Cybersecurity

Unauthorized Wiretapping Laws

Published on: March 13, 2017 | by Law Offices of Salar Atrizadeh

In addition to California’s precautions against unauthorized email access, there are additional Federal measures to protect privacy. Compared to state measures, this gives another way for an individual to seek legal remedies in a federal court. This is broken up into three different statutes, as part of the Electronic Communications Privacy Act, first regarding wiretapping, unlawful access, and pen registers. Yet, to a business only the first two have real consequence, with the final one applying in a narrower scope. So, what is the difference between anti-wiretapping and unlawful access laws? Why might someone choose to sue under the wiretapping statute, but not unlawful access? Can either provision provide an individual the ability to recover for lost or misappropriated sensitive information from electronic mail?

Federal Laws

Federal wiretapping laws are outlined in 18 U.S.C. 2511, which focuses on prohibiting the intentional interceptions of electronic communication unless it is for valid government purposes. Yet, while it is called a wiretapping statute, it’s far more expansive. An unlawful interception would result in a fine and, at most, five years of imprisonment. However, the civil remedies for a violation come from Section 2520, which allows equitable relief (e.g., injunction), punitive damages, and attorney’s fees. The computation of damages is limited to the greater between the actual damages or statutory damages of $100/day for each day of violation or $10,000.

Unauthorized Access To Email

Published on: March 6, 2017 | by Law Offices of Salar Atrizadeh

This article discusses the remedies for unauthorized access to email in the State of California. Now, email is an essential part of our lives and has been granted extensive protections in the state and federal spheres. Beyond that, it can occur in a variety of ways such as: (i) leaving an unlocked device on your desk; (ii) lending someone your email password; (iii) getting hacked by someone; or (iv) simply failing to properly update security on your device. Yet, what laws are in place to punish those who would unlawfully access an email account? What are the consequences? How might this help business owners protect their confidential information and intellectual properties?

California Laws

In California, there are statutes for computer crimes, which would prohibit individuals from unlawfully accessing another person’s email accounts. For example, Penal Code 502 prohibits access without permission of computers, networks, internet websites, electronic mail, and similar things. Although, it should be noted that Penal Code 502 lists other criminal acts, such as knowing misuse of domain names, introductions of contaminants, and deletion of data.

Who Are Script Kiddies?

Published on: February 27, 2017 | by Law Offices of Salar Atrizadeh

There are few things that you consider when forming a cybersecurity framework. Naturally, chief among them are the perpetrators such as hackers who engage in mysterious online threats by constantly adapting to new technology. These hackers might seem indomitable, clever, and always working to break down security. Yet, this is not necessarily the case. What if the nature of the threat was different? What if anyone could become a top-level hacker without sufficient knowledge of computer programming? How might a business address this issue and anticipate a different threat?

What is the nature of the threat?

On the issue of hackers, while there are certainly those who have the skills to access systems, but they are not the only threat. There are three kinds of hackers: First: “white-hat” hackers, who will hack to expose security flaws for a company. Second, “black-hat” hackers who hack to cause harm or gain profit. Third, “script kiddies” who are an offshoot of black-hat hackers. These script kiddies tend not to have the technical skills of a black-hat hacker. Instead, they rely on pre-existing tools that black-hat hackers disseminate. This allows a script kiddie to engage in a more advanced attack and cause harm. One particularly notorious instance occurred on February 7, 2000, where a 15-year old launched a massive DDoS attack using a slightly modified tool that was downloaded online.

What Are Ransomware Laws?

Published on: February 13, 2017 | by Law Offices of Salar Atrizadeh

Now, we know what ransomware is and a little on how to fight against it. So, what are the applicable statutes and how can you recover? Naturally, after a person pays the ransom, or loses their data, they have been harmed by a violation. This could be potentially devastating to a small business or an individual. Yet, there’s no explicit way to recover the funds or recover from the harm except through a lawsuit. While, there is a statute specific to ransomware in California, individuals do have other avenues and claims. What is this new statute? What can someone recover in a lawsuit? Are there any difficulties for ransomware lawsuits?

