former employee = current data thief

Fifth Circuit Upholds CFAA Conviction for Former Employee’s Misuse Causing Damage Based on Circumstantial Evidence

In United States v. Anastasio N. Laoutaris, 2018 WL 614943 (5th Cir. Jan. 29, 2018), the United States Fifth Circuit Court of Appeals affirmed a jury verdict finding Laoutaris guilty of two counts of computer intrusion causing damage, in violation of 18 U.S.C. § 1030(a)(5)(A) and (c)(4)(B)(i) of the Computer Fraud and Abuse Act.

Laoutaris had been an IT engineer for Locke Lord LLP; following the termination of his employment, he accessed to the firm’s computer network and issued instructions and commands that caused significant damage to the network, including deleting or disabling hundreds of user accounts, desktop and laptop accounts, and user e-mail accounts. This post-termination access was without authorization. He was ordered to pay restitution in the amount of $1,697,800 and sentenced to 115 months’ imprisonment.

On appeal, Laoutaris argued that “the evidence at trial was insufficient to support the jury’s verdict for both counts of conviction because there was no proof he was the person who accessed Locke’s network and caused the damage that occurred on the relevant dates.” Further, Laoutaris had an expert testify that the attacks came from China.

The Fifth Circuit disagreed and found “[t]he evidence at trial shows a rational jury could have found each essential element for the § 1030(a)(5)(A) offenses charged against Laoutaris, who elected to testify. Contrary to his assertions, there was ample circumstantial evidence identifying him as the perpetrator of these offenses.”

The government’s brief indicates that the following evidence was admitted on this issue, beginning at page 6:

At trial, the government presented a substantial volume of circumstantial evidence identifying Laoutaris as the intruder. Logs created by the servers on the Locke Lord network showed that the intruder on December 1 and December 5 connected to the network using LogMeIn, which was installed on the HOBK01 backup server in Houston, and accessed the network using the credentials of a Windows “master services account” called svc_gn and its associated password. (ROA.1463-1515, 2835-47.) The IP address of the intruder on December 1 and December 5 was 75.125.127.4. (ROA.2768, 2835.)
That IP address was assigned to The Planet. (ROA.1077-79.) Laoutaris was an employee of The Planet at the time. (ROA.1068-70; see also ROA.2635-83.) Kelly Hurst, Laoutaris’s supervisor at The Planet, testified that the IP address was The Planet’s public wireless network at the Houston corporate office, which employees would be able to use while working out of The Planet’s corporate office. (ROA.1077-78.)
*7 Laoutaris was also associated with the LogMeIn software running on the Houston backup server. The software program was installed by a person who identified his email address as “c_hockland@hotmail.com.” (ROA.1304-07, 2848.) Records from Microsoft established that the account was created by “A.N. Laoutaris.” (ROA.2587.) Further, several Locke Lord employees testified that “c_hockland@hotmail.com” was an email address they knew to be associated with Laoutaris. (ROA.1306.) Additionally, Laoutaris’s personnel file included his resume, where he used the email address, and an email he sent on his last day providing c_hockland@hotmail.com as his forwarding email address. (ROA.2550.) Even after he quit, Laoutaris used that email address to send a message to a former colleague at Locke Lord making disparaging comments about the firm and his former supervisor. (ROA.2559-60.) Laoutaris continued using the email address as recently as July 2014, after he was indicted. (ROA.2681.)
The government also presented evidence establishing that Laoutaris had the password for the “svc_gn” account. The “svc_gn” account was the “master of all masters” account that had “no limits” on what it could do within the Locke Lord network. (ROA.1147.) IT engineers at Locke Lord explained that all of the engineers would from time to time use the “svc_gn” account when performing various tasks on the network and that all the *8 engineers had the password. (ROA.1147.) The jury heard evidence that Laoutaris asked for, and received, the password for the “svc_gn” account shortly before quitting the law firm. On August 10, 2011, a few days before Laoutaris quit, he requested the password from Michael Ger and Stan Guzic, two of the other IT engineers at Locke Lord. (ROA.2556-57.) Guzic testified that Laoutaris “constantly asked us for the password” and thus “to help him remember it, we used his name within the password itself” – specifically, “4nick8.” (ROA.1151.)
Not only was Laoutaris specifically tied to the December 1 and December 5 attacks, the government presented evidence tying him to at least 12 unauthorized intrusions into the Locke Lord network through LogMeIn. (ROA.2703-16, 2746, 2756, 2758, 2760, 2762, 2764, 2766, 2768, 2835, 2849.) Each of those intrusions originated from an IP address that was tied back to Laoutaris – either his home or his place of employment. (ROA.2703-16.)
The government’s brief also provides an excellent example of how to calculate a loss in a case such as this, beginning at page 12.

