now browsing by tag
There’s a serous debate on reforming Section 230 of the Communications Decency Act. I am in the process of figuring out what I believe, and this is more a place to put resources and listen to people’s comments.
The EFF has written extensively on why it is so important and dismantling it will ben catastrophic for the Internet. Danielle Citron disagrees. (There’s also this law journal article by Citron and Ben Wittes.) Sarah Jeong’s op-ed. Another op-ed. Another paper.
Here are good news articles.
Reading all of this, I am reminded of this decade-old quote by Dan Geer. He’s addressing Internet service providers:
Hello, Uncle Sam here.
You can charge whatever you like based on the contents of what you are carrying, but you are responsible for that content if it is illegal; inspecting brings with it a responsibility for what you learn.
You can enjoy common carrier protections at all times, but you can neither inspect nor act on the contents of what you are carrying and can only charge for carriage itself. Bits are bits.
Choose wisely. No refunds or exchanges at this window.
We can revise this choice for the social-media age:
Hi Facebook/Twitter/YouTube/everyone else:
You can build a communications based on inspecting user content and presenting it as you want, but that business model also conveys responsibility for that content.
You can be a communications service and enjoy the protections of CDA 230, in which case you cannot inspect or control the content you deliver.
Facebook would be an example of the former. WhatsApp would be an example of the latter.
I am honestly undecided about all of this. I want CDA230 to protect things like the commenting section of this blog. But I don’t think it should protect dating apps when they are used as a conduit for abuse. And I really don’t want society to pay the cost for all the externalities inherent in Facebook’s business model.
*** This is a Security Bloggers Network syndicated blog from Schneier on Security authored by Bruce Schneier. Read the original post at: https://www.schneier.com/blog/archives/2019/12/reforming_cda_2.html
The post #cybersecurity | #hackerspace |<p> Reforming CDA 230 – Security Boulevard <p> appeared first on National Cyber Security.
View full post on National Cyber Security
HR professionals may handle everything from recruiting, interviewing, and training to payroll and benefits. That means they are the keepers of a lot of important information. And not only do they have information about their organization, but also personal information about employees too. If the wrong hands get ahold of the right information, it can be a disaster for your company and your employees. According to a survey by the National Cyber Security Alliance, after small or medium-sized businesses experienced a data breach, 37 percent suffered a financial loss, 25 percent filed for bankruptcy, and 10 percent went out of business.
Proactively protecting yourself from HR risks can give you peace of mind and let you focus on how you use your data, not how you store it. Here are some common HR risks and how to avoid them.
Risk #1: Keeping Your Data in Spreadsheets
While using spreadsheets to keep track of data may seem like a convenient and cheap solution, spreadsheets are not an incredibly secure way to store data and can leave you vulnerable to a security breach or hackers. And if your data is stored across multiple spreadsheets, it can be easy to lose track of the information you need to access.
Solution: Store your HR data in an HRIS. With a single, secure database you can store your confidential data safely. An HR software solution like BambooHR can protect your data with web application firewalls, frequent vulnerability scans, continuous security management and monitoring, and more.
Risk #2: Forgetting Security Issues When Offboarding Employees
Onboarding employees is the fun part: introducing them to new coworkers, sharing your organization’s incredible culture with them, and getting them set up to start doing great work. But employees have to be offboarded too. And when they leave, their access to all types of secure information, passwords, and applications needs to be removed. In an Intermedia Risk Report, 13 percent of people reported that they have accessed systems belonging to their previous employers after they left the job.
Solution: Automated account licensing and management. With an automated account manager, you can instantly revoke access on the day an employee leaves using a single app directory. Instead of having to individually track down which applications they had access to and nudging IT to revoke access, HR can manage accounts on their own in one convenient place.
Risk #3: Having Weak, Insecure Passwords
We all know that coworker who keeps their passwords on a Post-it-Note on their desk, visible to anyone who walks by. Or how about the team member whose passwords are all the same easy-to-remember pet’s name? Not surprisingly, these aren’t the safest ways to store or set your passwords, and once again leave your sensitive HR data at risk. But once you convince everyone on your team to use secure passwords stored in a secure place, your troubles aren’t necessarily over. There’s a good chance it will just mean more work for IT, constantly recovering passwords (which is still better than having your data stolen!).
