fix” the CFAA right now for many reasons. However, I believe we pointed out some additional issues that must be taken into consideration during the public debate in determining what we as a society really value and want on these issues. Until “we the people” can figure that out, I see no way for Congress to “fix” this law which means the Common Law method is what we are left with.

Anyway, this post is just skimming the surface — Raf turned this into a really nice podcast so check it out: Down the Security Rabbithole.

Thank you Raf, James and Michael — this was a lot of fun!

No, the CFAA Does Not Require Taking Actions to Prevent the Hacking of Others

For all of the things the CFAA may (or may not) require, it does not require taking actions to prevent the hacking of others. We are not (yet) the guardians of the hacking universe!

In a factually interesting case that offers a great read on attorney professionalism, the United States Court of Appeals for the Seventh Circuit has confirmed that the Computer Fraud and Abuse Act (CFAA), 18 USC § 1030, does not require taking actions to prevent others from hacking into websites — even when the allegation is being made of internet service providers (ISP) that allegedly failed to take actions to prevent the hacking of their users websites.

In Lightspeed Media Corp. v. Smith, 761 F.3d 699 (7th Cir. 2014), the court addressed an appeal brought after the district court granted a motion to dismiss all claims, including the Computer Fraud and Abuse Act claim, which the court said was frivolous:

Lightspeed’s suit against the ISPs was premised on the notion that because the ISPs challenged appellants’ subpoena of the personally identifiable information of Smith’s 6,600 “co-conspirators,” they somehow became part of a purported plot to steal Lightspeed’s content. If there was any conceivable merit in that theory, then perhaps fees would have been inappropriate. But there was not.

Count I alleged that the ISPs violated the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. §§ 1030 and 1030(g), by failing to prevent hacking. The only alleged assistance to hackers, however, was the challenge to the subpoena. As expansive as the CFAA is, see Orin S. Kerr, Vagueness Challenges to the Computer Fraud and Abuse Act, 94 MINN. L. REV. 1561, 1563-65 (2010), this is a frivolous charge.

The Plaintiff’s original allegations are set forth below:

We are not guardians of the hacking universe!

We are not guardians of the hacking universe!

(link to Lightspeed’s full First Amended Complaint)

For all of the criticism of the expansiveness and unpredictability of the CFAA, and much of it is well deserved, we can now be confident that it does not impose a duty to take steps to prevent the hacking of others — and thank God!

3 Steps the C-Suite Can Take to Strengthen Cyber Security

NTCC 1The C-Suite is ultimately responsible for failures of a company’s cyber security. A recent example of this is how Target’s CEO, CTO, and several Board Members were pushed out in the wake of its data breach.

SEE BELOW FOR EVENT REGISTRATION!

This puts leaders in a difficult position. It is almost a statistical certainty that every company will suffer a data breach sooner rather than later. Does that mean that most C-Levels and Directors are on the verge of losing their positions because of a data breach? Does it mean that their careers and future are now out of their control?

No, it does not have to mean either of those things. There are steps leaders can take to help minimize the risk of these things happening, both to themselves and their companies.

Leaders will be Judged, but by What Standard?

Because statistics show that virtually all companies will eventually suffer some form of data breach, the standard by which their leadership is judged is not whether their company did or did not suffer a data breach. That is now a given.

Rather, the standard is whether, prior to a breach, the company had taken reasonable steps to protect its systems and data and whether it made appropriate plans to respond and mitigate the effects of such a breach.

Because the risk is foreseeable, the question is one of preparation. That is, did the leaders act reasonable in preparing their companies now that they are aware of the risks their companies face. If they did, they have much better odds. If they did not, they will be judged harshly.

How can leaders help prepare their companies for these challenges?

