All posts by Paul E. Paray

NYT: Two China Schools Said to Be Tied to Online Attacks

According to an article in the New York Times, the recent wave of APT attacks on US businesses “have been traced to computers at two educational institutions in China, including one with close ties to the Chinese military.”   This conclusion is apparently based on information gained from the forensics investigators.  Given that pretty much every entity in China has some ties to the Chinese military, this revelation is hardly noteworthy.  What is noteworthy is the fact that the investigation has found no direct linkage to the Chinese government.  

In fact, the article goes so far as to state:  “the findings raise as many questions as they answer, including the possibility that some of the attacks came from China but not necessarily from the Chinese government, or even from Chinese sources.”   A professor at one of the schools had two guesses as to how the attacks may have originated from the Chinese schools:  “One is it’s a completely individual act of wrongdoing, done by one or two geek students in the school who are just keen on experimenting with their hacking skills learned from the school, since the sources in the school and network are so limited.  Or it could be that one of the university’s I.P. addresses was hijacked by others, which frequently happens.”

As we learn more about these attacks, we will likely find out two things.  First, that these attacks have been going on for longer than originally anticipated against a wider net of companies.  Moreover, the attacks will not abate any time soon.  Second, that the Chinese government was deliberately set up by the actual attackers – one or more sophisticated company or governmental entity.  Given that for many years now, the Chinese government has had the luxury of US companies sharing their IP confidences in return for access to Chinese markets, this “blame the Chinese” storyline made little sense from the beginning.  More to the point, the Chinese have enough boots on the ground to get whatever information they need in a much more direct way.

WSJ: Hackers Hit 2,400 Companies and Government Agencies

According to today’s Wall Street Journal, “data compiled by NetWitness . . .  showed that hackers gained access to a wide array of data at 2,411 companies, from credit-card transactions to intellectual property.” 

Starting in late 2008, the hackers are said to have gotten into corporate networks using social engineering methods.  Employees were enticed to click on Web sites with malware or email ads purporting to clean up viruses.   NetWitness claims that in more than 100 cases, the hackers gained access to  servers holding large quantities of data such as databases and email.

As more firms deploy forensics experts such as NetWitness to audit their networks, we will see more and more Wall Street Journal articles demonstrating just how systemic these breaches are in corporate America.  Unfortunately, it is very difficult to “unlearn” clicking on images thrown your way on a computer screen.  It takes time and training.

China Leads the World in Hacked computers – Proving What?

According to a report by McAfee, in the last three months of 2009, about 1,095,000 computers in China and 1,057,000 computers in the United States were infected and made part of botnets used to send spam or attack Web sites.  Those numbers are in addition to the 10 million previously infected computers in each country. 

Stewart A. Baker, the former assistant secretary for policy at the Department of Homeland Security, points out the obvious in the Washington Post article describing the report when he says the number of botnet computers in a country says more about the vulnerability of the computers than about those who infected them.   Indeed, having so many hacked computers may indicate that China is not the source of as much malicious conduct attributed to it.   Baker points out:  “A nation that might want to use botnets as part of an attack probably would want to have its own computers bot-free and commandeer computers in other countries.”   Although it would be easy to cynically surmise that US interests are using Chinese computers while Chinese interests are simply commandeering US computers, we have a wide world of hackers that makes assigning blame much more complicated.

While the blame game plays out, China continues to deny any government role in hacking or network exploits and has purportedly cracked down on “hacking training sites” as per this recent article in China Daily.  According to the article, Black Hawk Safety Net was the largest hacker training site in China.  It openly recruited members,  disseminated hacker techniques, sold Trojan software and maintained online forums.  Those who ran the Black Hawk Safety Net were arrested under a new Chinese law that criminalized the offering of online attacking programs and software.   The article reports that Chinese Police used more than 50 officers to investigate the case.

Although it remains to be seen whether the widely publicized Google attacks  emanating from China were orchestrated by the Chinese Government, it does not really matter.  What is clear is that these sort of sophisticated attacks are not going away any time soon.  Whether attacks are caused by Chinese nationals, the Chinese Government or other foreign hackers,  companies need to put their combat boots on and throw away the old rules of engagement.  War is being waged against your business.  Protect your digital assets or risk everything.  It’s that simple.

