Incident of the Week: U.S. Law Firms and Public Relations Firms Hit By E-mail Attack

Posted on November 19, 2009 by Gabriel M. Helmer

Law firms holding sensitive data for their clients are the targets of a new round of organized cyberattacks, federal authorities cautioned this week.  On Tuesday, the FBI warned that U.S. law firms and public relations firms were being targeted by hackers using "spear phishing" attacks -- personalized emails drafted to look like they come from a trusted or reputable source and designed to induce the reader to click an attachment or link that will infect his or her computer with malicious software.  "Hackers exploit the ability of end users to launch the malicious payloads from within the network by attaching a file to the message or including a link to the domain housing the file and enticing users to click the attachment or link." 

While the FBI indicates that it may not be possible to flag the emails attacks themselves, system administrators will be able to detect the malware infection once a computer has been compromised:

Once executed, the malicious payload will attempt to download and execute the file ‘srhost.exe’ from the domain ‘http://d.ueopen.com’; e.g. http://d.ueopen.com/srhost.exe. Any traffic associated with ‘ueopen.com’ should be considered as an indication of an existing network compromise and addressed appropriately.

The FBI has asked that firms that have detected a breach direct incident response notifications to the Department of Homeland Security and U.S. CERT.

FBI unit chief Bradford Bleier commented to the Associated Press: "Law firms have a tremendous concentration of really critical, private information," and infiltrating those computer systems "is a really optimal way to obtain economic, personal and personal security related information." 

Allen Paller, director of research at SANS Institute, told reporters that an attack on a major New York law firm in 2008 has been linked to a group of Chinese hackers.  Paller told the AP that the hackers going after law firms, "often target companies that are negotiating a major international deal -- anything from seeking a patent on a sensitive new technology to opening a plant in another country."  "The best documents to steal are in the law firm that represents that company."

As hackers become more organized and strategic, law firms may need to reassess the risks they face in light of the value of the information they manage for their clients. 

Links:

 

Tags: , , , , , , ,

American Institute of Certified Public Accountants Sues FTC to Stop Application of Red Flags Rules to Accountants

Posted on November 12, 2009 by Jeff Bone

First it was the lawyers.  Now it's the accountants.  Less than two weeks after a federal judge in the District of Columbia granted the American Bar Association's (ABA) request that lawyers be excluded from enforcement of the Federal Trade Commission's (FTC) Red Flags Rule, which was followed that same day by an announcement that the FTC was moving the deadline for enforcement of the Red Flags Rule from November 1 to June 1, 2010, the American Institute for Certified Public Accountants (AICPA) has filed a lawsuit in the same court seeking an injunction barring the FTC from enforcing the Red Flags Rule as to accountants.  According to the AICPA's press release, the suit was filed on November 10.  For some reason, the case does not appear on PACER (the electronic system that contains links to court filings in the federal court system), but the AICPA included a link to the complaint on its website.

The AICPA suit seeks declaratory and injunctive relief on the grounds that the FTC exceeded its statutory authority by attempting to impose the Red Flags Rule on AICPA members who, it argues, are already strictly regulated at the state level.  The AICPA makes numerous references to the Court's decision in the ABA suit that the Red Flags Rule may not be applied to lawyers.  As with the ABA lawsuit, the AICPA does not suggest that accountants are just as vulnerable to identity theft as other professionals.

It will be interesting to see how the FTC responds to this new complaint, i.e., whether it will make the same arguments it made in the ABA suit and/or whether it will somehow try to distinguish accountants from lawyers.  It will also be interesting to see if any other large industry groups (such as the American Medical Association) decide to file their own suits.  As we noted in our earlier coverage of the ABA litigation, however, the effect of these suits, if successful, on the burdens of those bringing them is unclear.  Although we are not experts about the duties of accountants, one can imagine that, like lawyers, they will likely be required to take many, if not all, of the same security measures demanded of their clients, because the Red Flags Rule require that companies oversee how their service providers manage customer information and accounts, and because of the duties imposed on service providers by other federal and state laws.

 

 

 

 

 

Tags: , , , , ,

Massachusetts Regulators Finalizing Information Security Regulations, Keep March 1, 2010 Deadline

Posted on November 2, 2009 by Gabriel M. Helmer

According to BNA reporter Martha Kessler, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) has filed its final information security regulations and will be making them public this week.  BNA has released what they claim to be the final regulations (.pdf) [also available from BNA here (html)].  The final rules appear to have been tweaked only slightly from the draft regulations issued on August 17, 2009.  In a redline comparison (.pdf) against the last draft, two primary revisions emerge:

  1. Entities affected by the regulations have been expanded to include businesses and individuals that merely store personal information; and
     
  2. A clarification was made to the provision requiring affected businesses to negotiate written contracts with service providers that handle personal information.  The tweaks make clear that the grandfather provision that permits companies to rely on service provider contracts already in place will expire on March 1, 2012.

The March 1, 2010 deadline remains unchanged. 

While the final regulations have not been posted to the OCABR website, many are eagerly awaiting to see if the OCABR also provides additional guidance on how to comply, as Undersecretary Anthony promised at the public hearing on these regulations in September.

UPDATE: On Wednesday, November 4th, the OCABR released the final Massachusetts information security regulations (.pdf) to the public, as predicted.  In its new release, the OCABR also announced the publication of its report on consumer data breaches between 2007 and 2009 (.pdf).  The report indicates that since the Massachusetts data breach notification law (M.G.L. ch. 93H) went into effect in 2007, over 1 million Massachusetts residents have been affected by a noticed breach.  Among the many practices mentioned in the report, the OCABR has warned against: (1) "poor employee handling;" (2) documents sent to the wrong recipient; and (3) not  taking steps to prevent access by terminated employees.

Tags: , , , , , ,

Congressional Aide Shares Secret Ethics List With The World

Posted on November 1, 2009 by Colin J. Zick

Last week, it was learned that a secret report of the U.S. House of Representatives Ethics Committee was disclosed -- apparently inadvertently -- by a junior committee staff member.  This staff apparently stored the file on a home computer that also ran a "peer-to-peer" file-sharing service.  Just as peer-to-peer services let you share music and games, they also can give outside users access to other files on your computer, including in this case secret Congressional reports.  The 22-page "Committee on Standards Weekly Summary Report" contained summaries of ethics investigations of dozens of House members and some of their staff.

Although "peer-to-peer" services have caused breaches of sensitive financial, defense-related and personal data from government sites in the past, it seems like the federal government has not learned its lesson (even as it tries to impose Fed Flags rules and the HITECH Act on the private sector).

Tags: , ,