Locky Ransomware Variant Difficult to Detect

We previously warned readers about the Locky ransomware, which is potent and designed to use phishing emails to lure users into clicking on links and attachments, including PDFs.

Now, researchers at Cylance have discovered a new Locky variant, known as Diablo6, that is much more difficult to detect. According to the researchers, Diablo6 attacks users twice. The first stage is the traditional one: a phishing email carrying a zip file. When the zip is opened, it reveals a VBS file, which attempts to connect to Locky’s command and control server for instructions.

Then, the VBS script downloads the ransomware. If that download fails, the script falls back to a backup command and control server and tries again, this time saving the ransomware into a temporary folder before it runs and encrypts files. Once the files are encrypted, a ransom note is placed on the user’s screen and the encryption script deletes itself. UGH!
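The delivery chain above, a zip lure carrying a VBS file, can be screened at the mail gateway before any script ever runs. The following Python function is an added example, not code from the original post or from Cylance: it inspects a zip attachment in memory and reports script-type members, including the double-extension ("invoice.pdf.vbs") and nested-zip cases; the extension list and the sample attachments are assumptions constructed for the demonstration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Script extensions Windows runs on double-click; .vbs is the one in the Diablo6
# chain above, the rest are its usual siblings. Assumed list, adjust to your policy.
SCRIPT_SUFFIXES = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".cmd", ".bat"}

def risky_entries(zip_bytes: bytes, _prefix: str = "") -> list[dict]:
    """Inspect a zip in memory and return one finding per script-like member.
    Nothing is extracted to disk. Nested zips are descended one level at a
    time; an unreadable nested zip is itself reported."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = _prefix + info.filename
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            if suffixes and suffixes[-1] in SCRIPT_SUFFIXES:
                findings.append({
                    "member": member,
                    "reason": "script extension " + suffixes[-1],
                    "double_extension": len(suffixes) > 1,  # e.g. invoice.pdf.vbs
                    "size": info.file_size,
                })
            elif suffixes and suffixes[-1] == ".zip":
                try:
                    findings += risky_entries(zf.read(info.filename), member + "/")
                except zipfile.BadZipFile:
                    findings.append({"member": member, "reason": "nested archive unreadable",
                                     "double_extension": False, "size": info.file_size})
    return findings

def build_sample_attachment() -> bytes:
    """Constructed sample mimicking the described lure: a zip holding a
    double-extension .vbs file (placeholder text, not a real script)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice_2017_10.pdf.vbs", "' constructed placeholder only\r\n")
        zf.writestr("readme.txt", "nothing here")
    return buf.getvalue()

def build_nested_sample() -> bytes:
    """Constructed sample: the lure zip wrapped inside a second zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("attachment.zip", build_sample_attachment())
    return buf.getvalue()
```

Run `risky_entries(build_nested_sample())` to see the nested member reported with its full path; a gateway rule would quarantine any message for which the list is non-empty.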

What does this mean? Locky continues to be one of the most vicious ransomware families out there. Ransomware continues to be a huge problem for all industries, and employers would do well to keep their employees attuned to these attacks, which can bring companies to their knees.

Data Security Top Concern for Higher Education IT Professionals

At its annual conference, EDUCAUSE announced that the issue that is at the top of the 2018 Top 10 IT Issues is data security. This is no surprise. It has been the top concern for the past three years.

The issue, as described by IT professionals, was “developing a risk-based security strategy that keeps pace with security threats and challenges.” This is difficult in a higher education setting as the platform used in higher ed is so wide and de-centralized. Telling faculty and students that they have to take extra measures for data security is challenging in an environment that demands ease of access and use of IT assets.

Higher education administration and boards—listen up! The challenges facing higher education IT professionals include:

  • Helping institutional leaders understand the realities of today’s risk-intensive environment
  • Revisiting risk management planning
  • Engaging students and administrators in the adoption of new tools to assist with data security
  • Planning and funding for change management around data management

Engage your IT professionals to sift through these issues and establish priorities and solutions. Data security is not only at the top of the risk list for IT professionals, but also for administrators and boards of higher education institutions.

Big Data and Antitrust: Rethinking Competition Law in the Data Economy

As we approach calendar year end, traditionally the busiest period of the year for mergers and acquisitions, it is worth revisiting whether our existing competition law framework can and does properly assess the market power of big data.

This spring, The Economist magazine joined the ranks of some antitrust regulators, particularly from the EU, in questioning whether today’s tests for anti-competitive behavior (whether the proposed activity would result in higher prices or unfair competition) really apply to the low cost or free products and services offered by Facebook, Google and other big data companies. Also, many of the proposed merger transactions among data companies occur under the radar because the selling party’s balance sheet or its annual revenue falls below pre-merger review thresholds. Some acknowledge that other antitrust tests may still be relevant, such as evaluating the vertical foreclosure effects of a potential merger between two companies, one that collects consumer data and the other that sells targeted online advertising. The combination could well result in a powerful market player with the ability to deliver targeted marketing to millions of consumers.

The Economist piece posits that because competition has changed due to the sheer volume of data, competition law must “reboot” in order to properly assess and redress unfair competition and market power. Data driven companies are valued more highly than comparable companies with larger sales because of their ability to collect data viewed as valuable for the future economy. For example, the magazine points out that car company Tesla is valued higher than stalwart General Motors, despite having only a fraction of its sales, at least in part due to the potential of its self-driving car data. Valuing data driven companies in this manner gives them more financial flexibility to operate and grow, in turn making them even more valuable and commanding purchase and stock prices that bear little relationship to their balance sheets.

Antitrust authorities and commentators point out another difference with the data economy. These large data players have a virtual crystal ball to see both today’s and tomorrow’s emerging global marketplace. Big data companies collect searching, sharing and purchasing data and from that know what is important to consumers. They also see what new products and services are offered in their app stores and on their platforms and operating services and where there is growth. Basically, they know what is trending before the market and outside companies know. With that early knowledge, they can develop a competing product or service to meet or defeat the potential future competition, or in the case of Facebook purchasing the start-up messaging service WhatsApp, simply acquire it. Facebook’s 2014 acquisition of WhatsApp is viewed by many competition experts as a watershed moment for this reason.

Today’s antitrust remedies also fall short, according to many commentators and authorities. Simply breaking up data companies, as we did with big oil a century ago, only delays the effects. Rather, as The Economist and others suggest, change competition law to consider the combined data assets of the selling and buying companies when evaluating the anticompetitive effects of their potential merger. Consider whether having the combined data makes them and the marketplace more or less competitive.

A second recommendation from The Economist is to loosen the grip data companies have on consumers’ data by making the collection and economics of consumer data more transparent and accessible to consumers. Allow consumers to see what personal data is held about them and understand how it is collected and used. Permit consumers to control how and with whom their data is shared. Components of the second recommendation are included in the EU’s new privacy law, GDPR. Perhaps the next step in considering the competition issues is to evaluate the effect, if any, that consumers’ rights under GDPR have on big data companies and their valuations and competition.

Data Breach Costs an Average of $3.6 Million

There have been a myriad of research studies attempting to come up with the “cost” of a data breach. The most recent, released by AT&T, estimates that it costs organizations $3.6 million to recover from a data breach.

The AT&T team surveyed 700 IT professionals in all industry sectors, and found that the biggest risks to organizations continue to be malware, viruses and worms, unauthorized access to corporate data, and ransomware.

The AT&T cybersecurity insights report, entitled “Mind the Gap: Cybersecurity’s Big Disconnect,” found that IT professionals face skills gaps in threat prevention, threat detection and threat analysis. Further, and frankly disappointing, was the finding that only 61 percent of organizations require security awareness training for all of their employees. We have been urging clients to provide security awareness education to employees, especially in light of the increase in malware and ransomware attacks against companies through phishing campaigns.

True to predictions in the data security industry, the report found that employee devices accounted for 51 percent of all data breaches, followed by IoT devices, which accounted for 35 percent of data breaches, and then compromised third-party credentials (34 percent). These findings emphasize the importance of including bring-your-own-device programs, IoT, and third-party and vendor management programs in your enterprise-wide risk management program.

Anti-Drone Technology—a Billion Dollar Business?

While unmanned aerial systems (UAS or drones) are banned from flying over military bases, there isn’t much the military can legally do to stop a drone intruder. However, if it were given the authority to stop these intruders, surely the market for anti-drone technology and tools would explode. Market research firm Frost & Sullivan estimates that the anti-drone industry is worth between $500 million and $1 billion right now, and Frost & Sullivan isn’t the only market researcher with that estimate. Other market research firms project $1.5 billion by 2023. These estimates are based largely on military acquisitions.

Of course, under the current legal regime, these anti-drone technologies are effectively useless. Counter-drone systems range from trained attack eagles to radio jammers and directed-energy systems such as lasers. And some of these systems are expensive. For example, Blighter Surveillance Systems’ new anti-drone system, which was purchased by the Spanish military, costs about $1 million. Of course, that system includes a 24-hour, all-weather platform with visible and thermal imagery capabilities, acoustic detection, and radar with a 10 kilometer range. When a drone is targeted by this system, it sends a jamming signal that disables the intruder drone. Most anti-drone systems work by attacking a drone’s radio transmissions or by taking complete control of the drone and initiating a forced landing. However, none of these systems are legal in the United States because they interfere with lawful radio transmissions such as wireless computer networks, which puts the jammer in the sights of the Federal Communications Commission (FCC).

There are other, more brute-force methods, such as a net fired from a bazooka-type launcher, or attack drones (i.e., a ‘dog fight’ between drones), but these methods are not permitted under Federal Aviation Administration (FAA) rules because drones are afforded the same legal protections as manned aircraft. Bringing a drone down is a felony regardless of how or why it is done. So, downing a drone even over a military base is treated the same way as if it had been a civilian aircraft.

Privacy Tip #114 – Your Email May Have Been Hijacked and You Don’t Know It

A new study by Google, the University of California Berkeley and the International Computer Science Institute has concluded that email users are being threatened by massive credential theft, and that phishing schemes are the primary way hackers are stealing credentials.

According to the study, phishing victims are 400 times more likely to have their email accounts hijacked compared to regular Google users. Victims of data breaches are 10 times more likely to have their email accounts hijacked, and keylogger victims are 40 times more likely to become victims of email hijacking.

How the attacker acquired the victim’s credentials is directly linked to whether the email account can be hijacked. Seven percent of those whose information was exposed in a third-party data breach had their Gmail account password exposed, compared to 12 percent of keylogger victims and 25 percent of phishing victims.

What this says to me is that it is very important to change the password for your email account any time you are advised that you have been involved in any type of compromise, and even if you don’t get notice, change the password on your private email account frequently. Remember to use passphrases, as they are easier to remember [related blog post about passwords].

Do You Have “Security Fatigue”?

Every day it seems a new data security breach has occurred, a new “cyber hack” is in the news… making us run to our phones, computers, bank accounts, you name it, to see if we could be the “one” affected. As a result, more and more online transactions, websites, and financial institutions, for work or personal use, require longer and more complicated login user names and passwords. I can barely remember my name as it is… let alone the now at least 25 unique user names and passwords I have to keep in a notebook. I have security fatigue!

Michigan Governor Establishes Cyber Civilian Corps

Michigan Governor Rick Snyder has signed into law the Cyber Civilian Corps Act, which establishes in statute the Michigan Cyber Civilian Corps, dubbed MiC3. The corps has existed for three years but until now had no statutory basis for deployment.

The law, which took effect on October 26, authorizes the Governor to call on a cadre of cyber experts when the state is the victim of a cyber attack and to assist with other security incidents. The law allows the corps to provide voluntary technical and other assistance, and the corps may include members from government, nonprofits, businesses, higher education, and other stakeholders who come together to meet the cybersecurity needs of the state. Michigan describes it as similar to a volunteer fire department.

What a great idea!

CFPB Releases Principles for Financial Services Industry for Sharing Data

The Consumer Financial Protection Bureau (CFPB) recently issued principles for the access and disclosure of sensitive data in the financial services industry. The CFPB referred to the guidelines as principles instead of regulations so that fintech and other firms can innovate while protecting consumers’ information, and to give consumers the ability to consent to the sharing of information so that products and services can be offered to them.

According to its press release, the CFPB “seeks to ensure a workable data aggregation market that gives consumers protection and value.”

The principles are designed to protect consumers as the market for services using consumers’ data develops. The principles center around “data access, data scope and usability, control of the data and informed consent, payment authorizations, data security, transparency on data access rights, data accuracy, accountability for access and use, and disputes and resolutions for unauthorized access.”

Maryland Data Breach Notification Law Updated: Effective 1/1/18

The Maryland Personal Information Protection Act has been updated and the new provisions are effective January 1, 2018.

The new law expands the definition of personal information that is protected under the statute. Presently, the definition of personal information includes a Maryland resident’s first and last name, or first initial and last name, along with: a driver’s license number, Social Security number, financial account number, credit or debit card number (with a security code, expiry date or password that would allow the card to be used) or taxpayer identification number.