On February 12, 2013, President Obama signed an executive order entitled “Improving Critical Infrastructure Cybersecurity.” The Order has two key components. First, the Attorney General, the Secretary of Homeland Security and the Director of National Intelligence must ensure timely production of unclassified reports of cyber threats and must rapidly disseminate the reports to the targeted [...]
Category Archives: Cybersecurity & Cybercrime
Yesterday President Obama signed an executive order directing federal agencies to develop voluntary best cyber security practices for key industry sectors and to create a system for broader public-private information sharing, and today administration officials have been speaking at an event highlighting the order. The Order places primary responsibility for managing cyber security in the [...]
In a recent article, the Washington Post reported that “The Pentagon has approved a major expansion of its cybersecurity force over the next several years, increasing its size more than fivefold to bolster the nation’s ability to defend critical computer systems and conduct offensive computer operations against foreign adversaries.” The Pentagon’s plan would create three [...]
A recent article in The Economist questions whether it is safe and secure to trust a company’s computer network to a Chinese company. The specific concern in that The Economist article related to ”a Chinese company with connections to the Chinese government and the People’s Liberation Army (PLA)” that would be providing services inside the corporate firewall. An unnamed former member of [...]
The Obama Administration officially put its weight behind Sen. Lieberman’s Cybersecurity Act of 2012, with the issuance of the following Statement of Administration Policy: STATEMENT OF ADMINISTRATION POLICY S. 3414 – Cybersecurity Act of 2012 (Sen. Lieberman, I-CT, and 4 cosponsors) The Administration strongly supports Senate passage of S. 3414, the Cybersecurity Act of 2012. [...]
A Few Thoughts from Deputy Undersecretary for Cybersecurity, Mark Weatherford, Department of Homeland Security
On May 16, Deputy Undersecretary for Cybersecurity, Mark Weatherford, spoke to the Advanced Cyber Security Center about DHS’s cyber security priorities: Information Sharing, R&D, and the Advanced Persistent Threat. On Information Sharing: This is a continuing challenge, in part because of the way the federal government shares information. At present, the federal government provides cyber [...]
Interesting article in Forbes, "The Zero-Day Salesmen," about "government agencies who purchase such “zero-day” exploits, or hacking techniques that use undisclosed flaws in software, with the explicit intention of invading or disrupting the computers and phones of crime suspects and intelligence targets."
What do cyberattackers want? According to a recent article in the Wall Street Journal, it depends. And the most dangerous ones are the ones that really know what they want: the Advanced Persistent Threat (APT). They APT isn’t easily defined, but think of APTs as professional thieves, going after high-value targets and using sophisticated techniques. They [...]
In an article that repeats a common theme in this space, this week’s Economist talks about how researchers are trying to help ordinary people toughen up their passwords. But despite the efforts of these researchers, the article’s conclusion is a gloomy one: The upshot is that there is probably no right answer. All security is [...]
Recent press reports of massive Chinese-sponsored hacking at the one-time telecom giant Nortel might cause you to throw up your hands and say, what chance do I have against such forces? A closer look suggests that there is much that can be done, and should be done, both in IT security and in the sale and acquisition [...]
An Atlanta, Georgia man was sentenced earlier this month to one year and one month in prison for intentionally accessing a computer of a competing medical practice, and taking personal information of the patients. The individual made this improper access in order to send marketing materials to patients at the other practice. The individual worked as an information technology [...]
In its recent Annual Report to Congress on Breaches of Unsecured Protected Health Information, the Office of Civil Rights of the Department of Health and Human Services, we see confirmation of certain trends– bigger breaches and breaches involving theft of electronic media: Between January 1, 2010 and December 31, 2010, breaches involving 500 or more [...]
Interesting Wall Street Journal article about rival banks joining forces to beat cyber crime. Sounds a lot like the Advanced Cyber Security Center.
As we noted back in October, the SEC issued CF Disclosure Guidance: Topic No. 2: Cybersecurity. This guidance provides the Division of Corporation Finance’s views regarding disclosure obligations relating to cybersecurity risks and cyber incidents. The most recent issue of Inside Counsel follows up on the latest views on this Guidance, including a quote from [...]
My overview of some of the major issues involved in signing a cloud computing agreement can be found in searchcloudcomputing, "Performing Due Diligence Before Signing a Cloud SLA." * * * No one is certain of all the legal risks associated with enterprises storing confidential or proprietary information outside the corporate firewall — in [...]
Interesting article in Friday’s Wall Street Journal on potential cybersecurity legislation to improve information sharing between industry and government. Perhaps the best part of the article is the citation of statistics from Symantec’s annual Internet Security Threat Report: Trends for 2009 and 2010 on how many customer has updates Symantec sent out to address new attacks customers were facing: [...]
