Articles Posted in Cybersecurity

Published on: | by

The possibility of identity theft is a growing concern. However, banks, credit card companies, and various other institutions that house private information regularly take steps to protect customers’ identities. Nonetheless, a different type of identity theft continues to thrive. Online impersonation is a quick and easy form of identity theft that takes place over the Internet. It is an easy type of identity theft given the breadth and convenience of social media and expanding networking sites. However, in light of the Sandy Hook Elementary School incident, state and federal authorities are considering the possibility of bringing criminal charges for online impersonation.

State legislatures called for laws against online impersonation following the case of Megan Meier, a 13-year-old girl who killed herself after a woman impersonated a boy and engaged in cyberbullying. After the Sandy Hook shooting, people began posting incorrect information about the shooting and the suspect. Others began posing as the shooter and staging crime scenes similar to the shooting. Connecticut State Police Lieutenant J. Paul Vance called attention to this matter in a public press conference. He noted that these posts, in addition to being highly inappropriate, were also threatening and criminal in nature.

A spokesman for Commissioner Reuben Bradford stated that, harassing anyone who was a victim of the shooting would be criminally prosecuted. He noted that harassment would not only include in person contact, but also harassment through via the Internet and social media sites. Charges could include criminal impersonation and criminal misrepresentation. California and several other states have established online impersonation as a criminal offense. Critics argue that criminal regulations that prohibit online impersonation may arm interest groups with the power to suppress speech. For example, Electronic Frontier Foundation argues that such laws could silence groups like The Yes Men, which utilizes online impersonation as a form of commentary on the government and large corporations.

Continue Reading ›

Published on: | by

Cloud computing offers a revolutionary new way to conduct business over the Internet. This service is a form of cyber-outsourcing where virtual servers provide certain services or applications for consumers online. Cloud computing vendors include, IBM SmartCloud, Cisco Cloud Computing, Amazon Elastic Compute Cloud (aka Amazon EC2), and various smaller vendors. These providers offer a range of services including storage services and spam filtering.

There are various forms of cloud computing available over the Internet. Managed Service Providers (“MSPs”) are the oldest form of cloud computing. A “managed service” is an application such as virus scanning for email or anti-spam services. The most common form of cloud computing is through Software as a Service (“SaaS”), which delivers an application to multiple customers through a browser using a multi-tenant architecture. Customers benefit because they do not have to invest in servers or purchase software licenses. Providers benefit because they are able to reduce costs because they only need maintain one application for their multiple customers. Salesforce.com is a well-known example of SaaS cloud computing, but Google Cloud Storage is a fast growing option as well.

Similar to SaaS computing, some providers offer Application Programming Interfaces (“APIs”), which allow developers to offer certain functions over the Internet without having to offer entire applications. These functionalities range from specific business services to wider-ranging APIs, such as Google Maps. Another version of SaaS computing allows users to develop their own application and offer the application through a provider’s infrastructure over the Internet. The developers are limited by the provider’s capabilities, but the developers benefit from the established predictability. Google App Engine is an example of such cloud computing.

Continue Reading ›

Published on: | by

The technological advancements and the ever-expansive world of cyberspace are in a perpetual state of conflict with individual privacy concerns. For example, a recent research project by the Massachusetts Institute of Technology demonstrates that independent component analysis allows companies to track changes in pulse by the subsequent change in skin color that is readily visible through a video signal. In addition, employers, credit agencies, and health insurance providers can now purchase indexes that contain consumer profiles based on individual consumer’s browsing history, site membership, and online purchases.

The Federal Trade Commission has issued a report that proposes the steps companies can take to ensure optimal protection of consumer privacy. The report, “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers,” urges companies to incorporate privacy protection in every stage of their products, provide a mechanism against online activity tracking, and fully disclose what user information it shares with other entities.

The California legislature has proposed a new bill that would impose new restrictions on social networking sites, which would limit the information available about users. The proposed legislation would allow users to select privacy settings before ever using the site, which limits the sites accessibility. Social Networking sites, such as Facebook, have responded that such legislation would inappropriately burden the sites, in turn devastating cyber-business in California.

Continue Reading ›

Published on: | by

The internet and social media have allowed people, businesses, and brands to communicate and interact more than ever before. As much benefit as that brings, it also brings significant risks to the reputation of both people and brands. The internet allows people to post using a pseudonym, or to appropriate someone else’s name. The appropriated name could be that of a prominent individual or (“public figure”), but online “persona hijacking” can affect anyone.

Generally, the motive of most persona hijacking is profit or fraud. Someone may appropriate the name or likeness of a famous person to profit from public goodwill towards that person. It could include setting up social media accounts, e-mail addresses, or websites using the person’s name, or some other effort to spoof the person’s identity. For a person who is not famous, persona hijacking may serve a function much like identity theft, using that person’s credentials to obtain, for example, fraudulent credit.

