Y2K18? Are #Spectre and #Meltdown the Y2K Apocalypse, Eighteen Years Late?

Hear Shawn Tuma interviewed on News Radio 570 KLIF – Experts: Update Settings and Download Updates to Protect from “Meltdown” and “Spectre”

CLICK HERE if you are impatient and only want to know what you should do ASAP to protect against Spectre and Meltdown

With Y2K we had a warning. So much of a warning that it pushed me into cyber law in 1998. We were told of an apocalypse if we did not heed the warning and fix the problem. Whether we did, or whether it was a lot of hype is still being debated, but the problem was averted. When the ball dropped on NYE 2000, the planes were still flying, power grid still operating, and banks still banking.

Fast forward eighteen years, NYE 2018, the ball drops and, while we are closing out a year when the word cybersecurity (yes, it is one word, not two) has become a part of everybody’s vernacular, the only thing we were thinking of when hearing the words “Spectre” and “Meltdown” was a James Bond movie marathon on New Year’s Day.

Just a few days later we are now talking about a global threat to the world’s computers — all of them, from the most powerful supercomputers to, yes, even Apple computers, all the way to the computer you carry in your pocket (i.e., your smartphone) — that isn’t just a programming or software glitch, but is also a hardware problem, going to the very heart of the computer: its CPU.

The threat timing? Imminent — this isn’t something that is going to happen, this is something that has already happened and has just recently been discovered.

Now, unlike with Y2K, the problem in and of itself will not directly cause a failure; it is a vulnerability that has been exposed and that will allow others — the bad guys (whoever they may be) — to exploit it. But take no comfort in this, because you can bet that, to the bad guys, the revelation of this vulnerability made this exploit Target of Opportunity #1 for all.

The fix? This is where it gets good. “Meltdown” can likely be mitigated with software patches, which programmers at major companies are fervently writing as I write. The problem is, these patches will lead to a degradation of computer performance by 20% to 30% — but they are not optional. You must install them.

“Spectre” is where it could get really nasty. This will likely require a redesign of the computer processors themselves — a wholesale hardware redesign that focuses more on security vis-à-vis performance. Then, in order to implement the fix, the hardware will have to be replaced — the CPUs in all of the world’s computers upgraded.

Sounds pretty bad, doesn’t it? Is this the real Y2K apocalypse arriving eighteen years late — Y2K18 or Y2K8teen? It could be.

But, if history is any indication, it will not reach worst-case scenario levels; even so, things could still get really, really bad while worst-case scenarios are not even on the radar. In fact, as this post is being written, some researchers with clout are saying that the fix may not require the wholesale replacement of hardware — and I’m sure there will be more softening of this as we go along.

However, remember, “WannaCry” was only one exploit of a specific outdated Windows operating system, and the vulnerability had been revealed and had a patch issued for months before it actually hit. We all had better take this one seriously.

What can you do? When the patches come out from Microsoft, Apple, etc. and they tell you to install the patch to protect your computer, do it, immediately, and with a smile because losing 20% to 30% of your computing power is far better than losing 100%!

IoT Cybersecurity Improvement Act of 2017 proposed by Senate Cybersecurity Caucus

On August 1, 2017, the Senate Cybersecurity Caucus introduced the “Internet of Things (IoT) Cybersecurity Improvement Act of 2017,” bi-partisan legislation focused on establishing minimum security requirements for the federal procurement of Internet connected devices (#IoT). Continue reading “IoT Cybersecurity Improvement Act of 2017 proposed by Senate Cybersecurity Caucus”

FUD and Voting Machine Hacking: An Important Point and Important Lesson

This morning I am doing radio interviews as a Fox News Radio contributor. My topic? The DEFCON Voting Village demonstration of hacking voting machines that have been, or may currently be, used in US elections. Here are a couple of the news stories if you are unfamiliar: Hacking a US electronic voting booth takes less than 90 minutes | New Scientist and To Fix Voting Machines, Hackers Tear Them Apart | Wired

With all of the talk about hacking or rigging elections, this is a great topic to pique people’s interest for a radio interview but it can also generate a great deal of FUD. And, I really do not like FUD because it detracts from the real issues and lessons that we can learn from situations. So, there is one very important point and one very important lesson that I have tried to make during these interviews and that I hope will rise above the FUD:

IMPORTANT POINT: The voting machines used in this example were obtained from eBay and government auctions because they had been decommissioned. This means they were old. Unfortunately, some had been used in recent elections — which is a big problem — but generally speaking, we’re talking about outdated technology.

IMPORTANT LESSON: Voting machines are computers and, while (IMO) no computer will be secure, they can certainly be more secure. We must be vigilant about the security of the voting machines and other election infrastructure that we use in our voting process and demand that current, state-of-the-art equipment be used, where security is baked in from the outset and is continuously maintained as an ongoing process, from now on until further notice.

