Articles Posted in Cybersecurity

Published on:

Identity theft is an epidemic impacting people across America. During 2016, an estimated 15.4 million consumers experienced some kind of identity theft. This is an increase from 13.1 million in 2015. Another staggering statistic is that 1 in every 16 adults in the United States is a victim of identity theft.

This increase in identity theft notwithstanding the fact that 2016 was the first year that retailers were forced to accept EMV chip cards. The belief was that by switching to these EMV chip cards it would almost entirely eliminate card cloning, which is a major type of identity theft.  Instead of lessening the amount of credit card fraud this switch has made criminals move away from card cloning and into different types of fraud. More criminals are starting to make online purchases where swiping or inserting a physical card is no longer necessary.

Over the past few years, we have seen numerous data breaches. Data breaches have been hitting financial, health, commercial, government, and education institutions. These breaches have ranged from password management services like LastPass, the OneLogin security breach, and Target security breach.  All of these different breaches compromise our data and our identity. The above companies are just a few that have been hit by a security breach.

Published on:

OneLogin recently suffered from a major security breach. This breach has compromised private and confidential information, which is managed by its datacenter. OneLogin provides a service that is used by organizations to secure their data. It is basically a password manager for corporations. It allows employees, customers, and partners to gain secure access to the company’s cloud and applications on any device.  It allows its customers to integrate other websites and services like Microsoft Office 365, Slack, Amazon Web Services, Cisco, Webex, LinkedIn, and Google Analytics. The OneLogin website says that it currently has over 2,000 enterprise customers across 44 different countries. This includes well-known companies like Indeed, Pinterest, Midas, and Yelp.

How did this breach occur?

The breach occurred because the intruders were able gain unauthorized access to the OneLogin datacenter. Alvaro Hoyos, who leads the company’s risk management, security, and compliance efforts posted a blog about the risks. He wrote that a threat actor used one of our AWS keys to gain access to the AWS platform via API from an intermediate host with another, smaller service provider in the United States.  He said his company’s staff was able to detect and stop the intrusion very quickly.

Published on:

President Donald Trump has signed an executive order on cybersecurity as a response to the WannaCry ransomware attack. This executive order is entitled as “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.”  The executive order contains three main sections and a fourth category that includes some definitions of terms that are contained in the order.

The first section of the executive order is regarding Cybersecurity of Federal Networks. This section states that the United States Information Technology (IT) should have the data secured responsibly by the United States Government. The President said that he will also be holding the heads of executive departments and agencies accountable for managing cybersecurity risk to their enterprises. One of the findings included in this first section is that the executive branch has been too accepting of IT in that it is antiquated and difficult to defend. To manage these risks, the first section includes a risk management section, which includes ideas of how to reduce future cybersecurity risk.  For example, the head of each agency must provide a risk report to the Secretary of Homeland Security and Director of Office of Management and Budget.

The second section of the executive order is regarding Cybersecurity of Critical Infrastructure. This section states that support must be provided to the critical infrastructure that faces the greatest risk. It also describes how the Secretary of Commerce and Secretary of Homeland Security will both go through an open process to try and improve how resilient the internet is, so they can reduce threats of automated attacks.

Published on:

On May 12, 2017, what is believed to be the largest ransomware attack in history occurred on the internet.

A global search is heating up trying to locate those who are responsible for the attack.

While this search is occurring, there is also a question of how much blame for the attack should be placed on Microsoft. This is because the WannaCry attack took advantage of a weakness that was already existing in the Microsoft operating systems.

Published on:

In addition to California’s precautions against unauthorized email access, there are additional Federal measures to protect privacy. Compared to state measures, this gives another way for an individual to seek legal remedies in a federal court. This is broken up into three different statutes, as part of the Electronic Communications Privacy Act, first regarding wiretapping, unlawful access, and pen registers.  Yet, to a business only the first two have real consequence, with the final one applying in a narrower scope.  So, what is the difference between anti-wiretapping and unlawful access laws? Why might someone choose to sue under the wiretapping statute, but not unlawful access? Can either provision provide an individual the ability to recover for lost or misappropriated sensitive information from electronic mail?

Federal Laws

Federal wiretapping laws are outlined in 18 U.S.C. 2511, which focuses on prohibiting the intentional interceptions of electronic communication unless it is for valid government purposes. Yet, while it is called a wiretapping statute, it’s far more expansive. An unlawful interception would result in a fine and, at most, five years of imprisonment.  However, the civil remedies for a violation come from Section 2520, which allows equitable relief (e.g., injunction), punitive damages, and attorney’s fees.  The computation of damages is limited to the greater between the actual damages or statutory damages of $100/day for each day of violation or $10,000.