Solution: Single sign-on. With single sign-on, your HR team has one-click access to all their apps and improves security by only having to memorize one very secure password. (You can remember just one, right?)
An HRIS like BambooHR and secure access software like Idaptive can be the difference between keeping your employee and company information safe and confidential and having a costly data breach. Don’t let your HR risks be the reason your employee’s identity gets stolen!
The post #cybersecurity | #hackerspace |<p> 3 HR Risks and How to Avoid Them <p> appeared first on National Cyber Security.
View full post on National Cyber Security
A Colorado company that specializes in providing IT services to dental offices suffered a ransomware attack this week that is disrupting operations for more than 100 dentistry practices, KrebsOnSecurity has learned.
Multiple sources affected say their IT provider, Englewood, Colo. based Complete Technology Solutions (CTS), was hacked, allowing a potent strain of ransomware known as “Sodinokibi” or “rEvil” to be installed on computers at more than 100 dentistry businesses that rely on the company for a range of services — including network security, data backup and voice-over-IP phone service.
Reached via phone Friday evening, CTS President Herb Miner declined to answer questions about the incident. When asked about reports of a ransomware attack on his company, Miner simply said it was not a good time and hung up.
The attack on CTS comes little more than two months after Sodinokibi hit Wisconsin-based dental IT provider PerCSoft, an intrusion that encrypted files for approximately 400 dental practices.
Thomas Terronez, CEO of Iowa-based Medix Dental, said he’s heard from several affected practices that the attackers are demanding $700,000 in bitcoin from some of the larger victims to receive a key that can unlock files encrypted by the ransomware.
Others reported a ransom demand in the tens of thousands of dollars. In previous ransomware attacks, the assailants appear to have priced their ransom demands based on the number of workstation and/or server endpoints within the victim organization. According to CTS, its clients typically have anywhere from 10 to 100 workstations.
Terronez said he’s spoken with multiple other practices that have been sidelined by the ransomware attack, and that some CTS clients had usable backups of their data available off-site, while others have been working with third party companies to independently negotiate and pay the ransom for their practice only.
Many of CTS’s customers took to posting about the attack on a private Facebook group for dentists, discussing steps they’ve taken or attempted to take to get their files back.
“I would recommend everyone reach out to their insurance provider,” said one dentist based in Denver. “I was told by CTS that I would have to pay the ransom to get my corrupted files back.”
“My experience has been very different,” said dental practitioner based in Las Vegas. “No help from my insurance. Still not working, great loss of income, patients are mad, staff even worse.”
Terronez said the dental industry in general has fairly atrocious security practices, and that relatively few offices are willing to spend what’s needed to fend off sophisticated attackers. He said it’s common to see servers that haven’t been patched for over a year, backups that haven’t run for a while, Windows Defender as only point of detection, non-segmented wireless networks, and the whole staff having administrator access to the computers — sometimes all using the same or simple passwords.
“A lot of these [practices] are forced into a price point on what they’re willing to spend,” said Terronez, whose company also offers IT services to dental providers. “The most important thing for these offices is how fast can you solve their problems, and not necessarily the security stuff behind the scenes until it really matters.”
*** This is a Security Bloggers Network syndicated blog from Krebs on Security authored by BrianKrebs. Read the original post at: https://krebsonsecurity.com/2019/12/ransomware-at-colorado-it-provider-affects-100-dental-offices/
View full post on National Cyber Security
#cybersecurity | #hackerspace | Going After the Good Guys: The Government’s Ransomware Identity Crisis
Why fixing that ransomware attack might get you indicted
Note: We’re pleased to publish this article from attorney Ryan Blanch, sharing
an expert perspective on some of the legal issues in the cybersecurity
comes to ransomware, malware, and hackers, the government is finding it
difficult to keep pace with the quickly evolving landscape of cybercrime. And
sometimes, the government seems to be going after the good guys instead of the
bad guys, as evidenced by the recent CoalFire debacle in which Iowa arrested
and charged the same cybersecurity professionals it had contracted to try to
breach the state’s security systems.