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

What do we in the United States really want from our cyber laws?

In my newsfeed are articles in prominent publications discussing the problems with the federal Computer Fraud and Abuse Act from very different perspectives.

www.businesscyberrisk.comIn the “the CFAA is dangerous for security researchers” corner we have White Hat Hackers and the Internet of Bodies, in Law360, discussing how precarious the CFAA (and presumably, the state hacking laws such as Texas’ Breach of Computer Security / Harmful Access by Computer laws) and Digital Millenium Copyright Act can be for security researchers.

In the “the CFAA prevents companies from defending themselves” corner we have New Bill Would Allow Hacking Victims to ‘Hack Back’, in The Hill, discussing The Active Cyber Defense Certainty Act (ACDC). ACDC (what a great acronym!) would allow companies more latitude in defending themselves against those intruding into their networks by permitting them to use techniques described as “active defense,” under certain conditions, though not permitting companies to counterattack.

Now, instead of thinking about these two measures in isolation, think of them together. What if we were to get both of them passed into law? What if we got one or the other?

This reminds me of a piece I wrote about the CFAA and the broader national policy discussion a few years ago, Hunter Moore or Aaron Swartz: Do we hate the CFAA? Do we love the CFAA? Do we even have a clue? In that piece I stated,

The CFAA has become a national lightening rod with many loving it, many hating it, and far too many loving it and hating it at the same time, without even realizing it. Before we go any further, however, consider this quote:

The CFAA was tailor-made to punish precisely the kind of behavior that [guess who?] is charged with: breaking into other people’s accounts and disseminating their … information.

Quick! Who is that referring to? Hunter Moore? Edward Snowden? Aaron Swartz? Sandra Teague?

I used this overly simplified example to try and make a point that, philosophically, we as a nation need to stop looking at each of these cases and laws in isolation and need to look at the bigger picture of how it all fits together. Picking and choosing based upon our own personal likes and dislikes due to the emotional tug of the facts is no way to develop, maintain, and mature a body of law on any subject matter — much less one as complicated as cyber.

Take this discussion and add into the mix new security-based laws such as NYDFS and then mix in the 48 states + HIPAA, GLBA, etc. breach notification laws, the conundrum of cybersecurity law schizophrenia, and then see what we have to work with. Does it all make sense?

What do you think? Where do we begin? Who needs to be involved in working this out? What are the first questions we need to ask?

Hacking Into A Company You Sold Can Get You Jail Time

A federal judge sentenced David Kent to a year and a day in prison and ordered him to pay $3.3 million in restitution and pay a $20,000 fine for accessing the computer network of Rigzone.com, an industry-specific networking website. Kent founded Rigzone.com, sold it for $51 million, and after the sale accessed the company’s network to obtain information to use for launching a competitor to Rigzone.com. The Complaint describes how Kent was able to do this by exploiting a source code vulnerability that he knew of from the original creation of the website. This is a big no-no. Under the Computer Fraud and Abuse Act, this type of unauthorized access is considered hacking just as if the Russians did it with super-secret James Bond-like gadgets and gizmos.

USA v. Kent, 1:16-cr-00385, U.S. District Court for the Southern District of New York

 

Trying to DDoS the White House Website to Protest Trump’s Inauguration Violates CFAA

OLYMPUS DIGITAL CAMERA

There has been a lot of buzz this past week about protesters indicating they plan to protest President-Elect Trump’s inauguration by launching a DDoS attack on the White House website. This plan has received some high-profile publicity by articles in magazines such as Forbes and PC World.

I initially learned of this discussion when I started receiving a large number of ping-backs on a post I wrote a few years ago titled Yes, Case Law Says it Really is a CFAA Violation to DDoS a Website.

