SEC Brings Fraud Action Against ICO Creator

In its first lawsuit targeting Initial Coin Offerings (ICOs), the Securities and Exchange Commission (SEC) has filed fraud charges against the creator of the ICOs marketed as “REcoin” and “DRC.” The action, filed in the United States District Court for the Eastern District of New York on September 29, 2017, alleges that Maksim Zaslavskiy, operating through two wholly owned companies, raised over $300,000 from investors based on false claims the digital “tokens” or “coins” being marketed were backed by investments in either real estate or diamonds. According to the SEC’s Complaint, not only were funds raised by the ICO not invested in any assets, the digital tokens did not actually exist. Despite representations by Zaslavskiy, no digital tokens and actually been developed or issued on a blockchain, leaving investors with no value in exchange for their payments. Continue Reading

McAfee Report Lists Health Care Sector as Most Targeted Industry for Cyber-Attacks

In its cyber security incident report outlining vulnerabilities for the second quarter of 2017, security firm McAfee lists the health care sector as having suffered the most security incidents, which surpasses the public sector for the first time in six quarters. It confirmed that cyber-attacks against the health care sector continue to increase.

Although that statistic is disturbing, but not surprising, alarming statistics from the report include that there was a 67% increase in new malware samples in the second quarter of 2017 which equates to a whopping 52 million different kinds of malware in that quarter alone. The total number of malware samples were up 23% to close to 723 million different types of malware. That number is staggering and hard to grasp.

New ransomware increased 54% in the second quarter of 2017, and the total number of ransomware samples grew 47% in the past year totaling 10.7 million samples.

These statistics reinforce how companies are getting inundated with malware and ransomware on a daily basis and that it continues to be a major problem in protecting company data. It is hard to fathom trying to defend against 52 million new types of malware and 10.7 million new types of ransomware in a three month period of time, but that is the reality that exists for IT professionals.

U.S. Treasury Warns Financial Institutions of Venezuelan Corruption and Money Laundering

The Financial Crimes Enforcement Network (FinCEN) of the U.S. Department of the Treasury issued an advisory on September 20 warning U.S. financial institutions of “money laundering schemes used by corrupt Venezuelan officials.” The advisory was addressed to Private Banking Units, Chief Risk Officers, Chief Compliance Officers, AML/BSA Analysts, Sanctions Analysts and Bank Legal Departments, and identified a number of red flags to help financial institutions spot instances where corrupt senior politicians may be attempting to use Venezuelan government contracts to embezzle funds and receive bribes.

If identified during the course of its regulatory and operational due diligence processes, a red flag should alert the financial institution to the heightened possibility of money laundering and warrant further inquiry by the financial institution. The red flags include:

  • Transactions involving government contracts that are directed to personal accounts, shell corporations, general trading companies, companies that lack a general business purpose or companies that operate in a line of business unrelated to the government contract.
  • Transactions involving the purchase of luxury real estate, particularly in South Florida or Houston, by current or former government officials, their family members or associates.
  • Invoices and other corroborating government contract documents that lack traditional details, are overly simple, or include charges that are significantly higher than traditional market rates.
  • Payments, especially cash deposits, involving Venezuelan government contracts that originate from accounts in jurisdictions outside of Venezuela.

Although the advisory does not create any new regulatory obligations, FinCEN reminded U.S. financial institutions that, in additional to general account opening due diligence requirements, Anti-Money Laundering and Suspicious Activity Reporting obligations should also be considered when dealing with Venezuelan officials and government contracts.

The FinCEN advisory with a complete list of red flags can be viewed in full here.

Home Depot Settles Data Breach Class Action Case with Financial Institutions and Counsel for $42.55 million

Following its data breach in 2014, Home Depot was sued by thousands of financial institutions requesting recovery of costs associated with the issuance of new credit and debit cards to 50 million individuals affected by the breach.

Last week, an Alabama federal judge approved a proposed settlement with the financial institutions for $27.25 million.

The judge also approved a request for $15.3 million in attorneys’ fees for the attorneys representing the financial institutions in the class action case.

Sonic Latest Food Chain to Suffer Credit Card Breach

After being notified of “unusual activity” on credit cards by its credit card processor, Sonic Drive In has confirmed that it is working with forensic experts and law enforcement on a potential credit card breach. It has not been reported of whether or not debit cards may be involved as well.

Sonic operates approximately 3,500 restaurants in 44 states and it has stated that it is “working to understand the nature and scope of this issue.”

These compromises of credit cards being used at food chains is a reminder that paying cash for small purchases is a good practice for one’s privacy and security hygiene and protection.

Study Finds 73 percent of Medical Professional Use Others’ Passwords

We all know by now that we are not supposed to give our passwords to anyone else or use someone else’s passwords to access an electronic system.

Despite this basic data security tenant, a new study by Healthcare Informatics Research reports that 73% of medical professionals admit that they have used another’s password to access an electronic medical record (EMR).

The survey asked 299 medical professionals in hospital settings if they had ever used someone else’s password to access an EMR. Of those questioned, 100% of the medical residents said yes, they had, and 57.7% of nurses admitted they had as well.

The study found that the reason the residents had violated basic security hygiene was that they had not been given a user account of their own, or did not have access rights to access information that was needed to fulfill their duties.

The authors of the study recommended:

  • work on having less burdensome processes for workers to attain appropriate access credentials for their job duties
  • extend EMR access to Para-medical, junior staff, interns and students in understaffed hospitals during on-call hours and delegate administrative tasks
  • allow maximum privileges for one-time use in lifesaving conditions to junior staff so using someone else’s password is not necessary

These recommendations will have to be individually evaluated by hospitals in the context of their HIPAA compliance programs.

