Last week, the Federal Aviation Administration (FAA) began investigating a YouTube video that shows a helicopter almost colliding with a drone right off the coast of Hollywood Beach, Florida. In the video, the drone is heading west towards the coast before its camera turns south and the helicopter is seen in the distance; the helicopter remains on its path, which is in direct line with the path of the drone, missing it by only a few feet as it continues to fly north. The video has since been removed—the user had posted a comment stating, “Enjoying an afternoon flight with my drone around Hollywood Beach, FL. A private helicopter flew right into my drone. I guess I got lucky that day nothing happened. Phew.”

Current FAA rules require drone operators to stay well clear of other aircraft, to check FAA airspace restrictions before flying, and to keep their drones below 400 feet. The FAA’s investigation is ongoing. This is a valuable lesson for both commercial and hobbyist drone pilots: follow FAA regulations, and be aware that the FAA is watching YouTube too.

The United Kingdom’s data privacy watchdog, the Information Commissioner’s Office (ICO), reports that the number of complaints it has received has almost doubled since the EU’s General Data Protection Regulation (GDPR) took effect three months ago. Under GDPR, anyone who believes their personal data has been misused can file a complaint with the ICO.

Legal experts say GDPR is promoting greater privacy awareness, mainly because organizations now have to disclose when, and often how, they were breached. Ann Henry, a Dublin-based attorney who specializes in data protection law, says “This increase in reported data breaches and in complaints from data subjects is a trend we expect to see continuing as the public becomes increasingly aware of their rights under GDPR and the value of protecting their personal data from a privacy perspective.”

Thus far, none of the EU’s data protection authorities has imposed a fine under GDPR. It is simply too soon, only three months after the regulation took effect. At some point, perhaps in the very near future, that will change.

A previous blog post by my colleague Linn Freedman provides valuable information on GDPR requirements and guidance on what organizations can do now to comply.

The Federal Trade Commission (FTC) enforces the Telemarketing Sales Rule (TSR), which requires telemarketers to remove from their calling campaigns any telephone numbers listed on the National Do Not Call Registry (the Registry).

Although many of us have both our residential and cell phone numbers listed with the Registry, we still get many, many annoying and inconvenient telemarketing calls.

This week, the FTC amended the TSR to update the fees charged to entities that access the Registry, from $62 to $63 per area code, with the maximum annual fee for any single entity set at $17,406. The fee change takes effect on October 1, 2018.

The fee is significant, and clearly many callers are neither subscribing to the Registry nor paying the fee, since we continue to be inundated with unwanted telemarketing calls. Nonetheless, registering should decrease the number of calls you receive. There are exceptions to the prohibition on telemarketing calls, including calls from charities, political groups and debt collectors, and calls conducting surveys.

Signing up for the Registry is free. You can register both your home and cell phone numbers. You also can report unwanted calls, and the FTC has the authority to enforce violations of the Registry rules and hit violators with very large fines.

To sign up for the Registry, visit https://www.donotcall.gov.

Proponents of blockchain technology, the distributed ledger system underlying bitcoin and other cryptocurrencies, view the technology’s applications as potentially offering significant efficiencies to the provision of government services. Two pilot projects currently underway are geared toward exploring the technology’s potential in two key areas of services provided by state and local governments: real property recording and voting.

On August 28, the Franklin County Auditor’s Office in Ohio tested a blockchain application developed by the Columbus, Ohio-based startup SafeChain. The test involved transfer of 37 properties sold through a forfeiture auction. Potential buyers were required to register through the digital system and the ownership transfer involved adding a barcode to the paper document with the remaining documents accessible on the blockchain. This pilot project follows on the heels of the Ohio Legislature passing a law this summer explicitly recognizing the legitimacy of blockchain transactions.

Meanwhile, in West Virginia, the state is extending its trial use of a blockchain-powered mobile voting application developed by the Boston-based startup Voatz. The trial, which is largely limited to military service members serving abroad who are covered by the Uniformed and Overseas Citizens Absentee Voting Act, was originally tested in two West Virginia counties during primary elections and will now be extended through November for the midterm elections. Despite the relatively narrow scope of the trial, the use of mobile applications for voting purposes in the midterm elections has raised significant concerns about the security of the system.

As blockchain-based applications continue to develop and mature, the potential benefits to the provision of government services make it likely we will see more frequent public-private collaborations of the sort currently being tested in Ohio and West Virginia.

A new ransomware, dubbed “Ryuk,” has surfaced in the last few weeks that is said to be targeting large organizations in the United States.

The attackers behind Ryuk have reportedly made over $640,000 in just two weeks, and are allegedly connected to the well-known hacking group out of North Korea—Lazarus.

According to security company Check Point, the attackers are carefully targeting large organizations that have the ability to pay large ransoms for valuable data, and are exploiting vulnerabilities in order to get a quick pay-out of large sums of Bitcoin.

The attackers conduct very specific campaigns against large companies, mapping the organization’s network, compromising it and stealing credentials in order to install Ryuk and encrypt the systems. Once the organization’s systems are compromised, the victim receives one of two standard ransom notes. One is polite: it advises the company that a vulnerability in its systems has resulted in the encryption of all files, requests a payment in Bitcoin in exchange for the keys to the data, and reminds the victim that the attackers “are not scammers.” The message goes on to tell the victim that all files will be destroyed unless the ransom is paid (but they aren’t scammers). The victim is given an email address to contact and a Bitcoin wallet address to pay the ransom.

The second ransom note is more to the point and outright threatening: files are encrypted and will be destroyed unless you pay, and here is the email address to contact to pay.

What is very concerning about this new ransomware is the size of the ransom: between 15 and 35 Bitcoin, with another half a Bitcoin added for each day the victim does not pay. At the upper end that is roughly $224,000 at current exchange rates. This is unusual and alarming.

Unfortunately, the fact that the attackers cashed in so much in such a short time indicates that this is a well-planned campaign, that the attackers researched their victims’ ability to pay, and that the strategy has paid off; more attacks will likely follow. It is another reason to check in with your IT folks and to invest in and test backup plans, continuity plans and disaster recovery operations.

Companies doing business in Illinois should get up to speed on the Illinois Biometric Information Privacy Act (BIPA). We have reported on numerous (but not all) cases filed against technology companies and employers for alleged violations of BIPA. The class action lawsuits continue to be filed at a rapid pace, adding urgency for companies to comply with BIPA.

Another proposed class action was filed recently against Hegewisch Development Corp., alleging that it violated BIPA because the plaintiffs were not informed in writing that their fingerprints were being collected and did not consent to the collection, and were not given written notice of the purpose for which, and the length of time during which, their fingerprints would be collected, stored, disclosed and used, or of when the information would be destroyed.

Employers using biometric time clocks (and other technology that uses biometric information) should become knowledgeable about BIPA and its requirements and implement measures designed to comply with it, so they do not get hit with a class action lawsuit like so many companies have in the past year. A little prevention can go a long way. BIPA has become the new gold rush for class action lawyers, as TCPA litigation was a few years ago.

Last week, the Kansas Department of Transportation (KDOT), in coordination with 30 other Kansas groups, flew a drone beyond visual line of sight (BVLOS) as part of the Federal Aviation Administration’s (FAA) Unmanned Aircraft Systems (UAS) Integration Pilot Program (IPP). Kansas State Polytechnic Flight Operations Manager Travis Balthazor said, “Currently, we’re restricted to visual line of sight operations. So, anytime you fly a main aircraft, you have to keep it in the visual line of sight, and we’re trying to advance those regulations to allow more UAS technology for the general public.”

The BVLOS operations took place in Gypsum, Kansas with about 50 observers watching. Director of Kansas Aviation, Bob Brock, said, “The [FAA] has given us authority and a partnership to be able to do brand new things with drones that people aren’t allowed to do anywhere else in the country. We can fly drones out of our sight, which gives us the ability to do a search and rescue in county or state parks. These drones are an actual lifesaving tool and can positively impact the state’s economy.”

The operations are conducted by pre-programming the drone’s flight path; the pilot monitors the flight remotely and tracks its progress on a screen. The route is a series of waypoints on a map, each programmed with a specific location, altitude and speed, so that the drone follows a defined flight profile as it progresses from one waypoint to the next. During the flight, the operator can change the drone’s profile to send it in a different direction or end the flight early.

The goal of this program is to improve drone technology so that drones can be used in many industries such as infrastructure and agriculture in Kansas.

Over 2,800 applicants applied for this opportunity to conduct BVLOS operations and the FAA only gave Kansas and four other states their approval.

National security concerns related to drones range from illicit intelligence gathering, to smuggling drugs and guns over the border or into prisons, to attacks like those conducted by terrorist groups. However, legal authority to use counter-UAS technology against unmanned aircraft systems (UAS) is currently limited.

Only the Department of Defense (DOD) and Department of Energy (DOE) have the authority to enforce flight restrictions by taking direct action against drones. To address this limited authority, a Senate bill was introduced that would extend similar authority to the Department of Justice (DOJ) and Department of Homeland Security (DHS). That bill would allow the FBI, Secret Service, Coast Guard and Customs and Border Protection, as well as several other agencies, to use counter-UAS technology against malicious drones. The bill has not yet been enacted into law. We continue to monitor it and other counter-UAS legislation.

However, it is not only legal challenges that present a problem for counter-UAS technology, but technical limitations as well. Most current counter-UAS technologies were developed for military applications, which means they rely on imprecise modes of interference such as radiofrequency jamming. These technologies may not be safe to use around domestic facilities, and the signals that much of this technology relies on could interfere with manned aircraft or lawful drone operations.

For counter-UAS technology to improve, the regulatory landscape will likely have to change, allowing industry stakeholders to test more technologies and expanding federal authority to identify, track and counteract criminal drone activity.

I am speaking at a conference in one of my favorite cities (okay, it’s Chicago) and I was having dinner at the bar when the patron next to me asked me what I do for a living. I am a friendly sort of person and like to meet new people, so I told her what I do and she asked me for three cybersecurity tips. I started with my first one, which is about online banking. After a brief explanation, she commented that I am very scary. No, I am not scary—bad guys and gals make my profession scary.

This Privacy Tip is a bit scary, but it’s not my fault.

Security professionals are all about multi-factor authentication, and I am a believer as well. Multi-factor authentication requires a second proof of identity beyond your password, so that a hacker who has stolen the password still cannot get in. Most companies offer it for sensitive consumer accounts, such as bank, mobile telephone and other financial accounts where fraud can occur, and organizations use it for employee access to company information. Many companies use the customer’s or employee’s mobile telephone number as that second factor and text a one-time code to it. The thinking is that only you have access to your mobile phone, so whoever enters the code must be you.

Well, criminals will continue to find ways around security measures, and they have done so with mobile telephone numbers used as the second factor.

The fraud is the SIM card swap. Several individuals were arrested recently for using SIM card swap fraud to steal millions of dollars in cryptocurrency; one victim alone lost over $24 million to a SIM card swap.

Here’s how it works: every cell phone has a SIM card, the small chip that identifies your subscriber account to your carrier and ties your telephone number to your handset. A SIM card can be moved to any compatible phone, which is how your number follows you when you buy a new phone. A SIM card swap happens when your carrier assigns your telephone number to a SIM card that is in someone else’s phone; from that moment your calls and text messages, including one-time codes, go to the criminal’s handset, and your number has been hijacked.

The criminal never needs to touch your phone. The swap happens inside the carrier’s systems, and it is done more frequently than you think, often with the help of employees at mobile telephone stores who are paid by the fraudsters to process the swap.

How do you know if your SIM card has been swapped? Your phone suddenly loses service. By then the criminal controls your mobile telephone number, which is linked to your bank account, your employer’s VPN, your social media accounts, your music and video accounts, and so on, and can use the one-time codes and password-reset texts sent to that number to take over every one of those accounts.

Three tips to prevent SIM card swapping or limit its risk: 1) don’t let an employee at the mobile telephone store handle your SIM card outside of your presence, and witness any swap in person; 2) protect your mobile account from unauthorized swaps by setting up a personal identification number (PIN) or account passcode with your mobile telephone provider that must be given before any SIM change or number port; and 3) don’t attach your mobile telephone number to high-risk accounts, and where an account offers it, use an authenticator app or hardware security key as the second factor instead of a text message.

Scary, but better to be armed with solutions than be a victim.

Just days after the FBI issued a private warning to the banking industry, the Necurs botnet began a spamming campaign targeting banks. The activity was discovered by the security research firm Cofense. According to Cofense, Necurs launched a concentrated spear phishing campaign against approximately 2,700 banks on August 15. The campaign lasted approximately eight hours and was designed to spread Remote Access Trojans (RATs).

As noted by several sources, one of the more interesting aspects of the campaign was that it appeared to target only actual bank employees, adding an element of true spear phishing; spear phishing is not typically part of Necurs’ modus operandi. The emails carried either a Microsoft Publisher file or a PDF document weaponized to deliver a RAT capable of giving the attackers complete control of the host.
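For a mail gateway or an analyst triaging a campaign like this one, the useful check is on attachment content, not just names: Publisher files are OLE2 compound documents, and a PDF that carries a RAT dropper almost always declares an action that fires on open. The following is an added example (mine, not Cofense’s or the FBI’s code) that parses a raw message with Python’s standard `email` package and flags attachments on those signals. The sample message is constructed here: the “Publisher file” is only an OLE header plus padding, and the PDF is a minimal catalog with a Launch action, not real malware. The addresses and file names are made up.

```python
"""Triage of e-mail attachments for the two lures in the Necurs campaign
(Microsoft Publisher and PDF), judging content rather than file names.

Added example, not code from the original post, Cofense or the FBI. The sample
message, addresses and file names are constructed; nothing here is real malware.
"""
import email
import os
from email import policy
from email.message import EmailMessage

# Publisher, legacy Word/Excel/PowerPoint, Outlook .msg and MSI all use the OLE2 compound file format.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
OLE_EXTENSIONS = {".pub", ".doc", ".xls", ".ppt", ".msg", ".msi"}
# PDF name objects that cause something to run or open when the document is viewed.
PDF_ACTIVE_TOKENS = (b"/OpenAction", b"/AA", b"/Launch", b"/JavaScript", b"/JS", b"/EmbeddedFile")


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Return a finding for one attachment; an empty 'reasons' list means nothing suspicious."""
    ext = os.path.splitext(filename.lower())[1]
    reasons, pdf_tokens = [], []

    if ext == ".pub":
        reasons.append("Microsoft Publisher attachment, rarely legitimate in banking mail")
    if data.startswith(OLE_MAGIC):
        reasons.append("OLE compound document (can embed objects and macros)")
        if ext not in OLE_EXTENSIONS:
            reasons.append(f"content is OLE but extension is '{ext}' (extension mismatch)")
    if data.startswith(b"%PDF"):
        pdf_tokens = [t.decode() for t in PDF_ACTIVE_TOKENS if t in data]
        if pdf_tokens:
            reasons.append("PDF with active content: " + ", ".join(pdf_tokens))
    elif ext == ".pdf":
        reasons.append("named .pdf but does not start with %PDF (extension mismatch)")

    return {"filename": filename, "size": len(data), "reasons": reasons, "pdf_tokens": pdf_tokens}


def triage_message(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and return findings for the suspicious attachments only."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""   # decode=True undoes base64/quoted-printable
        finding = inspect_attachment(name, data)
        if finding["reasons"]:
            findings.append(finding)
    return findings


def build_sample_message() -> bytes:
    """Constructed lure shaped like the campaign: one .pub, one PDF, one benign text file."""
    msg = EmailMessage()
    msg["From"] = "payments@example-bank.test"       # made-up addresses
    msg["To"] = "wire-desk@example-bank.test"
    msg["Subject"] = "Updated payment advice"
    msg.set_content("Please review the attached payment advice.")
    fake_pub = OLE_MAGIC + b"\x00" * 504              # OLE header only, no real Publisher content
    fake_pdf = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction << /S /Launch /F (advice.exe) >> >>\n"
                b"endobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n")
    msg.add_attachment(fake_pub, maintype="application", subtype="x-mspublisher",
                       filename="payment_advice.pub")
    msg.add_attachment(fake_pdf, maintype="application", subtype="pdf",
                       filename="payment_advice.pdf")
    msg.add_attachment("Reference: 2018-08-15\n", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for f in triage_message(build_sample_message()):
        print(f"{f['filename']} ({f['size']} bytes) -> " + "; ".join(f["reasons"]))
```

The PDF check is a first-pass heuristic, not a parser: action names inside FlateDecode-compressed object streams, or written with hex escapes such as `/Open#41ction`, will not match a byte search, so in a real pipeline a hit here should route the file to a proper PDF parser or a detonation sandbox rather than serve as the only verdict. The OLE check is more robust because the eight-byte signature is fixed, which is also why a name-versus-content mismatch on that signature is a strong signal on its own.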