Identity Fraud is at an All Time High – SMBs Beware

After interviewing 5,000 folks, the latest annual Javelin study claims that the number of identity fraud victims in the United States increased 12 percent to 11.1 million adults in 2009, while the total annual fraud amount increased by 12.5 percent (or $6 billion) to $54 billion.  

The report claims that small businesses are sustaining the most hits:  “They suffer identity fraud at one and a half times the rate of all other adults. By using their own personal accounts for business transactions, they are at a greater risk of exposing themselves to identity fraud.”  And, the report suggests that because small businesses are more at risk they “need to implement safety precautions online and offline, and should consider employee background screening checks as a precautionary measure.”

According to the report:

The economic downturn is partially to blame for the rise in identity theft, and identity thieves are increasingly using more sophisticated and varied methods to obtain the personally identifiable information (PII) of consumers. Fraudsters are becoming more sophisticated and more aggressive, and their organized approach to online fraud through a myriad of threats and scams makes it harder to detect.  Fraudsters are also increasingly targeting – and taking over – multiple accounts of their victims, collectively going after checking accounts, credit card accounts, mobile phone accounts, and Internet accounts in one full sweep.

Using a combination of sophisticated malware, keystroke logging, and phishing attacks, fraudsters are able to use organized crime to steal identities. And social networking has introduced yet another means for consumers to exposure their personal information to wider audiences, providing another avenue for fraudsters to conduct their scams.

When it comes to pointing out security threats and exposures, the report’s above descriptions do not really shine a light on anything new or startling.   What is helpful, however, is their pointing out just how widespread and pervasive these exposures are to small businesses – helpful commentary that cannot repeated often enough.

Twitter and the Benefits of NSAP Branding

Twitter disclosed yesterday that it had to reset some passwords due to an exploit that really could have hit any company.  In essence, certain visitors to a fake peer-to-peer search engine signed up for an account using the same username and password they used on their Twitter accounts.  The owners of the fake P2P search engine used this information to access the users’ Twitter accounts.  This exploit is not surprising given that a majority of online banking customers reuse their login credentials on other websites.  Accordingly, standing alone, this would have little impact on Twitter’s security standing.  Unfortunately, there have been more incidents.

On January 5, 2009, several dozen Twitter accounts were hacked, including one belonging to our president.  On May 21, 2009, Twitter’s name was used in a phishing exploit that sent users emails notifying them of new followers and included a link to a fake Twitter site.  There were also security incidents in April and June.  In fact, one analyst has gone so far as to claim Twitter’s security posture is weak enough to be called “security Swiss cheese.”

Why pick on Twitter?  Afterall, yesterday our Director of National Intelligence told members of the Senate’s Select Intelligence Committee that  malicious online activity is growing at an unprecedented rate.  As Dennis Blair put it, “in the dynamic of cyberspace, the technology balance right now favors malicious actors rather than legal actors, and is likely to continue that way for quite some time.”  

The reason to mention Twitter is because their new user growth has slowed down.  Big time.  According to a Hubspot Report, Twitter’s new user rate of growth has gone from 13% in March 2009 to 3.5% for October 2009 (the last month tracked).  

Although Twitter may have lost steam as a social networking tool simply because the novelty has worn thin, it is also likely the case that its public security failings have slowed growth.  It is very likely that the current stagnation in growth is even worse given that it is estimated about 25% of accounts have no followers and about 40% of accounts have never sent a single Tweet.  Why bother signing up for something you likely will not even use if you are skeptical of its security?   Simply put, there is no reason to take a chance on a new company if public security lapses make you feel insecure about your data.

All of this points to the need for better security; and more importantly, the use of a directed marketing message that highlights security best practices.  This strategy would not only serve to benefit social networking companies.  All companies holding personally identifiable information need to get their network security and privacy (NSAP) marketing message out to potential clients.  In other words, NSAP processes and procedures are not just tied to risk management and compliance, they directly relate to a marketing message that should lead to an increase in profitable new business.