The 3 Steps

To prepare their companies, the C-Suite must show leadership on this issue by setting a tone for the company and establishing a culture of compliance when it comes to cyber security. This must come from the top down. There are three steps that leadership can take that will help create that culture:

  1. Leadership must truly care about cyber security and the digital business risks their company faces;
  2. Leadership must show its concern and commitment by dedicating appropriate resources for cyber security and minimizing digital business risks; and
  3. Leadership must listen to those responsible for, and who work most closely with, cyber security issues. By listening, leadership reaffirms its concern and commitment to a culture of compliance for cyber security. Leadership also increases its knowledge and understanding of the nature of the cyber security threats and the digital business risks the company faces.

Where Can Leaders Start?

The starting point for members of the C-Suite and Boardroom is to gain a better appreciation and understanding of the risks their companies face. There is a great opportunity for them to do this by attending an upcoming seminar sponsored by the North Texas Crime Commission.

The seminar, Strengthening the Weak Link: Cyber Security Essentials for the C-Suite, will be held at the George W. Bush Institute at Southern Methodist University on October 16, 2014.

The keynote speaker will be Tom Ridge, former Secretary of Homeland Security. There are several other notable speakers who will be sharing their knowledge of these risks, including members of the cyber units of the FBI, Secret Service, United States Department of Justice, and many others.

Register for the event on Eventbrite by clicking HERE! 

NTCC Cyber Security SeminarNTCC 3

NTCC 4

The #1 Thing the C-Suite Can Learn from Target’s CEO’s Resignation

Your Company is The Target

Business leaders must appreciate digital business risk and be proactive in trying to mitigate it. If they do not, they do so at their own peril.

Data security is such a threat to businesses that it must be a key tenet of leadership for the C-Suite and the Boardroom.

Over the last several years I have written and spoken extensively about the risks that businesses face from the threat of data breaches. (posts) One of the points I try to make is that this is not just a “tech” issue, but is a business issue that impacts the business as a whole. In other words, it is an issue that demands the attention of executive management as well as the board of directors.

We now have a very visible case study.

Following CEO Gregg Steinhafel’s resignation, Target released a statement saying “after extensive discussions, the board and Steinhafel have decided that now is the right time for new leadership.” While the data breach is certainly not the only factor being considered, it is a major one. From this, one can easily discern the underlying message which is that under Steinhafel’s leadership, data security was not a key focus, but under new leadership, it will be.

Commenting on the resignation, Ken Nisch, chairman of retail branding and design company JGA said of Target’s hunt for a new CEO: “They need to find somebody who really gets e-commerce.”

Data security isn’t exactly the same as e-commerce, but it is a step in the right direction. Target — and every other business — need leadership that appreciates digital business risk and is proactive in trying to mitigate that risk. My message for those leaders that refuse to do so: “Do so at your own peril.”

Full article: Target CEO out as data breach fallout goes on

 


About the author

Shawn Tuma is a lawyer who is experienced in advising clients on digital business risk which includes complex digital information law and intellectual property issues. This includes things such as trade secrets litigation and misappropriation of trade secrets (under common law and the Texas Uniform Trade Secrets Act), unfair competition, and cyber crimes such as the Computer Fraud and Abuse Act; helping companies with data security issues from assessing their data security strengths and vulnerabilities, helping them implement policies and procedures for better securing their data, preparing data breach incident response plans, leading them through responses to a data breach, and litigating disputes that have arisen from data breaches. Shawn is a partner at BrittonTuma, a boutique business law firm with offices near the boarder of Frisco and Plano, Texas which is located minutes from the District Courts of Collin County, Texas and the Plano Court of the United States District Court, Eastern District of Texas. He represents clients in lawsuits across the Dallas / Fort Worth Metroplex including state and federal courts in Collin County, Denton County, Dallas County, and Tarrant County, which are all courts in which he regularly handles cases (as well as throughout the nation pro hac vice). Tuma regularly serves as a consultant to other lawyers on issues within his area of expertise and also serves as local counsel for attorneys with cases in the District Courts of Collin County, Texas, the United States District Court, Eastern District of Texas, and the United States District Court, Northern District of Texas.