Ransomware Statutes

In September 2016, California passed a ransomware statute under SB 1137, which in essence amended Penal Code § 523. This was prompted by an uptick of the attacks on hospitals. In the statute, the use of ransomware is punishable by 2-4 years in prison. This is in line with treating ransomware like extortion crimes. Furthermore, it defines ransomware in the statute as a “computer contaminant or lock placed or introduced without authorization into a computer . . . which the person responsible for the placement or introduction of the ransomware demands payment . . . to remove the computer contaminant . . .”

What Is Ransomware?

Published on: February 6, 2017 | by Law Offices of Salar Atrizadeh

A business’s computer network, which may comprise of network and database servers, is the operation’s lifeline. A successful business should require its computer network to be secure and protected. There are many ways that these measures can go wrong. Yes, sometimes hackers can get in and access sensitive information (e.g., trade secrets, intellectual property) without authority. There are countless ways for a hacker to obtain unauthorized access to a private network. However, what happens when the hacker has gained unauthorized access? In the hacker’s tool belt is a special kind of malware known as “ransomware.” What can ransomware accomplish? How can you spot it? How dangerous can it be to your business?

What is Ransomware?

As the name might suggest, ransomware is a program that holds (or claims to hold) data hostage. It then encrypts data, and renders it inaccessible until the data owner pays off the hacker. Generally, the hacker will place the malware on the host computer through an email attachment, special program, unverified email, or malware that accesses a computer through pivoting, and then releasing the “payload” which consists of the malware. After ransomware is activated, it sends an alert on the electronic device, usually demanding payment to an account, in the form of cryptocurrency (e.g., Bitcoin) or credit card payment.

What Is the Future of Internet of Things?

Published on: October 24, 2016 | by Law Offices of Salar Atrizadeh

So, where do we go from here? After the Internet of Things was effectively used as a way to crash various online stores and services, it leaves us with the question of how can we fix this gaping hole in our security that would allow this new technology to continue to exist without causing further risk? As mentioned last week, the most likely solutions are either in the private sector, through consumer choice and manufacturer investment, or through government action. What actions should individuals take? What is the government doing now? What might the government do in the future?

What is the private sector currently doing?

The private sector is not doing much at this time. While consumers could demand more secure smart devices, the focus of the demand for these devices tends to be towards their functioning. In general, less sophisticated consumers buy smart devices for the sake of convenience, with security being a distant thought when compared to the more sophisticated consumers. These smart devices, like any other internet-connected device, occasionally need security updates to remain resistant to online bugs (i.e., malware). So, as the world becomes smarter, this technology will need to adapt and advance, accordingly, in order to mitigate the risks. Yet, without some motive to do so, it’s less likely that resistance to the botnet will emerge, and it may be due to the government’s intervention.

Can Internet of Things Be Misused?

Published on: October 17, 2016 | by Law Offices of Salar Atrizadeh

In recent years, we have all heard the expression before, but how does someone really “break the Internet?” Recently, an incident arose where a large network of electronic devices joined together resulting in a major interference with online businesses and services. Amazon, Netflix, and Yahoo, were hobbled temporarily due to various flaws in the Internet of Things. This flaw allowed individuals to create what’s known as a botnet, to launch a massive DDoS attack to effectively shut down services. So, how would we prevent a similar incident from occurring? Should you be concerned about your smart devices? What about your websites and online services?

How did the Internet of Things become weaponized?

As it stands, the Internet of Things, which comprises of smart devices that connect online for the convenience of individuals, became weaponized against service providers, and created a “botnet.” Effectively, some type of malware was downloaded onto these smart devices prompting them to send requests to certain websites. When these websites become overwhelmed by the requests, it resulted in websites crashing, or becoming generally unavailable to the users. Here, one might wonder how, but the real answer was due to a lack of knowledge, training, and security. Unlike regular computers, tablets, and cellphones, smart devices do not always have the capability for security updates. With this, even for those devices that might be on a more secure network, the Internet of Things still entails those devices being connected online. This makes them vulnerable to more pinpointed attacks. From there, the controller of the botnet can use the Internet of Things to launch the DDoS attack and crash a network.

Internet of Things: Is It Safe or Dangerous?

