To overcome his anxiety with flying, IOActive’s researcher/author, Ruben Santamarta, began “spending some flights hacking stuff.” In his December 20, 2016 blog post, “In Flight Hacking Systems,” Santamarta describes how he  tried to gain a better understanding of the In-Flight Entertainment Systems (IFE) manufactured by Panasonic Avionics and installed in major airline carriers such as Virgin, KLM and American Airlines. After learning how the IFE operates, other reports indicate Santamarta was able “to hijack in-flight displays to change information such as altitude and location, control cabin lighting and hack into the announcements systems.” Santamarta also claimed he could access the credit card information of frequent flyers’ information stored in the in-flight automatic payment system.

Santamarta’s hacking activities prompt the question of whether he could have hacked the aircraft controls using the IFE as “an attack vector.” Santamarta claims that, depending on the hacker’s abilities, it would be “totally feasible” to take over an aircraft’s controls using the IFE systems as an access point. Santamarta advises airlines to isolate or segregate systems controlling airplane from the IFE systems.

Santamarta’s blog post indicates that many commercial aircraft’s networks are divided into the following “four domains” based on the type of data they handle:  (1) passenger entertainment; (2) passenger owned devices;  (3) airline information services; and (4) aircraft control. Based on his findings, Santamarta believes the best solution to reduce the chances that hackers take control over an aircraft’s controls involves physically isolating these systems from each other; “this means that as long as there is a physical path that connects both domains, we can’t disregard the potential for attack.”

Santamarta concludes the blog post with the following advice, “the responsibility for security does not solely rests with an IFE manufacturer, an aircraft manufacturer or the fleet operator. Each plays an important role in assuring a secure environment.”

In its December 20, 2016 statement, Panasonic disagreed with Santamarta’s findings and has called them “inaccurate and misleading” and further claims the blog post “mixed hypothetical vulnerabilities with specifics about Panasonic’s systems to come up with its results.” Panasonic’s statement also rejects the portion of the report stating that access can be gained to credit card information. Panasonic further offered the reminder that hackers could be criminally charged for trying to access any system on an aircraft.

Regardless of whether Santamarta or Panasonic are correct about the security of IFE systems, Santamarta’s point that the various systems of the aircraft should be completely isolated from each other cannot be overlooked. While common sense tells us that we should not keep the crown jewels in the garage with the gardening tools, it is easy to abandon this common sense approach when it comes to cyber security. In the same way you don’t want the IFE systems providing “an attack vector” to get to an aircraft’s controls, our businesses and homes should not only try to completely avoid a cyber incident, but should limit the amount of damage if a cyber incident takes place.

The post First Class Hack: Researcher Claims Airplane In-Flight Entertainment Systems Give Path to Flight Controls appeared first on Privacy Risk Report.

In August 2015, Privacy Risk Report published a post regarding Target sealing its documents associated to the massive 2013 data breach in order to protect itself from hackers. Target contended that if documents related to its data breach litigation were filed unsealed, there was a chance that hackers would have access to “detailed information about Target’s IT infrastructure, Target’s information security controls, and information about Target’s information security policies and procedures.” Following Target’s lead, there is more litigation stemming from the inadvertent disclosure of private information on a court’s online website.

In its October 18, 2016, decision, a court in McCoy v. Fisher dismissed a plaintiff’s complaint against a law firm that failed to redact personal information in a court document that ended up on the court’s website for a short time. In April 2015, defendants Jeffrey B. Fisher and The Fisher Law Group (Fisher Law), initiated a foreclosure action against plaintiffs Antonio McCoy and his former wife after they defaulted on their Maryland home loan. During the foreclosure action, Fisher Law filed a document that McCoy claimed included his loan number and his social security number. In May 2015, Fisher Law sent McCoy a letter notifying him of the inadvertent disclosure of personal information and further stated that the unredacted documents may have included McCoy’s loan number and his social security number.

