Spears Legal Technology


This blog is a resource guide for informational purposes only, and not the delivery of legal, technical or other professional advice. Using the information provided on this blog does not constitute an attorney-client relationship. If you need legal advice, please consult your lawyer.

Wireless Live CD Alternative: ZeusGard

Brian Krebs discusses ZeusGard, a little USB flash drive that boots into a usable browser within about 30 seconds after starting the machine to avoid potential issues with banking malware such as Zeus or its variants.

Zeusgard allows you to safely bank online from any machine — even from a system that is already riddled with malware. That’s because it lets you boot your existing PC into an entirely different operating system. Even better, it is capable of connecting to the wireless network.

Priced at $40 for both the flash drive and the wireless adapter, it may be a perfect tool for small to medium-sized businesses that conduct online banking.


Cyber Insurance May Assist in Addressing Risk Posed by OpenSSL Vulnerabilities and Malware

The Department of Justice estimates that the GameOver Zeus malware has infected between 500,000 and 1,000,000 computers and so far caused “direct and indirect losses to consumers and businesses exceeding $100 million.” Antivirus software alone does not always prevent such infection; a leading antivirus developer recently stated that, as a result of advances in malicious code, antivirus software is now “dead.”

With technology capable of providing only partial security solutions, a proactive approach to cyber risk should include evaluation of risk transfer mechanisms such as insurance. In April 2014, members of Hunton & Williams LLP’s Insurance Counseling and Litigation and Global Privacy and Cybersecurity practices participated in a webinar on cyber insurance, discussing the nature of cyber risk and possible insurance solutions.

Listen to a recording of the seminar.


2014 Verizon Data Breach Investigations Report

Verizon's annual data-breach investigations report makes a strong case for behavioral analytics technology that looks for anomalies among user activity to spot hackers.

Such technology could help detect the use of stolen credentials, which were one of two ways most Web applications were compromised, according to the report released Tuesday. The other way was exploiting a weakness in the application.

Read the full report


F5 Security Gurus Discuss Heartbleed

Many major corporations and banks use F5 Application Delivery Controllers in their data centers to provide various security and load balancing services to their mission critical sites.

Fortunately, it seems that because F5 uses a custom version of OpenSSL there are only a few configurations where F5 devices would expose the vulnerability to backend servers running affected versions of OpenSSL. This should give the network gurus some time to update the certificates on affected systems.

In this video the F5 security team discusses the vulnerability and takes live questions from an online forum. (F5 is a former employer of mine.)


Would a Proprietary OpenSSL Have Been More Secure than Open Source?

I’m a proponent of open-source software, but in the wake of Heartbleed this is an issue that should at least be revisited. I think the author takes an honest look at the questions that should be asked.

“The OpenSSL Heartbleed vulnerability has resurrected the age-old debate of whether or not open source code is more or less secure than proprietary code. Before putting on your open source or proprietary jerseys and launching into this (frankly not-very-productive) fight, first consider a few things.”

Read the whole article here.


Report: Healthcare has seen a 13 percent increase in botnet activity

Using real-world case studies and findings from over 3 billion analyzed attacks, the 2014 NTT Global Threat Intelligence Report (GTIR) demonstrates strategies to minimize threat impact and compress the threat mitigation timeline. Among key findings of the study:

* The cost for a "minor" SQL injection attack can exceed $196,000;
* Anti-virus applications fail to detect 54 percent of new malware;
* Healthcare has seen a 13 percent increase in botnet activity.

Read the full report


‘Heartbleed’ Bug Exposes Passwords, Web Site Encryption Keys

Oh my. The potential ramifications...

This vulnerability is particularly unusual because the order of the remediation steps matters. If the keys and certificates have to be replaced, users must wait to change their passwords until they have confirmed that the replacement has been done. Otherwise the new password is vulnerable as well.

Jamie Blasco, director of AlienVault Labs, said this bug has “epic repercussions” because not only does it expose passwords and cryptographic keys, but in order to ensure that attackers won’t be able to use any data that does get compromised by this flaw, affected providers have to replace the private keys and certificates after patching the vulnerable OpenSSL service for each of the services that are using the OpenSSL library.



Borders' Customer Data Will Not Disappear With The Company


With all the attention on the closing of the almost 400 remaining Borders stores, the chain's IT jewel—purchase history and other CRM data on tens of millions of its customers—is still to be sold to the highest bidder. When that happens, any privacy promises Borders made to loyalty-program customers are out the window.



FDA To Regulate Mobile Health Apps?

The FDA proposes to regulate at least some mobile apps, according to the Washington Post.

For example, an app that allows radiologists to view X-rays on an iPad or that turns an Android phone into a heart monitor would be regulated. But an app that stores medical records or provides training videos to physicians would not.

The full draft of the proposal is available at the FDA's website.


E-Commerce in China: Perspective From Chinese Graduate Students

Last year at this time I was in Xian, China as part of an effort to establish a law school exchange program between my law school and Xian Jiaotong University. It was a fascinating trip for a number of reasons (including the famous Terracotta Soldiers), but I was particularly interested in the legal and technical development of a country that has expressed a strong desire to control the flow of information.

Xian, China
During my visit I was invited to speak with a group of graduate students at Xi'an Jiaotong University specializing in Internet security. Both the professor leading the group and his students began the conversation by asking how American consumers protect themselves against e-commerce fraud and online identity theft. It was striking how passionately they spoke on the issue. When I asked what recourse Chinese citizens had if victimized by online fraud or identity theft, the professor stated that websites not handling data properly could be charged under the 7th Amendment to the Criminal Law.

But in reality building a privacy policy off of judicial action would be nearly impossible because China lacks a common law system founded on stare decisis. In its place judges have a great deal of individual latitude to determine outcomes without taking precedent into account. During one morning walk I happened to meet a visiting professor from Wisconsin who had taught summer classes in China for nearly a decade. Upon hearing what I was studying he dryly noted that Chinese law "is still nothing but a theory." Lacking a solid legal foundation, it was no wonder that the Chinese graduate students asked for practical advice on how to protect themselves against fraud.

Read More . . .

PCI Mobile Payment Guidelines At Least 10 Months Away

First, a bit of background for those that might be new to PCI:

The PCI Security Standards Council (PCI SSC) was formed in 2006 by five global payment companies: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. These five companies agreed to adopt the PCI Data Security Standard (PCI DSS) to provide technical and operational requirements for protecting cardholder data. Generally these requirements are not laws, but they are enforceable under private contract and stipulated by each card brand. A few states, however, including Minnesota, have passed laws that write components of the PCI DSS into statute.

But as technology evolves, so must the standards. One major development has been the emergence of mobile payment options. As retailers like Starbucks busily develop their own mobile payment applications, the PCI SSC must now formulate a strategy to deal with the changing environment. According to the website Storefront Backtalk, that evaluation may take a while:

Even if the 10 months estimate is correct—and it certainly sounds reasonable—that’s the earliest point for the guidelines to be released. It will still be many months after that before it would be the law of payment and potentially more months after that before compliant applications are available, not to mention compliance with carriers, handsets, chips, readers and all the other elements of the just-barely-already-defined mobile-payment infrastructure.

In the meantime, retailers are sure to continue developing their mobile payment systems in spite of this uncertainty. Evan Schuman from Storefront Backtalk provides an excellent analysis of the pros and cons related to moving forward without PCI standards in place. It's worth reading the entire article.

UPDATE (6/24): Schuman now reports that there may be an interim fix before the end of summer.

How the Stolen Card Market Works

Walt Conway at PCI DSS News and Information for Higher Education points out a couple of interesting reports on NPR last Friday. Each covers much of the same ground, but they provide some interesting background regarding the market for stolen credit cards. Here are the links:

How to Buy a Stolen Credit Card (NPR, 6/17/2011)

The FBI Agent who Broke the Black Market (NPR, 6/17/2011)

Conway also links to a podcast from Planet Money on the dark market and how credit cards get stolen and fenced, summing up the issue in two sentences: "The bad guys are out there. They go for credit cards because (of course) that's where the money is."

Finally I recommend reading Kimberly Kiefer Peretti's 2008 law review article on the topic. Peretti is the former Senior Counsel with the United States Department of Justice's Computer Crime & Intellectual Property Section (CCIPS).


P.S., Where Does the Money Go?

A quick note to wrap up last week's posts discussing fraudulent electronic fund transfers . . .

I was talking with a friend who works in network security about the issue. He was outlining ways banking networks could be more secure when he went a little off-topic.

"I wonder what the thieves - especially abroad - are doing with the money," he mused. "Not enough people seem to ask that question. All I ever hear about are the costs involved for the company."

Later, I came across a couple of facts that provide one frightening possibility. Kimberly Kiefer Peretti, former Senior Counsel with the United States Department of Justice's Computer Crime & Intellectual Property Section (CCIPS), discussed the national security implications of credit card breaches in a 2008 law review article. Among her points:

  • In his 280-page autobiography, Imam Samudra, a convicted terrorist in Indonesia, specifically referred to credit card fraud as a means to fund terrorist activities.
  • The 2002 Bali nightclub bombing was funded partly through online credit card fraud.
  • In 2007, a “Terror Webmaster” in Britain used $3.5 million in fraudulent charges to aid jihadi groups in the field.

I'm not an alarmist by nature, but just like credit card breaches, fraudulent EFTs would seem to have national security implications. And it turns out that I'm not alone in thinking so: in 2010 FBI special agents were embedded with police forces in Romania, Estonia, and the Netherlands to combat cybercrime.


Businesses, Viruses & Online Banking Pt. II

This is the second of a two-part series discussing why small businesses need to be aware of the threats posed by fraudulent electronic fund transfers (EFTs), and why the banks may not lend a helping hand. To read Part I, click here.

How do cyberthieves get the authentication credentials again?

Victims of online EFT fraud have frequently had their credentials stolen through a virus - often a version of the Zeus trojan - that has infected the computer used to access the business’ online banking system. The infection usually occurs after employees click on a link to an infected website, or open an infected email attachment through a process known as “phishing.”

Once a victim’s computer is infected, Zeus records the keystrokes used when logging into specified online banking websites. After the user successfully logs in, Zeus may intercept and modify the details of the transaction, initiate a new transaction without the user’s knowledge, or use the network connection to transmit the recorded authentication credentials to the cyberthief.

Who do they target?
Small and medium sized . . .

Read More . . .

Businesses, Viruses & Online Banking Pt. I

This weekend Joseph Flanders at Solo in Minneapolis added to his “Starting a Law Firm” series by discussing how to choose a business bank account. His post brought to mind a major topic that I feel still isn’t getting enough attention among small business owners (or the attorneys that advise them): fraudulent electronic funds transfers that result from the theft of the business’ online authentication credentials due to a computer virus.

This is the first of a two-part series discussing why small businesses need to be aware of the risks fraudulent electronic funds transfers pose, and why the banks may not lend a helping hand.

Image credit: frko at stock.xchng
The Scenario:

A medium-sized business discovers that over $800,000 in unauthorized wire transfers has been removed from its business account without its knowledge. $600,000 is eventually recovered, but $200,000 remains outstanding. The business claims that evidence in the form of IP addresses logged by the bank shows that the transfer requests were initiated from Europe and sent to accounts in eastern Europe and the former Soviet Union. This behavior was unprecedented and, according to the business, should have raised a red flag with the bank.

The bank, on the other hand, alleges that the business is responsible for the lost funds because the business computer used to initiate online transfers was found to have a virus. This particular virus (the Zeus trojan) intercepted the business’ authentication credentials (username/password), then transmitted that information to foreign cyber-criminals who initiated the fraudulent transfer. Because the computer systems of the business are beyond the bank’s control, the bank argues that the business is solely responsible for the loss.
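The behavioral check the Verizon report argues for, applied to the wire-transfer scenario above: a per-account baseline built from past transfers, against which a new transfer from an unseen login country, to an unseen destination country, or for an amount far outside the historical range is held for confirmation. This is an added example in Python, not the bank's logic, the report's, or the blog's; the account name, amounts and country codes are constructed, and the thresholds (z-score above 3, or more than double the historical maximum) are assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Transfer:
    account: str
    amount: float        # USD
    source_country: str  # geolocation of the client IP that initiated the transfer
    dest_country: str    # country of the receiving bank


# Constructed history: a US business that pays domestic vendors by wire.
HISTORY = [
    Transfer("acme", 12_500, "US", "US"),
    Transfer("acme", 9_800, "US", "US"),
    Transfer("acme", 15_200, "US", "US"),
    Transfer("acme", 11_000, "US", "CA"),
    Transfer("acme", 13_700, "US", "US"),
    Transfer("acme", 10_400, "US", "US"),
]


def build_profile(history):
    """Summarise an account's past transfers into a behavioral baseline."""
    amounts = [t.amount for t in history]
    return {
        "source_countries": {t.source_country for t in history},
        "dest_countries": {t.dest_country for t in history},
        "amount_mean": mean(amounts),
        "amount_std": pstdev(amounts),
        "amount_max": max(amounts),
    }


def score_transfer(t, profile, z_limit=3.0):
    """Return the reasons a transfer deviates from the baseline.

    An empty list means nothing unusual; any reason should hold the transfer
    for out-of-band confirmation instead of letting it settle automatically.
    """
    reasons = []
    if t.source_country not in profile["source_countries"]:
        reasons.append(f"login from new country {t.source_country}")
    if t.dest_country not in profile["dest_countries"]:
        reasons.append(f"new destination country {t.dest_country}")
    std = profile["amount_std"] or 1.0  # guard against a flat history
    z = (t.amount - profile["amount_mean"]) / std
    if z > z_limit or t.amount > 2 * profile["amount_max"]:
        reasons.append(f"amount {t.amount:,.0f} far above baseline")
    return reasons
```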

Read More . . .