Articles Posted in Cybersecurity

In recent years, we have all heard the expression before, but how does someone really “break the Internet?” Recently, an incident arose where a large network of electronic devices joined together resulting in a major interference with online businesses and services. Amazon, Netflix, and Yahoo, were hobbled temporarily due to various flaws in the Internet of Things. This flaw allowed individuals to create what’s known as a botnet, to launch a massive DDoS attack to effectively shut down services.  So, how would we prevent a similar incident from occurring? Should you be concerned about your smart devices? What about your websites and online services?

How did the Internet of Things become weaponized?

As it stands, the Internet of Things, which comprises of smart devices that connect online for the convenience of individuals, became weaponized against service providers, and created a “botnet.”  Effectively, some type of malware was downloaded onto these smart devices prompting them to send requests to certain websites. When these websites become overwhelmed by the requests, it resulted in websites crashing, or becoming generally unavailable to the users.  Here, one might wonder how, but the real answer was due to a lack of knowledge, training, and security. Unlike regular computers, tablets, and cellphones, smart devices do not always have the capability for security updates. With this, even for those devices that might be on a more secure network, the Internet of Things still entails those devices being connected online. This makes them vulnerable to more pinpointed attacks.  From there, the controller of the botnet can use the Internet of Things to launch the DDoS attack and crash a network.

As it stands, the Internet of Things can be a dangerous proposition. Due to various hacking techniques, like rubber ducks, pineapples, and pivoting, one must wonder, if it can be hacked into, and if so, then what can we do about it? What about cars, planes, trains, and power plants? To this point, the U.S. Government has launched the Cybersecurity National Action Plan or CNAP. The idea is to add more information and resources into the system, increasing the amount of resources to help build up cybersecurity and investing resources into security measures. So, what is the government doing with CNAP? How might this help a business? How might this help individuals?

What does CNAP do?

It’s a set of guidelines and goals that the Obama Administration has implemented to help build the cybersecurity network, protect against attacks on the Internet of Things, and the general national network as a whole. The first, and easiest way it plans to do this is through the 2017 budget, allocating approximately 19 billion dollars for cybersecurity, up by 35% from the previous year’s budget.  It also incorporates and promotes other existing goals and changes, such as the BuySecure Initiative requiring credit cards to incorporate smartchips, and making large businesses use the smartchip option rather than the traditional magnetic strip.  CNAP also incorporates other ideas, such as multifactor authentication, identity for Federal Government digital services, training for small businesses, and relaunching identitytheft.gov.  Therefore, it is less of a new initiative, but rather a continuation of previous actions.

Nowadays, we’re using the web for numerous purposes, including, but not limited to, online banking.  So, we should be able to protect our financial information. There are many options for hackers to gain access to financial information, and without the prerequisite security, financial information can be accessed by hackers.  The law outlines the rules for financial institutions, such as data protection, data sharing, data preservation, security breach notification, or insurance requirements.  Also, there are different standards when it comes to consumer and business bank accounts.  For example, businesses face different prerequisites that must be fulfilled prior to submitting a claim towards a financial institution.

How might hackers commit banking fraud?

Looking at how hackers may even access your financial information, there are a few tools that need to be highlighted. Among them are Pivoting, Rubber ducks, and Pineapples. While this perhaps sounds odd, the way they can work is terrifying. Pivoting is a process hackers can use to break into a computer system by accessing it through an already-compromised device. For example, a hacker may access a web server by gaining access to an email server within the same network.  These discrepancies can also occur between smart devices, which indicate a downside to the Internet of Things. Rubber ducks are special USB drives with small processors. They act as a “Trojan Horse” by downloading and re-uploading information quickly and autonomously without causing alerts. Pineapples, in comparison, are more likely to come across, but more difficult to avoid.  These are devices that “clone” Wi-Fi networks. They will function in the same way, allowing individuals to connect and access the web, but can also be used to access and hack data after someone is connected. Pineapples and Rubber ducks are dangerous because they can download “keyloggers” onto computers, which would record and transfer confidential information (e.g., passwords, financial data) to the hacker’s computer.

This one isn’t an April Fools’ prank.  On April 1, 2016, the Federal Communications Commission (“FCC”) announced its proposed rulemaking to create regulation that would bind Broadband Internet Access Service (“BIAS”) providers in the interest of enhancing privacy towards consumers.  This proposal has raised objections from AT&T, Comcast, USTelecom, and the Application Developer’s Alliance, claiming that the ensuing regulations would create a morass of regulation in the privacy sphere.  Yet, the FCC’s regulations are to prohibit the monetization of the information that these providers would have due to the use of their services.  So, what is a BIAS and how could these rules possibly protect privacy?

What is a BIAS provider?

The BIAS providers provide internet service through wire or radio.  The FCC even expands this to any functional equivalents to BIAS providers. Of some note is which entities are not BIAS entities.  For example, companies like Facebook, Apple, and to some extent, Google, would not be bound by the terms here and could use the information that is collected through their services.  This is because none of them actually provide the internet service that their consumers use.  There is some room for Google to be prohibited as it provides internet service in some locations through Google Fiber, but the regulations would only prohibit the information that was gained through the use of its internet services, but not services that it provides towards online consumers.  Thus, Google’s Fiber service would likely be prohibited from using consumer’s personal information, while Google’s YouTube service would not.

On August 24, 2015, the United States Court of Appeals for the Third Circuit handed down its decision in favor of the Federal Trade Commission (FTC) against Wyndham Worldwide Corporation.  This lawsuit was against the defendant and its subsidiaries for their failure to implement proper cybersecurity measures and protect consumers’ personal information against hackers.  The FTC alleged that defendants did not use encryption, firewalls, and other commercially reasonable methods for protecting personal information.

