Akerman Data Law Center makes cybersecurity law accessible

Virtually all industries are being affected by the complexities of cybersecurity and privacy law. Besides being confusing, aspects of cybersecurity and privacy law can change practically overnight. With this in mind, the international law firm Akerman now offers a continuously updated, web-based legal knowledge platform on cybersecurity and privacy law named the Akerman Data Law Center. Developed with Thomson Reuters and Neota Logic, the platform makes the international rules and regulations on cybersecurity more accessible. The tool should be useful to law firms everywhere, since cybersecurity and privacy are “likely to have accelerated growth in the law market for 2016,” as Akerman’s Data Law Practice co-chair, Martin Tully, explained. Beyond staying up to date, the platform can be used to research changes that pertain only to specific regions or industries, which will help firms operating in several jurisdictions keep track of the differences in regulation between them.

Although access to the research compiled in the Akerman Data Law Center requires a subscription fee, Akerman states that the platform will save users up to 80% on research costs. Compared with the hours associates could spend accumulating the research already available within the platform, the Akerman Data Law Center is more efficient and less expensive. To make the platform more user friendly still, Akerman allows users to contact the firm directly with particularly challenging questions, which will prove useful for firms that cannot afford to consult experts constantly.

Article via Legaltech News, November 20, 2015

Photo: Chained and locked via Vivek [Creative Commons Attribution-NonCommercial-NoDerivs]


International cyberwar policy to be updated

International law experts are on track to publish an expanded manual on how international law applies to cyber operations in late 2016. The Tallinn Manual 2.0, an update of the original Tallinn Manual on the International Law Applicable to Cyber Warfare, is backed by the NATO Cooperative Cyber Defence Centre of Excellence, a NATO-accredited think tank in Estonia. Neither edition is a treaty or an amendment to the Geneva Conventions; both are non-binding statements of how the contributing experts read existing law.

Military strategists deem cyberspace the fifth domain of warfare, alongside land, sea, air and space. The original manual’s experts treated the Stuxnet worm, malware widely attributed to the United States and Israel that damaged uranium-enrichment centrifuges at Iran’s Natanz facility, as an example of a cyber operation that could rise to the level of an “armed attack.” Under that reading, a comparable attack in the future would entitle the victim state to respond with proportionate force in self-defense.

The Tallinn Manual 2.0 will also cover peacetime international law, including human rights law as it applies to cyberspace. The question currently being argued is whether international human rights norms apply to widely practiced cyber activities such as the collection of metadata by national governments.

“If the answer is yes, we then have to examine whether the state has actually violated the individual’s rights. For instance, assuming the collection of metadata implicates human rights norms, under what circumstances is a state authorized to engage in such activities?” asks Liis Vihul, managing editor of the Tallinn Manual and legal researcher at the NATO Cooperative Cyber Defence Centre of Excellence.

Additionally, the updated manual will include sections on diplomatic law, the responsibilities of international organizations, global telecommunications law, and peace operations.

Article via The Register, October 12, 2015

Photo: Satsop Nuclear Plant via Michael B. [Creative Commons Attribution-NonCommercial-NoDerivs]

New bill protecting companies from cyberattacks compromises individual privacy

The US Senate voted on Tuesday to pass the Cybersecurity Information Sharing Act (CISA), which allows companies to share evidence of cyberattacks with the US government even when that data includes the personal information of individuals.

Supporters argue that CISA will help the government protect companies from attacks. Most large technology companies oppose it, calling the act another loophole that lets the US government snoop on citizens. President Obama supports CISA.

Al Franken, a senator from Minnesota and one of 21 who voted against the bill, said in a statement following CISA’s passing, “There is a pressing need for meaningful, effective cybersecurity legislation that balances privacy and security. This bill doesn’t do that.”

Companies are supposed to strip personal information about customers, such as emails and text messages, from data before sending it to the government. Currently, however, no accountability mechanism exists to ensure that personal identifiers are in fact removed before the data reaches government databases.

CISA was most likely passed in response to recent high-profile hacks, such as those against Sony Pictures, Ashley Madison, and United Airlines.

“With security breaches like T-Mobile, Target, and [the US government’s Office of Personnel Management] becoming the norm, Congress knows it needs to do something about cybersecurity,” said Mark Jaycox, Legislative Analyst of the Electronic Frontier Foundation. “It chose to do the wrong thing.”

Article via CNET, October 27, 2015

Photo: The Capitol, in Washington, D.C. US Senate and The House of Representatives via DeusXFlorida [Creative Commons Attribution-NonCommercial-NoDerivs]

Countries using spyware exposed

A Citizen Lab report released Thursday found that 33 countries are likely using FinFisher, a widely deployed commercial spyware suite. Many of them, including Ethiopia, Bangladesh, and Egypt, have poor human rights records.

FinFisher lets a government or organization log a target’s keystrokes and switch on the device’s microphone and camera to eavesdrop surreptitiously. Tools of this kind were once the preserve of well-resourced governments but are now sold to any customer willing to pay. Journalists and dissidents, including some living in the U.S., have been among its targets.

Breaches of the spyware vendors themselves over the past two years have taught researchers how these companies operate. FinFisher was hacked last year, exposing confidential company documents, and its competitor Hacking Team was hacked this past summer, exposing internal emails, files, and source code. Configuration mistakes on the spyware servers are what let Citizen Lab researchers work out which governments are using the services of companies like FinFisher or Hacking Team.

FinFisher deployments place one or more relay (proxy) servers between the infected computer and the “master” server that actually controls it, so that a victim who traces the malware’s connection sees only the relay. After scanning the Internet, researchers found 135 servers matching the technical fingerprint of these relays, yet typing a server’s address into a web browser always produced a decoy page instead, most often www.google.com or www.yahoo.com.

The decoy was not a local copy, however: the relay forwarded the browser’s request onward, and the reply came back localized for the master server’s location rather than the researchers’ own. One relay that appeared to be in the United States served an Indonesian version of Google and, when queried, handed back an Indonesian IP address, indicating that Indonesia’s government may be a FinFisher customer.
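The following is an added example, not code from Citizen Lab or from the report above, that models the decoy-page check offline: each probed server is flagged as a likely relay when the decoy it serves is localized for a country other than the scanner’s, or when the IP the decoy site echoes back is not the IP that was probed. The HTTP responses, the host-to-country table and the “public IP address is” phrasing are constructed assumptions for the sample data.

```python
import re

# Added example of Citizen Lab's decoy-page check, modelled offline. The HTTP
# responses below are constructed for illustration, not captured FinFisher
# traffic, and the host-to-country table is an assumption for these samples.

GOOGLE_HOST_COUNTRY = {
    "www.google.com": "US",
    "www.google.co.id": "ID",
    "www.google.com.eg": "EG",
    "www.google.com.bd": "BD",
}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def parse_http(raw):
    """Split a raw HTTP/1.1 response into (status code, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def decoy_country(raw):
    """Country the decoy page was localised for: the Google country domain the
    relay's upstream request landed on, read from a redirect or canonical link."""
    status, headers, body = parse_http(raw)
    if status in (301, 302, 303, 307, 308) and "location" in headers:
        m = re.match(r"https?://([^/:]+)", headers["location"])
    else:
        m = re.search(r'<link rel="canonical" href="https?://([^/"]+)', body)
    return GOOGLE_HOST_COUNTRY.get(m.group(1).lower()) if m else None


def echoed_ip(raw):
    """IP the decoy site echoed back for a 'my ip address' search, if any."""
    _, _, body = parse_http(raw)
    m = re.search(r"public IP address is (" + IPV4 + ")", body)
    return m.group(1) if m else None


def flag_relays(vantage_country, probes):
    """For each probed server decide whether it behaves like a relay in front
    of a master elsewhere: the decoy is localised for a country other than the
    scanner's, or the IP echoed back is not the IP that was probed."""
    findings = []
    for server_ip, raw in probes.items():
        country = decoy_country(raw)
        upstream = echoed_ip(raw)
        findings.append({
            "server": server_ip,
            "decoy_country": country,
            "upstream_ip": upstream if upstream != server_ip else None,
            "relay_suspected": (country is not None and country != vantage_country)
                               or (upstream is not None and upstream != server_ip),
        })
    return findings


# Constructed probes; RFC 5737 documentation ranges stand in for real hosts.
SAMPLE_PROBES = {
    # Relay whose upstream Google reply was localised for Indonesia.
    "192.0.2.10": (
        "HTTP/1.1 302 Found\r\n"
        "Location: https://www.google.co.id/?gws_rd=cr\r\n"
        "Content-Length: 0\r\n\r\n"
    ),
    # Relay serving the US edition but echoing a different address as "your" IP.
    "198.51.100.7": (
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        '<html><head><link rel="canonical" href="https://www.google.com/"></head>'
        "<body>Your public IP address is 203.0.113.55</body></html>"
    ),
    # Consistent answer: scanner's own country and the probed IP echoed back.
    "203.0.113.200": (
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        '<html><head><link rel="canonical" href="https://www.google.com/"></head>'
        "<body>Your public IP address is 203.0.113.200</body></html>"
    ),
}

if __name__ == "__main__":
    for finding in flag_relays("US", SAMPLE_PROBES):
        print(finding)
```

The first two sample servers are flagged and the third is not. The inference rests on the upstream site localizing by the address that actually reaches it, so it reveals where the relay’s onward hop exits; if the master itself sat behind a further proxy or VPN, that exit, not the customer’s country, is what would be recovered.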

Article via The Washington Post, October 16, 2015

Photo: Patrons use computers in an internet cafe via World Bank Photo Collection [Creative Commons Attribution-NonCommercial-NoDerivs]

Apple remedies cyber breach in app store

Until now, only five malware-infected applications were known to have made it into the Apple App Store. That number has grown: 25 apps have been identified and pulled from the App Store for containing malware. The breach traces to XcodeGhost, a tampered copy of Xcode, the development environment Apple provides for building iOS and Mac apps, which silently adds malicious code to every app compiled with it. Downloading the official Xcode takes about half an hour in the United States but nearly three times as long in China, so many Chinese developers fetched it from local file-sharing servers, where the counterfeit XcodeGhost had been substituted for the real program. Apple said it had no evidence that apps built with the tainted toolchain had been used to steal users’ information. Even so, the attack on the App Store is notable according to Ryan Olson, Director of Threat Intelligence at Palo Alto Networks, the firm that first reported the malware-tainted apps: it shows that the Apple App Store is not impenetrable.

To prevent a repeat, Apple will give Chinese developers a way to download an official copy of Xcode domestically, and the company is “working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps,” according to an Apple spokesperson.
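As an added example (not code from Apple or from the article), the following implements the check Apple recommended to developers after XcodeGhost: run Gatekeeper’s assessment on the installed Xcode with `spctl --assess --verbose /Applications/Xcode.app` and trust only an “accepted” verdict whose source is the Mac App Store or Apple. The three spctl outputs in the block are constructed for illustration; the middle one shows why an “accepted” verdict alone is not enough, since a copy signed under some third party’s Developer ID passes Gatekeeper but is not Apple’s Xcode.

```python
import subprocess

# Added example: Apple's post-XcodeGhost advice was to run
#     spctl --assess --verbose /Applications/Xcode.app
# and trust only "accepted" with source=Mac App Store, Apple or Apple System.
# The three outputs below are constructed for illustration.

TRUSTED_SOURCES = {"Mac App Store", "Apple", "Apple System"}


def xcode_trusted(spctl_output):
    """True only for an 'accepted' verdict whose source is one Apple signs.
    A bundle that passes Gatekeeper under a third-party Developer ID is
    still not Apple's Xcode, so it is rejected here."""
    verdict = None
    source = None
    for line in spctl_output.splitlines():
        line = line.strip()
        if line.startswith("source="):
            source = line[len("source="):].strip()
        elif ": " in line:
            # "/Applications/Xcode.app: accepted" or "...: rejected (reason)"
            verdict = line.rsplit(": ", 1)[1].split()[0]
    return verdict == "accepted" and source in TRUSTED_SOURCES


def check_installed(path="/Applications/Xcode.app"):
    """Run the real assessment on a Mac. spctl exits non-zero on rejection
    and writes its verdict to stderr, so both streams are collected."""
    proc = subprocess.run(["spctl", "--assess", "--verbose", path],
                          capture_output=True, text=True)
    return xcode_trusted(proc.stdout + proc.stderr)


# Constructed sample outputs, not captured from a real machine.
GENUINE = "/Applications/Xcode.app: accepted\nsource=Mac App Store\n"
THIRD_PARTY = "/Applications/Xcode.app: accepted\nsource=Developer ID\n"
TAMPERED = "/Applications/Xcode.app: rejected\nsource=no usable signature\n"

if __name__ == "__main__":
    for label, output in (("genuine", GENUINE), ("third-party", THIRD_PARTY),
                          ("tampered", TAMPERED)):
        print(label, "trusted" if xcode_trusted(output) else "NOT trusted")
```

Only the genuine output is trusted; a developer whose Xcode fails this check should delete it and download a fresh copy from the Mac App Store or Apple’s developer site before rebuilding and resubmitting apps.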

Article via CNET, September 22, 2015

Photo: Apps via Pixel Fantasy [Creative Commons Attribution-NonCommercial-NoDerivs]

Hackings in healthcare, education, and government

Recent hacks have especially targeted three sectors: healthcare, education, and government, compromising healthcare provider Excellus BlueCross BlueShield, the Cal State University System, and the U.S. Department of Energy.

It was discovered last week that over 10 million people are at risk from an intrusion into Excellus’s computer systems that began in December 2013. The attackers do not appear to have stolen or used the data, but they were able to view customer names, birth dates, Social Security numbers, and financial claims. The attack ranks among the 20 worst healthcare breaches on record. It also parallels recent incidents at Anthem, the Office of Personnel Management, Sony, and Ashley Madison: in each case the attackers reportedly used stolen credentials to pass as legitimate employees on corporate networks.

Roughly 80,000 Cal State University System students had personal information exposed after enrolling in a course on sexual harassment. Their names, phone numbers, email addresses, gender, race, and relationship status had been handed to the contractor running the program, We End Violence, which was hacked, as the Los Angeles Times reported earlier this month.

The U.S. Department of Energy’s computer systems were successfully breached 159 times between 2010 and 2014. Officials declined to say what the attackers accessed or whether any foreign governments were responsible.

Article via ECT News Network, September 16, 2015

Photo: Longmont Power and Communications-3 via You Belong in Longmont [Creative Commons Attribution-NonCommercial-NoDerivs]