Podcast: DtR NewsCast of Hot Cyber Security Topics

I had the pleasure of joining the DtR Gang for another podcast on Down the Security Rabbit Hole and, as usual with this bunch, it was more fun than anything — but I learned a lot as well. Let me just tell you, these guys are the best around at what they do and they’re really great people on top of that!

This episode had the usual suspects of Rafal Los (@Wh1t3Rabbit), James Jardine (@JardineSoftware), and Michael Santarcangelo (@Catalyst), though James was riding passenger in a car and could only participate through IM. Also joining as a guest along with me was was  Philip Beyer (@pjbeyer).

Go check out the podcast and let us know what you think — use hashtag #DtR on Twitter!

Thank you Raf, James, Michael and Phil — this was a lot of fun!

Hackers’ Cracked 10 Financial Firms in Major Assault – Russian Officials Involved?

There is nothing new about cyber attacks coming from Russia, however, to actually be able to tie them to Russian government officials — albeit loosely — would be another step. Is this a hunch or do they have something more?

Related: US Indicts Chinese Army Officers for Hacking US Companies

The huge cyberattack on JPMorgan Chase that touched more than 83 million households and businesses was one of the most serious computer intrusions into an American corporation. But it could have been much worse.

Questions over who the hackers are and the approach of their attack concern government and industry officials. Also troubling is that about nine other financial institutions — a number that has not been previously reported — were also infiltrated by the same group of overseas hackers, according to people briefed on the matter. The hackers are thought to be operating from Russia and appear to have at least loose connections with officials of the Russian government, the people briefed on the matter said.

via Hackers’ Attack Cracked 10 Financial Firms in Major Assault – NYTimes.com.

Podcast: CFAA, Shellshock and Cyber Security Research — What the Heck Do We Want?

Today I had a blast doing a podcast on the CFAA, Shellshock, and cyber security research with Rafal Los (@Wh1t3Rabbit), James Jardine (@JardineSoftware), and Michael Santarcangelo (@Catalyst) — in fact, we had so much fun that I suspect Raf had quite a time trying to edit it!

The starting point for our discussion was a recent article written by security researcher and blogger Robert Graham (@ErrataRob) titled Do shellshock scans violate CFAA?

As I mentioned on the show, when I first saw Robert’s article, I viewed it with skepticism. However, after actually reading it (yeah, I know — makes sense, right?), I found the article to be very well written, sound on the principles and issues of the CFAA — in my view, Robert did a great job of framing some key issues in the debate that definitely needs to happen.

From the article, our discussion expanded to a general discussion of the Computer Fraud and Abuse Act, its confusion as to application to “security research,” and whether it is even possible for Congress to “fix” the CFAA.

I do not think Congress is able to “fix” the CFAA right now for many reasons. However, I believe we pointed out some additional issues that must be taken into consideration during the public debate in determining what we as a society really value and want on these issues. Until “we the people” can figure that out, I see no way for Congress to “fix” this law which means the Common Law method is what we are left with.

Anyway, this post is just skimming the surface — Raf turned this into a really nice podcast so check it out: Down the Security Rabbithole.

Thank you Raf, James and Michael — this was a lot of fun!

No, the CFAA Does Not Require Taking Actions to Prevent the Hacking of Others

For all of the things the CFAA may (or may not) require, it does not require taking actions to prevent the hacking of others. We are not (yet) the guardians of the hacking universe!

In a factually interesting case that offers a great read on attorney professionalism, the United States Court of Appeals for the Seventh Circuit has confirmed that the Computer Fraud and Abuse Act (CFAA), 18 USC § 1030, does not require taking actions to prevent others from hacking into websites — even when the allegation is being made of internet service providers (ISP) that allegedly failed to take actions to prevent the hacking of their users websites.