As is the case in many jurisdictions, Maryland Rule 1-322.1 states, “the filer of any paper or electronic filing with a Maryland court must redact or omit certain ‘personal identifier information’ from the document before it is filed, including an individual’s social security number.”

On February 4, 2016, McCoy, a pro se litigant, filed his complaint seeking recovery under the Gramm-Leach-Bliley Act for the alleged disclosure of private information, the Ninth Amendment of the U.S. Constitution and negligence theories.

In its motion to dismiss, Fisher Law argued first that McCoy failed to establish he had standing to bring the action. Specifically, Fisher Law asserted McCoy’s action should be dismissed because McCoy merely claimed he could be the victim of identity theft in the future. And, as seen on a number of other occasions,  under the Clapper decision, the U.S. Supreme Court has held that “standing must be based on the ‘substantial risk’ that harm will occur, so long as the future injury is ‘certainly impending.’” That is, “allegations of ‘possible future injury’ are not sufficient” to sustain a cause of action.

While the McCoy court found it had no controlling law in the 4th U.S. Circuit Court of Appeals on this standing issue, it relied on the holding in Khan v. Children’s Nat’l Health Sys., where the court found the named plaintiff could not prove injury in fact because the plaintiff failed to allege “facts indicating that the hackers have attempted to engage in any misuse of [the hospital] patients’ personal information since the breach was discovered.” In Khan, the court held “the mere loss of data—without any evidence that it has been either viewed or misused—does not constitute any injury sufficient to confer standing.”

In dismissing the complaint, the McCoy court found McCoy’s claims of future injuries to be speculative at best. “At most, Plaintiff alleges that his information was accidentally made publicly available for a period of time, introducing the risk that a bad actor could obtain such information.” The McCoy court found no evidence that McCoy’s information was accessed or misused during the six days it was viewable by the public on PACER, the court’s online website.

There should be no doubt that the potential use of information found in documents maintained on court websites by criminals should be a concern. Consequently, Target’s argument to file documents under seal to protect private information from hackers may be justified in certain situations. However, the McCoy decision demonstrates that when private information inadvertently ends up on court websites, a person will need to meet the same standards as any litigant in a data breach case. That is, a litigant will need to demonstrate that harm was done by the disclosure with more than speculation.

The post Failure to Redact Personal Information from Court Document Does Not Result in Private Cause of Action appeared first on Privacy Risk Report.

There has been significant discussion since 2015 on how the “internet of things” is expected to impact our daily life, including our homes. In general, the term “internet of things” (IoT) refers to a network of “smart” devices found in the typical home that collect and exchange data over the internet. However, despite the risks posed by the IoT and the integration of technology into our homes, there has been little discussion of  insurance policies that are available to homeowners or renters to provide coverage for these claims.

In 2016, the IoT became an emerging issue for cyber security claims under first-party insurance policies:

As the IoT becomes more ingrained in our homes and business, we can expect insurance coverage issues to continue to flourish. The vast majority of these issues caused by the IoT will raise questions under first-party insurance policies. Consequently, we anticipate cyber security and first-party insurance coverage to be an emerging trend in 2016.

In addition to issues caused by the IoT, homeowners and renters face many of the same risks corporations and governments face including malware attacks, online fraud and data breaches of valuable information. It is also clear that hackers are no longer focused solely on large corporate and government targets. Less sophisticated hackers will search for smaller and less sophisticated targets, finding a windfall in homes and residences.

These recent developments in cyber security make the idea of having personal cyber insurance valuable to homeowners and renters. Therefore, it was only a matter of time before insurers started to market cyber coverage directly to homeowners and renters.