As a criminal
defense attorney, I’ve been involved in myriad cybercrime cases. There were the
DDoS attacks on the Church of Scientology, and then the infamous Blackshades
malware allegedly used to spy on Miss Teen USA. We defended a sports gambling software company
accused of conspiring with the mob abroad, which went to trial and was ultimately dismissed.
Later, we handled a cryptocurrency hacking case, an online currency arbitrage
platform; and, more recently, the allegedly illegal deployment of scores of
Bitcoin ATM machines around high crime neighborhoods – to name a few.
cases, it’s at least apparent why prosecutors are focusing on our client. But
in other cases, prosecutors are barking up the wrong tree—they’re going after
the targets they can find instead of looking for the actual bad guys. After all,
career hackers can be nearly impossible to track down and apprehend. In the
sports gambling case I handled, my client reported that the New York district
attorney’s office wanted to strongarm him into hacking into his clients’
systems to turn over personal data on gamblers and their bookmakers who may be
involved in illegal gambling.
where prosecutors seem to be struggling to find and prosecute the right parties
is with ransomware attacks. If you should fall victim to a ransomware attack,
be very careful how you navigate your crisis. And that goes double for those
who try to help you. The government may be looking to indict you both. And the penalties are steep.
Let’s hash it out.
How Ransomware Attacks Work: From Attack to Prosecution
brings companies to their knees in an instant as it encrypts user data and
files irretrievably. In some cases, the only way to resume business as usual is
to pay the ransom outright and most of them only take crypto.
Phase 1: The Attack
You show up
to work to find a message like this one filling all 100+ displays of your
company’s employee workstations. Your CTO and IT administrator are in a panic. Your
entire company has been locked out of its servers, computers and files. The company
stands to lose hundreds of thousands of dollars each week that this persists. There
is a countdown clock on the monitor, and IT cannot find any way to access the
system. All you can think is, ‘What would Kiefer Sutherland do?’
Phase 2: The Fallout
It’s day two
and the losses have already exceeded $40K. Clients are taking flight as they
fear the worst. Employees are asking whether they should come to work, and the IT
department is pulling its collective hair out. You wonder what you have them around for if
they can’t fix your computer-related problems. Arnie, Head of IT (for now), has
resorted to Googling (from his personal cell phone) “ransomware help” to look
for outside companies that might be able to lend a hand.
The 5 bitcoin
demanded hasn’t yet increased, but it might as well have because the volatile
bitcoin market has already added $5,753 to the price (some companies are
starting to keep an emergency bitcoin account to offset the risk of price
reminds you that you have business insurance that may cover this sort of thing.
You call your insurer. They do in fact cover ransomware attacks and have a list
of “approved providers” aka cybersecurity firms who can help.
Phase 3: The White Knight Arrives
It looks as
though all that panic-driven Googling may have paid off. Arnie has already
found a cyber security firm and is on the line with them. As luck would have
it, this firm is also on your insurance company’s “approved provider” list. The firm thinks they may be able to resolve
the problem remotely. But when asked, they admit that no one can actually decrypt
the files. More pointedly, if you were
to marshall the combined forces of Homeland Security, the NSA, M.I.T., Kaspersky
Labs and Elliot Gunton to the singular purpose of retrieving the electronic
files of your trading house and photos of your mini labradoodle wearing a tutu,
they would all wind up with zilch. That’s how hard it is to unencrypt what’s
been properly encrypted.
So how can
this cybersecurity firm help?
ransom, of course.
So then, what
good are they? Well, for starters, they have a bitcoin wallet on the ready. You
don’t. Secondly, they actually know how to deploy a decryption key. You don’t
(and neither does Arnie).
most ransomware, eh hem, artists don’t restore your files for you when you pay
the ransom. They merely send you a key. Technical support doesn’t exist. It’s
do it yourself. And you wouldn’t want your attackers fixing it for you even if
Here is why
it makes sense to hire the cyber security firm rather than pay the ransom
yourself in a nutshell:
- They can pay immediately.