Is Chinese Government Really to Blame?

Just wondering.  Is the Chinese Government being set up?  One has to wonder why a year-old report by a British spy agency was only recently leaked to the press.  Among other things, the report claims that free USB memory sticks loaded with trojan software was given to business leaders and lawyers at various Chinese trade events.  Another report  recently in the press indicates that classified documents from government and private organizations “including the computers of the Dalai Lama and Tibetan exiles” were hacked into.  Really?   The Dalai Lama?   Another report indicates that oil drilling data was purloined by servers in China.  

Given none of these attacks have any real direct linkage to the Chinese Government, the only two factors being used to implicate the Chinese Government relates to the sophistication of the attacks and the fact they originated on servers based in China.   This is hardly persuasive evidence that the government was involved.  There are any number of governments and large corporations able to perform these attacks.  Moreover, the fact that servers in China are being used also does not really indicate anything.  According to a report in Information Week, the country that hosted the most phishing sites in the third quarter of 2009 was not China.  It was not even close.  For example, in September 2009, the United States hosted 75.76 percent of all reported phishing sites.  China came in third place with 3.44 percent.  It is likely that of the US-based servers used, many were used by foreign attackers looking to cover their tracks. 

Similarly, it seems like a odd coincidence that oil data theft and so many other intellectual property hacking incidents are only being traced to Chinese servers when the Chinese Government – if culpable – could have easily used US-based servers to cover their tracks.  In other words, let’s not be so quick to blame the Chinese Government for attacks that could very easily have been done by other sophisticated hackers or simply Chinese citizens working on their own initiative.

Is the Bar Against Non-Lawyer Equity Owners Outdated?

Under Model Rule of Professional Conduct 5.4, “[a] lawyer or law firm shall not share legal fees with a nonlawyer” except under very limited circumstances.  Accordingly, it has long been the rule that only lawyers could manage or have an ownership interest in a law firm.   That is why, for example, no law firm (at least none in this country) has ever gone public.  Ostensibly, this rule prevents direct conflicts of interest in that shareholder interests are never allowed to trump client loyalty.  This rule mimics the rule that bars the corporate practice of medicine.  On the other hand, accounting firms generally only need a majority of their owners to be licensed CPAs.

If non-lawyers held an equity interest in a law firm, the Appearance of Impropriety Rulewould also apply whenever a law firm’s interests appeared to benefit equity owners’ interests over that of a client.  For example, a very conservative defense strategy might prolong a lawsuit and give the appearance that the strategy was enriching shareholders to the detriment of a client.  Aggressive collection strategies might also appear to create a direct conflict between shareholders and delinquent clients.  Although N.J. R. 1.7:210 is focused on barring dual representations, e.g., representing both sides in litigation, it can easily be envisioned that this rule might also apply to bar representations when outside shareholder interests were in direct conflict with a client. 

Are these ethical prohibitions fair or sound? 

Other than via the traditional “bill, manage, or produce” buckets, lawyers have few options when it comes to generating significant wealth.  For example, the potential upside for a successful litigation billed on an hourly basis is only the promise of future business.  Unlike their clients or even their investment banker peers, lawyers are not issued stock options, cannot invest in deals, and never reap the rewards of a seven figure annual bonus based on the upside of a corporate transaction.  This leads to an obvious disadvantage when it comes to law firms competing with hedge funds, investment banks, consulting firms, or high-growth companies.  It is clearly unfair that law firms experiencing double-digit growth are unable to reward those who contribute to such growth with some equity interest that can be sold to non-lawyers.  As for the soundness of such ethical prohibitions, they primarily make sense if one adopts a paternalistic approach – one that  assumes lawyers will not recognize the right ethical course of action unless given a blueprint.  Otherwise, the prohibition makes little sense.

