VPNFilter Worse Than Previously Reported

We previously reported that the FBI has warned consumers about a nasty malware, known as VPNFilter and believed to have been launched by a Russian government hacking group is infecting hundreds of thousands of small business and home router [view related post here].

Apparently the malware is much worse than anyone thought and Cisco’s Talo security team says the malware is more powerful and is infecting a larger number of routers than originally reported.

The new research shows that the malware is capable of implementing a man-in-the-middle attack (which we have seen an increase in over the past few weeks) on incoming web traffic, and is targeting not only home and small business routers, but the router owners themselves. Cisco reports that the attackers use the infected router to inject malicious payloads into traffic as it passes through the infected router. It can also steal sensitive data that is passed between internal end-points and the internet.

According to the senior researcher at Cisco “[t]hey can manipulate everything going through the compromised device. They can modify your bank account balance so that it looks normal while at the same time they’re siphoning off money and potentially PGP keys and things like that. They can manipulate everything going in and out of the device.”

A list of devices that are affected can be accessed here.

What is even more concerning is that the malware is particularly sneaky and works in stages. So if you heeded the FBI’s warning to reboot your router, the malware cold still be persisting on your device. For those of us who are non-techies, this means that the attackers could have infected your device and put the malware in a listening mode that can then be activated at a later time. Security experts are recommending that if your router is more than a few years old, you should just buy a new one. Another security expert recommends “Run DD-WRT/OpenWRT/Tomato or similar, never use a stock vendor-created firmware if you can help it. The open-source stuff isn’t perfect but at least it represent pooled resources shared across many hardware platforms and with the broader OS community, rather than one vendor’s overtaxed engineering department that’s under-incentivized to worry about security.”

LabMD Wins Against FTC—11th Circuit Vacates Enforcement Order Against It

We have been watching the LabMD/FTC case for a long time. We have written about it [view related posts here], read the book about it that was hand delivered to our office by the CEO of LabMD, debated it in privacy law class and marveled at the energy and focus of Mike Daugherty over the years to fight what he believed to be an injustice against him and his company by the federal government.

The case has taken many turns and at times is very hard to follow. Suffice it to say that the FTC alleged that LabMD did not have sufficient security measures in place to protect the information of patients and started an enforcement action against it. The facts of the case are fit for a mini- series, with characters you can’t make up. To try to make a long story short, the FTC proceeded in an enforcement action, the administrative law judge found in favor of LabMD, the full Federal Trade Commission reversed the ALJ’s decision and the FTC issued an order directing LabMD to create and implement a variety of security measures. LabMD appealed to the 11th Circuit Court of Appeals.

Yesterday (6/6/18), the 11th Circuit Court of Appeals issued its decision on the appeal and found in favor of LabMD. The 11th Circuit stated “LabMD petitions this Court to vacate the order, arguing that the order is unenforceable because it does not direct LabMD to cease committing an unfair act or practice within the meaning of Section 5(a). We agree and accordingly vacate the order.”

This case has great significance to the ability of the FTC to enforce data security against companies. The FTC alleges that Section 5 of the FTC Act gives it authority to enforce data security measures, and alleged that LabMD committed an unfair act or practice by engaging in practices that failed to reasonably secure the information of patients. The 11th Circuit found that the FTC failed to allege specific unfair acts or practices engaged in by LabMD. It further found that the FTC failed to “explicitly cite the source of the standard of unfairness it used in holding LabMD’s failure to implement and maintain a reasonably designed data-security program constituted an unfair act or practice.”

Finally, the Court held that the prohibitions set forth in the FTC’s cease and desist order were not specific, and therefore, unenforceable.

This long-awaited opinion has wide reaching implications for companies facing enforcement actions by the FTC now and no doubt long into the future.