What was the basis of the lawsuit?

In general, the FTC has the responsibility to protect consumers against unfair and deceptive business practices. These illegal practices could range from false advertising to antitrust issues. The FTC has started to prosecute companies with inadequate cybersecurity to protect consumer data. The companies that made false statements about their level of security in their terms of service also had lawsuits filed against them.  In this case, between 2008 and 2009, hackers breached Wyndham Worldwide Corporation’s network and computer systems three separate times. One incident occurred in 2008 and two occurred in 2009.   The hackers were allegedly able to breach the network due to the use of weak and obvious passwords, lack of response to the first incident, and inadequate monitoring systems.  In one of the instances, it took approximately two months for Wyndham Worldwide Corporation to discover its systems had been accessed without authorization. The hackers successfully accessed personal information of approximately 619,000 consumers and managed to cause $10.6 million in fraudulent charges. Therefore, on June 26, 2012, the FTC brought the lawsuit against defendants.  Their motion to dismiss was denied by the district court and their appeal was heard on two issues in order to determine whether there was a valid claim.  The issues that were raised included: (1) whether the FTC had authority to regulate cybersecurity under 15 U.S.C. § 45; and (2) if so, whether defendants received fair notice that their cybersecurity practices were inadequate under the guidelines.

This year saw the data breaches of Sony Pictures, Ashley Madison, and Experian Credit Bureau. The increasing commonality of data breaches has prompted the federal and state legislatures to review their data breach notification laws.

What is a data breach?

A data breach occurs when an unauthorized user (i.e., hacker) accesses sensitive personal identifiable information. The hacker then copies the confidential information and uses it as he or she sees fit.  Often times, the personally identifiable information is used to commit identity theft and fraud.  This information can include, names, telephone numbers, email addresses, credit card numbers, or social security numbers. The target of these breaches can be businesses, financial institutions, and health care institutions.

The Internet of Things (“IoT”) is the network of electronic devices that communicate with each other via the Internet without human intervention.  It has caused concerns regarding security since vast amounts of unsecure electronic devices are being used to send and receive information. Furthermore, the data breaches that lead to the loss of privacy have become more common as the Internet is used to connect electronic devices via private and public networks.

What is the proper security level for electronic devices?

Electronic devices that connect to each other over the Internet were created to transfer information, but were not originally designed with proper security features. What is the proper security level when electronic devices are interconnected? In order to avoid unauthorized access, security precautions should be implemented within the electronic devices and computer networks. For example, firewalls, encryptions, intrusion detection systems, and multi-factor authentications should be implemented as preventive and reactive measures. The electronic devices—which are accessed via the Internet—should be segmented into their own network and include network access restrictions.  Also, consumers should change the default passwords on smart devices and implement strong passwords.

The Internet of Things (a/k/a “IoT”) functions through smart devices that communicate with each other and collect data without human interaction. These devices include smart cars, smart homes, smart hospitals, smart highways, or smart factories.  However, the lack of security protecting information is creating privacy concerns as data is collected by companies and shared with third parties (e.g., marketing firms, governmental agencies).  Also, the smart device can be accessed without authorization (i.e., hacked) by third parties and its information can be used for various illegal purposes.

What is the Internet of Things and what private information does it hold?

According to the Organization for Economic Cooperation and Development (“OECD”), one of the Fair Information Practice Principles is the collection limitation of personal data. Stated otherwise, data should be collected with the owner’s consent, through fair and lawful means, and should be limited.  The OECD has issued its guidelines that are considered as minimum standards for the protection of privacy and individual liberties.  From a practical standpoint, these principles (and relevant guidelines) should be uniformly enforced in the United States and other countries.

According to its website, the Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. LifeLock has used the massive security breaches of companies like Anthem and Target to increase its membership. On July 21, 2015, the Federal Trade Commission (FTC) claimed that LifeLock—an identity theft protection company—has violated a 2010 Settlement it had made with the agency and thirty-five state attorneys general. This assertion was made due to LifeLock’s alleged misrepresentation of its security capabilities and failing to take steps to protect consumers’ information.

What is the Federal Trade Commission’s responsibility?

The FTC was created to prevent anti-competition business practices and protect consumers against deceptive or unfair business dealings. The Federal Trade Commission Act (which incorporates the U.S. Safe Web Act amendments of 2006) sets the parameters for how the agency can prosecute companies, which it believes are misleading consumers through false or deceptive advertising.  In fact, sections 45 and 52 of the statute indicate that, when a company commits an unfair act or deceptive practice, “and if it shall appear to the Commission that a proceeding … would be to the interest of the public, it shall issue and serve … a complaint stating its charges …”   In addition, section 52 addresses the illegality of false advertisements, which would be likely to induce consumers to purchase a product.  Although, LifeLock was not advertising a product, it was falsely advertising services, so consumers were induced to buying memberships.  Therefore, the FTC is utilizing its ability to prosecute companies for violating the law.

Cloud computing is a service that is offered by service providers and allows for large amounts of information to be stored in virtual servers.  These organizations are referred to as Cloud Computing Service Providers (collectively “CCSPs”) and operate within the “cloud.”  They are able to operate on a global scale, which makes their activities subject to international laws and places their users at the risk of loss of privacy.

What steps have been taken to protect user data?

In general, users of cloud computing relinquish their data, which may include confidential information, in order to store large amounts of information. Thus, CCSPs must be careful to protect privacy according to industry standards. The failure to establish proper safeguards may result in legal action by private individuals or governmental agencies (e.g., Federal Trade Commission). However, due to the security risk that users face by storing their data, governments have taken active roles in protecting against information loss. For example, the European Commission has instituted a Data Protection Directive.  The purpose of this directive is to to give citizens control over of their personal data and to simplify the regulatory environment for business.