- They may be able to get the attackers
to lower the ransom. Probably not enough to decrease your cost but enough to
offset the cost of the firm’s fee.
- You shouldn’t be dealing with your attackers.
They may expand the problem to other systems if you let the wrong information
- Once you get the key, if you don’t
deploy it correctly you could corrupt your files forever. Some of these keys
require several steps to deploy them. And you need to make sure you back up
your files first, etc.
- After you get your files back you
need to close the proverbial back door. Your attackers could come back if you
don’t. The honor of your extortionist ends with the promise to send you the
key. It does not include a promise to never return.
- The best firms will issue and update a
white paper to make sure that you continue to follow best practices to avoid
- An honest firm will tell you if the
strain of your ransomware variant is actually undecryptable. Some variants are old,
and the decryption key has already been disseminated publicly. If your firm has
the key, they may just deploy it for you at little or no cost.
Phase 4: The White Knight Gets Indicted
All good? Not so fast. Now the cyber security firm’s principals and employees are contacted by the FBI’s Cyber Division. The U.S. Attorney’s Office wants to talk about a turn-in date and because they know this is a real company with generally law-abiding individuals, they wanted to call and invite them in to “self-surrender” so they can forgo the unpleasantness that comes with a 3AM home arrest warrant execution.
your company’s savior is going to need to hire a great criminal defense
out the government doesn’t look kindly on paying ransoms. The reasons
themselves are not objectionable:
- The money could go straight to terrorist
organizations and other criminal cartels
- The money is difficult to trace when
transferred through bitcoin.
government also knows that juries don’t like to convict victims for paying
their extortionist. It’s like arresting the mother of a kidnapped child for
paying the kidnappers their ransom to get her baby back.
It would never fly.
How The Government Views Paying Computer Ransoms
computer files, lost business revenue and even stolen intimate photos are less
sympathetic reasons to sponsor a crime cartel than say, getting a real live
child back. But, just the same, the DOJ doesn’t like to lose. And prosecuting
victims is a losing strategy. So, for now, victims can (probably) pay ransoms
back directly (as ill-advised as that is) to their attackers.
But if you
hire an intermediary, that’s where the government is testing a prosecutorial
theory. The theory is if they can prosecute the cyber firms who pay the ransoms
then they can get a pelt for what they view as an ugly business. Hey, somebody
has to pay. Cybercrime is the new bank robbery and it’s turning into an
epidemic. The government’s so-called ransomware “experts” are in the stone
ages. But prosecuting cyber security firms makes it look like they are doing
something about this epidemic (spoiler alert: they aren’t).
enough, the FBI has made multiple statements encouraging or allowing companies
to pay off ransomware attacks:
Bonavolonta, Assistant Special Agent of the FBI’s Cyber and Counterintelligence
Program, said that in most cases, because the FBI can’t
help these companies recover files, their agents often end up recommending them
to pay the ransom to get their data back.
official statement from the FBI said they don’t “advocate” paying
ransoms, but that the “FBI understands that when businesses are faced with an
inability to function, executives will evaluate all options to protect their
shareholders, employees, and customers.”
They haven’t yet publicly announced a policy of indicting companies for paying ransoms or started issuing mass indictments. But they are hovering around the periphery, looking for instances where they think they might be able to dirty-up the white knight cyber security firm to make them a public example of the perils of paying ransoms as a business model.
What if they succeed? What does that accomplish? It doesn’t stop the ransomware attacks. It doesn’t stop the victims from paying those ransoms directly. But it takes out a middle man would-be protector, leaving the victim to their own devices.
Making the Good Guys Prosecutable: Dirtying up the White Knight
don’t like to convict victims, how would they feel about their heroes? As a
matter of public policy, do we want to criminally prosecute the saviors of
those who have otherwise irretrievably lost their businesses?
is it depends. We should not criminalize the only people that offer any
protection whatsoever to the victims of ransomware. They also provide a
mechanism for insurance companies to insure the losses of such an attack. The
government is putting this in jeopardy (more on this to come). In order to make
a white knight prosecutable, the government needs to shift our view of them. The
prosecution will want the jury’s perception of the white knight to be that of
an opportunistic broker of shattered dreams. Instead of saving their victims
from further attack, they provide a surcharge to further exploit them. As
ridiculous as this sounds, this is what in fact is being kicked around at DOJ
The Insurance Companies as Co-Conspirators?