Published on: October 10, 2016 | by Law Offices of Salar Atrizadeh

As it stands, the Internet of Things can be a dangerous proposition. Due to various hacking techniques, like rubber ducks, pineapples, and pivoting, one must wonder, if it can be hacked into, and if so, then what can we do about it? What about cars, planes, trains, and power plants? To this point, the U.S. Government has launched the Cybersecurity National Action Plan or CNAP. The idea is to add more information and resources into the system, increasing the amount of resources to help build up cybersecurity and investing resources into security measures. So, what is the government doing with CNAP? How might this help a business? How might this help individuals?

What does CNAP do?

It’s a set of guidelines and goals that the Obama Administration has implemented to help build the cybersecurity network, protect against attacks on the Internet of Things, and the general national network as a whole. The first, and easiest way it plans to do this is through the 2017 budget, allocating approximately 19 billion dollars for cybersecurity, up by 35% from the previous year’s budget. It also incorporates and promotes other existing goals and changes, such as the BuySecure Initiative requiring credit cards to incorporate smartchips, and making large businesses use the smartchip option rather than the traditional magnetic strip. CNAP also incorporates other ideas, such as multifactor authentication, identity for Federal Government digital services, training for small businesses, and relaunching identitytheft.gov. Therefore, it is less of a new initiative, but rather a continuation of previous actions.

Avoiding Banking Fraud

Published on: October 3, 2016 | by Law Offices of Salar Atrizadeh

Nowadays, we’re using the web for numerous purposes, including, but not limited to, online banking. So, we should be able to protect our financial information. There are many options for hackers to gain access to financial information, and without the prerequisite security, financial information can be accessed by hackers. The law outlines the rules for financial institutions, such as data protection, data sharing, data preservation, security breach notification, or insurance requirements. Also, there are different standards when it comes to consumer and business bank accounts. For example, businesses face different prerequisites that must be fulfilled prior to submitting a claim towards a financial institution.

How might hackers commit banking fraud?

Looking at how hackers may even access your financial information, there are a few tools that need to be highlighted. Among them are Pivoting, Rubber ducks, and Pineapples. While this perhaps sounds odd, the way they can work is terrifying. Pivoting is a process hackers can use to break into a computer system by accessing it through an already-compromised device. For example, a hacker may access a web server by gaining access to an email server within the same network. These discrepancies can also occur between smart devices, which indicate a downside to the Internet of Things. Rubber ducks are special USB drives with small processors. They act as a “Trojan Horse” by downloading and re-uploading information quickly and autonomously without causing alerts. Pineapples, in comparison, are more likely to come across, but more difficult to avoid. These are devices that “clone” Wi-Fi networks. They will function in the same way, allowing individuals to connect and access the web, but can also be used to access and hack data after someone is connected. Pineapples and Rubber ducks are dangerous because they can download “keyloggers” onto computers, which would record and transfer confidential information (e.g., passwords, financial data) to the hacker’s computer.

FCC Proposes New Broadband Privacy Regulations

Published on: March 28, 2016 | by Law Offices of Salar Atrizadeh

This one isn’t an April Fools’ prank. On April 1, 2016, the Federal Communications Commission (“FCC”) announced its proposed rulemaking to create regulation that would bind Broadband Internet Access Service (“BIAS”) providers in the interest of enhancing privacy towards consumers. This proposal has raised objections from AT&T, Comcast, USTelecom, and the Application Developer’s Alliance, claiming that the ensuing regulations would create a morass of regulation in the privacy sphere. Yet, the FCC’s regulations are to prohibit the monetization of the information that these providers would have due to the use of their services. So, what is a BIAS and how could these rules possibly protect privacy?

What is a BIAS provider?

The BIAS providers provide internet service through wire or radio. The FCC even expands this to any functional equivalents to BIAS providers. Of some note is which entities are not BIAS entities. For example, companies like Facebook, Apple, and to some extent, Google, would not be bound by the terms here and could use the information that is collected through their services. This is because none of them actually provide the internet service that their consumers use. There is some room for Google to be prohibited as it provides internet service in some locations through Google Fiber, but the regulations would only prohibit the information that was gained through the use of its internet services, but not services that it provides towards online consumers. Thus, Google’s Fiber service would likely be prohibited from using consumer’s personal information, while Google’s YouTube service would not.