In Lightspeed Media Corp. v. Smith, 761 F.3d 699 (7th Cir. 2014), the court addressed an appeal brought after the district court granted a motion to dismiss all claims, including the Computer Fraud and Abuse Act claim, which the court said was frivolous:

Lightspeed’s suit against the ISPs was premised on the notion that because the ISPs challenged appellants’ subpoena of the personally identifiable information of Smith’s 6,600 “co-conspirators,” they somehow became part of a purported plot to steal Lightspeed’s content. If there was any conceivable merit in that theory, then perhaps fees would have been inappropriate. But there was not.

Count I alleged that the ISPs violated the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. §§ 1030 and 1030(g), by failing to prevent hacking. The only alleged assistance to hackers, however, was the challenge to the subpoena. As expansive as the CFAA is, see Orin S. Kerr, Vagueness Challenges to the Computer Fraud and Abuse Act, 94 MINN. L. REV. 1561, 1563-65 (2010), this is a frivolous charge.

The Plaintiff’s original allegations are set forth below:

We are not guardians of the hacking universe!

We are not guardians of the hacking universe!

(link to Lightspeed’s full First Amended Complaint)

For all of the criticism of the expansiveness and unpredictability of the CFAA, and much of it is well deserved, we can now be confident that it does not impose a duty to take steps to prevent the hacking of others — and thank God!

3 Steps the C-Suite Can Take to Strengthen Cyber Security

NTCC 1The C-Suite is ultimately responsible for failures of a company’s cyber security. A recent example of this is how Target’s CEO, CTO, and several Board Members were pushed out in the wake of its data breach.

SEE BELOW FOR EVENT REGISTRATION!

This puts leaders in a difficult position. It is almost a statistical certainty that every company will suffer a data breach sooner rather than later. Does that mean that most C-Levels and Directors are on the verge of losing their positions because of a data breach? Does it mean that their careers and future are now out of their control?

No, it does not have to mean either of those things. There are steps leaders can take to help minimize the risk of these things happening, both to themselves and their companies.

Leaders will be Judged, but by What Standard?

Because statistics show that virtually all companies will eventually suffer some form of data breach, the standard by which their leadership is judged is not whether their company did or did not suffer a data breach. That is now a given.

Rather, the standard is whether, prior to a breach, the company had taken reasonable steps to protect its systems and data and whether it made appropriate plans to respond and mitigate the effects of such a breach.

Because the risk is foreseeable, the question is one of preparation. That is, did the leaders act reasonable in preparing their companies now that they are aware of the risks their companies face. If they did, they have much better odds. If they did not, they will be judged harshly.

How can leaders help prepare their companies for these challenges?

The 3 Steps

To prepare their companies, the C-Suite must show leadership on this issue by setting a tone for the company and establishing a culture of compliance when it comes to cyber security. This must come from the top down. There are three steps that leadership can take that will help create that culture:

  1. Leadership must truly care about cyber security and the digital business risks their company faces;
  2. Leadership must show its concern and commitment by dedicating appropriate resources for cyber security and minimizing digital business risks; and
  3. Leadership must listen to those responsible for, and who work most closely with, cyber security issues. By listening, leadership reaffirms its concern and commitment to a culture of compliance for cyber security. Leadership also increases its knowledge and understanding of the nature of the cyber security threats and the digital business risks the company faces.

Where Can Leaders Start?

The starting point for members of the C-Suite and Boardroom is to gain a better appreciation and understanding of the risks their companies face. There is a great opportunity for them to do this by attending an upcoming seminar sponsored by the North Texas Crime Commission.

The seminar, Strengthening the Weak Link: Cyber Security Essentials for the C-Suite, will be held at the George W. Bush Institute at Southern Methodist University on October 16, 2014.

The keynote speaker will be Tom Ridge, former Secretary of Homeland Security. There are several other notable speakers who will be sharing their knowledge of these risks, including members of the cyber units of the FBI, Secret Service, United States Department of Justice, and many others.

Register for the event on Eventbrite by clicking HERE! 

