NSA + FBI Warn Defense Contractors of Russian Hackers

When the National Security Agency (NSA) and the Federal Bureau of Investigations (FBI) get together to issue a joint warning, you may wish to listen up.

The NSA and FBI recently alerted the defense industry through a Cybersecurity Advisory of the risk of malware attacks targeted at the defense and aerospace sectors by Russia’s General Staff Main Intelligence Directorate’s 85th Main Special Service Center, also known as Fancy Bear,  APT28 or GRU. The attacks are specific to Linux systems.

According to the Advisory, “[T]he malware represents a threat because Linux systems are used pervasively throughout National Security Systems, department of Defense and the Defense Industrial Base” so “stakeholders should take action as appropriate.”

Following the Advisory, security experts are suggesting that if an organization uses Linux systems, assessment of security tools to detect and prevent malware is a top priority.

California Consumer Privacy Act (CCPA) Regulations Final

The California Consumer Privacy Act (CCPA), touted as the toughest privacy act in the country, went into effect on July 1, 2020. Although the enforcement regulations have been tweaked three times during the last year, this week California Attorney General Xavier Becerra (AG) issued the final set of rules that his office will use to enforce the law.

According to the AG, the regulations were approved on August 14 after non-substantive changes were made by his office. Therefore, companies can use the final regulations to assist in determining their compliance with the law.

Although the AG has not yet publicly commenced an enforcement action under the law, the AG has stated that those efforts started on July 1. We anticipate that those efforts will be strategic and well thought out by the AG, as we have seen with the enforcement actions of other privacy laws. We believe that enforcement actions will be determined based upon the brands targeted, the substance of the violations, and where guidance can be the most impactful.

Now that the regulations are final, if they haven’t done so yet, companies may wish to review their compliance efforts with CCPA.

Northrop Grumman Enlists the Expertise of Start-Ups to Bring Autonomy to the Military

Northrop Grumman and hundreds of small technology defense firms are making new efforts to fast-track robotics and autonomous systems to war, by seeking new, non-traditional, start-up firms to explore unique new innovations. Hunter Hudson, Director for Northrop Grumman said, “We are working on autonomy, sense and avoid technology and robust navigation in a GPS-denied environment.”

The company held an “Autonomy Pitch Day” recently, which they used to help identify promising start-ups that offer military technological solutions able to make a fast and substantial impact upon emerging weapons systems. This outreach is based on the fact that many start-ups have (and will) come up with unprecedented innovations that may have autonomous applications for the military. Essentially, these non-traditional entities could help spur an influx of product development efforts in this industry.

As the pace of technological change continues to increase, military development of robotics, autonomous systems and unmanned drones and drone systems will become increasingly important. Autonomy in the air is less challenging than ground autonomy (although still difficult), given that there are fewer obstacles in the sky. Algorithms enabling ground navigation are much different due to how quickly obstacles emerge and how drones and unmanned systems need to quickly maneuver or change direction in relation to other moving objects. Nevertheless, the Army expects that its armored vehicles of the future will function with a small fleet of nearby drones for attack or reconnaissance missions, while the Navy anticipates using a “Ghost Fleet” of unmanned surface vessels to carry out missions, share information and transmit time-sensitive data to human commanders. The Air Force hopes to launch autonomous drone swarms from airborne motherships or fighter jets.

Northrup Grumman is looking to start-up innovators to help address the issues that remain for these plans for the future. It is important for large players such as Northrup Grumman to look to these extremely promising, but not yet tested, new solutions to generate significant technological breakthroughs.

Privacy Tip #248 – Social Media Data Leak Exposes Millions of User Profiles

If you use social media frequently, especially TikTok, Instagram and YouTube, you may want to take note of a recent report by a security research team at Comparitech that an unsecured database has exposed 235 million Instagram, TikTok and YouTube user profiles. The exposed information may have included profile names, real names, profile photos, and account descriptions, and some might also have included telephone numbers and email addresses. In addition, users’ statistics were exposed, including the number of followers, engagement rate, growth rate, audience age, gender, location, user’s age and likes. 

Although some of the information is publicly available, according to Comparitech, “…the fact that it was leaked in aggregate as a well-structure database makes it much more valuable than each profile would be in isolation.”  This is because it saves the scammers a lot of time and effort with having to aggregate all the data elements together to prepare a profile of the user.

