Ride The Lightning

Apparently Congress thinks so according to a recent report from Bloomberg. What's truly amazing is that the hacking occurred in 2007 and 2008 and we are just finding out about it. It makes one wonder what they are doing now.

The allegations are contained in the final draft of the annual report by the U.S.-China Economic and Security Review Commission which is scheduled to be released in November. The bottom line is that the report states that hackers, perhaps from the Chinese military, "interfered" (whatever that means) with two U.S. satellites four times in 2007 and 2008 through a ground station in Norway.

As the report notes, "Access to a satellite's controls could allow an attacker to damage or destroy the satellite. An attacker could also deny or degrade as well as forge or otherwise manipulate the satellite's transmission."

From my foxhole, the Chinese military (assuming it was responsible) is far less likely to blow things up than to deny or forge transmissions. The report does not charge the Chinese government itself with involvement in the hacks - rather, it says the breaches were consistent with Chinese military writings which advocate disabling an enemy's space systems, particularly "ground-based infrastructure, such as satellite conrol facilities."

What is indisputable in these, and so many other hacking incidents, is that they come from Chinese IP addresses. As the report correctly states, finding the true source of the attacks is difficult because the perpetrators obscure their involvement.

A spokesman for the Chinese Embassy in Washington says the Commission has "been collecting unproved stories to serve its purpose of vilifying China's image over the years", further saying that China "never does anything that endangers other countries' security interests."

And if you believe that, I've got a bridge to sell you . . .

Hat tip to colleague Sean Harrington for passing this story along.

E-mail: snelson@senseient.com Phone: 703-359-0700

www.senseient.com

http://twitter.com/sharonnelsonesq

At many companies, the answer is apparently yes. Information Week has reported that a recent survey of 300 IT professionals, 2/3 of them working in companies with more than 10,000 employees, showed that 25% of them knew at least one co-worker who used privileged login credentials to inappropriately access confidential information. 42% indicated that the IT staff freely shared passwords and access to multiple systems and applications.

25% also indicated that at least some of the superuser passwords granting God rights to the network were less complex than what was required of end users. A whopping 48% reported that privileged account passwords had remained the same for at least 90 days.

My guess is that management is largely clueless about these practices, but they are clearly an engraved invitation to disaster, so it would behoove those in charge to monitor the security practices of their IT departments. "IT Pros" should certainly know better!

E-mail: snelson@senseient.com Phone: 703-359-0700

www.senseient.com

http://twitter.com/sharonnelsonesq

On October 10th, it was reported in the press that the Maryland law firm of Baxter, Baker, Sidle, Conn & Jones had lost the medical data of 161 patients in a malpractice suit.

This was especially significant since it is so rare to hear of law firm data breaches - understandably, law firms are loathe to have such stories become public. So how did this one come to light? The Baltimore Sun obtained a copy of one of the notifications sent to the patients.

Here's what happened: One of the law firm's employees brought home a hard drive containing backup data - this was the firm's method of ensuring that it had an off-site backup. She took the Baltimore light rail system home and - you guessed it - left the drive on the train. Though she returned just a few minutes later, the drive was gone. And - can you guess - yes, the drive was unencrypted.

This happened on August 4th. Federal law requires that individuals affected by a breach be notified "without unreasonable delay and in no case later than 60 days following the discovery of a breach." It looks like it took pretty much the whole time to get folks notified since the October 10th story referred to the fact that the letters were sent "last week."

The firm said it sent a formal letter to the hospital involved on September 16th though it said it had notified the hospital within days by phone. The hospital, when interviewed by the Sun in October, said it had been "recently informed." Hmmm.

In any event, it should be clear that traveling with unencrypted backup data is a very bad idea. You will be shocked (not) to hear that the firm has begun encrypting its data and is looking into off-site data storage.

The question is, why does it take an incident like this to get so many law firms to take information security seriously? It's a rhetorical question because there is no good answer.

E-mail: snelson@senseient.com Phone: 703-359-0700

www.senseient.com

http://twitter.com/sharonnelsonesq

Cell phone and other electronic devices are an essential component of 21st century protests.

This is a quote from the recently issued Cell Phone Guide for Occupy Wall Street Protestors (And Everyone Else). That quote really made me stop and think - and brought back memories of simpler times protesting the Vietnam War when real time communications during protests were in person - with no instantaneous media or outside world contact. Times really have changed the nature of protest in this country and around the world.

The tips offered by the Electronic Freedom Foundation (EFF) are not rocket science, but I daresay many protesters have not thought of many of them. Throwaway phones with no sensitive data are a good option when you reasonably anticipate that you might be arrested and your phone searched and/or seized. And don't expect to get a seized phone back for a LONG time.

And encryption - we love encryption for sensitive data.

Don't bother arguing the law with a law enforcement officer who says he/she is entitled to the phone. Just make it clear that you are not consenting to the phone being searched and politely ask for an attorney. You might well be angry but hostility tends to make a bad situation worse. Let the lawyer handle the legal problems. But in the meantime, the tips offered by the EFF are worth considering.

Somewhere in my house, I know the love beads and peace signs still lurk.

E-mail: snelson@senseient.com Phone: 703-359-0700

www.senseient.com

http://twitter.com/sharonnelsonesq

There is no conference John and I look forward to more than ABA TECHSHOW which will be held March 29-31 in 2012 in Chicago. Honestly, the only regret we ever have is that our own TECHSHOW responsibilities keep us from seeing all the educational sessions we want to see.