NTCC Cyber Security SeminarNTCC 3

NTCC 4

The #1 Thing the C-Suite Can Learn from Target’s CEO’s Resignation

Your Company is The Target

Business leaders must appreciate digital business risk and be proactive in trying to mitigate it. If they do not, they do so at their own peril.

Data security is such a threat to businesses that it must be a key tenet of leadership for the C-Suite and the Boardroom.

Over the last several years I have written and spoken extensively about the risks that businesses face from the threat of data breaches. (posts) One of the points I try to make is that this is not just a “tech” issue, but is a business issue that impacts the business as a whole. In other words, it is an issue that demands the attention of executive management as well as the board of directors.

We now have a very visible case study.

Following CEO Gregg Steinhafel’s resignation, Target released a statement saying “after extensive discussions, the board and Steinhafel have decided that now is the right time for new leadership.” While the data breach is certainly not the only factor being considered, it is a major one. From this, one can easily discern the underlying message which is that under Steinhafel’s leadership, data security was not a key focus, but under new leadership, it will be.

Commenting on the resignation, Ken Nisch, chairman of retail branding and design company JGA said of Target’s hunt for a new CEO: “They need to find somebody who really gets e-commerce.”

Data security isn’t exactly the same as e-commerce, but it is a step in the right direction. Target — and every other business — need leadership that appreciates digital business risk and is proactive in trying to mitigate that risk. My message for those leaders that refuse to do so: “Do so at your own peril.”

Full article: Target CEO out as data breach fallout goes on

 


About the author

Shawn Tuma is a lawyer who is experienced in advising clients on digital business risk which includes complex digital information law and intellectual property issues. This includes things such as trade secrets litigation and misappropriation of trade secrets (under common law and the Texas Uniform Trade Secrets Act), unfair competition, and cyber crimes such as the Computer Fraud and Abuse Act; helping companies with data security issues from assessing their data security strengths and vulnerabilities, helping them implement policies and procedures for better securing their data, preparing data breach incident response plans, leading them through responses to a data breach, and litigating disputes that have arisen from data breaches. Shawn is a partner at BrittonTuma, a boutique business law firm with offices near the boarder of Frisco and Plano, Texas which is located minutes from the District Courts of Collin County, Texas and the Plano Court of the United States District Court, Eastern District of Texas. He represents clients in lawsuits across the Dallas / Fort Worth Metroplex including state and federal courts in Collin County, Denton County, Dallas County, and Tarrant County, which are all courts in which he regularly handles cases (as well as throughout the nation pro hac vice). Tuma regularly serves as a consultant to other lawyers on issues within his area of expertise and also serves as local counsel for attorneys with cases in the District Courts of Collin County, Texas, the United States District Court, Eastern District of Texas, and the United States District Court, Northern District of Texas.

Corporate Espionage: Hacking A Company Through A Chinese Restaurant Takeout Menu

Photo Credit: country_boy_shane via Compfight cc

Photo Credit: country_boy_shane via Compfight cc

Corporate espionage (industrial espionage) is a favorite topic of mine. I have written and presented on the subject quite a bit and, while I am never sure how my readers react when I write about this, I do carefully watch the look on my audience members’ faces when I first mention the issue. The story their eyes tell is interesting.

The story of “why should I care about this?”

At first they usually have a glazed over look with no emotion or reaction — as if they are thinking “this is just another lawyer using fancy lawyer words but whatever he is talking about, it doesn’t apply to anything that I do” and they politely sit there feigning paying attention.

And then, I tell them about the cases where Chinese state-sponsored groups had “insiders” planted in companies like Motorola or DuPont to steal their proprietary trade secrets. Their reaction does not change — as if they are thinking “yeah, ok, whatever, my company is not Motorola or DuPont or anything like it — we are a small shop and nobody cares that much about what we have.”