The information is a set up for massive phishing schemes.  If you use TikTok (consider twice before using TikTok in the first place), Instagram or YouTube, and you have a user profile, be especially aware that you will be targeted more than ever before with phishing attacks.

Carnival Cruises Hit with Ransomware

Adding insult to injury for cruise ship company Carnival Corporation (Carnival) following the hit from the pandemic to the travel industry as well as a class action lawsuit relating to the Diamond Princess’ fate during the pandemic, Carnival disclosed in its August 17, 2020 8-K filing that it recently  experienced a ransomware attack. According to reports, Carnival disclosed that the successful attack accessed and encrypted a portion of its IT systems and the attackers demanded a ransom to provide the encryption key. A double whammy for a company that has been hit hard by the pandemic. It reiterates that cyber criminals just don’t care if you are down on your luck and will hit victims whenever they can.

It also is reported that Carnival has confirmed that the attackers exfiltrated and downloaded some of its data, which may have included the personal information of customers and employees. Unfortunately, if the attackers were Maze or ReVIL/Sodinokibi, this may signal that Carnival is in for a second request for ransom if they don’t pay the first one to obtain the encryption key.

Carnival is the largest cruise ship operator in the world, employing over 150,000 individuals. It is estimated that more than 13 million people book a Carnival cruise each year, so depending on the data that were stolen and how long the company stored employee and customer personal information, the incident could involve the data of tens of millions of individuals.

Carnival is in the midst of its investigation and is working with law enforcement and cybersecurity experts. It has stated that the attack has not materially affected its business operations or financials.

Maze Continues to Strike Companies

It is being reported by ZDNet that the Maze ransomware group has attacked two companies that, apparently, refused to pay the requested ransom, so Maze, as it promises, recently released approximately 76GB combined of the companies’ data on the Internet.

True to its threat, once Maze is able to infiltrate a company’s system, it exfiltrates data without the company’s knowledge, then encrypts the data and drops a ransomware note. If the company elects to migrate to its back-up system and refuses to pay the ransom, Maze notifies the company that it has already exfiltrated data and that if the company does not pay a ransom for a certificate of destruction, it will release the data online.

So far, based on our research, Maze has, in an oxymoronic kind of way, been men of their word, as we have not seen any reports that they have reneged on their promise to destroy the data. Criminals who will keep their word! It is a difficult concept to wrap one’s brain around.

Of course, it does make sense, because if they were to accept Bitcoin for a certificate of destruction and then share the data with other criminals or post it online, the word would get out quickly and no companies would ever pay for a certificate of destruction, as they would have no confidence that the criminals would keep their promise. This would destroy Maze’s entire business plan and their flow of income. Ransomware is here to stay and the attacks are becoming more and more sophisticated.

Capital One Settles with Bank Regulator for $80M for Data Breach

The U.S. Office of the Comptroller of the Currency (OCC) announced this week that it has entered into a Consent Order and fined Capital One $80 million for the data breach the company experienced last year. The OCC announced the fine and stated that it was the result of an investigation that found that Capital One failed to adequately identify and manage risk as it moved significant portions of its technological operations to the cloud.

In its Consent Order, the OCC stated that the company lacked sufficient network security and data loss prevention controls and that when the internal audit department did identify issues, the bank’s board of directors failed to hold management accountable to address them.

The data breach affected the information of 100 million individuals from the U.S. and 6 million Canadians. Of the data that were compromised, approximately 140,000 Social Security numbers and 80,000 linked bank account numbers were affected.

The OCC also is requiring Capital One to enhance security measures to adequately guard against general cybersecurity risks as well as risks specific to cloud operations, which are required to be submitted and reviewed by the regulator.

Privacy Tip #247 – TikTok in Multiple Cross Hairs

I have never been a fan of TikTok [view related post]. In general, I do not trust any Chinese technology companies because of the influence and requirements the Chinese government wields over them. The Chinese government has been stealing U.S.-based companies’ intellectual property for decades, has required U.S.-based companies to provide computer code in order to do business in China, and represses free speech on social media.

TikTok is a prime example of how important it is to monitor the apps that we and our children download. The newest apps become a craze overnight, everyone starts talking about them, and to be cool, we download them without reviewing the privacy policy and terms of use. Click, click “I agree” and before you know it a foreign government is amassing additional large amounts of data about you or your children that you are freely giving to it.