Gee, do you think the smartphone folks will have something new to say? What about the data security speakers? Might predictive coding in EDD be mentioned? Seriously, it is astonishing how much happens in a year - this conference is a great way to catch up with the moving targets of technology and e-discovery.

So don't delay - register now and take advantage of the early bird pricing. We look forward to seeing many of you in Chicago next year!

E-mail: snelson@senseient.com Phone: 703-359-0700

www.senseient.com

http://twitter.com/sharonnelsonesq

When Apple released its new iOS 5 operating system to go with the iPhone 4S, it ballyhooed an app called "Find My Friends" which was designed as a way to track and meet up with friends. If they agree, you can see their location on a map on your screen.

Divorce lawyers - listen up - this is precisely WHY we tell you to advise your client not to accept a cell phone as a gift. According to a chat posting on MacRumors, a man said he got his wife a new iPhone 4S and loaded "Find My Friends" without her knowledge. He was suspicious that she was having an affair - and the app tracked her to the suspected lover's home. So he posted a thank you to the iPhone and the app - apparently the wife has money and he expects to do well in divorce court with his evidence.

The app works with both the iPhone or iPad and uses their built-in GPS to see your friends' locations - accurate to within a few feet.

I love to see people come bearing gifts - but I will never accept a smartphone as a gift. Spyware could always be loaded on the phone as well since the giver would have had physical access. No thanks, I'll buy my own smartphones!

Hat tip to Jason Foltin for sending me the story.

E-mail: snelson@senseient.com Phone: 703-359-0700

www.senseient.com

http://twitter.com/sharonnelsonesq

Only 17% of those working for medical practices said that they would report an instance of medical identity theft according to a recent study by the Healthcare Information and Management Systems Association. Pretty shocking in light of the fact that 46 states now have data breach notification laws.

It made me feel only marginally better that 38% of those working for hospitals would report a breach. The study results are interesting - lots of stats - so take a look if this is an area that interests you.

In medical practices, 33% have not performed a risk assessment vs. only 14% of those who work for hospitals. So at least most folks in the medical industry are thinking about security, even though most of them wouldn't report a security breach. Apparently the thing they are not thinking about is the law.

E-mail: snelson@senseient.com Phone: 703-359-0700

www.senseient.com

http://twitter.com/sharonnelsonesq

Thanks to attorney Shannon Brown for sending along one of her blog posts about a relatively new phenomenon - and invasion of our privacy - undeletable cookies.

It appears that some companies are tracking our online activity with cookies that circumvent our privacy and security settings. These "malcookies" have spawned a rash of suits. Shannon does a good job covering a couple of cases in Pennsylvania that are moving through the courts and I found another case in Kansas.

In the case I found, a Kansas man has sued Facebook, alleging that it violates wiretap laws by tracking web browsing history even after a user has logged off Faceook. The battle is all uphill since courts have been finding that these cookies do not violate wiretap laws - and that the users cannot prove harm.

This is yet another example of an assault on our privacy and a gaping hole in the law that needs to be filled. I, for one, am forwarding this post to friends in the Virginia General Assembly.

E-mail: snelson@senseient.com Phone: 703-359-0700

www.senseient.com

http://twitter.com/sharonnelsonesq

SC Magazine recently reported that federal security incidents are up by a whopping 650%. Considering how much personal data the feds hold - not to mention national security data - that's more than a little alarming. The article is based on a report from the U.S. Government Accountability Office - a name which invokes laughter even as I type it.

Federal agencies reported 41,776 incidents in 2010 - including malware, unauthorized access and denal-of-service - there were just 5,503 in 2006. All 24 major agencies were assessed and had deficiencies related to access controls, configurations and security management. In spite of being given suggestions for tightening security, most of the suggestions have not been fully implemented.

The IRS was specifically cited for not sufficiently restricting employee access to databases along with failure to address previously reported security issues.

Not a single one of the 24 agencies have fully implemnted an agency-wide information security program as required by the Federal Information Security Management Act (FISMA).

In the dismal swamp that is Washington, D.C., "information security" is clearly a misnomer.

E-mail: snelson@senseient.com   Phone: 703-359-0700

www.senseient.com

This was the question posed to me by Monique M. Ferraro, the principal of Technology Forensics in response to my last post. It is certainly true, as she pointed out, that law enforcement has a pretty easy time of getting data - it's much tougher in civil cases.

Generally speaking, if you are involved in a lawsuit, you can subpoena records that might give you dates and times of calls, the phone numbers involved, call duration, customer information, etc. However, if you want content (texts or e-mails) you are up against two things - first, most carriers don't hold the content at all - or for very long. Second, they will (appropriately) decline to hand over any content citing The Stored Communications Act.

Thus far, all the court cases have upheld the principle that the SCA prohibits divulging stored content. However, you may find what you're looking for on the opposing party's phone - or, if they sync to a computer, on the computer in the backup files. Where content is involved, you'll need to go the user - exactly as you must do when you want the content of social media sites.

By the way, I neglected to say in my last post, which described how long carriers store your personal cell phone data, that the information sheet I reference was dated 2010. An investigator specializing in this area confirmed to reporters that the sheet was still basically correct.

E-mail: snelson@senseient.com Phone: 703-359-0700

www.senseient.com

http://twitter.com/sharonnelsonesq