FAA to Require Recertification for Commercial Drone Pilots

Last week, the Federal Aviation Administration (FAA) announced that it will require recertification for those who receive a Remote Pilot Airman Certificate under Part 107 small unmanned aircraft system (UAS or drone) regulations. The certification will only have a 24 month shelf life, and then the pilot needs to recertify their knowledge through additional testing. The additional test will question pilots about weather, loading and performance of the drone and updates on regulation and airspace requirements—these questions will take up about 70-80 percent of the recertification test. The remaining questions will focus on remote operation knowledge, emergency procedures, and drone maintenance. Be sure to keep up with the FAA’s recertification requirements before flying your drone for commercial purposes.

FAA’s LAANC Expands to Western North United States

As planned, the Federal Aviation Administration (FAA) has launched its next wave of its beta Low Altitude Authorization and Notification Capability (LAANC) system, in the western north region of the United States. LAANC helps to support the integration of drones into the national airspace. LAANC allows drone operators to obtain real-time airspace authorizations from air traffic controllers, which greatly decreases the lag time associated with the manual airspace authorization process. LAANC uses airspace data provided through temporary flight restrictions, NOTAMS and facility maps that indicate the maximum altitude around airports where the FAA will authorize drone operations under Part 107 (the federal small UAS rule).

The next launch is set for June 21, 2018.

How Artificial Intelligence is Helping the Drone Industry

Drones may be a relatively new technology, but artificial intelligence (AI) is already taking over. Autonomous drones are becoming more and more prevalent across all types of industries –from agriculture to construction to insurance. AI has actually started to become a force to be reckoned with in the drone industry –AI not only has taken on the task of autonomous flight but also processing data collected during missions and turning it into actionable information and insights. Now an operator can press a button and fly its mission; but the drone (through its AI technology and software systems) also patches photos together and picks out important data relevant to the mission and the underlying business purpose. Of course, in the areas that require the more complex decision-making, humans will remain in charge for the foreseeable future to offer their expertise and experience.

However, overall, AI in drones can bring significant benefits, such as:

  • Improved Efficiency: A drone camera and sensors can gather over 70 terabytes of data in one flight. As AI improves, the data can be mined and product insight about just about anything almost instantaneously.
  • New Insights: Tasks that used to be cost-prohibitive (e.g., counting pallets of mulch) will be automated. It will allow businesses to gain new insights into their inventory and revenue streams. Drones with AI will also be able to automatically track inventory, which will automate procurement and allow supply chains to respond better to changes in inventory (in real time).

AI improvements will streamline time-sensitive processes and turn raw data into useful information. Simple, repetitive tasks can be completed by a drone with AI capabilities allowing humans an opportunity to take on the more challenging tasks and increase efficiency, and ultimately revenue.

Privacy Tip #142 – Ticketfly Purchasers: Read This

If you have ever purchased tickets from Ticketfly, be aware that it took its homepage offline last week because it has experienced a “cyber incident.” It stated that “Following a series of recent issues with Ticketfly properties, we’ve determined that Ticketfly has been the target of a cyber incident…”

A hacker, self-dubbed IsHaKdZ confirmed and displayed database files proving that the incident was real. The hacker supposedly requested one bitcoin to provide the vulnerability to Ticketfly. The information exposed includes customers’ names, addresses, email addresses and telephone numbers.

Ticketfly has issued an FAQ about the incident, so if you are a user, the link to the FAQ page is here, but frankly it is more about how you can continue purchasing tickets than giving information about the compromise. It is still investigating the incident, and notes that the information accessible at this writing was name, address, telephone number and email address. No financial information is included as yet.

Opening a Bank Account with a Smartphone—Dodd-Frank Roll-Back Making Online Banking Easier

President Trump recently signed into law the Economic Growth, Regulatory Relief and Consumer Protection Act, which is already making waves in the financial sector for its repeal of certain Dodd-Frank provisions that were passed in the wake of the 2008 financial crisis. Banks and other financial institutions should take note, however, that the Act also contains provisions designed to facilitate the modernization of  certain banking practices. As one example, the new law includes the Making Online Banking Initiation Legal and Easy (MOBILE) Act, which allows financial institutions to digitally onboard new customers who provide a scanned driver’s license or personal identification card. This practice is already permitted by some states, but thanks to the MOBILE Act, banking customers nationwide will soon be able to open accounts with nothing more than a smartphone.

