The WhatsApp Hack – Practice Good Phone Hygiene and Update Your Apps

WhatsApp, the popular instant messaging app, announced a hack and the exposure of a security flaw this week. The flaw allowed malware to be injected onto users’ phones, potentially exposing their otherwise encrypted data and messages. WhatsApp allows users to instant message and make phone calls throughout the world. The app features described on its website include simple, secure, and reliable messaging, and the app is widely known for encrypting messages between users.

According to this week’s announcement, the attacks exploiting the security flaw and the resulting malware reportedly targeted specific individuals. WhatsApp has not yet announced how many of its 1.5 billion users were affected, but is recommending that users upgrade to the latest version of the app – version 2.19.134, updated on May 10, 2019.

While you are updating WhatsApp, it’s a good idea to keep all your apps up to date, change passwords frequently, and do a little phone hygiene: clean up your phone and delete unused and out-of-date apps.

FBI Flash: Ryuk Ransomware Continues to Attack U.S. Businesses

According to a recent FBI Flash, Ryuk ransomware has hit more than 100 U.S. companies since August 2018, with a “disproportionate impact on logistics companies, technology companies, and small municipalities.”

The Flash, “provided in order to help cyber security professionals and system administrators to guard against the persistent malicious actions of cyber criminals,” seeks information from companies regarding Ryuk, which retains Hermes code. According to the Flash, once Ryuk is in the system, it deletes all files related to the intrusion, so it is impossible to identify the infection vector. It is able to steal credentials, and “in one case, the ransomware appears to have used unsecured or brute forced Remote Desktop Protocols (RDPs) to gain access. After the attacker has gained access to the victim network, additional network exploitation tools may be downloaded…” and “once executed, Ryuk establishes persistence in the registry, injects into running processes, looks for network connected file systems, and begins encrypting files.”
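The Flash ties at least one Ryuk intrusion to unsecured or brute-forced RDP. The following is an added example, not part of the FBI Flash or this post, showing the kind of detection a system administrator can run over exported Windows logon events: it flags a source address with a burst of failed RDP logons (event 4625, logon type 10) and reports whether a successful RDP logon (event 4624) followed from the same source. The log lines and the simplified space-separated format are constructed for the example; a real export (EVTX/XML or CSV) needs its own parser.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified "timestamp event_id logon_type user src_ip"
# form (assumption: real Windows Security logs are EVTX/XML; adapt the parser to your export).
SAMPLE_LOG = """\
2019-05-10T02:00:01 4625 10 administrator 203.0.113.7
2019-05-10T02:00:03 4625 10 administrator 203.0.113.7
2019-05-10T02:00:04 4625 10 admin 203.0.113.7
2019-05-10T02:00:06 4625 10 backup 203.0.113.7
2019-05-10T02:00:09 4625 10 administrator 203.0.113.7
2019-05-10T02:00:15 4624 10 backup 203.0.113.7
2019-05-10T08:15:00 4625 10 jsmith 192.0.2.20
2019-05-10T08:15:40 4624 10 jsmith 192.0.2.20
"""

LINE_RE = re.compile(r"^(\S+) (\d{4}) (\d+) (\S+) (\S+)$")


def parse(log_text):
    """Parse the sample format into (timestamp, event_id, logon_type, user, src_ip) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        ts, event_id, logon_type, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), int(event_id), int(logon_type), user, src))
    return events


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: (failed_count, user_of_first_success_or_None)} for every source
    with at least `threshold` failed RDP logons inside `window`."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        if ev[2] == 10:  # LogonType 10 = RemoteInteractive, i.e. RDP
            by_src[ev[4]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e[1] == 4625]
        for i in range(len(fails)):  # sliding window over the failures
            j = i
            while j < len(fails) and fails[j][0] - fails[i][0] <= window:
                j += 1
            if j - i >= threshold:
                # A success from the same source after the burst suggests the guess landed.
                success = next((e[3] for e in evs if e[1] == 4624 and e[0] >= fails[j - 1][0]), None)
                alerts[src] = (j - i, success)
                break
    return alerts
```

On the constructed sample, 203.0.113.7 is reported with five failures followed by a successful logon as “backup”, while the single failed attempt from 192.0.2.20 stays below the threshold.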

The attackers in the newest version of Ryuk provide email addresses for the victim to contact them to pay the ransom, and they do not tell the victim how much is demanded until the victim contacts them via email. Only then do they say how much bitcoin is necessary, provide a specific Bitcoin wallet where the payment is to be made, and provide a sample decryption of two files to verify the files still exist.

The FBI says that it “does not encourage paying a ransom to criminal actors.” Instead, the FBI encourages all companies affected by ransomware to contact their local field office to report the event. The FBI is specifically seeking information on Ryuk, including:

  • Recovered executable file
  • Copies of the “read me” file—DO NOT REMOVE the file or decryption may not be possible
  • Live memory (RAM) capture
  • Images of infected systems
  • Malware samples
  • Log files
  • E-mail addresses of the attackers
  • A copy of the ransom note
  • Ransom amount and whether or not the ransom was paid
  • Bitcoin wallets used by the attackers
  • Bitcoin wallets used to pay the ransom (if applicable)
  • Names of any other malware identified on your system
  • Copies of any communications with attackers

If you are a victim of a cyber-attack or ransomware, the FBI can be contacted through its 24/7 Cyber Watch at www.fbi.gov/contact-us/field or CyWatch@fbi.gov or (855)292-3937.

Tech Company Execs Sweat Personal Liability for Privacy Violations

In the Privacy Law classes I teach in the Brown University Executive Masters of Cybersecurity and at Roger Williams University School of Law, we discuss the enforcement authority that the Federal Trade Commission (FTC), the Office for Civil Rights (OCR) and other federal and state agencies have over data privacy and security, including how effective the enforcement has been over the past decade. In the wake of massive data breaches, my classes uniformly are of the opinion that the present enforcement scheme is not a big enough stick to deter big tech companies from collecting, selling and monetizing data.

Recently, members of the FTC have publicly lamented that this is true. What look like large fines against tech companies that have violated consumers’ privacy are often not sufficient to act as deterrents, such as the $5.7 million levied against Musical.ly (or TikTok), which was less than 1% of the parent company’s annual revenue, and therefore inconsequential to company executives.

According to one member of Congress, “for large companies, fines are simply a cost of doing business.” This is consistent with my classes’ conclusion. Facebook is poised to pay a significant fine and has set aside $3-5 billion (yes, that’s with a “b”) to pay for various alleged privacy violations. Many observers have opined that this is a drop in the bucket for Facebook, and is not enough to change behavior.

Perhaps the private right of action in the California Consumer Privacy Act, which takes effect in 2020, will change tech companies’ thinking about privacy violations. Congress is looking into how the FTC and other agencies can regulate the big tech companies, and candidates for the Presidency have gotten into the fray, with one declaring that the tech companies should be broken up. The FTC has publicly stated that it is looking into assessing personal fines against company executives as a way to encourage compliance.

No matter how this shakes out—and it will—the present discourse should be enough for tech company execs to be concerned about personal liability. Executives may want to start focusing on the organization’s data privacy and security plan, and making policy decisions on its implementation a top priority.

U.S. Senators Push for Remote Drone I.D.

U.S. Senators Edward J. Markey (D-MA) and John Thune (R-SD) called on the Federal Aviation Administration (FAA) to publish a proposed rule for the remote identification of unmanned aerial systems (UAS or drones). The request was issued through a letter sent to the U.S. Department of Transportation (DOT).

According to the Senators’ letter, remote identification could permit the public, the FAA, law enforcement and others to remotely track and identify drones and their operators during flight, which would assist in addressing unauthorized drone flights in sensitive areas such as airports and large public events. Specifically, the letter states, “In recent months, a series of UAS sightings in safety-sensitive areas have underscored the need to quickly adopt and implement remote identification. Remote identification will enhance safety, security and privacy and serve as a critical tool for law enforcement to respond to and address reports of illegal and unauthorized drone operations.” We will track this issue as it progresses through the FAA and the industry as a whole.

Privacy Tip #190 – Internet of Medical Things (IoMT)

These days, pretty much everyone is aware of potential security incidents and the risks involved with Internet of Things (IoT) devices because security was not built into the device during the manufacturing process, but there is less awareness of the risks associated with the Internet of Medical Things (IoMT).

Just like IoT devices, such as home security systems, TVs, coffee pots, cameras, fitness monitors and baby monitors—all of which are hackable—IoMT devices are those devices and monitors designed and manufactured to be used in the medical industry, such as heart monitors, pacemakers, drug monitoring devices, and radiology systems. All of these monitors and devices are also connected to the Internet, but they may be implanted in our bodies or ingestible. They are able to monitor our medical condition and report back electronically to our physicians or to the electronic medical record of a hospital.

Although these IoMT devices are meant to improve our health, they are no different than home security systems, baby monitors, or fish tanks that were designed and manufactured without data security embedded in them. That means that they are hackable as well. And that means that intruders can not only hack into our homes, but now they also can get into our bodies.

A new survey by Fortinet (see article for FierceHealthcare written by my friend and student Sonia Arista here) “reveals two noteworthy trends regarding the state of security in healthcare as well as what care providers need to do next.”

According to the article, the risk of IoMT is high, and one of the top threats is IP-enabled cameras being used in hospitals. “Compromised cameras could not only be used to obscure malicious on-site activities or prevent healthcare providers from monitoring patients, but they could also open an entry point into connected cybersystems from which cybercriminals could launch DDoS (distributed denial of service) attacks, steal personally identifiable information, initiate a ransomware attack, and more.”

Many physicians are unaware of the security risks of IoMT devices. When considering the use, surgical implanting or ingesting of a device that can be monitored digitally, discuss the security risks with your physician, and do some online research on the data security measures that are taken, and publicly disclosed, by the manufacturer of the device. If you can’t find any information about the data security of the device in a public search, then data security is probably not a high priority for the company. Don’t rely on your physician to have done any such research—do it yourself, and do it before something is implanted in you. The last thing you want is to be notified that the device has to be removed in order to install a security patch, as many patients have had to do with pacemakers.

Hotel Chain Hit with Class Action Alleging “Misuse” of Biometric Data

Hotel chain Fillmore Hospitality, LLC is the latest target of a proposed class action complaint filed this week, alleging violation of the Illinois Biometric Information Privacy Act (BIPA). We don’t usually discuss the specific allegations in BIPA cases, but since they continue to populate the litigation landscape, we thought it would be instructive to take a deeper dive so companies are aware of the minefield these cases present and how they really are a roadmap for compliance.

According to the Complaint by the named plaintiff, who worked at a Cambria Hotel in Chicago, “[T]his case concerns the misuse of individuals’ biometrics by Defendants, a leading hotel chain with locations across the United States.” The defendants are allegedly doing so by using biometrics for clocking in and out without providing notice to or obtaining express written consent from employees. It further alleges that the company failed to “publish publicly available retention guidelines for permanently destroying biometric identifiers and biometric information.”

The Complaint goes on to say that “[C]ompliance with BIPA is straightforward and may be accomplished through a single, signed sheet of paper. BIPA’s requirements bestow a right to privacy in biometrics and a right to make an informed decision when electing whether to provide or withhold biometrics.”

According to the Complaint, the defendants used handprints or portions thereof, including fingerprints, for authentication and timekeeping purposes, and then disseminated the biometric information to third parties, including data storage vendors and payroll services. These actions allegedly violated the plaintiff’s right to biometric privacy.

The Complaint requests injunctive relief and statutory damages. The injunctive relief requested is a requirement that defendants comply with the BIPA requirements for the “capture, collection, storage, use, and dissemination of biometric identifiers and biometric information;” the award of statutory damages of $1,000 for each violation of BIPA; and the award of reasonable attorney’s fees, costs and litigation expenses, including pre- and post-award interest.

This case is another reminder to all companies located in Illinois, or doing business in Illinois, to be aware of BIPA and to consider implementing a compliance program to stay out of the cross-hairs of class action litigators.

City of Baltimore Shuts Down Servers Following Ransomware Attack

Another city, another ransomware attack. Cities and municipalities continue to be targeted with ransomware campaigns. Fortunately, in this case, essential services such as fire, police, Emergency Medical Services and 311 service were still operational despite the attack. According to a tweet by Mayor Bernard Young, Baltimore shut down its servers in response to the ransomware attack, and preliminarily, it does not appear that any “personal data has left the system.”

City hall personnel were instructed to disconnect their computers from the Internet as there were reports that the ransomware was spreading from computer to computer. Baltimore’s Department of Public Works suspended late water bill fees, and its customer service and support were down and unable to assist customers with water billing issues. The Baltimore Department of Transportation was also affected due to network and email outages.

Supply Chain (and Vendor) Security and Contract Management

We continue to see clients hit with notifications from vendors about security incidents caused by either the vendor or the vendor’s downstream supply chain. Often, the client didn’t even know that its vendor was outsourcing part or all of the work to another vendor. When a security incident occurs down the line, the entity that experienced the security incident or data breach usually has contractual obligations to tell its customer, and its customer then has the contractual obligation to tell its customer, and on and on up the line. If you are at the end of the line, all of the supply chain vendors are saying that their only obligation is to notify you, and you must notify any affected individuals and the regulatory authorities.

Managing the supply chain is challenging but necessary in today’s world of sophisticated cyber-attacks. In our experience, there is no one size that fits all when it comes to contract management. But no matter what size or how complex your organization is, a supply chain and vendor security and contract management program is essential to reduce the risk of downstream incidents.

We hear the term “vendor management” all the time when discussing how to address downstream risk. Vendor management is one aspect of the supply chain risk analysis. Yes, it is important to assess which of your vendors have access to your high risk data, and once you determine that, to review their security posture and then incorporate security requirements into the contract. But it is also important to know who your vendors are doing business with and how those businesses are treating your data.

I submit that during the assessment of the vendor you find out who their key subcontractors or partners are, whether they are doing appropriate due diligence on their subcontractors’ security posture, and whether they are requiring the provisions that the vendor has agreed to with you to flow down to the entire supply chain. Some clients are requiring vendors to provide proof that the vendor has completed a security questionnaire or other due diligence efforts on their own vendors so the entire supply chain is secure. Other clients are requiring vendors to request permission before allowing any subcontractor to have access to data. And still others are flat out refusing to allow any vendor to subcontract any portion of the contract to another vendor at all. There are many strategies, and finding the one that works for you is key.

All of these strategies are challenging and difficult when it comes to finalizing a contract and getting work started. Your business partners may be frustrated by the due diligence and the contract negotiations. Nonetheless, the up-front due diligence may prevent a notification from a vendor about a security incident caused by someone else down the supply chain that you didn’t even know existed or had access to your data. Those clients who have had that experience are spending more time up front in evaluating the security of the entire supply chain and managing the contract negotiations to address this issue.

Drone Delivers Human Kidney for Transplant

Last month, a University of Maryland unmanned aerial system (UAS or drone) delivered a donor kidney to surgeons at the University of Maryland Medical Center (UMMC) in Baltimore for an ultimately successful transplant to a patient with kidney failure. The drone flew 2.6 miles in approximately 10 minutes.

This University of Maryland project is important to determine whether this process of delivery works; if it is a proven system of delivery, unmanned organ transport can potentially be done at much greater distances. This would minimize the need for multiple pilots and flight time and address safety issues.

The drone flight was monitored by AiRXOS Air Mobility Platform, which manages the volume, density and variety of UAS traffic data for safe operations, as well as a separate apparatus for maintaining and monitoring a viable human organ.

FAA’s UAS Growth Predictions

In the Federal Aviation Administration’s (FAA) latest aerospace forecast, it noted the “phenomenal growth” of the small unmanned aerial system (UAS or drone) industry. The FAA reported that at the end of 2018 there were 277,000 UAS registered with the FAA. In the FAA’s 2017 report and predictions, that number was expected to be only 158,900. The FAA further said in its report that the UAS sector “will be much larger than what [the FAA previously] understood.” Overall, in the last five years, the UAS industry has seen “healthy growth,” but the FAA also reports that the introduction of so many UAS into the national airspace has sparked some “operational challenges,” including safe integration into the national airspace. However, despite the safety challenges, the FAA says that the UAS sector holds enormous promise. To read the full report, click here.