With an inflammatory title like “Foreign Spies Stealing US Economic Secrets in Cyberspace,” the Office of the National Counterintelligence Executive’s “Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011″ is tough to ignore. The Report’s conclusions are equally notable for their candor about the recent actions of the Chinese and Russian governments: “Chinese actors [...]
cyber-security “Advanced Cyber Security Center”
There is an interesting article in this week’s Boston Business Journal on venture capital in the data security space: "Securing profits: Venture capitalists betting online security will be big money-maker."
I was interviewed and quoted as part of a Compliance Week article on the new SEC guidance on disclosures of cyber security incidents: Colin Zick, a partner at law firm Foley Hoag, says the guidance is too general and that companies will have to think hard when assessing what information to disclose. “There are a lot [...]
In a story in the October 17 online edition of the New York Times, it was reported that the United States considered engaging in cyber-warfare against Libya early in the campaign to unseat Colonel Qaddafi. What seems clear is that this was not a prize worth the price of the precedent such a cyber-attack would [...]
On October 13, the SEC issued CF Disclosure Guidance: Topic No. 2: Cybersecurity. This guidance provides the Division of Corporation Finance’s views regarding disclosure obligations relating to cybersecurity risks and cyber incidents. It follows Chairman Schapiro’s June 2011 letter to Senator Rockefeller on the subject.
It’s a pretty technical read, but this recent Microsoft report, "Sex, Lies and Cyber-crime Surveys" by Dinei Florencio and Cormac Herley tries to support an interesting hypothesis: cyber-crime surveys that suggest huge losses from hacking and phishing aren’t reliable. Here’s an excerpt of their thinking: First, [cyber-crime] losses are extremely concentrated, so that representative sampling of the population [...]
As noted in MassHighTech, the Advanced Cyber Security Center was officially launched on September 20. The program was opened by Massachusetts Governor Deval Patrick and featured a presentation from Attorney General Martha Coakley. As described by MassHighTech: Touted as a first of its kind collaborative effort that brings together stakeholders in cyber security from the [...]
I just completed a webinar for the Association of Corporate Counsel, with Ed Palmieri of Facebook, discussing "What Every In-House Counsel Needs to Know About Data Security and Privacy." The program slides can be found at this link.
Interesting article in the recent Economist on the battles within the cyber underground. Take a look at some of the bigger players in this space: Anonymous, and its threat to "kill Facebook" and LulzSec. They present a pretty scary image of our near future.
Increasingly, alliances are viewed as an important way to improve data security. The Washington Post reports that the National Security Agency is now working with Internet service providers to thwart cyberattacks against defense firms by foreign adversaries. We have previously noted two other initiatives: the Advanced Cyber Security Center (to which Foley Hoag serves as legal counsel).and [...]
We are six months into 2011, and it seems destined to be “The Year of the Breach.” In just the past few months, major American (and multi-national) corporations and institutions have reported that they have been the victims of some kind of security breach: Epsilon: breach of customer email addresses; RSA: compromise of security tokens (possibly impacting [...]
Wondering what your company might be able to do at the local level to help fight cybercrime? There are a growing number of public-private collaborations that are trying to get ahead of the bad guys. One is the Advanced Cyber Security Center (to which Foley Hoag serves as legal counsel). The ACSC is a collaborative, cross-sector research facility [...]
As we have noted in the past, there seems to be an ongoing cyber war between North and South Korea. The latest salvo in that skirmish was apparently fired last month, in a April 12 cyberattack on Nonghyup Bank, which is alleged to have been orchestrated by North Korea.
In the April 22, 2011 Boston Business Journal article, entitled, "Pressure Point: Online Privacy – Privacy is Potentially a Costly Workplace Issue," I was interviewed regarding some of the recent developments in privacy and security law for employers: “Most of the time, data breaches don’t come down to a failure of technology or inadequate technology. [...]
InformationWeek has published an interesting Analytics Brief on "Information Security in the Age of WikiLeaks." (Subscription required.) The brief discusses the following subjects: Could a Major Security Breach Be on the Horizon? The Smartphone Dilemma What Elements Are Currently Covered in Your Organization’s Security Awareness Program? Security Budgets Fare Well Implementing Risk Management Disciplines Do [...]
On April 15, the White House formally released its National Strategy for Trusted Identities in Cyberspace. As we noted earlier, the “trusted identity” concept is intended to allow the public and private sectors to collaborate in order to raise the level of trust associated with the exposure of the identities of individuals, organizations, networks, services and devices in [...]