And then, trying to get their attention with something they have heard about, I mention Target and the massive and expensive Target breach. Their reaction does not change — as if they are thinking “dude, why are you telling me this? My company is nothing like Target — we could barely even be a supplier to Target, why would anyone care about us?”

And then, I ask them if they have ever heard of Fazio Mechanical Services — knowing they have no idea of who that is.

Blank stares.

So I ask them to raise their hands if they’ve ever heard of Fazio Mechanical Services — and usually no one raises their hands but at least now they are listening …

So I go on to explain that

  • Fazio Mechanical Services is (or should I say was) a vendor to Target and that it was a breach of Fazio’s computer system through an email spear phishing attack that ultimately allowed the hackers to breach the Target system;
  • While no one may have cared about getting Fazio’s information, Fazio’s system was very valuable to the hackers because it provided an intrusion point into the Target system — which made attacking Fazio very valuable, strategically, to the hackers;
  • Hackers are smart and very strategic and now that they have seen a great example of how effective using indirect methods, such as third party vendors, to attack their primary target has been and they will likely do it again;
  • Even if they do not believe their company is a high value target to hackers, if one of their suppliers, vendors, or other business associates may be, it could be their system that is used to become that intrusion point to reach the high value target, and
  • If that were to happen, their business would likely be the next Fazio and they would probably be looking for new employment.

What does this have to do with hacking through a Chinese Restaurant Takeout Menu (website)?

This usually brings the abstract notion of “corporate espionage” to reality for them. I was reminded of this when I read a recent article in the New York Times titled Hackers Lurking in Vents and Soda Machines that provides a great explanation of how hackers use this indirect method of attack on their primary targets. Here are a few poignant quotes but you should read the whole article:

Unable to breach the computer network at a big oil company, hackers infected with malware the online menu of a Chinese restaurant that was popular with employees. When the workers browsed the menu, they inadvertently downloaded code that gave the attackers a foothold in the business’s vast computer network.

*   *   *

Hackers in the recent Target payment card breach gained access to the retailer’s records through its heating and cooling system. In other cases, hackers have used printers, thermostats and videoconferencing equipment.

Companies have always needed to be diligent in keeping ahead of hackers — email and leaky employee devices are an old problem — but the situation has grown increasingly complex and urgent as countless third parties are granted remote access to corporate systems. This access comes through software controlling all kinds of services a company needs: heating, ventilation and air-conditioning; billing, expense and human-resources management systems; graphics and data analytics functions; health insurance providers; and even vending machines.

Full Article: http://www.nytimes.com/2014/04/08/technology/the-spy-in-the-soda-machine.html?ref=technology&_r=0.

This is a serious problem — even your company needs to pay attention to it, even if no one in your company likes Chinese takeout.


 

About the author

Shawn Tuma is a lawyer who is experienced in advising clients on complex digital information law and intellectual property issues. These issues include things such as trade secrets litigation and misappropriation of trade secrets (under common law and the Texas Uniform Trade Secrets Act), unfair competition, and cyber crimes such as the Computer Fraud and Abuse Act; helping companies with data security issues from assessing their data security strengths and vulnerabilities, helping them implement policies and procedures for better securing their data, preparing data breach incident response plans, leading them through responses to a data breach, and litigating disputes that have arisen from data breaches. Shawn is a partner at BrittonTuma, a boutique business law firm with offices near the border of Frisco and Plano, Texas which is located minutes from the District Courts of Collin County, Texas and the Plano Court of the United States District Court, Eastern District of Texas. He represents clients in lawsuits across the Dallas / Fort Worth Metroplex including state and federal courts in Collin County, Denton County, Dallas County, and Tarrant County, which are all courts in which he regularly handles cases (as well as throughout the nation pro hac vice). Tuma regularly serves as a consultant to other lawyers on issues within his area of expertise and also serves as local counsel for attorneys with cases in the District Courts of Collin County, Texas, the United States District Court, Eastern District of Texas, and the United States District Court, Northern District of Texas.