When you bring to mind someone “hacking” a computer one of the images that likely comes up is a screen of complex code designed to crack through your security technology.  Whereas there is a technological element to every security incident, the issue usually starts with a simple mistake made by one person.   Hackers understand that it is far easier to trick a person into providing a password, executing malicious software, or entering information into a fake website, than cracking an encrypted network — and hackers prey on the fact that you think “nobody is targeting me.”

Below are some guidelines to help keep you and your technology safe on the network.

General Best Practices

Let’s start with some general guidelines on things you should never do with regards to your computer or your online accounts.

First, never share your personal information with any individual or website unless you are certain you know with whom you are dealing.  Hackers often will call their target (you) pretending to be a service desk technician or someone you would trust.  The hacker than asks you to provide personal information such as passwords, login ids, computer names, etc.; which all can be used to compromise your accounts.  The best thing to do in this case, unless you are expecting someone from your IT department to call you, is to politely end the conversation and call the service desk back on a number provided to you by your company.  Note, this type of attack also applies to websites. Technology exists for hackers to quickly set up “spoofed” websites, or websites designed to look and act the same as legitimate sites with which you are familiar.  In effect this is the same approach as pretending to be a legitimate IT employee; however, here the hacker entices you to enter information (username and password) into a bogus site in an attempt to steal the information.  Be wary of links to sites that are sent to you through untrusted sources or email.  If you encounter a site that doesn’t quite look right or isn’t responding the way you expect it to, don’t use the site.  Try to access the site through a familiar link.

Second, whether or not you have a Bring-Your-Own-Device (“BYOD”) program at work chances are you will at some point be using a mobile device to conduct to conduct business.  Don’t feel that your mobile phone is invulnerable to being compromised. (Every networked device — Apple, Microsoft, Android, Linux, etc. — can be compromised)  Mobile hacking is one of the fastest growing areas for exploiting individuals and companies.  This is largely because people do not typically have security programs — such as anti-virus software — on their mobile device.  Additionally, people often connect their mobile devices to public networks, like those available at coffee shops, hotels, etc. — these networks are not secure.  Your best defense against having your mobile device hacked is to install a decent security app and be sure to turn off the Wi-Fi, Bluetooth, and Hotspot settings when they are not in use.   Also, try to only install apps from companies you recognize.  Further, mobile banking and purchasing apps make life easy, but if you don’t have security software — or if you are conducting a larger transaction — you may want to do it on your computer.

Next, If your computer’s security software pops up a security warning, pay attention to it.   Often times we are in a hurry and tend to click through these types of warnings, but that is a mistake.  The warning is there for a purpose whether it is a flag indicating that a website is potentially dangerous or a notice that your computer has detected malware.  When you see a warning it is best to stop what you are doing, close down any open websites, and call your help desk.  You may also want to scan the computer with your security software.  However, be careful of “security warnings” that pop-up from websites.  If the warning does not look like the warnings you are used to, and does not indicate the name of your security software, it may be a malicious attempt to compromise your computer.

Finally, don’t plug USB drives into your computer unless you know where it comes from and where it has been.  Rouge USB drives are a method by which hackers get malicious programs onto your computer.  The drive may contain an enticing file that when clicked, loads a virus onto your computer, or in some cases the drive may load the malware simply by being plugged into your USB port.  So, if you find a USB lying around it is best to turn it into IT, or throw it away. Continue Reading Cyber Security Best Practices

The use of open file sharing platforms in business continues to increase in 2017; Dropbox alone has over 200,000 active business accounts. Unfortunately, the convenience of these platforms and the increase in use by businesses attracts the attention of hackers a well.  File sharing platforms and accounts have a high “hack value” — the overall value of the accounts on the dark web — due to the relative ease with which account can be obtained and the sensitivity of the information stored on these platforms. The risk associated with the use of file share platforms is twofold.  First, company supported file share is attractive to attackers because it is guaranteed to contain sensitive information.  Second, file share platforms available to employees outside of the company — e.g. the employee Google Drive account — may be used to store company information, but likely do not use the same security standards as those enforced by the company. Attacks on file share platforms are also very real.  In August of 2016 Dropbox forced users to reset their passwords based on a breach — 60 million account credentials compromised — that had been discovered but was executed four years earlier in 2012.

Thus, it is important that businesses educate their employees on the risks of sharing information on these platforms and apply strict administrative and technical safeguards mitigate the risk of attack.

Common File Share Attack Approach

The most common approach attackers use to compromise file share platforms is phishing. Phishing is a technique by which the attackers sends out a legitimate looking (albeit fake) email which entices the employee to click on a link and provide information — such as login credentials — which goes directly to the attacker. Alternatively, the phishing attack may convince the employee to download an infected file to the same ends.  Once the attacker has compromised the file share, he or she can either steal information directly, escalate privileges to access more information, obtain additional account credentials, or sell the information on the dark web.  Access to the file share can also be used to perform a Denial of Service (“DoS”) attack by downloading or uploading large volumes of data thus congesting the network and preventing legitimate use.