The National Institute of Standards and Technology (NIST), a federal agency within the Department of Commerce, has launched a web site detailing the President Obama’s proposed National Strategy for Trusted Identities in Cyberspace (NSTIC). NSTIC, initially released for public comment in June 2010, was developed in response to the Obama Administration’s 2009 Cyberspace Policy Review, which called for the creation of a “cybersecurity-based identity [...]
In NASA v. Nelson, decided today by the U.S. Supreme Court, the high court rejected a challenge to “a section of a form questionnaire that asks employees about treatment or counseling for recent illegal-drug use . . . [and] to certain open-ended questions on a form sent to employees’ designated references.” This particular challenge came from [...]
If you got a new smartphone over the holidays, you’ve probably figured out how to use it by now. The next thing to worry about is security. The good news is that wireless providers are working to fortify their phones against attacks, as explained in this Wall Street Journal article. There are some personal actions [...]
Microsoft announced yesterday in its IE blog that it will be adding a tracking protection feature to Internet Explorer 9. In particular, Microsoft promises that: IE9 will offer consumers a new opt-in mechanism (“Tracking Protection”) to identify and block many forms of undesired tracking. “Tracking Protection Lists” will enable consumers to control what third-party site content [...]
The following item was posted recently on Foley Hoag’s Corporate Social Responsibility and the Law blog, and we thought it would be of interest to our readers. Companies seeking to develop privacy policies that both comply with national laws and respect internationally recognized human rights often face difficult challenges, especially when confronted with specific host [...]
In a recent article in the New York Times discussed the "growing tension between communications companies and governments over how to balance privacy with national security." This tension is not limited to that context, however. Nearly every workplace that uses email faces a similar tension between open access and secure communications. And this debate splits people. An ongoing informal survey [...]
In a federal court case decided earlier this year, United States v. Ahrndt, the court held that an individual had no reasonable expectation of privacy in the use of an unsecured wireless network. The details of this decision are instructive for those still looking at questions of network privacy and security. This case had its [...]
Last week, the Ponemon Institute and PGP Corporation released the results of their Global 2009 Annual Study on Cost of a Data Breach (.pdf) [available directly from EncryptionReports]. The highlights of the survey were announced in PGP’s press release. Ponemon surveyed companies in the U.S., UK, Germany, Australia and France and found that in 2009, [...]
Last week was a tough week for Albert Gonzalez, the so-called "leader of the largest hacking and identity theft ring ever prosecuted by the U.S. government." Gonzalez received a sentence of 20 years of imprisonment in two separate federal cases against him. The hacker, known variously as "segvec," "soupnazi" and "j4guar17" pled guilty in the [...]
Today, the Internet Crime Complaint Center (IC3), a federal organization run as a partnership between the FBI and National White Collar Crime Center, released its 2009 Internet Crime Report (.pdf). Highlights include: IC3 received 336,655 complaints in 2009, an increase of 22% over the prior year. The dollar loss caused by incidents reported to IC3 [...]
FTC Tells Businesses, Schools and Local Governments: Stop Sharing Personal Information On Peer-To-Peer Filesharing Networks
The Federal Trade Commission (FTC) announced yesterday that it had notified "almost 100" companies and organizations, including schools and local governments, that sensitive personal information from those entities was being shared across peer-to-peer (P2P) filesharing networks. This has apparently resulted in circulation of customer personal information, health information, Social Security numbers and other sensitive data. [...]
1. Arrested: Russian Hacker Responsible for Two Minutes of Roadside Porn The hacker who managed to compromise computer servers controlling a large commercial advertising screen in Moscow was arrested recently by Russian authorities. On January 14, 2010, commuters on Moscow’s Garden Ring Road passed a large-scale video screen and instead of the normal commercial advertisements [...]
1. The FTC Fines Las Vegas Man $35,000 for Dumping Customer Financial Records In Public Dumpster This week, the FTC finalized a $35,000 settlement with Gregory Navone, the real estate broker who left 40 boxes of customer tax returns, bank statements, consumer reports and other financial records in a public dumpster behind an office building in [...]
Incidents of the Week: Iranian Cyber Army Targets Twitter & $26 Software Application Intercepts U.S. Military Satelite Feeds In Iraq
1. Iranian Cyber Army Puts Twitter On Hold Around 10 pm last night, popular social networking site Twitter, was apparently hacked by a group calling themselves the Iranian Cyber Army. Iran and Twitter have had a rocky relationship since last summer when Iranian citizens spread the protests over Iranian elections to the popular web site. [...]