On June 14, 2016, Hartford Steam Boiler Inspection and Insurance Company (HSB) announced that it was offering what it billed as “the first personal lines cyber insurance program for consumers.” This new product is offered to homeowners and renters, along with family members living in the household, to protect against a variety of issues generally related to cyber security. In particular, HSB’s press release states its new “Home Cyber Coverage” policy provides homeowners with the following coverage:

• “Computer Attack to remove malware and reprogram computers and tablets, Wi-Fi routers or other Internet access points.”
• “Home Systems Attack restores devices connected to the Internet, including smart phones, thermostats, smart appliances and security and monitoring systems.”
• “Cyber Extortion with professional assistance on how to respond to a ransomware attack and payment of ransom when approved.”
• “Data Breach including forensic IT and legal reviews, notification and recovery services when private non-business data entrusted to an individual is lost, stolen or published.
• “Online Fraud for losses due to identity theft, phishing schemes, illegal bank and credit card transfers, forgery, counterfeit currency, and other deceptions.”

The HSB policy does not provide coverage for cyber bullying, but other insurers have been offering this coverage to homeowners.

While the IoT has received substantial publicity recently, discussion about these claims and insurance for these claims will likely go through a similar evolution as was the case with cyber insurance for corporate and governmental bodies. Homeowners will likely question whether cyber insurance is valuable until eventually concluding that this coverage has merit. As this evolution takes place, homeowners and renters are likely to see more cyber coverage products developed in this market space in the coming years.

The post Home Is Where the Hacker Is: Cyber Coverage Becoming Necessary for Homeowners appeared first on Privacy Risk Report.

It appears that large retailers and hospitals are no longer the only targets for hackers as evidenced by the hack at the Panamanian law firm, Mossack Fonseca, generally referred to as the “Panama Papers.” While the identity of the hackers is still unknown, the extent of these crimes is starting to be fully realized. Reports indicate the hackers took millions of documents, including emails belonging to the law firm’s clients. There has already been substantial fallout from this hack including the resignation of Iceland’s prime minister and uncertainty for a number of other world leaders.

Perhaps the most startling fact about this crime is the lack of sophistication needed to steal sensitive client information. The combination of outdated safeguards and highly-sensitive information provides a ripe target for hackers. Specifically, commentators believe this attack originated when the law firm failed to update its web servers:

The fact that Mossack Fonseca’s web servers were many months out of date was particularly egregious, especially considering the sensitivity of their clients’ information. “They seem to have been caught in a time warp,” says Alan Woodward, a cybersecurity expert from University of Surrey and consultant to Europol’s European Cybercrime Centre. “If I were a client of theirs I’d be very concerned that they were communicating using such outdated technology.”

In addition to the “Panama Papers” incident, there should be little question law firms hackers are looking to exploit vulnerability at law firms. It has recently come to light that hackers have launched “phishing” attacks aimed at law firm employees and personnel. In an attempt to gain access to documents related to corporate mergers, authorities recently learned of a scheme offering to pay hackers $100,000 in addition to half the profits of the first $1 million taken from law firms. In particular, after gaining access to law firm networks, the hackers were instructed to conduct key word searches to find documents related to pending mergers or other transactions that the hackers could use to turn a profit.

In response to this scheme, the FBI recently issued an alert through the American Bar Association warning law firms of this threat. The FBI alert describes the scheme as follows:

A financially motivated cyber crime insider trading scheme targets international law firm information used to facilitate business ventures. The scheme involves a hacker compromising the law firm’s computer networks and monitoring them for material, non-public information (MNPI). This information, gained prior to a public announcement, is then used by a criminal with international stock market expertise to strategically place bids and generate a monetary profit.

The evolution of the hacker threat from large (highly secured) targets to smaller (lacking security) targets has not been a surprise. What has been surprising is the fact that the smaller targets did not see the threat evolve to put them in the crosshairs. Further, the fact that a number of international law firms have found themselves to be targets demonstrates difficulties in protecting against hackers. The threat to law firms should also provide insight to accounting firms, real estate brokers and any other smaller operation about the value of cyber security.

The post Law Firms’ Work Product Has No Privileges Against Hackers appeared first on Privacy Risk Report.