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Invitation for 2 Webinars: Protecting Data Exchanged in Discovery and Securing IoT Data

I thought you may like an invitation to attend two complimentary webinars that I will be doing this coming week:

YOURS, MINE, OURS: Protecting the Data Gathered and Exchanged in Litigation, Association of Certified E-Discovery Specialists (ACEDS)
Monday, August 7, 2017 @ 12:00 CDT
LINK for more information FULL VIDEO (see below)

Securing IoT Data: Compliance, Privacy, and New Regulations, SecureWorld (webinar panel with Andrew Lance of Thales e-Security, Jay Irwin of Teradata, and Craig Spiezle of the Online Trust Alliance)
Wednesday, August 9, 2017 @ 12:00 CDT
LINK for more information

I hope you are able to attend the webinars and find the information helpful in your business. As always, please let me know if you have any questions or if I can help you.

Shawn E. Tuma | Scheef & Stone, L.L.P.
Cybersecurity & Data Privacy Attorney
2600 Network Blvd., Suite 400, Frisco, TX 75034
214.472.2135 (direct) | 214.726.2808 (mobile)
Email: shawn.tuma@solidcounsel.com
Firm: www.solidcounsel.com
Blog: www.businesscyberrisk.com

WHDT World News Interviews Shawn Tuma about WikiLeaks’ CIA Vault7

See also: 

WikiLeaks and CIA’s Russian Hacking Tools & Techniques: Was it really the Russians?

In the wake of WikiLeaks’ Vault7 release of documents revealing the CIA’s hacking tools, I must revisit a key section of a post from September 2016. The section was about the convenience of blaming “the Russians” given the craze of attributing everything wrong in the cyber world to the seemingly omnipresent “Russians.”

See: “SHAME HACKING” LIBERAL GROUPS — IS IT REALLY RUSSIAN HACKERS DOING IT?

The point was, while it makes “victims” seem much less culpable to blame cyber incidents on an adversary such as the Russians, there needs to be substantially more evidence than using the same tools and techniques to prove it actually was. A skilled hacker knows their signature and knows the signature of others, knows how to hide their tracks, and knows how to mask their signature to emulate others. In the earlier post I used a video clip from a Bourne movie to demonstrate this point, embedded below.

Last October, regarding the DNC/Russian blame fest, I asked intelligence agents from various countries what they thought, and each one said to me, in substance, “if it looks like the Russians, it probably was not the Russians.” I do not pretend to know who it really was or was not, but common sense tells me they were probably right.

Since that time, we have had the CIA become more openly politicized by leaking information to the New York Times to say it was “the Russians” that hacked the DNC and they knew this because they used known tools and techniques that were used by “the Russians.” The CIA then leaked, in essence, “trust us” because we know what we’re talking about. Now it has been revealed that the CIA actually has and uses many of the tools and techniques of Russian hackers to make others think that hacks they are doing are actually being done by the Russians.

When it comes to Yahoo, the DNC, the Russians, and the CIA, what is truth? What is fiction? Who knows, but here were my thoughts on this last September:

WAS IT REALLY THE RUSSIANS? IF SO, WHY?

Since last summer when it became so en vogue to blame the Russians for so many of our cybersecurity woes, I have tried researching the situations where the “it’s the Russians” play is used to see what facts those assumptions are usually based upon. The most common one I find is that it is tied to IP addresses known to be used by groups working as proxies for Russian intelligence agencies. I find this odd, for several reasons.

First, it reminds me of the Forged Fingerprint scene out of the Bourne Supremacy:

In the movie, Jason Bourne is the most intelligent, highly trained, skillful, badass covert operator on the planet — someone who knows how to leave a fingerprint and how not to leave a fingerprint — yet, based on “his fingerprint” being at the scene, the intelligence world jumps to the conclusion that it was him.

Let’s think about this for a moment, in the context of the Russians. Let me be clear, I have no idea if it was the Russians or not. But, is a digital fingerprint — an IP address — really what we seem to be going off of on these claims?

First, nearly everybody in the cybersecurity universe knows that someone with even moderate skills can spoof an IP address and hide their identity or make it look like somebody else was doing it. Here is a Wikipedia page on IP address spoofing.

Second, most would agree that the hackers for Russia’s intelligence agencies are near the top in terms of skills and abilities — close to the level of our American intelligence agencies’ hackers — the best in the world. Do they not understand that (a) they could spoof their IP addresses and (b) they are leaving such digital tracks behind? Seriously, if this is all that we have to go on, would it not be more reasonable to believe that it is anybody but the Russians that the IP addresses point to?

