Category: Security

Cyber Security and Data Privacy

Gibson Dunn & Crutcher LLP just published a very sobering article on this topic.  The article is entitled “Cyber-security and Data Privacy Outlook and Review: 2013,” and it is probably one of the most comprehensive reviews on the status of lawsuits, regulatory changes, and breaches I’ve read to date.  It’s guaranteed to make you wince.  The good news — maybe I should say the only good news — is that this arena has the potential to create lots of opportunities for lawyers.  Work abounds in class actions, defense, regulatory compliance, security audits and policies, trade secret protection, and white collar crime, to name but a few.

Just to give you an idea of how bad a year 2012 was in terms of security, here is a brief excerpt:

Data breaches continue to grow in both number and scale. This past year saw major hacks at Zappos (24M customer accounts), Stratfor (private U.S. intelligence firm; 5M e-mails), Global Payments (1.5M credit card numbers), LinkedIn (6.5M passwords), eHarmony (1.5M passwords), Yahoo (0.5M passwords), Nationwide Mutual (1.1M customer accounts), and Wyndham Worldwide (600K credit card numbers). According to industry reports, this past year saw a sharp increase in browser-related exploits, such as luring an individual to a trusted website that has been infected with malicious code. Using browser vulnerabilities, attackers can install malware on the target system. In addition, the rise of “bring your own device” policies in the corporate world has led to security challenges for organizations. For example, many large organizations reported that security breaches were caused by their own staff, most commonly through ignorance of security practices.

This past year saw a dramatic increase in the number of breaches from state and local governments. Leading the pack was the South Carolina Department of Revenue, where an employee fell for a phishing e-mail that allowed hackers to steal 75GB of data containing the social security numbers, credit cards, and bank account information for 3.8M residents. The data also contained information about 700,000 businesses. The governor faulted outdated IRS standards, which did not require social security numbers to be encrypted. Another major hack affected the New York State Electric & Gas Company, in which 1.8M customer files were stolen that included social security numbers and some financial information. Investigations of the hack faulted out-of-date data security standards. Other notable breaches occurred at the California Department of Social Services (700K employees’ payroll information), Utah Department of Health (780K citizens’ health information), and the California Department of Child Support Services (800K health and financial records). Many of these attacks could have been prevented by following up-to-date security standards.

No wonder President Obama signed an executive order on February 12, 2013, seeking to strengthen the cyber security of critical infrastructure, by directing the development of a public-private sector cyber security framework, and increasing information sharing between the public and private sector.  If you’ve been following my blog, you’ve read my previous posts “Another Cyberattack on a Major U.S. Bank;” “Cyberattacks on U.S. Banks — Are You Safe?;” “Beware Email Messages from Facebook Friends;” and “Trojan Infects 260,000 Android Devices” to name just a few.

It’s a very dangerous computing world.  That means you have to keep up to date on developments.  You need to keep your software updated to plug security holes as they’re discovered.  You need to actually use your shredder.  You need to avoid using public WiFi for accessing confidential information.  You have to train your employees not to click on links or email attachments which are unexpected, regardless of the source.  You should encrypt your laptop hard drive, and use a boot password too.  You should be sure you have enabled the ability to remotely wipe the data from your Smartphone before you put anything on there.  This is just a start off the top of my head.  If you’re not already doing all these things, or if you don’t even know about some of these things, perhaps your starting point should be a simple security audit by a qualified vendor.

Computer Security Alert: Protect Your PC From a Data Dump

A data what?  Yep, you heard it right.  There’s a new computer security threat afoot which can fill your hard drive in seconds.

This new threat was just reported in BBC News : Technology.  According to the report, the vulnerability has been created by a loophole in the programming of HTML5.  Most websites are currently built using version 4 of the Hyper Text Markup Language (HTML).  However, that code is gradually being upgraded to the newer version 5.

One big change brought in with HTML5 lets websites store more data locally on visitors’ PCs.  Depending on your browser, there is a limit on how much data can be placed on your PC.  However, the loophole is enabled by a software routine which endlessly creates new, linked websites, enabling each to dump huge amounts of data onto a target PC.  Oh, and did I mention that the actual creation of the linked websites and the data dumping take place literally in seconds?

What data will it dump?  Well, it could be pictures of cartoon cats, as done in the demo created by developer Feross Aboukhadijeh, the discoverer of the loophole.  According to the news report, in one demo, Mr Aboukhadijeh managed to dump one gigabyte of data every 16 seconds onto a vulnerable Macbook.

Most major browsers, including Chrome, Internet Explorer, Opera and Safari, were found to be vulnerable to the bug.  Only Mozilla’s Firefox capped storage at 5MB and was not vulnerable.
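To show why the way a browser counts storage matters here, the following is an added example, not part of the original post or of the demo it describes. It assumes the "linked websites" are many hostnames under one parent domain; the hostnames are constructed, and the two-label grouping rule is a simplification of what a real browser does.

```javascript
// Added illustration: a toy model of how a browser accounts for local storage.
// Nothing here touches real browser storage; it only counts bytes.
const MB = 1024 * 1024;
const LIMIT = 5 * MB; // the 5MB cap the post cites for Firefox

// Quota key 1: every hostname gets its own allowance.
const perHost = (host) => host;

// Quota key 2: hostnames are grouped under their parent site.
// ASSUMPTION: "last two labels" stands in for the Public Suffix List lookup
// a real browser would use; it is enough for the constructed hosts below.
const perSite = (host) => host.split('.').slice(-2).join('.');

class QuotaLedger {
  constructor(keyFn) {
    this.keyFn = keyFn;
    this.used = new Map(); // quota key -> bytes stored
  }
  // Accept the write only if the key's running total stays within LIMIT.
  write(host, bytes) {
    const key = this.keyFn(host);
    const current = this.used.get(key) || 0;
    if (current + bytes > LIMIT) return false;
    this.used.set(key, current + bytes);
    return true;
  }
  totalBytes() {
    let sum = 0;
    for (const bytes of this.used.values()) sum += bytes;
    return sum;
  }
}

// Replay the same traffic against a ledger: `hostCount` constructed hostnames
// under one parent each try to store 5MB, then an unrelated site stores 1MB.
function simulate(keyFn, hostCount) {
  const ledger = new QuotaLedger(keyFn);
  let rejected = 0;
  for (let i = 1; i <= hostCount; i++) {
    const host = `${i}.storage-demo.test`; // constructed name
    for (let chunk = 0; chunk < 5; chunk++) {
      if (!ledger.write(host, MB)) rejected++;
    }
  }
  const unrelatedOk = ledger.write('www.other-site.test', MB);
  return { totalMB: ledger.totalBytes() / MB, rejected, unrelatedOk };
}

console.log('per-host quota:', simulate(perHost, 200));
console.log('per-site quota:', simulate(perSite, 200));
```

With a per-hostname allowance the 200 constructed hosts together store about a gigabyte; with the allowance shared across the parent site the total stays at the cap, and the unrelated site is still served.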

What can / should you do?  Well, this has been reported, and is being worked on.  Your number one defense is to have a back-up emergency boot disk, so that if your hard drive is crammed with cr*p, you can still boot your computer.  You also need to have a good solid back-up, so that you can restore your software and documents after you reboot.

If you use one of the impacted browsers on either Mac or PC platform, you may want to make sure that your anti-virus software is set to scan sites for malicious code before you actually connect.  There is no mention in the report as to whether this is detectable, so I can’t say for sure it will protect you.  But it’s worth a try, and it’s always a good idea anyway, since malicious code can be placed on just about any web site.  Last, stay away from web sites which are known to harbor nasty stuff, like file and music sharing and game sites.  At least until you’ve heard this problem is resolved.

Another Cyberattack on a Major U.S. Bank

Citizens Bank of PA has been hit by cyberattacks, according to an article in Philadelphia Business Journal.  In keeping with my previous post on this topic, “Cyberattacks on U.S. Banks – Are You Safe?” these attacks are still being blamed on Iran, despite their continued denial of involvement.

Thus far the financial institutions have spent millions trying to shore up their security and ward off attacks.  At this point, they are requesting assistance of the U.S. government, according to an article in the Wall Street Journal.  This is significant, coming from an industry which flatly rejected the imposition of security measures previously.

Cyberattacks on U.S. Banks – Are You Safe?

McAfee warned of this months ago, and their predictions are coming true.  U.S. Banks are under attack.  As are some cloud providers, for that matter.  The attacks are more massive and organized than ever before.  An article in CNet News on December 13, 2012 revealed that a report released by McAfee Labs predicted an impending attack on U.S. financial institutions — dubbed Project Blitzkrieg — was a “credible threat.”

Project Blitzkrieg is believed to be headed by an individual known as vorVzakone, according to McAfee. In September, vorVzakone announced a massive fraud campaign to be launched against 30 U.S. banks in spring 2013. VorVzakone also put out a call to arms for fellow hackers to join his cause. The attacks are said to be done with a highly developed Trojan that could infect victims’ computers, plant software, and allow cybercriminals to steal information and money.

Rather than being a sweeping attack, McAfee said the campaign will selectively target accounts at investment banks, consumer banks, and credit unions. Going after selected groups makes it easier for vorVzakone to stay under the radar and not be detected by network defenses, according to McAfee.

The attack was expected to hit hard in Spring, 2013.  But it looks like plans have moved up a bit.  And are not being executed as predicted.  A January 10, 2013 article in the Philadelphia Business Journal carried the title “PNC, Wells Fargo Cyberattacks Work of Iran, U.S. Believes.”  The real story is based on a January 8, 2013 article in the New York Times entitled “Bank Hacking Was the Work of Iranians, Officials Say”:

But there was something disturbingly different about the wave of online attacks on American banks in recent weeks. Security researchers say that instead of exploiting individual computers, the attackers engineered networks of computers in data centers, transforming the online equivalent of a few yapping Chihuahuas into a pack of fire-breathing Godzillas.

The skill required to carry out attacks on this scale has convinced United States government officials and security researchers that they are the work of Iran, most likely in retaliation for economic sanctions and online attacks by the United States.

Since September, intruders have caused major disruptions to the online banking sites of Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, PNC, Capital One, Fifth Third Bank, BB&T and HSBC.

A hacker group calling itself Izz ad-Din al-Qassam Cyber Fighters has claimed in online posts that it was responsible for the attacks. . . . But American intelligence officials say the group is actually a cover for Iran. They claim Iran is waging the attacks in retaliation for Western economic sanctions and for a series of cyberattacks on its own systems.

Iranian officials emphatically deny any connection with the attacks.  However, the attackers allegedly stated last week that they had no intention of halting their campaign. “Officials of American banks must expect our massive attacks,” they wrote. “From now on, none of the U.S. banks will be safe.”

I don’t know what I believe about who or what is behind these attacks.  I do believe that the threat, no matter the source, is very real.  Thus far there has been no theft; simply a consistent disabling of the banks’ ability to service online customers.  However, I have no doubt that this is camouflage designed to distract security professionals from the eventual real consequences of these attacks, which have the potential to create havoc with assets of individuals and businesses.

What do you need to do? 

  1. Be mindful of the insurance limits which apply to all of your combined accounts.  (Excluding IOLTA.  See “Unlimited FDIC Insurance on IOLTA Accounts Due to Expire” for further details about this issue.) 
  2. Make sure that you are not dependent on online banking for essential transactions.  Even if you do your deposits and bill paying remotely, have good old-fashioned deposit slips and checks handy. 
  3. Be sure you print out your monthly statements if you do electronic review.  You may need to access your information quickly at a time when your financial institution is trying to clean up a mess.  Those with an audit trail of their own will always fare better.
  4. Be careful about where you conduct your business.  Never log onto your secure encrypted accounts from a public computer, or over a public WiFi connection.
  5. If you don’t have a password on your smartphone, netbook and/or tablet, put one on immediately.  Yes, I know it’s a pain that after 3 – 10 minutes of idle time you have to put in a password to resume work.  On the other hand, no one can pick up your device when you’re not looking, and find your autologin information for your bank!
  6. Be especially wary of any so-called email communications from your banking institutions asking you to logon and reset your password, enter your SSN, or other sensitive information, and especially if they provide you with a link to do so.  Verify the legitimacy of the request by calling the institution on the phone before clicking on the link.  Nowadays sophisticated fraudsters create web sites that are so close to the real thing it can fool most people into entering sensitive information.

These are just a few quick thoughts to get this issue on your personal radar screen.  I encourage you to add your thoughts in terms of what we need to do to protect our firms, ourselves, and our clients.

Beware Email Messages from Facebook Friends

Chances are pretty good you have friends on Facebook.  You may even have your own Facebook page and friends.  Let’s face it, if you have children or grandchildren, it’s your best bet for communicating with them.  No one seems to want to use regular email or even a telephone to communicate anymore.  It’s all about social media.  Instant updates about what everyone is doing.  While I like seeing the pictures immediately of friends’ grandchildren and children, and knowing what everyone is up to, I have to admit that the constant stream of electronic “chatter” is a bit much.  But I digress  . . .

Right now there is a deluge of emails coming to everyone’s inbox from alleged friends on Facebook.  Usually the subject line just says “For [your name]” and the only thing in the email is a link.  If you look closely, you will see that the email return address is not related to whomever it is supposed to be from. 

Even though we’re all so cautious and savvy about computing risks, I have to take a moment to remind you NOT to click on the link.  If you don’t look closely you won’t give it a thought, as it appears to have been sent from someone you know and trust.  But if you click on the link you will wind up on a site which will infect you with spyware.  And you probably won’t even know it.  Remember that zero day attacks can hit you before your anti-virus and/or anti-spyware has been updated to defend you.  That’s what the “zero” stands for.  So unless your security software is updating throughout the day, you probably have no defense at all.

So repeat after me:  Delete, Delete, Delete.  Say it again:  Delete!!!

Hundreds of Free Security Software Packages

A tip-of-the-hat goes out once again to Gizmo’s Freeware for providing an updated listing of hundreds of free security software packages, along with reviews and live links.

In the past two weeks I have received literally dozens of spoofed emails from alleged Facebook friends, with toxic links inside.  Thankfully, I never click on links, unless it is clear why it has been sent.  I always think it’s worth a simple email asking that question before taking the risk.  But it reminds me regularly what a dangerous computing world we live in.  Which is why this update from Gizmo’s is even more valuable.

When Love is No Longer in the Air

By now we all know that our online presence may and probably will outlive us.  We know that approximately 1 in 5 heterosexual marriages, and one in 3 gay unions begin with online meetings.  Most of us know of at least one couple who met online.  I’ve been to three weddings of couples who met online.  Have you ever wondered about all the relationships started online that don’t end in bliss?  You should.  A recent study indicates 88% of exes stalk through Facebook after the relationship fails.  Creepy, huh?

An article in CNET News entitled “88 Percent Stalk Their Exes on Facebook” caught my eye.  A master’s candidate at Western University, Veronika Lukacs, discovered that a full 88 percent of lovers follow their exes around on Facebook.  She was doing research for her thesis. Not only did the vast majority stalk, but 70 percent of those interviewed admitted to using a mutual friend’s profile, or even logging in as that mutual friend, to do their stalking.  And in case you’re not sufficiently creeped out, 74 percent crept around the profile of their ex’s new partner or someone they feared might be their ex’s new partner.

There is no moral to this story.  No sage words of wisdom.  Just this personal observation: OMG!  Welcome to the new reality.

How Safe Is Your Laptop or Other Portable Device Housing Confidential Client Data?

Every once in a while I read an article in the news which reminds me to remind all of you about the responsibilities you have to safeguard client data.  Sometimes we forget how much “stuff” may be on digital dictation devices, smartphones, flash drives, laptops, netbooks and other devices, which are prone to disappear.  A recent article in the Philadelphia Business Journal entitled “Laptop Crime Wave at Office Buildings May be Solved” reminded me it’s time to remind you once again.  The 27-year-old suspect has been charged with stealing more than 30 laptops from four Philadelphia business towers since May.  During the day.  Many of the locations housed law firm tenants.

What happens to your client data if your laptop is stolen?  How about if you lose your smartphone, dictation device, etc.?  Does your laptop have a boot password?  Is the hard drive encrypted?  Can you “wipe” your smartphone remotely? 

With a laptop stolen at the rate of more than one every minute in the USA, these are questions you must be able to answer.  You may find this article entitled “Safeguarding Laptops, Electronic Devices, and Protecting Confidential Client Data” to be a good starting point.  Rule 1.15 [Safeguarding Client Property] requires you to give this some thought, and take reasonable precautions.  Given the vulnerability of these devices, don’t wait to find out the hard way that what is considered reasonable precaution may be far beyond what you currently employ.


Google Privacy Countdown

My partner, Jennifer Ellis, has just posted instructions on her blog about how to get rid of your Google web search and YouTube histories before the March 1, 2012 account consolidation deadline.  You can read about it here.

As Jennifer explains, Google announced that it would be combining all of the data from various accounts into one place for purposes of making its privacy policy easier.  She finds the prospect of Google putting all of the data from various accounts into one place a bit scary, and notes that, not too surprisingly, a lot of people want to delete the data before Google puts it into one place.  Jennifer explains what you can and cannot delete, and provides illustrated step-by-step instructions.

Wash Hands Before Using Phone

Once in a while I read something that just makes me outright laugh.  I especially love when it concerns our use of technology.  This is one of them.

A recent article on C-Net Daily News entitled “‘Reverse smudge engineering’ foils Android unlock security” explains how an Android user with greasy fingers left his unlock pattern visible for others to hack.  Fortunately, they were colleagues, because it took them only minutes to bypass his security thanks to his greasy screen.

Really?  We have to worry about washing our hands before using our phone now?  Check it out.