Despite Google’s perceived safety, two major phishing attacks have been reported on Google accounts in the last two years. In late 2016, over a million google accounts were compromised by a malware attack known as Gooligan, designed to steal credentials allowing access to the victims Google services. Gooligan infected an estimated 13,000 devices per day during its lifecycle.  Again in early 2017, Google accounts were targeted with a message requesting the user to download a file.  When the user selected the link to download the file a face service that looked like a legitimate google service would request access to the users Gmail account.

Mitigating Risk

Businesses can mitigate the risk of file share attacks by implementing strict policies and sanctions regarding their use.  For example, all non-business file share sites can be blocked on the company’s network. Strict policies and monitoring should be in place to gain access to file share sites and employee accounts with such access should be closely monitored. Businesses should also implement test “phishing campaigns” — sending out company controlled phishing emails — to educate employees on what these email look like and how to avoid them.  Phishing tests also help businesses understand their risks by monitoring the number of employees who click on the bogus links. Whereas businesses have less control over employees loading data on to personal file share accounts, strict sanctions should be in place regarding this activity and employees should be aware of these sanctions.

On May 25, 2018, the EU General Data Protection Regulation (“GDPR”) will impose significant new obligations on all U.S. companies that handle personal data of any EU individual. U.S. companies can be fined up to €20 million or 4% of their global annual revenue for the most egregious violations. What does the future passage of GDPR mean for your business?

Our experienced eDiscovery and Information Governance (eDIG) and Global Privacy and Security (GPS) practitioners will present a series of four 1-hour webinars in August through October of 2017. The presenters will provide a high-level discussion on risk assessment tools and remediation strategies to help prepare and reduce the cost of EU GDPR compliance. Continue Reading Is your organization ready for the new EU General Data Protection Regulation?

Yesterday, organizations around the world were hit by yet another ransomware attack.  Similar to the recent WannaCry attacks, the Petya attack works to encrypt documents and files and subsequently demands a ransom to unlock them.  Unlike WannaCry, it is believed that the Petya attack spreads internally through an organization (rather than across the Internet) using a vulnerability called “EternalBlue” in Microsoft Windows.  It is not yet clear who is behind this attack.  You will know if you are a victim of this attack if your machine reboots and you see the message pictured here, which indicates that the ransomware is encrypting your data.  Immediately after seeing this, turn off your machine, disconnect it from the internet, use forensic tools to recover any files not yet encrypted, and once done, reformat your hard drive and re-install the operating system, apps, and then your data from your latest backup.  If encryption completes before you are able to power down, do not pay the ransom.  It has been reported that the email address notifying the attacker of payment has been shut down, so there is no possible way to get the decryption key for the data after paying the ransom.

PT Security recently published a tweet showing the local “kill switch” for Petya.  From an organizational standpoint, ensure that all Microsoft patches are installed, consider installing protection programs to combat against potential attack, and complete routine backups of data.

On June 13, 2017, the Department of Homeland Security published an alert regarding malicious cyber activity by the North Korean government, known as Hidden Cobra.  Per the DHS and FBI, Hidden Cobra uses cyber operations to the government and military’s advantage by exfiltrating data and causing disruptive cyber intrusions.  Potential impacts of a Hidden Cobra attach can include “temporary or permanent loss of sensitive or proprietary information, disruption to regular operations, financial losses incurred to restore systems and files, and potential harm to an organization’s reputation.”  The DHS publication outlines ways to detect and protect against the malicious activity and suggests that organizations work to upgrade and/or remove older Microsoft operating systems and older versions of Adobe Flash Player, Microsoft Siverlight, and Hangul Word Processor.  Further, organizations should review and block all IP addresses listed in the “indicators of compromise” list provided, review and enforce incident response plans, and contact the DHS and FBI to report any potential Hidden Cobra intrusions. The full DHS publication can be found here.  We suggest that IT departments carefully review the full alert and take any steps possible to mitigate risk to the organization.

The 2017 edition of The Legal 500 United States recommends Seyfarth Shaw’s Global Privacy & Security Team as one of the best in the country for Cyber Law (including data protection and privacy). In addition, based on feedback from corporate counsel, the co-chairs of Seyfarth’s group, Scott A. Carlson and John P. Tomaszewski, and Seyfarth partners Karla Grossenbacher (head of Seyfarth’s National Workplace Privacy Team) and Richard D. Lutkus were recommended in the editorial. Richard Lutkus is also listed as one of 14 “Next Generation Lawyers.”

The Legal 500 United States is an independent guide providing comprehensive coverage on legal services and is widely referenced for its definitive judgment of law firm capabilities.