In addition to questions regarding the soundness or fairness of this ethical framework, a bar against law firm shareholders puts US law firms at a disadvantage with global law firms who do have non-lawyer shareholders.  An article in the Wisconsin Law Review argues exactly that point:  “The very fact that outside equity is now available to lawyers in other jurisdictions, especially the United Kingdom, could create an influx of external competitive pressures on the American legal-services industry.”  It remains to be seen whether global competition from law firms who have non-lawyer equity owners will ever be sufficiently strong to warrant removal of the ethical bar.  More to the point, given the public’s general distrust of lawyers, it is doubtful these ethical barriers will be removed anytime soon.   The most we can hope for is improved creativity when it comes to billing and an increase in hybrid law firm practices.

SMBs Increase Investment in Data Security

More and more security firms are pushing their products towards the SMB market.  In a recent press release, Blackhat Solutions  looks to sell its services by warning “small to medium businesses of their financial and legal susceptibility in the face of increasingly sophisticated data hacking.”  This is no surprise given Forrester Research projects that about 40 percent of SMBs are planning to increase their IT security budgets for 2010.  In its $1,749 report, Forrester outlines why network security and data security top the IT investment and attention for SMBs.  The goal in increasing funding is to protect data rather than just finding broader operational savings – a past common driver of IT initiatives.

SMBs should also be looking to make a little lemonade with their added expenses.  Why not take this increase in data security expenditure and turn it into a profit-making marketing edge?  Most smaller firms who are able to position themselves as security stalwarts will eventually increase their market share no matter what industry they are in.  It’s that simple.   When building out their enhanced security capabilities, there is no reason SMBs cannot also get this marketing message out to their clients, business partners and employees.

Data Breach Expenses and BCBS of TN

According to a news report, BlueCross BlueShield of Tennessee admitted on January 25th that it has spent more than $7 million to address an October theft of 57 computer hard drives.   The company said that it may have to spend millions more to assess what was on the missing computer records and to provide identity protection for affected customers.   According to its website, the company has notified 220,000 BCBS customers in Tennessee and other states where persons covered by BCBS of TN plans may work.  Further, determining what was on the stolen hard drives as required by the HITECH Act and state notification requirements has required the hiring of more than 700 contract and BlueCross workers.

If we are to accept the Ponemon Institute’s most recent Cost of Breach report, this breach will ultimately cost BCBS of TN over $44 million.   Given that 67% of the $204 per record cost consists of lost customers and other indirect costs, it looks like BCBS of TN has another $7.8 million to go on its notification, credit monitoring, forensics and other direct expenses.

This breach is a stark reminder that even though the lawsuits are being won by breach defendants, costs incurred prior to the first lawsuit can be very significant.  Having a post-breach gameplan in place to address these costs has certainly become absolutely crucial during the past few years.   After all, nothing hurts a bottom line as quickly as a significant unfunded expense.

Update:  March 14, 2012
BCBS of TN agrees to pay HHS $1.5 million under the HITECH Act’s breach notification settlement.  When coupled with the $17 million in first-party expenses already paid, this incident remains a stark reminder as to the benefits of a network security and privacy insurance policy.

 

Google Attacks Provide a Valuable Lesson

The facts are starting to surface regarding the recent attacks against Google, Yahoo! and Microsoft – all of which have been linked to Chinese interests.  According to one recent report, the attackers selected employees with access to proprietary data, determined their social networking friends and then hacked into those accounts.  Once in control of the friends’ accounts, the attackers (posing as friends) sent their actual targets instant messages with links to sites that installed spying software on their computers.   

This sort of criminal strategy could be applied to any company – large or small.  In fact, it is much easier to assume that the president of a large middle market firm has more valuable intelligence on his computer than a strategic employee at a larger company.   Having knowledge of this sort of attack is important given the overall number of attacks against business has been increasing.  According to a recent CSO Survey, 37% of businesses polled have seen an increase in attacks during the past 12 months.  

One sure way to reduce the risk of a corporate attack is to limit social networking access to those individuals in marketing or sales who have a corporate reason to go to those sites.   Even those individuals should have proper training so that they would know, for example, not to click on links that have strange URLs or link to content that does not serve a distinct corporate purpose.  Also, try hard to avoid clicking on an image.  It may be hard to do.  Our propensity to click on whatever online content we see is a habit not easily kicked.