So, if the
cybersecurity firm is recommended and, in some instances, paid for by the
victim’s insurance company, doesn’t that make said insurance company an
accomplice in the conspiracy to pay ransoms to possible crime cartels? After all, the insurance company knows exactly
how the cyber security firm addresses the problem – by paying ransoms. So, will
the government start prosecuting Allstate for providing ransomware protection
to its insureds?
taking the cyber security firm out of the equation, it would force the
insurance company to pay the ransom to the insureds or even worse, pay it
directly to their attackers. Knowing that would result in potential
prosecution, they would have to stop insuring businesses and individuals from
ransom attacks all together, compounding the victim’s losses exponentially.
No Good Deed Goes Unpunished
So if the
reasons listed above are all valid reasons why you SHOULD hire a cyber security
firm in a ransomware attack and if billion dollar insurance companies are
recommending that their insureds hire these companies (knowing full well that
those companies will pay the ransoms), then how in the world can the government
look to criminally charge these very same companies for doing what it has
failed to do – rescue victims of
For now, the government is limiting its
prosecutorial powers to low hanging fruit; looking at smaller cyber security outfits
that they believe make easy targets to test-flex their muscles. They have yet to rope in the insurance companies
who refer them business. And their internal (and informal) policy of the moment
seems to militate against charging ransomware victims who pay ransoms
‘victim beware’ when it comes to paying ransoms. You don’t know where the money
is going—and the U.S Treasury’s Office of Foreign Assets Control (OFAC)
maintains a nearly incomprehensible and ever changing
list of thousands of countries, individuals and entities to whom it’s a crime
to send funds.
The takeaway: If you fall victim to ransomware, hire a cyber security
firm to handle it. If you are such a
firm, proceed with caution and consult with legal counsel about best practices.
*** This is a Security Bloggers Network syndicated blog from Hashed Out by The SSL Store authored by Ryan Blanch. Read the original post at: https://www.thesslstore.com/blog/going-after-the-good-guys-the-governments-ransomware-identity-crisis/
View full post on National Cyber Security
Source: National Cyber Security – Produced By Gregory Evans Continuing a series on how to strengthen your personal online privacy, we are taking personal inventory of how we connect online. These were themes covered during our webinar on “Security Beyond Your Website: Personal Online Privacy” and during a Twitter conversation (through the #Digiblogchat weekly forum). […] View full post on AmIHackerProof.com
Source: National Cyber Security – Produced By Gregory Evans In late November the Avast Threat Labs team discovered cyberattacks that exploited Brazilian users’ routers to send them to phishing pages designed to look like actual websites the victim wanted to visit. In this case, sites included Brazilian banking, and news sites, as well as Netflix. […] View full post on AmIHackerProof.com
#cybersecurity | #hackerspace | Apple Confirms iPhone Regularly Gathers Location Data, But Says It Doesn’t Leave the Phone
Source: National Cyber Security – Produced By Gregory Evans Apple confirmed that their latest iPhone 11 phones come with a feature that requires regular geolocation checks, but the company said that information doesn’t leave the phone. Security researcher Brian Krebs noticed that the latest iPhone 11 was making geolocation check seven when all apps that […] View full post on AmIHackerProof.com
Source: National Cyber Security – Produced By Gregory Evans Normally, the only types of epidemics that healthcare organizations fight are the microbial kind. But lately, they have been hit with a rash of ransomware attacks, crippling their IT systems and demanding payments to unlock the encrypted system. Many of these attacks have leveraged third-party vendors […] View full post on AmIHackerProof.com
Source: National Cyber Security – Produced By Gregory Evans Home > Security News > Vulnerabilities Mozilla issued patches for Firefox 71 and Firefox ESR 68.3 fixing 11 high- and moderate-rated vulnerabilities. The majority of the patches were shared between Firefox 71 and ESR 68.3 with Firefox 71 receiving an additional three fixes. The most severe […] View full post on AmIHackerProof.com