Law firms holding sensitive data for their clients are the targets of a new round of organized cyberattacks, federal authorities cautioned this week. On Tuesday, the FBI warned that U.S. law firms and public relations firms were being targeted by hackers using “spear phishing” attacks — personalized emails drafted to look like they come from a [...]
Incident of the Week: ChoicePoint Settles FTC Charges That It Failed To Turn On “Key Monitoring Tool”
This week, ChoicePoint, Inc. finalized its settlement with the Federal Trade Commission (FTC) to resolve charges stemming from a 2008 breach that compromised the personal information of 13,750 consumers. This case is notable, even though the size of the breach and the monetary payment involved are relatively modest, because the underlying breach allegedly resulted from the ineffective implementation of security tools.
Incident of the Week: Ever-Growing Breach Involving Passwords for Hotmail, Gmail, Yahoo, AOL, Earthlink and Comcast
Incident of the Week: in our first double feature, we report on the recent breach announced at the University of North Carolina and the plea agreement reached with one Massachusetts inmate who hacked the prison computer system while still behind bars.
In a press release issued last week, Massachusetts Attorney General Martha Coakley announced the opening of a "new, state-of-the-art Computer Forensics Lab in Boston" as part of the Attorney General’s Cyber Crime Initiative. Under the Initiative, the Attorney General’s office received funding from the U.S. Department of Justive to "develop a sustainable cyber crime information sharing [...]
In August, Albert Gonzalez was indicted for the theft of credit and debit card information from Hartland Payment Systems, the largest known breach of its kind, while awaiting trial for a similar attack against TJX, the second largest known breach of its kind. Last week, Gonzalez pleaded guilty to nineteen charges relating to his role [...]
Incident of the Week: Indictments Issue Against The Individuals Behind RNS, Pirate Site for “Pre-Release” Music
Yesterday, a federal indictment issued charging four individuals for their role in the "Rabid Neurosis" or RNS, an alleged "Internet music piracy group" that distributed copies of music prior to their commercial release. According to the seven-page indictment (.pdf) filed in the federal court for the Eastern District of Virginia, between 1999 and 2007, RNS [...]
Incident of the Week: NCUA Issues Fraud Alert Based On Fake NCUA Fraud Alert (Which Turns Out To Be Part of Security Consultant’s Penetration Testing)
The National Credit Union Administration (NCUA) issued an official NCUA Fraud Alert on August 25, 2009 reporting that someone was sending around a fake NCUA Fraud Alert (.pdf) with CDs purporting to contain security software updates, but instead contained malware. The NCUA warned “Should you receive this package or a similar package DO NOT run the CDs.” [...]
According to a press release from the United States Attorney’s Office for the District of New Jersey, yesterday an "indictment was returned against three individuals who are charged with being responsible for five corporate data breaches, including the single largest reported data breach in U.S. history." According to the press release, the indictment describes a [...]
Incident of the Week: Seattle Man Sentenced To Three Years In Prison For Using Peer-To-Peer Software To Steal Financial Records, Commit Identity Theft
Yesterday, Frederick Eugene Wood of Seattle was sentenced to 39 months in prison for using LimeWire peer-to-peer (P2P) software to obtain Social Security numbers, bank and financial records and tax returns, which he then used to commit identity theft. The complaint (.pdf) filed in federal court for the Western District of Washington in March alleged [...]
Incident of the Week: Lativan Internet Service Provider Shut Down After Being Linked to Cybercrime Ring
Earlier this week, Latvian internet service provider Real Host was shut down by its upstream providers Junik and TeliaSonera after security experts linked Real Host to a number of criminal activities. Among the many activies allegedly conducted through Real Host were the use of malware to steal banking credentials, SPAM email campaigns and the service provider was [...]
According to recent reports from the Wall Street Journal and Computerworld, on June 30 the United States Secret Service, the Italian police and Italian postal service reached an agreement for the establishment of an international task force to fight cybercrime, including identity theft and computer hacking. Mark Sullivan, the director of the Secret Service, stated [...]
Incident of the Week: French Hacker Compromises Twitter Employee Passwords, Steals Company Documents
This week, Twitter co-founder Evan Williams confirmed that the company has been the victim of an attack that compromised a number of employee personal accounts at Amazon, PayPal and AT&T, employee personal email and Twitter’s internal company documents. The hacker, who goes by the handle "Hacker Croll," has apparently emailed a collection of 310 internal [...]
On the 4th of July an organized series of Denial of Service (DOS) attacks were launched against a number of U.S. government websites (including the White House, Treasury Department and the Federal Trade Commission websites), as well as several websites associated with the South Korean government and a handful of corporate targets (the Washington Post [...]