This post looked at the Sixth Circuit Court of Appeals case of Pulte Homes, Inc. v. Laborers’ Intern. Union of North America, 648 F.3d 295 (6th Cir. 2011), a case that did not deal directly with a DDoS attack but did deal with a labor union’s concerted email and telephone “attack” on a company of such a volume that it disrupted the company’s ability to do business. The Pulte Court held that such activity violated the Computer Fraud and Abuse Act (CFAA). Read more about the Pulte Court’s analysis here.

Applying the Pulte Court’s principle that a transmission that weakens a sound computer system–-or, by analogy, that diminishes the ability to use data or a system–-causes damage, the Pulte opinion and the cases it cites do support the proposition that it is a violation of the Computer Fraud and Abuse Act to DDoS a website.

So, if you try to DDoS the White House’s website in protest of Donald Trump becoming President of the United States, you will violate the federal Computer Fraud and Abuse Act and there is a decent chance that President Trump’s Department of Justice will then be coming after you. Now you know.

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Feds: Chinese Traders Busted, Trading on Info “Hacked” from Law Firms via Email Compromise

A warning for law firms:

Preet Bharara, the U.S. Attorney for the Southern District of New York, said the case should serve as a “wake-up call for law firms around the world.”

“You are and will be targets of cyber hacking, because you have information valuable to would-be criminals,” Bharara said in a statement.

But here is the most important point to remember, from the DOJ statement, demonstrating that this entire “hack” was a result of compromised email credentials – not the James Bond kind of stuff people like to think about. There were two law firms “hacked” and both started with compromised employee email credentials:

“[B]eginning about July 2014, the Defendants, without authorization, caused one of Law Firm-1’s web servers (the “Law Firm-1 Web Server”) to be accessed by using the unlawfully obtained credentials of a Law Firm-1 employee. The Defendants then caused malware to be installed on the Law Firm-1 Web Server. The access to the Law Firm-1 Web Server allowed unauthorized access to at least one of Law Firm-1’s email servers (the “Law Firm-1 Email Server”), which contained the emails of Law Firm-1 employees, including Partner-1.””

“[T]he Defendants, without authorization, caused one of Law Firm-2’s web servers (the “Law Firm-2 Web Server”), located in New York, New York, to be accessed by using the unlawfully obtained credentials of a Law Firm-2 employee. The Defendants then caused malware to be installed on the Law Firm-2 Web Server.”

Sources:

A Cybersecurity Night Before Christmas

clarkMy friend Paul Ferrillo (@PaulFerrillo) shared a cybersecurity version of the Night Before Christmas that I thought was brilliant. Wanting to be sure and properly credit this fine work, I asked Paul about attribution … since we can never be too confident in attribution, after all, yet it is critically important. Paul then confessed that it was not his original work but that of his AI poem-bot which, to me, is even more remarkable.

Here is Paul’s AI poem-bot’s version of the Cybersecurity Night Before Christmas:

‘Twas the night before Christmas, when all through the house
not a creature was stirring, except for Fancy Bear.
The computers were humming by the chimney with care,
exfiltrating data that soon would be not there.
The incident response staff were nestled all snug in their beds,
while visions of sleep filled night danced in their heads.
When out of the SIEM there arose such a clatter,
I sprang from my bed to see what was the matter.
And I said Darn, I wished I had installed that machine learning solution I heard about at RSA.
Happy Holidays to all!

Here is our conversation with the original post so if you enjoyed it, hop on over and let Paul know with your comments: www.linkedin.com/hp/update/6218155148829552640

Merry Christmas, friends, and a very Happy New Year!

p.s., if you want to know some of Paul’s thoughts on how to have more effective cybersecurity, without working really hard like Clark Griswold and washing machines, check out our article 7 Strategies to Win the Cyber “Space Race” and the discussion of using AI and machine learning.

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Top 3 CFAA Takeaways from Facebook v. Power Ventures Case in Ninth Circuit

Here are my top 3 key Computer Fraud and Abuse Act (CFAA) takeaways from the Ninth Circuit Court of Appeals’ Order and Amended Opinion issued on December 9, 2016 in Facebook, Inc. v. Power Ventures, Inc.

