Friday, March 10, 2017

A data breach (like a diamond) is forever!  Or at least a long, long time.
Jeff John Roberts reports:
Home Depot has taken another step to move on from its colossal 2014 data breach, which involved hackers stealing email or credit card information from more than 50 million customers by infiltrating self check-out terminals.
In a new settlement with dozens of banks, the retailer has agreed to pay $25 million for damages they incurred as a result of the breach, one of the biggest in history.
The settlement, filed this week in federal court in Atlanta, also requires Home Depot to tighten its cyber-security practices and to subject its vendors to more scrutiny—a measure tied to the fact that a security flaw by a third-party payment processor made the hacked self-checkout terminals vulnerable.
Read more on Fortune.


It’s hard to convince my Computer Security students that studies like this are correct.  
Presser, but has some interesting findings:
Evolve IP, The Cloud Services Company™, today released the results of a study of Dark Web email vulnerabilities in the healthcare industry.  The research, conducted in a collaboration between Evolve IP and ID Agent, reveals the pervasive nature of email-based cybersecurity attacks and sheds light on the quantity, variety, sources and consistent growth of these threats.
Healthcare IT leaders place a high priority on preventing breaches, but despite their best efforts, hackers often break through the organization’s weakest link – end user email credentials.  The study, which included an analysis of 1,000 healthcare organizations, illustrates the need for proactive threat monitoring coupled with near real-time disaster recovery solutions to prevent employee email liabilities from becoming major catastrophes.

Amongst other findings the landmark study uncovered:
  • 68 percent of the healthcare organizations analyzed have compromised email credentials as identified by ID Agent’s Dark Web ID analysis.  Nearly 80 percent of the positive data set includes actionable password information, simplifying hackers’ efforts to infiltrate the network.
  • An estimated 7,500 individual incidents occurred across the study where healthcare companies had email credentials compromised due to phishing or key logging attacks.  Any one of these vulnerabilities could rapidly escalate to ransomware, denial of service attacks or PHI breaches across an entire enterprise.
  • 23% of the passwords stolen were available for sale or trade on the Dark Web as unencrypted, clearly visible text.  While the remainder of passwords were encrypted, the level of encryption used presents no real hurdle to professional hackers that want to crack them. [See Comey article, below.  Bob]


Would my Security students fix this or eliminate it entirely?
Over on TechDirt, Mike Masnick writes:
For years we’ve pointed out the sheer insanity of the TSA’s security theater, which is intrusive, insulting and does little to actually make us any safer.  One aspect (of many) that has been particularly troubling is the way that the TSA has basically enabled sexual assault of travelers.  If you felt that wasn’t too bad, have no fear, the TSA is apparently increasing the sexual assaulty nature of these searches:
The new physical touching—for those selected to have a pat-down—will be what the federal agency officially describes as a more “comprehensive” physical screening, according to a Transportation Security Administration spokesman.
Denver International Airport, for example, notified employees and flight crews on Thursday that the “more rigorous” searches “will be more thorough and may involve an officer making more intimate contact than before.”
This is madness.  The answer to the TSA’s awful and useless security theater should never be to give TSA agents more power to sexually assault travelers with “more intimate contact.”  This is not about security.  This is about the TSA wanting to make it look like they’re doing something, and apparently that includes groping strangers who are just trying to get somewhere.  How the hell does sexually assaulting travelers make anyone any safer?
Remember when they told us that the full body scanners would keep us safer and diminish the need for intrusive pat-downs?  So now they have BOTH, and the public will go along with this like sheeple.  Again.
Between this and the CIA hacking tools leak with FBI director Comey telling everyone,  “There is no such thing as absolute privacy in America,” I fear some Americans are first waking up to what some of us have been yelling from the rooftops for years as we headed towards a dystopian society.  Frighteningly, some still may not have woken up.
   Reagan’s nine most terrifying words in the English language, ‘I’m from the government and I’m here to help,’ should be replaced with, “I’m from TSA and I’m here to grope you.”


I wonder how many law firms have had a Computer Security audit?  
Derek Borchardt and Michael F. Buchanan have an update on litigation previously noted on this site.  At its heart, a lawsuit claimed a Chicago law firm, Johnson & Bell, had inadequate data security.  There was no allegation of any actual breach – the suit was over inadequate data security.
Back in December of last year, we reported that for the first time, a U.S. law firm – Johnson & Bell, a mid-sized Chicago firm – was publicly named in a class action data security lawsuit.  Last month, the firm obtained a significant victory in the case.
To briefly recap, two of Johnson & Bell’s former clients claimed in their complaint that the firm had lax data security practices that put confidential client information at risk of exposure.  (Note that the plaintiffs did not claim that any actual breach had occurred, an omission which presents a significant question of standing under Article III, an issue this blog has recently covered.)
The retainer agreement between the firm and its former clients included an arbitration clause, which stated in pertinent part: “In the unlikely event of any dispute under this agreement, including a dispute regarding the amount of fees or the quality of our services, such dispute shall be determined through binding arbitration.”  Based on that clause, Johnson & Bell filed a motion to require the plaintiffs to arbitrate their dispute on an individual, rather than class, basis.  The firm argued that because the arbitration clause did not explicitly state that arbitration may be on a class basis, the only permissible arbitration was on an individual basis.  The court agreed.
Read more on Patterson Belknap Data Security Law Blog.
I asked Jay Edelson of Edelson, PC, lawyers for the plaintiffs, his perspective on the decision and its potential impact on other similar cases they had planned to file.  He replied:
We filed suit (under seal) seeking, first, injunctive relief to fix the alleged security vulnerabilities.  Once we were satisfied of the relevant fixes, we then moved to unseal the case and dismissed it.  The dismissal did not mean that we aren’t pursuing it, but rather was in recognition of the fact that there is an arbitration clause.  Johnson & Bell asked the Court to rule that we could arbitrate on an individual basis only (i.e. not on behalf of a class).
The Court agreed with them and we are going to appeal that decision.  However, regardless of whether this can be brought as a class action, we will still pursue the suit.  The question will be whether the class members are required to bring many individual arbitrations or can do it all at once.
In terms of other similar lawsuits, because this is a procedural issue (as opposed to one on the merits), it doesn’t have much impact unless a defendant has a similar arbitration clause as Johnson & Bell’s.  Even if they do, our guess is that because individual arbitrations are so expensive, it is unlikely that other defendants will choose to potentially face hundreds if not thousands of arbitrations instead of fighting one single (albeit larger) case.
So stay tuned, I guess.  I expect that there will still be issues raised of standing if there’s been no actual breach, but we’ll have to wait and see.