Incident of the Week: FBI Arrests Hacker Posing as Security Guard Who Infiltrated Texas Hospital Days Before “Devil’s Day” Attack
This week, the U.S. Attorney’s Office for the Northern District of Texas announced that the FBI has arrested Jesse William McGraw, a 25 year old contract security guard at the W. B. Carrell Memorial Clinic, a hospital in Dallas, Texas, for hacking the hospital’s computers and air conditioning system. For many businesses, an attack on ventilation systems might be an inconvenience, but the threat could be much more serious for critical care patients in healthcare institutions like the Carrell Clinic. McGraw is charged with violations of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. sec. 1030.
While the media frenzy surrounding the Conficker worm may have died down over the past several months, recent reports suggest that the computer worm is alive and well, and continues to expose PC users worldwide to the risk of identity theft and other mischief.
In recent weeks, FTC Chairman Jon Leibowitz has encouraged the behavioral advertising industry to adopt increasingly specific "self" regulatory measures to address privacy concerns. Behavioral advertising, which the FTC has described as the practice of “tracking of a consumer’s activities online . . . in order to deliver advertising targeted to the individual consumer’s interests” is a concern for consumer groups. Consumers’ concerns range [...]
An appellate court in Ohio was recently called upon to analyze that state’s cybercrime statute, OCR Ann. §2913.04, which criminalizes unauthorized access to protected computers. In Ohio v. Wolf the court held that a city employee who was using a city computer during work hours to view pornography, visit adult “dating” websites, and solicit sexual [...]
Wikileaks is reported to have published a copy of the ransom note (please pardon the grammar and language in the original): "I have your [expletive] in *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem [...]
Coming on the heels of recent cyberespionage news, the Wall Street Journal reported today on Pentagon plans to create a new military command focused on cyberwarfare. The new command will coordinate both offensive and defensive cyberwarfare efforts, focusing, in the latter case, on assisting the National Security Agency (NSA) and the Department of Homeland Security’s [...]
In February, Senator John Cornyn (R-Tx.) and Congressman Lamar Smith (R-Tx.) introduced the Internet Stopping Adults Facilitating the Exploitation of Today’s Youth ("SAFETY") Act of 2009 (S. 436, H.R. 1076), which contains a proivision that would require Internet Service Providers (ISPs) to keep subscriber data for "at least" two years. Specifically, Section 5 of the [...]
According to a recent report from the Wall Street Journal, cyberspies from China, Russia and other countries have penetrated into the U.S. electrical grid and left behind software that could disrupt the system. According to officials, the spies have not actually damaged the grid or any other key infrastructure, but appear to have been attempting to navigate the electrical system. More importantly, the [...]
As I noted a few weeks ago, Senators Jay Rockefeller (D-W.Va.), Olympia Snowe (R-Maine) and Bill Nelson (D-Fla.) were drafting new cybersecurity legislation. Last week the Senators introduced two bills. The first, S.778 (text of the bill not yet available), would establish an Office of National Security Advisor within the Executive Office of the President. The second, S.773 (text of the [...]
The Wall Street Journal reported on Wednesday, March 18, 2009 that, worried about the dangers of attacks launched against the nation’s computer systems, the federal government is likely to spend between $15 and $30 billion on cybersecurity in the next five years. The intelligence experts interviewed by the Journal estimate that U.S. losses from data breaches to [...]
The saga of Yankee superstar Alex Rodriguez (“A-Rod”) and the revelation of his past steroid use already exemplifies the far-reaching implications of information security practices. But the story is far from over. While the media firestorm over A-Rod appears to be dying down, the fate of the identities of 103 other Major League Baseball players who tested [...]
Man Sentenced to 12 Months of Probation and Community Service for Illegal Access to Obama’s Passport Records
Dwayne F. Cross, the second of three people who have plead guilty to illegally accessing then Presidential Candidate Barack Obama’s passport files was sentenced to 12 months probation and 100 hours of community service on Monday. Mr. Cross admitted to accessing State Department passport records involving over 150 individuals, including celebrities, family members, and personal acquaintances, [...]
Senators Jay Rockefeller (D-W.Va.), Chairman of the Senate Commerce, Science and Transportation Committee, Olympia Snowe (R-Maine) and Bill Nelson (D-Fla.) are drafting cybersecurity legislation that would establish a permanent national security czar reporting directly to the White House, according to a recent announcement from Senator Nelson and other reports. The proposed legislation would also require [...]
As discussed by Mike Rosen on Foley Hoag’s Noncompete Blog here, and reported by the Washington Post and CNN, a recently released report by Symantec Corp. and the Ponemon Institute (which can be found here) revealed that 59% of ex-employees who leave their employment are stealing company information, and 67% of those who admitted to stealing company [...]