Published on:

This article discusses the remedies for unauthorized access to email in the State of California.  Now, email is an essential part of our lives and has been granted extensive protections in the state and federal spheres. Beyond that, it can occur in a variety of ways such as: (i) leaving an unlocked device on your desk; (ii) lending someone your email password; (iii) getting hacked by someone; or (iv) simply failing to properly update security on your device. Yet, what laws are in place to punish those who would unlawfully access an email account? What are the consequences? How might this help business owners protect their confidential information and intellectual properties?

California Laws

In California, there are statutes for computer crimes, which would prohibit individuals from unlawfully accessing another person’s email accounts.  For example, Penal Code 502 prohibits access without permission of computers, networks, internet websites, electronic mail, and similar things. Although, it should be noted that Penal Code 502 lists other criminal acts, such as knowing misuse of domain names, introductions of contaminants, and deletion of data.

Published on:

There are few things that you consider when forming a cybersecurity framework. Naturally, chief among them are the perpetrators such as hackers who engage in mysterious online threats by constantly adapting to new technology. These hackers might seem indomitable, clever, and always working to break down security.  Yet, this is not necessarily the case. What if the nature of the threat was different? What if anyone could become a top-level hacker without sufficient knowledge of computer programming? How might a business address this issue and anticipate a different threat?

What is the nature of the threat?

On the issue of hackers, while there are certainly those who have the skills to access systems, but they are not the only threat.  There are three kinds of hackers: First: “white-hat” hackers, who will hack to expose security flaws for a company. Second, “black-hat” hackers who hack to cause harm or gain profit. Third, “script kiddies” who are an offshoot of black-hat hackers. These script kiddies tend not to have the technical skills of a black-hat hacker. Instead, they rely on pre-existing tools that black-hat hackers disseminate. This allows a script kiddie to engage in a more advanced attack and cause harm. One particularly notorious instance occurred on February 7, 2000, where a 15-year old launched a massive DDoS attack using a slightly modified tool that was downloaded online.

Published on:

Now, we know what ransomware is and a little on how to fight against it.  So, what are the applicable statutes and how can you recover? Naturally, after a person pays the ransom, or loses their data, they have been harmed by a violation. This could be potentially devastating to a small business or an individual.  Yet, there’s no explicit way to recover the funds or recover from the harm except through a lawsuit. While, there is a statute specific to ransomware in California, individuals do have other avenues and claims.  What is this new statute? What can someone recover in a lawsuit? Are there any difficulties for ransomware lawsuits?

Ransomware Statutes

In September 2016, California passed a ransomware statute under SB 1137, which in essence amended Penal Code § 523.  This was prompted by an uptick of the attacks on hospitals.  In the statute, the use of ransomware is punishable by 2-4 years in prison. This is in line with treating ransomware like extortion crimes.  Furthermore, it defines ransomware in the statute as a “computer contaminant or lock placed or introduced without authorization into a computer . . . which the person responsible for the placement or introduction of the ransomware demands payment . . . to remove the computer contaminant . . .”

Published on:

A business’s computer network, which may comprise of network and database servers, is the operation’s lifeline.  A successful business should require its computer network to be secure and protected.  There are many ways that these measures can go wrong.  Yes, sometimes hackers can get in and access sensitive information (e.g., trade secrets, intellectual property) without authority.  There are countless ways for a hacker to obtain unauthorized access to a private network.  However, what happens when the hacker has gained unauthorized access? In the hacker’s tool belt is a special kind of malware known as “ransomware.” What can ransomware accomplish? How can you spot it? How dangerous can it be to your business?

What is Ransomware?

As the name might suggest, ransomware is a program that holds (or claims to hold) data hostage.  It then encrypts data, and renders it inaccessible until the data owner pays off the hacker.  Generally, the hacker will place the malware on the host computer through an email attachment, special program, unverified email, or malware that accesses a computer through pivoting, and then releasing the “payload” which consists of the malware.  After ransomware is activated, it sends an alert on the electronic device, usually demanding payment to an account, in the form of cryptocurrency (e.g., Bitcoin) or credit card payment.

Published on:

So, where do we go from here? After the Internet of Things was effectively used as a way to crash various online stores and services, it leaves us with the question of how can we fix this gaping hole in our security that would allow this new technology to continue to exist without causing further risk? As mentioned last week, the most likely solutions are either in the private sector, through consumer choice and manufacturer investment, or through government action. What actions should individuals take? What is the government doing now? What might the government do in the future?

What is the private sector currently doing?

The private sector is not doing much at this time. While consumers could demand more secure smart devices, the focus of the demand for these devices tends to be towards their functioning.  In general, less sophisticated consumers buy smart devices for the sake of convenience, with security being a distant thought when compared to the more sophisticated consumers.  These smart devices, like any other internet-connected device, occasionally need security updates to remain resistant to online bugs (i.e., malware).  So, as the world becomes smarter, this technology will need to adapt and advance, accordingly, in order to mitigate the risks. Yet, without some motive to do so, it’s less likely that resistance to the botnet will emerge, and it may be due to the government’s intervention.