1.  A violation of the CFAA can occur when someone “has no permission to access a computer or when such permission has been revoked explicitly.”

First, a defendant can run afoul of the CFAA when he or she has no permission to
access a computer or when such permission has been revoked explicitly. Once permission has been revoked, technological gamesmanship or the enlisting of a third party to aid in access will not excuse liability.

*   *   *

The record shows unequivocally that power knew that it no longer had authorization to access Facebook’s computers, but continued to do so anyway. . . . Power admitted that, after receiving notice that its use of or access to Facebook was forbidden by Facebook, it “took, copied, or made use of data from the Facebook website without Facebook’s permission to do so.”

*   *   *

In sum, as it admitted, Power deliberately disregarded the cease and desist letter and accessed Facebook’s computers without authorization to do so. It circumvented IP barriers that further demonstrated that Facebook had rescinded permission for Power to access Facebook’s computers. We therefore hold that, after receiving written notification from Facebook on December 1, 2008, Power accessed Facebook’s computers “without authorization” within the meaning of the CFAA and is liable under that statute. (Opinion, p. 15-19).

2.  “[A] violation of the terms of use of a website — without more — cannot establish liability under the CFAA.” (Opinion, p. 15-16).

The foregoing statement was followed with this footnote:

One can imagine situations in which those two principles might be in tension–situations in which, for example, an automatic boilerplate revocation follows a violation of a website’s terms of use–but we need not address or resolve such questions on the stark facts before us.”

One of the most fundamental principles of law is that people be afforded notice of situations placing them in legal jeopardy. Over and over, the Court emphasizes that Power Ventures received actual notice and was subjectively aware that Facebook revoked its authorization to access the site. In looking at how courts handle “browse wrap” versus “click wrap” online agreements, they consistently look for some objective manifestation that the user was subjectively aware of the existence of the agreement and subjectively assented to it — whether actually reading it or understanding it or not.

In future terms of use cases claiming violations of the CFAA, it is likely that the courts will look to see if there was a manifestation of actual notice of the restrictions, prior to the restricted act, which was then consciously disregarded by engaging in the restricted act.

3.  Employee time spent investigating and responding to an incident can be used to calculate the $5,000 “Loss” that is a prerequisite for a civil CFAA claim.

First, we hold that Facebook suffered a loss within the meaning of the CFAA. The statute permits a private right of action when a party has suffered a loss of at least $5,000 during a one-year period. Id. § 1030(c)(4)(A)(i)(I). The statute defines “loss” to mean “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the consequential damages incurred because of interruption of service.” Id. § 1030(e)(11). It is undisputed that Facebook employees spent many hours, totaling more than $5,000 in costs, analyzing, investigating, and responding to Power’s
actions. Accordingly, Facebook suffered a loss under the CFAA. (Opinion, p. 13-14).

 

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Is Key Claim Missing from Pastor’s Lawsuit Over Wife’s Nude Pics Emailed to Swinger Site?

Should a claim for [YOU GUESS] have been included in this lawsuit? See my thoughts below and share your thoughts.

The Allegations Behind the Lawsuit

A legal team led by Gloria Allred made news by suing Toyota (and others) on behalf of a Frisco, Texas pastor and his wife, Tim  and Claire Gautreaux, alleging that a Toyota salesman emailed nude pictures of Claire to a swingers’ website from Tim’s phone while in his possession to confirm a preapproval offer that was on an app. Continue reading “Is Key Claim Missing from Pastor’s Lawsuit Over Wife’s Nude Pics Emailed to Swinger Site?”

Invitation to the Cyber Future Summit – 10/28/16 at SMU’s Bush Center

Dear Friends & Colleagues,

I want to invite you to attend the inaugural Cyber Future Summit, being held on Friday, October 28, at the Bush Presidential Library adjacent to the SMU campus in Dallas.

We have a stellar lineup of speakers, including our luncheon Keynote Speaker, 4-Star Admiral Patrick Walsh, USN (Ret), who retired from active service after a long and honorable career which included serving as the Vice Chief of Naval Operations, and Continue reading “Invitation to the Cyber Future Summit – 10/28/16 at SMU’s Bush Center”