Propaganda 101: Make it sound like you are being picked upon.  The Evil US is doing something to poor, innocent, helpless China that no other country would ever do to another. 
China to US: Stop hacking us
China asked the U.S. government on Thursday to stop spying on and hacking other countries, after WikiLeaks revealed data showing that the CIA can hack a range of devices, including some manufactured in China.


Also Propaganda-like.  Wasn’t the “bargain” that there was a “right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures?”  Are warrants no longer adequate because of encryption? 
Comey: Strong encryption “shatters” privacy-security bargain
FBI Director James Comey told a Boston audience this morning that “ubiquitous strong encryption” – the kind now available on most smartphones and other digital devices – is threatening to undermine the “bargain” that he said has balanced privacy and security in the US since its founding.
Actually, he went further, declaring that such default encryption “shatters” the bargain.
   “Last fall we received 2,800 devices that we had lawful authority to open.  And there were 1,200 we couldn’t open with any technology tool.  These were devices recovered in criminal, gang, terror and pedophile investigations.”
   But he said with probable cause and a warrant approved by a court, “government can invade – that’s the bargain.  If government has probable cause, it can search and seize – take whatever the judge said it could.  Even our memories aren’t totally private.  The general principle is that there is no such thing as absolute privacy.”

(Related) Perhaps Comey could hire the Dutch if the FBI is not competent?
DutchNews.nl reports:
Dutch detectives have gained access to 3.6 million encrypted emails sent by criminal gangs which will be used in dozens of prosecutions, the public prosecution department said on Thursday.  The information in the mails will provide evidence for criminal cases, including murder, armed robbery, drugs, money laundering and other forms of organised crime, the department said in a statement.
The messages were found on servers in Canada belonging to a Dutch company called Ennetcom.  Last year, the public prosecution department won the right to have the Ennetcom servers copied and the seven terabytes of information sent to the Netherlands for investigation.
Read more at DutchNews.nl.
Update: Read about how they were able to decrypt the messages on HackRead.


Strange how often my class discussions revolve around failures.
Lessons from Mismanaged Crises at Yahoo, Cuisinart and Wells Fargo
   Contrast the above companies’ performance with Johnson & Johnson’s handling of its tampered-Tylenol crisis in 1982, long considered a paradigm of successful crisis management.  However, today even its response probably would be regarded as a failure.  The company took three days to decide how to respond.  In our internet age with its 24/7 news cycle, a company does not have three days to react; it may not have even three hours.  Advance planning is critical.

(Related) Bias is programmed failure.  Diversity is a solution.
How I'm fighting bias in algorithms
MIT grad student Joy Buolamwini was working with facial recognition software when she noticed a problem: the software didn't recognize her face — because the people who coded the algorithm hadn't taught it to identify a broad range of skin tones and facial structures.  Now she's on a mission to fight bias in machine learning, a phenomenon she calls the "coded gaze."  It's an eye-opening talk about the need for accountability in coding ... as algorithms take over more and more aspects of our lives.  


We’re going to need to understand this technology and the laws governing it.  This will be very difficult or impossible to replicate manually. 
Mapping the Global Legal Landscape of Blockchain Technologies
by Sabrina I. Pacifici on Mar 9, 2017
Maupin, Julie A., Mapping the Global Legal Landscape of Blockchain Technologies (February 14, 2017).  Available at SSRN: https://ssrn.com/abstract=2930077
“Blockchain technologies are beginning to push a broad array of global economic activities away from centralized and toward decentralized market structures.  Governments should tackle the new regulatory conundrums of an increasingly disintermediated global economy by focusing on blockchain’s individual use cases rather than its underlying enabling technologies.  Grouping the known use cases around common characteristics reveals three broad categories of blockchain/law interfaces: the green box, the dark box, and the sandbox.  Each raises distinctive legal, regulatory and policy challenges deserving of separate analysis.”


Disruption.  Clearly Staples et al. could put up an online store.  Does this actually indicate that shoppers always start their buying search at Amazon?  (Only going to other sites if they don’t find what they want?)
Staples and Office Depot Are Being Ripped to Shreds by Amazon and the Internet
Persistently plunging sales, weak profits and more store closures have become the new normal for office supplies retailers Staples and Office Depot as they battle online foes such as Amazon.


My latest ‘get rich quick’ scheme: Print up fancy labels you can slap on your bottle to make tap water look exotic.  For example, “Water from some glacier in the Himalayas.”
Americans drank more bottled water than soda in 2016