Remote and mobile onboarding of new customers should lead to reduced banking costs and improvements in customer satisfaction, but financial institutions thinking about making the switch need to consider whether their cybersecurity protocols, policies and procedures are up to date and are specifically tailored to prevent any possible cybersecurity threats related to new onboarding processes.

The full text of the MOBILE Act is available here.

FBI Warning: Russian Hackers Attacking Routers

Late last week, the Federal Bureau of Investigation (FBI) issued a warning to U.S. consumers that Russian hackers (dubbed Sofacy and a/k/a Fancy Brear and APT28, and believed to be backed by the Russian government) had compromised “hundreds of thousands” of home and office routers through malware known as VPNFilter in order to collect information by hijacking the devices and shutting down network traffic. VPNFilter can steal data or order routers to self-destruct.

The warning was on the heels of approval by a court for the FBI to seize a website that was being planned to deliver instructions to the hijacked routers. According to the FBI, “the size and scope of the infrastructure impacted by VPNFilter malware is significant.” It is estimated that the malware has infected 500,000 devices in 54 countries, including the U.S.

Cisco issued its own warning, saying that the malware has affected broadband routers and Wi-Fi devices from Linksys, TP-Link and Negear.

Therefore, the FBI is urging owners of small office and home routers to reboot the devices, and to download patches and software updates to eradicate the malware. Symantec notes that VPNFilter is very difficult to remove and can turn up after a reboot of the device, so it suggests a hard reset of the device to factory settings to remove the malware.

Criminals Cashing in on GDPR Privacy Notices

Over the past several weeks, as the GDPR deadline of May 25 loomed, thousands of organizations sent individuals, including U.S. citizens, notices requesting consent and opt-in to receive further communications. Riding on that wave of confusion and inundating emails, criminals have used the implementation of GDPR to their advantage by impersonating legitimate businesses, including financial firms, and sending what purport to be GDPR notices to customers. However, the notices request that consumers to provide their banking information, and other personal information which is then being used criminally. There is also the possibility of opt-in links being infected with malware and ransomware.

Amid the email GDPR notice overload last week, UK Finance, a representative of the financial services industry, issued a warning to consumers to be vigilant about opt-in notices and links, and to be “wary of any requests out of the blue asking for your personal or financial details.” A GDPR notice should not request banking information, credentials or personal information, and a legitimate bank will never contact a customer asking for their PIN, password, or to transfer funds to another account.

This is an unfortunate opportunity for fraudsters to dupe consumers by using GDPR compliance to their advantage. The same recommendations apply to these opt-in emails as any others, and continued vigilance is necessary.

Ten Drone Test Sites Expand States’ Regulatory Role

At test sites in 10 states –Alaska, California, Florida, Nevada, North Dakota, North Carolina, Kansas, Oklahoma, Virginia and Tennessee – the U.S. Department of Transportation (DOT) granted local-backed drone projects special licenses to test new ways of flying. At these test sites, drone package delivery and nighttime flights will be conducted, which are typically prohibited by the Federal Aviation Administration’s (FAA) small unmanned aerial systems (UAS) rule (Part 107) unless a special waiver is granted. The Trump administration says the goal of these test site projects is to “foster a meaningful dialogue on the balance between local and national interests related to UAS integration, and provide actionable information to the U.S. DOT on expanded and universal integration of UAS into the national airspace system.”

This increased collaboration also gives state, county and tribal governments a greater role in determining future drone regulations. This greater role may actually dilute the federal preemption principle that applies to drone operations that occur within navigable airspace in the U.S. Currently, there is a patchwork of state and local laws governing drone use, but the FAA hopes to create one streamlined set of rules and regulations that does not interfere with the FAA’s exclusive authority to regulate drones in the national airspace. However, these drone projects and state test sites indicate the FAA’s recognition that state and local agencies have a meaningful role to play in the further integration of drones into the national airspace.