In some cases, the purpose of persona hijacking is to submit a person’s name to criticism or parody. The line between legitimate commentary and unlawful harassment, however, can be very fine, and parody can easily become a “false light” portrayal of a person. Use of a person’s name or likeness for the purpose of criticism or parody may, in certain limited circumstances, be protected by the First Amendment. In other cases, it may constitute unlawful infringement of a person’s trademark rights or right of publicity.

A person who uses their own name in commerce, usually someone prominent in business or entertainment, may obtain trademark protection. This generally prohibits others from using the name commercially. For most people, the right of publicity prohibits use of their name or likeness without their consent, especially for commercial purposes. The Fair Use doctrine, however, may allow use of a name or likeness for legitimate criticism or parody, where it is clear that the work is not originating from the person being appropriated.

You can take several steps to protect yourself from online persona hijacking:

Continue Reading ›

Published on: | by

Cyberattacks can hit businesses of any size, causing catastrophic damage to a business’s finances and to the integrity of its information security. Hundreds of breaches occurred at large corporations during 2011, affecting over thirty million sensitive or confidential records. Hackers went after Sony, NASDAQ, and other giant businesses, but small companies are also vulnerable to attack. According to a report in the Business Journals, as many as eighty-five percent of small business owners do not see cyberattacks, which may include hackers or malicious software, as a serious threat. Heightened security at these big companies, though, could lead hackers and other cyber criminals to focus their attacks on smaller businesses who may not be so prepared.

Guarding against cybercrime is simply good business for small companies. A hacker targeting a small business can cripple the business or even force it to shut down with a very simple series of hacks or viruses. If a cyber criminal targets a small business’ banking system, it could empty its cash reserves and leave it unable to operate. A hacker who compromises a business’ confidential client data could expose the business to enough liability to put it out of business.

The “Common Sense Guide to Cyber Security,” published by a coalition of government agencies and organizations, including the Federal Emergency Management Agency and the U.S. Chamber of Commerce, offers a set of security practices small businesses can use to protect themselves from cyberattack. After an initial set-up period, most practices involve simple daily maintenance and monitoring.

Risk Management Planning. Businesses should carefully assess the risks and weaknesses in their computing systems to see where protection is most needed. They should prepare contingency plans in case a breach or loss occurs, including how to continue business operations with alternate computing systems or at an alternate location.

Access Control and Accountability. A business’s network security plan should include access controls that limit who may access critical systems and information. A single department or officer should have responsibility for information security and for approving new hardware and software, thus ensuring accountability for decisions and errors. At the same time, a business should educate all employees and officers as a means of creating a “culture of security.” All employees should sign an agreement committing to the company’s cybersecurity policies.

Firewalls and Other Security Measures. Firewalls can protect businesses from many common attacks, particularly from viruses and malware. Companies should also encourage use of complex passwords that combine upper- and lowercase letters, numbers, and other symbols; avoid common words and phrases; and change at least every three months.

Continue Reading ›

Published on: | by

Computers and computing activities play an increasingly integral role in daily life in America, affecting our financial activity, social interactions, and more. With an increased level of dependence on networked devices comes the risk of theft, or even attacks, on and through our computer networks. While the business community has already recognized the importance of cybersecurity, the government and legal system are finally responding in five key areas.

National security. The federal government has made cybersecurity a central feature of its national security strategy. Recognizing the risk of an attack on the nation’s computer networks by a foreign power or sub-national group, the Department of Defense created a comprehensive strategy for cybersecurity (PDF file) in 2011. The strategy treats “cyberspace” as its own “operational domain,” requiring specialized training and organization. The government has also taken steps to combat online theft, which can include not only monetary theft but theft of intellectual property and identity theft. The latter has become more and more sophisticated as thieves find ways to exploit personally identifiable information (PII) stored online.

Federal legislation. The Obama administration proposed legislation outlining ten points for cybersecurity protection. These generally included protection of the American people, the nation’s infrastructure, and the federal government’s networks and computer systems. Several bills pending in Congress address aspects of cybersecurity. The controversial Cyber Intelligence Sharing and Protection Act (CISPA), for example, allows sharing of data between companies and the National Security Agency in order to investigate and combat cybersecurity threats.

State legislation. Protection of government data, PII, and personal privacy have informed numerous state statutes enacted in the past ten years. California passed a law requiring notification of cybersecurity breaches in 2003, and forty-six other states and the District of Columbia followed suit. Laws requiring “reasonable” levels of security for protected information exist in at least ten states, and numerous states are enacting statutes protecting people from wiretapping and other monitoring of electronic activity.