BZZZ! Research on the Annoying Noise of UAS

The National Aeronautics and Space Administration (NASA) released the results of a study that determined how annoying the ‘bzzz’ of unmanned aircraft systems (UAS or drones) really is to the public on the ground below. NASA researchers compared the noise generated by drones to that of cars, and found that indeed, there was a greater degree of annoyance with drone noise than cars by the public at large. The report, “Initial Investigation into the Psychoacoustic Properties of Small Unmanned Aerial System Noise,” deals with more than just the annoyance level of drone noise, but also analyzes the effects on the environment around the drone. Because the noise of drones is unlike that of other aircraft, and because there are not yet other studies on this issue, NASA researchers are trying to record the noises of various types of drones (known as a ‘psychoacoustic test’) and analyze that data. This could help to create better technologies and designs for drones to limit the noise (and the annoyance) that drones bring to our airspace. Not only did researchers in this study record the noise from drone flights, but they also recorded the noises from a passenger hatchback, utility van and a diesel-powered box truck. They also incorporated computer-generated noises of a quadcopter and a small civil aviation plane.

The human subjects—38 people who were not told the sources of the sounds, were asked to rate each noise from not at all annoying to extremely annoying (with slightly annoying, moderately annoying and very annoying in between). Most subjects noted that they found the high-pitched noises to be more annoying than the low-pitched ones, as well as the noises that appeared to linger were also generally described as more annoying. NASA researchers are still reviewing this data and will certainly conduct more tests. One issue with this study could be, according to researchers, that the subjects were familiar with the noise of a car as opposed to the buzzing of a drone.

This is certainly an important issue for the commercial drone industry, so that the consumer public on the ground below will accept the operation of drones above. And according to NASA researchers in this study, flying the drones higher may not be the only solution –design revisions and noise reducers may alleviate the annoyance and lead to more acceptance by the public at large. There will likely be more studies to come in this subject area as more drones hit the skies.

Drone Use Prohibited at DOI Landmarks

The Federal Aviation Administration (FAA) has prohibited drone flights at 10 Department of the Interior (DOI) landmarks across the country. Title 14 of the Code of Federal Regulations (14 CFR) § 99.7 – “Special Security Instructions” is being used by the FAA to address concerns about drone use at the 10 sites.

Staring on October 5th, drone flights will be prohibited up to 400 feet within the lateral boundaries of these landmarks:

  • Statue of Liberty National Monument in New York City;
  • Boston National Historical Park (U.S.S. Constitution) in Boston;
  • Independence National Historical Park in Philadelphia;
  • Folsom Dam in Folsom, Calif.;
  • Glen Canyon Dam in Lake Powell, Ariz.;
  • Grand Coulee Dam in Grand Coulee, Wash.;
  • Hoover Dam in Boulder City, Nev.;
  • Jefferson National Expansion Memorial in St. Louis;
  • Mount Rushmore National Memorial in Keystone, S.D.; and
  • Shasta Dam in Shasta Lake, Calif.

A few exceptions to the ban will allow drone operators to fly near these sites, but they must be handled directly with the facility and/or the FAA. Drone operators who do not comply with this ban may be subject to criminal charges and other civil penalties. An online map with the restrictions has been created by the FAA, and the FAA’s mobile app, BFUFLY, will soon be updated to include the restrictions. Although this is the first time the FAA has placed restrictions for unmanned aircraft systems (UAS) at DOI sites, such restrictions exist over military bases. Other federal agencies have made requests to the FAA as well, which are being considered.

Privacy Tip #108 – October is National Cybersecurity Awareness Month: Beware of Scam Netflix Email

Happy National Cybersecurity Awareness Month. I wish it was more uplifting than the current state of affairs, but it has never been so important.

One of the most recent scam to hit consumers is by impersonating Netflix.

If you are a Netflix user, beware of a new scam that looks like an email that comes from Netflix that tells users that their account is disabled and asks users to input bank account information to enable the account. It uses the Netflix logo and looks very real. It says they are having “trouble with your current billing information,” that they will try later, but in the meantime, please provide current information like telephone number and bank information.

When users input the information, the hackers now have access to the users’ bank information.

The email is sent to users from supportnetflix@checkinformation.com. When users click the embedded link within the body of the email, it forwards them to a fraudulent Netflix page where they enter their bank information, which hackers then have access to and can use.

Don’t relay your bank account information through a website or online and beware of this scam using Netflix’s logo. Enjoy your movies—but always be safe with your bank account information.

To Be Cyber Secure – May Not Mean You Are Export Secure

Ensuring that technical data is compliant with both export regulations and cybersecurity requires an understanding of what export controlled technical data/technology relate to and how they work together. The two major export control regulations, The International Traffic In Arms Regulations (ITAR) and the Export Administration Regulations (EAR), define controlled technical data/technology differently. Click for the ITAR definition and for the EAR definition.

An effective approach requires incorporating export regulations into cybersecurity protocols. This means the IT architecture needs to embrace not only the encryption requirements and authentication protocols in order to access a company’s systems, files, share drives, but also to analyze what “employees” have access to once they have validly entered their companies domain.

Even though the environment is secure by cybersecurity standards – it may not be “export” compliant.

Example – if a company has export controlled data, which could be cyber security compliant (i.e., encrypted) –  a potential export violation could occur if the person accessing the data (or potentially able to access it) doesn’t have the proper export authority based on their nationality/location. A U.S. company sets up an office in the United Kingdom (U.K.) and hires a U.K. citizen to work in that location. The U.K. citizen then gains access to the company’s server, which has export controlled technical data/technology located on it, another words, the U.K. citizen has not be firewalled out of the location where the controlled data is located. If the employee accessed the data or not (potential access) may constitute a potential export violation.

The recent trend is to have more cybersecurity measures identifying the “export controlled data” – and how it is being identified, controlled, and tracked.

LexBlog