Unfortunately, many TikTok users are children, and they are even less likely to understand the risks of downloading the app. TikTok is facing as many as 10 lawsuits that allege it has been using facial recognition technology and collecting biometric information of its users, particularly children, without parental consent. The lawsuits were consolidated yesterday in Illinois.

My recommendation is to delete TikTok from your phone and ask your children to do the same. I have been saying this for a long time, and if you don’t care about my recommendation, then consider that the U.S. Senate, which, following approval of a similar bill in the U.S. House of Representatives, unanimously approved a bill yesterday that requires all U.S. government employees to delete the TikTok app from their phones due to national security concerns. It is expected that the President will sign the measure into law. Now this is what bipartisan cooperation is all about. At the moment, the law only applies to federal workers, but it is a sound measure that private citizens may wish to consider.

The President will no doubt sign the bill into law as TikTok is in his crosshairs as well, and he has stated that he is on a mission to ban TikTok from the U.S.

Massachusetts Ballot Question Poses Privacy Concerns

Ballot Question 1 in Massachusetts, if passed in November, would require car manufacturers that sell cars equipped with telematics systems (i.e., a method of monitoring a vehicle by combining a GPS system with on-board diagnostics to record – and map – exactly where a car is and how fast it’s traveling, etc.) to install a standardized, open data platform beginning with model year 2022. Such a system would allow the cars’ owners to access their telematics system data through a mobile app and give their consent for independent repair facilities to access those data and send commands to the system for repair, maintenance, and diagnostic testing.

An open data platform is primarily designed to help big-data developers in creating big-data applications on a common platform. It provides a baseline model to build applications and services that can be interoperable on different platforms. While this platform would allow for use by many different users, this proposed open data platform may also presents security risks to those providing the information. From loss of confidentiality, to the higher potential for compromising personal information, releasing data inherently puts the data at risk.

Currently, Massachusetts’ Right to Repair law (signed into law in 2013), exempts  telematics systems from accessibility by car owners and independent repair facilities. This means that the car’s telematics system may only be accessed by the brand manufacturer, which may limit a car owner’s ability to choose where the system can be updated or repaired.

A “yes” to the ballot question “supports requiring manufacturers that sell vehicles with telematics systems in Massachusetts to equip them with a standardized open data platform beginning with model year 2022 that vehicle owners and independent repair facilities may access to retrieve mechanical data and run diagnostics through a mobile-based application,” while a “no” opposes this initiative.

Tommy Hickey, director of Massachusetts Right to Repair Coalition, said, “This is really a fight for Massachusetts consumers. Without this information, people may lose the choice to bring their car to an independent repair shop.” Opposingly, the Coalition for Safe and Secure Data’s spokesman, Conor Yunits, said, “This ballot question will create easy opportunities for strangers, hackers and criminals to access consumer vehicles and personal driving data–including real-time location. It will put people at risk, without doing anything to improve the consumer experience.” Both sides seem to be part of a fight for consumers.

Size Doesn’t Matter for OCR Enforcement Actions

Small health care organizations may think they are under the radar of the Office for Civil Rights (OCR), but a settlement the OCR agreed to last week should disabuse small health care providers of that notion.

On July 23, 2020, the OCR issued a press release outlining the terms of its settlement with Metropolitan Community Health Services (Metro), doing business as Agape Health Services. Metro agreed to pay $25,000 to the OCR and to adopt a corrective action plan, including two years of monitoring, to settle an enforcement action OCR initiated against Metro.

The controversy began when Metro self-reported a data breach on June 9, 2011 pursuant to the HIPAA breach notification regulations after it discovered an “impermissible disclosure of protected health information to an unknown email account” that affected 1,263 patients.

OCR commenced an investigation and found “longstanding, systematic noncompliance with the HIPAA Security Rule. Specifically, Metro failed to conduct any risk analyses, failed to implement any HIPAA Security rule policies and procedures, and neglected to provide workforce members with security awareness training until 2016.”

As with all settlements that the OCR enters into with regulated entities, lessons can be learned from this one, including consideration of reviewing the last time a security risk assessment was performed, review of a business’ HIPAA compliance program, including policies and procedures that comply with the Security Rule, and security awareness training for its workforce.