Third, and perhaps most importantly, why would the Russians care about hacking into Yahoo and stealing its account users’ information? Are the Russians now subsidizing their economy by selling stolen Yahoo users’ account information on the dark web?

Indeed, is this even about obtaining the value of the users’ account and identity information? Or, is this about causing harm to Yahoo? I have written several posts recently about the evolution of hacking for extortion and embarrassment in the context of the Sony breach and how that has transitioned into the shame hacking we saw in the Ashley Madison and Brazzers breaches.

Do you think the attack on Yahoo has more to do with obtaining its users’ data or with potentially impacting its value in the marketplace — especially now that Yahoo is in negotiations to sell itself to Verizon for $4.8 billion, which Verizon just learned of 2 days ago?

For a breach that occurred in late 2014, the timing of the hackers’ letting this information slip sure is an interesting coincidence …


How to Protect Yourself from Cell Phone Cyber Threats (WFAA TV Interview)

WFAA TV’s Jane McGarry interviewed Shawn Tuma on the Good Morning Texas show to discuss how you can protect yourself from cell phone cyber threats and identity theft (Jan. 18, 2017) (WFAA LINK).

Top 3 CFAA Takeaways from Facebook v. Power Ventures Case in Ninth Circuit

Here are my top 3 key Computer Fraud and Abuse Act (CFAA) takeaways from the Ninth Circuit Court of Appeals’ Order and Amended Opinion issued on December 9, 2016 in Facebook, Inc. v. Power Ventures, Inc.

1.  A violation of the CFAA can occur when someone “has no permission to access a computer or when such permission has been revoked explicitly.”

First, a defendant can run afoul of the CFAA when he or she has no permission to access a computer or when such permission has been revoked explicitly. Once permission has been revoked, technological gamesmanship or the enlisting of a third party to aid in access will not excuse liability.

*   *   *

The record shows unequivocally that Power knew that it no longer had authorization to access Facebook’s computers, but continued to do so anyway. . . . Power admitted that, after receiving notice that its use of or access to Facebook was forbidden by Facebook, it “took, copied, or made use of data from the Facebook website without Facebook’s permission to do so.”

*   *   *

In sum, as it admitted, Power deliberately disregarded the cease and desist letter and accessed Facebook’s computers without authorization to do so. It circumvented IP barriers that further demonstrated that Facebook had rescinded permission for Power to access Facebook’s computers. We therefore hold that, after receiving written notification from Facebook on December 1, 2008, Power accessed Facebook’s computers “without authorization” within the meaning of the CFAA and is liable under that statute. (Opinion, p. 15-19).

2.  “[A] violation of the terms of use of a website — without more — cannot establish liability under the CFAA.” (Opinion, p. 15-16).

The foregoing statement was followed with this footnote:

“One can imagine situations in which those two principles might be in tension–situations in which, for example, an automatic boilerplate revocation follows a violation of a website’s terms of use–but we need not address or resolve such questions on the stark facts before us.”

One of the most fundamental principles of law is that people be afforded notice of situations placing them in legal jeopardy. Over and over, the Court emphasizes that Power Ventures received actual notice and was subjectively aware that Facebook revoked its authorization to access the site. In looking at how courts handle “browse wrap” versus “click wrap” online agreements, they consistently look for some objective manifestation that the user was subjectively aware of the existence of the agreement and subjectively assented to it — whether actually reading it or understanding it or not.

In future terms of use cases claiming violations of the CFAA, it is likely that the courts will look to see if there was a manifestation of actual notice of the restrictions, prior to the restricted act, which was then consciously disregarded by engaging in the restricted act.

3.  Employee time spent investigating and responding to an incident can be used to calculate the $5,000 “Loss” that is a prerequisite for a civil CFAA claim.

First, we hold that Facebook suffered a loss within the meaning of the CFAA. The statute permits a private right of action when a party has suffered a loss of at least $5,000 during a one-year period. Id. § 1030(c)(4)(A)(i)(I). The statute defines “loss” to mean “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the consequential damages incurred because of interruption of service.” Id. § 1030(e)(11). It is undisputed that Facebook employees spent many hours, totaling more than $5,000 in costs, analyzing, investigating, and responding to Power’s actions. Accordingly, Facebook suffered a loss under the CFAA. (Opinion, p. 13-14).


Dyn, Krebs, and Mirai Botnet – the IoT Pandora’s Box is Open, Now What?

Businesses now risk disruption from attacks by a minion army of “smart” IoT devices through DDoS attacks like those experienced by Dyn last Friday, and Brian Krebs in late September. The Mirai IoT botnet made these attacks possible and, because its source code was recently released into the wild, it will likely be used against other companies. Continue reading “Dyn, Krebs, and Mirai Botnet – the IoT Pandora’s Box is Open, Now What?”