On May 11, President Trump signed Executive Order (EO) on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. This is a significant development for U.S. cybersecurity as it represents a concrete call to action for the government to modernize its information technology, beef up its cybersecurity capabilities, protect our country’s critical infrastructure from cyberattacks, and ensure the overall cybersecurity and privacy of the internet for generations to come. The EO also stresses the importance of the growth and sustainment of a workforce that is skilled in cybersecurity as the foundation for achieving U.S. objectives in cyberspace.

This EO was much anticipated. In fact, earlier this year, we, along with many other internet sources, reported that President Trump was expected to sign soon EO on Strengthening U.S. Cyber Security and Capabilities. The “leaked” draft of the expected EO we examined at that time was never signed, and the actual, signed EO on cybersecurity bears little resemblance to the version that circulated on the internet in February.

The signed EO requires various agencies to prepare a number of reports on the current status of cybersecurity and risk management and to present plans for improvement and further development. Because there are tight deadlines associated with these reports, the agencies are already at work on conducting the necessary analysis and developing path forward. With all its robustness, the EO, however, represents a natural progression in strengthening our national cybersecurity and builds upon previous federal efforts. Indeed, the EO expressly ties several of its mandates to the various cybersecurity orders signed by President Obama.

Scott Carlson, the founder and Chair of Seyfarth Shaw’s eDiscovery and Information Governance practice, will examine this EO along with other current cybersecurity issues facing U.S. organizations in further detail during the First 100 & Beyond: Seyfarth’s Strategy & Planning Summit For Businesses, an event that will be held at Seyfarth Shaw’s Chicago office on May 25, 2017. There is no cost to attend this event, but registration is required. Please consider joining us for this important discussion.

Recently, a widespread global ransomware attack has struck hospitals, communication, and other types of companies and government offices around the world, seizing control of affected computers until the victims pay a ransom.  This widespread ransomware campaign has affected various organizations with reports of tens of thousands of infections in as many as 99 countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan.  The software can run in as many as 27 different languages.  The latest version of this ransomware variant, known as WannaCryWCry, or Wanna Decryptor, was discovered the morning of May 12, 2017, by an independent security researcher and has spread rapidly.

Continue Reading WannaCry Ransomware Attack: What Happened and How to Address

shutterstock_506771554Another week, another well-concocted phishing scam.  The most recent fraudulent activity targeted businesses that use Workday, though this is not a breach or vulnerability in Workday itself.  Specifically, the attack involves a well-crafted spam email that is sent to employees purporting to be from the CFO, CEO, or Head of HR or similar.   Sometimes the emails include the name, title, and other personal information of the “sender” that we believe might be harvested from LinkedIn or other business databases.  The email asks employees to use a link in the phishing email or attached PDF to log into a fake Workday website that looks legitimate.  The threat actors who run the fake Workday website then use the user name and password to log into the Workday account as the employee and change their direct deposit bank/ACH information to another bank, relatable Green Dot, or similar credit card.

The fraud is typically only discovered when the employees contact HR inquiring as to why they did not receive their direct deposit funds.  Unfortunately it appears that spam filters and other controls are failing to prevent this email from infiltrating the organization’s network.

In order to prevent this from happening to your organization, Workday has posted several “best practice” tips on their customer portal.  The most impactful mitigation techniques include enabling and enforcing two factor authentication on your organization’s Workday instance, and changing your Workday settings to force administrative approval upon employee requests for direct deposit account change.  Both of these will help secure your Workday environment and avoid employee loss of paychecks.   Finally, always remember to train employees on fraudulent email identification through training and security drills/tests.

 

On January 5, 2017, the Federal Trade Commission (FTC) sued for permanent injunction a Taiwan-based computer networking equipment manufacturer D-Link Corporation and its U.S. subsidiary, alleging that D-Link’s inadequate security measures left its wireless routers and IP cameras used to monitor private areas of homes and businesses vulnerable to hackers, thereby compromising U.S. consumers’ privacy.

In the complaint filed in the Northern District of California, Federal Trade Commission v. D-Link Systems Corp. et al., Case Number 3:17cv39, the FTC alleged that D-Link failed to take reasonable steps to secure its routers and Internet Protocol (IP) cameras, potentially compromising sensitive consumer information, including live video and audio feeds from D-Link IP cameras. The FTC’s allegation of consumer injury is limited to the statement that due to the lack of security, consumers “are likely to suffer substantial injury” and that, unless stopped by an injunction, D-Link is “likely to injure consumers and harm the public interest.”

In seeking the requested relief, the FTC is relying on its powers under Section 5(a) of the FTC Act, 15 U.S.C. § 45(a). The FTC’s Section 5 powers have largely gone unchallenged by companies subject to enforcement action until Wyndham hotels, which came under investigation after it suffered a series of data breaches, tried to curtail the FTC’s jurisdiction in 2015. That challenge failed when the Third Circuit held that the FTC did, in fact, have the authority to regulate cybersecurity practices under the unfairness prong of Section 5 of the FTC Act.

Continue Reading Lessons from the FTC’s First Enforcement Action Against an IoT Company