Hacking Into A Company You Sold Can Get You Jail Time

A federal judge sentenced David Kent to a year and a day in prison and ordered him to pay $3.3 million in restitution and pay a $20,000 fine for accessing the computer network of Rigzone.com, an industry-specific networking website. Kent founded Rigzone.com, sold it for $51 million, and after the sale accessed the company’s network to obtain information to use for launching a competitor to Rigzone.com. The Complaint describes how Kent was able to do this by exploiting a source code vulnerability that he knew of from the original creation of the website. This is a big no-no. Under the Computer Fraud and Abuse Act, this type of unauthorized access is considered hacking just as if the Russians did it with super-secret James Bond-like gadgets and gizmos.

USA v. Kent, 1:16-cr-00385, U.S. District Court for the Southern District of New York

 

FUD and Voting Machine Hacking: An Important Point and Important Lesson

This morning I am doing radio interviews as a Fox News Radio contributor. My topic? The DEFCON Voting Village demonstration of hacking voting machines that have been, or may currently be, used in US elections. Here are a couple of the news stories if you are unfamiliar: Hacking a US electronic voting booth takes less than 90 minutes | New Scientist and To Fix Voting Machines, Hackers Tear Them Apart | Wired

With all of the talk about hacking or rigging elections, this is a great topic to pique people’s interest for a radio interview but it can also generate a great deal of FUD. And, I really do not like FUD because it detracts from the real issues and lessons that we can learn from situations. So, there is one very important point and one very important lesson that I have tried to make during these interviews and that I hope will rise above the FUD:

IMPORTANT POINT: The voting machines used in this example were obtained from eBay and government auctions because they had been decommissioned. This means they were old. Unfortunately, some had been used in recent elections — which is a big problem — but generally speaking, we’re talking about outdated technology.

IMPORTANT LESSON: Voting machines are computers and, while (IMO) no computer will be secure they can certainly be more secure. We must be vigilant about the security of the voting machines and other election infrastructure that we use in our voting process and demand that current, state of the art equipment be used, where security is baked in from the outset and is continuously maintained as an ongoing process, from now on until further notice.

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Fifth Circuit: Employee Taking Data to Work for Competitor Violates Texas Hacking Law

former employee = current data thiefBefore leaving his employment at Merritt Hawkins & Associates (MHA), Larry Gresham allegedly accessed MHA’s computer network and copied 400 of MHA’s proprietary files and then deleted hundreds of files in an attempt to hide his activities. A jury found Gresham’s actions violated the Harmful Access by Computer Act (HACA), Texas unauthorized access law (i.e., “hacking law”). The Fifth Circuit affirmed the jury’s verdict. Merritt Hawkins & Associates, L.L.C. v. Gresham, 2017 WL 2662840 (5th Cir. June 21, 2017).

Here are three key points from this case about the Texas Harmful Access by Computer Act (civil) or Breach of Computer Security (criminal) laws:

  1. An employee may violate HACA / BCS by accessing his employer’s computer system without its “effective consent” (i.e., (a) by using it for a purpose other than that for which consent was given, (b) in violation of a clear and conspicuous prohibition, or (c) in violation of an express agreement) and taking data to use for non-company business related purposes.
  2. An award of $50,000 in damages for the missing and stolen computer files was supported by sufficient evidence, in the following form:
    1. the owner of the company’s testimony that he would have to pay an employee at least $100 an hour to recreate every file that was deleted and that it would be more expensive to search the company’s database to see if any files remained, even though he admitted that it was difficult to calculate the damages, especially for those that were taken but not deleted;
    2. a computer forensics expert testified that he billed the company over $60,000 for his work assessing the damage to its computer system, excluding litigation costs; and
    3. the company’s IT employee testified about the expenses he incurred and the hours he worked trying to restore the computer files.
  3. “A prevailing party on a Harmful Access by Computer claim ‘is entitled’ to attorneys’ fees.” Tex. Civ. Prac. & Rem. Code § 143.002.

See these resources for more information about the Texas Harmful Access by Computer Act and Breach of Computer Security laws:

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

New Hacking Technique Revealed, Viruses in Online Video Subtitles

Check Point security group has released information revealing how hackers are now using online video subtitles as a source to transport viruses into personal computers, granting hackers to endless information for very little work.

This method of hacking requires a user to do nothing other than opening up their favorite videos online. According to a recent article, this is not even potential danger but is the real thing because it’s already being used successfully by the hackers.

Hackers are very knowledgeable and creative which is why most seem to be one step behind them in most cases. A few years ago people were panicking because of pop-ups, surveys, or phishing links. Now hackers are able to encrypt information by using techniques that can bypass many security products and it is more destructive than anything seen before.

This drastic increase in hackers using the technique of online video subtitles as a source to transport viruses is no surprise. Check Point stated they “estimate there are approximately 200 million video players and streamers” and online video streams have a massive audience making these defenseless targets very beneficial investments. Using this technique, these hackers are able to take complete control of a computer with minimal effort.

Big streaming sites such as VLC, Stremio, Popcorn Time, and others are assisting users in defense by providing updated patches for blocking viruses. Unfortunately downloading these patches is the only defense (other than completely avoiding online videos) and as we saw recently with the #WannaCry ransomware outbreak, counting on people to keep their systems patched seems to be too much to ask. Hopefully, that will begin to change.

______________________

Seth Tuma is a student at Santa Barbara City College in Santa Barbara, California.

“Thank You” to 2 Legal Leaders that I Respect

There are many ways to honor someone. For me, one of the greatest privileges is knowing that others have found some value or usefulness in my work, especially by referencing it to others. What is unfortunate, however, is when you did not learn about it for quite some time and realize you never properly thanked them!

So . . .  here I am in a meeting with an attorney and her clients to discuss my consulting with them (behind the scenes) to help the attorney with various cyber issues that are involved in the case. Now you already know that I consider myself to be fairly knowledgeable in the area of cyber law but even in this area, there is still a lot out there I do not know. An issue about the Wiretap Act comes up — specifically, the Texas version of the Wiretap Act — and I do not have a good answer for the question.

So . . . I change the subject momentarily while I do what any reasonable Texas attorney should do; I use my iPad to discretely pull up Judge Emily Miskel’s (@emilymiskel) very well-respected article that discusses this issue, Peeping Toms in the New Millennium: Digital Dos and Don’ts, that she co-authored with Mark I. Unger (@miunger) and Kristal C. Thomson.

In perusing Peeping Toms in the New Millennium (while maintaining normal conversation) I not only found the answer to the question that I was looking for, but I also discovered that the article included a reference to one of my blog posts, 3 Key Takeaways About Texas’ Unauthorized Access Law, that discusses the case Miller v. Talley Dunn Gallery, LLC.

Given the tremendous respect that I have for Judge Emily Miskel and Mark Unger (I have not met Kristal but she is in good company!), I was both humbled and honored. So, now, here is my proper “THANK YOU!

Finally, if you’re like me (and Judge Miskel, and Mark, and presumably Kristal) and you geek out on this kind of stuff and want further reading, let me direct you to my original blog post that discusses the Texas Breach of Computer Security and Harmful Access by Computer Act laws, which are explained in more detail than you could ever ask for starting on page 25 of this guide: Federal Computer Fraud and Abuse Act and Texas Computer Crime Laws.

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.