Regulatory initiatives. Multiple regulatory agencies have addressed cybersecurity concerns through additional regulations, guidelines, and enforcement actions. The U.S. Security and Exchange Commission (SEC), for example, recently issued a new set of guidelines for publicly-traded companies. The guidelines address disclosure of cybersecurity breaches as a means of making information available to investors. The FBI, meanwhile, established a joint task force to investigate cyber threats.

Continue Reading ›

Published on: | by

When hackers breached the e-commerce firm Zappos in January, they may have compromised the personal information of as many as 24 million users. Legislatures in several states, including California, have responded to attacks such as this one by passing laws enhancing cybersecurity investigation and enforcement, and increasing requirements for disclosure of cyberattacks. The U.S. Securities and Exchange Commission (SEC) has also issued new guidelines for businesses and individuals under attack. The key issue to consider, in light of these new laws and regulations, is how much disclosure is not enough, and how much is too much.

The SEC is recommending disclosure of cyberattacks to an unprecedented degree. A new set of guidelines issued in October 2011 advises publicly-traded companies to disclose details of cybersecurity breaches as part of the quarterly 10-K report. Companies should disclose any and all cyberattacks, regardless of whether they caused a loss. The SEC even encourages companies to disclose “cyberrisks,” even in the absence of a breach. This potentially benefits investors, the SEC says, by providing comprehensive information about both actual and potential losses due to hacking and other cyberattacks. At the same time, extensive disclosure could put companies at greater risk by exposing weaknesses to hackers. Companies must carefully consider how much, or how little, to disclose. Too much disclosure could make them vulnerable to attack. Too little disclosure could make them vulnerable to lawsuits by investors.

State laws regarding cybersecurity disclosures are typically not as stringent as the SEC’s guidelines. California passed the first such law a decade ago. That law applies to any person or business that owns or licenses computer data containing a California resident’s “personal information,” such as social security number, home address, driver’s license number, and so forth. In the event of a breach that would reasonably lead to an unauthorized person obtaining the personal information, an owner or licensor of personal data must notify the person whose personal information may have been breached.

Forty-six states have followed California’s lead and passed similar laws. California has actually fallen behind some states that have passed laws with stricter disclosure requirements. A new law that took effect on January 1, 2012, requires an individual or business to notify the state attorney general of a cybersecurity breach if the breach affects more than five hundred California residents. The notice must include specific details of the type and size of the breach, and a toll-free number to allow users to contact credit agencies.

Continue Reading ›

Published on: | by

In California, the stalking laws are included under Section 646.9 of the Penal Code, which states that any person who willfully and maliciously, and repeatedly follows or harasses another person and who makes a credible threat with the intent to place that person in reasonable fear for his or her safety or that of an immediate family member is guilty of stalking. Stalking cases may include additional related charges such as: (1) Trespassing; (2) Vandalism; (3) Burglary; (4) Criminal Threats; and (5) Obscene, Threatening, or Annoying Phone Calls.

Please keep in mind that willfulness is a standard related to the culprit’s state of mind. For example, when the person is acting purposefully, then he/she has the “conscious object” of engaging in conduct and believes or hopes that the attendant circumstances exist. If the person is acting knowingly, then he/she is practically certain that his conduct will lead to the result. If the person is acting recklessly, then he/she is aware that the attendant circumstances exist, but nevertheless engages in the conduct that a “law-abiding person” would have refrained from. If the person acts negligently, then he/she is unaware of the attendant circumstances and the consequences of his conduct, but a “reasonable person” would have been aware. Finally, if the person acts with strict liability, then mental state is irrelevant and he/she is strictly liable.

In the last few years and with the emerging of the world wide web, a new kind of stalking has developed which is also called “cyber stalking.” This type of misconduct occurs when the violator utilizes the Internet, electronic mail (e-mail) or other communication devices to harass and stalk others. For example, it can occur by sending e-mails to the victim, impersonating another person in online chat rooms and e-mail messages, and disseminating lies in cyberspace. It is also important to note that the Internet is a cheap and efficient method for “cyber stalkers” to anonymously cause harm to their victims.

Continue Reading ›

Published on: | by

The Securities and Exchange Commission stated that publicly-traded companies should disclose the threat and potential impact of cyber attacks that pose a risk to their investors.

The commission made its comments in a letter to Senator Jay Rockefeller, chairman of the Senate Commerce Committee, that was released on June 8, 2011. Last month, Senator Rockefeller and four other Democratic senators wrote a letter to SEC Chairman Mary Schapiro, urging the agency to issue guidance on disclosure of data- security risk, including “material network breaches,” attacks that may result in the theft of intellectual property or trade secrets.

Published on: | by

The threats from cyberspace grow more powerful and pernicious. Companies like Sony Corporation, Google Inc., and Lockheed Martin have admitted startling security lapses. The International Monetary Fund, last month suffered a breach leading to the loss of highly sensitive data. The United States Congress and executive branch agencies face approximately 2 billion attacks in cyberspace per month in 2010.