Category Archives: cybersecurity

General Cybersecurity topics

Grasping blockchain, it’s more than just bitcoin

OK, OK, I said I wouldn’t mention the “ransomware that shall not be named” again, but…

With all the focus on how people are supposed to pay to have their files decrypted, a lot of people have been asking about bitcoin.  There are many types of cryptocurrency; bitcoin is simply one of them.  Nearly every cryptocurrency, though, relies on a technology called “blockchain.”

Blockchain, in turn, is much larger than cryptocurrency.  It is really a technology that can help track real estate ownership, transfer of tangible property, contracts,  and other agreements.

Now, I’m not going to get into the nitty-gritty.  There are a bunch of articles, books, websites, and YouTube videos that can explain the cryptography and protocols underlying blockchain.  What I would like to do is give a very high-level explanation of blockchain.  So, from 40,000 feet:

  1. Someone wants to transfer something to someone else (bitcoin, property, a contract)
  2. That person creates a transaction with the other party and broadcasts it to the network
  3. The transaction is grouped with other pending transactions to create a “block”
  4. Nodes responsible for validating the block (miners) check every transaction in it and, in bitcoin, race to solve a proof-of-work puzzle on the block
  5. Once the block is validated, it is added to the blockchain

The new block is then replicated across the peer-to-peer network.  Each block also carries the hash of the block before it, so in effect blockchain is a widely distributed append-only ledger: changing an old block changes its hash, breaks the link from every later block, and gets rejected by the other nodes.  Blocks therefore cannot be altered without the entire network becoming aware of the modification.  This transparency adds to the technology’s security.
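To make the “append-only and tamper-evident” claim concrete, here is a toy blockchain in Python.  This is an added illustration, not bitcoin’s code and not something from the original post; the two-hex-zero difficulty target, the merkle-tree shape and the sample transactions are simplifying assumptions.  It walks the five steps above and then shows what happens when a node edits a transaction that is already buried in the chain, and why re-mining just that one block is not enough.

```python
import copy
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of raw bytes."""
    return hashlib.sha256(data).hexdigest()


def merkle_root(transactions: list) -> str:
    """Commit to a whole batch of transactions with one hash.  Assumption: a
    plain pairwise SHA-256 tree that duplicates the last leaf on odd levels
    (the same shape bitcoin uses, minus its double hashing)."""
    if not transactions:
        return sha256_hex(b"")
    level = [sha256_hex(json.dumps(tx, sort_keys=True).encode()) for tx in transactions]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [sha256_hex((level[i] + level[i + 1]).encode())
                 for i in range(0, len(level), 2)]
    return level[0]


HEADER_FIELDS = ("index", "prev_hash", "merkle_root", "nonce")


def block_hash(block: dict) -> str:
    """A block's identity is the hash of its header, and the header includes
    the previous block's hash: that is the 'chain' in blockchain."""
    header = {k: block[k] for k in HEADER_FIELDS}
    return sha256_hex(json.dumps(header, sort_keys=True).encode())


def mine_block(index: int, prev_hash: str, transactions: list, difficulty: int = 2) -> dict:
    """Steps 3-4: bundle transactions into a block and search for a nonce whose
    hash starts with `difficulty` hex zeros (toy proof-of-work)."""
    block = {"index": index, "prev_hash": prev_hash,
             "merkle_root": merkle_root(transactions), "nonce": 0,
             "transactions": transactions}
    while not block_hash(block).startswith("0" * difficulty):
        block["nonce"] += 1
    block["hash"] = block_hash(block)
    return block


def build_chain(batches: list, difficulty: int = 2) -> list:
    """Step 5, repeated: every new block commits to the hash of the one before."""
    chain = [mine_block(0, "0" * 64, [], difficulty)]  # genesis block
    for batch in batches:
        chain.append(mine_block(len(chain), chain[-1]["hash"], batch, difficulty))
    return chain


def validate_chain(chain: list, difficulty: int = 2):
    """What every peer does on receiving a chain: recompute every hash and check
    every link.  Returns (True, None) or (False, index of the first bad block)."""
    target = "0" * difficulty
    for i, block in enumerate(chain):
        if block["merkle_root"] != merkle_root(block["transactions"]):
            return False, i  # transactions edited underneath a valid header
        if block["hash"] != block_hash(block) or not block["hash"].startswith(target):
            return False, i  # header edited, or proof-of-work missing
        if i > 0 and block["prev_hash"] != chain[i - 1]["hash"]:
            return False, i  # link to the previous block broken
    return True, None


# Constructed sample transactions; not real bitcoin data.
SAMPLE_BATCHES = [
    [{"from": "alice", "to": "bob", "amount": 5}, {"from": "carol", "to": "dave", "amount": 2}],
    [{"from": "bob", "to": "erin", "amount": 1}],
    [{"from": "dave", "to": "alice", "amount": 2}],
]


def tamper_demo(difficulty: int = 2):
    """Show why an old block cannot be quietly altered."""
    chain = build_chain(copy.deepcopy(SAMPLE_BATCHES), difficulty)
    before = validate_chain(chain, difficulty)                  # (True, None)
    # A dishonest node edits a transaction that is already buried in block 1.
    chain[1]["transactions"][0]["amount"] = 500
    after_edit = validate_chain(chain, difficulty)              # (False, 1)
    # Re-mining block 1 makes that block self-consistent again, but block 2
    # still commits to the old hash, so the break just moves one link down.
    # Hiding the edit means redoing every later block faster than the rest
    # of the network keeps extending the honest chain.
    chain[1] = mine_block(1, chain[0]["hash"], chain[1]["transactions"], difficulty)
    after_remine = validate_chain(chain, difficulty)            # (False, 2)
    return before, after_edit, after_remine


if __name__ == "__main__":
    print(tamper_demo())
```

The `validate_chain` check is the part that matters for security: the ledger is “write-only” not because anyone enforces it, but because every peer independently recomputes the hashes and refuses a chain whose links don’t line up.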

For an idea of where blockchain could be headed, check out an article I co-wrote for the E-Commerce Times.

DocuSign breach leads to more effective phishing

While the world was focused on WannaCry (I promise that’s the only time I’ll mention it), a significant security issue seems to have slipped through the cracks.

DocuSign is an application for digitally signing business documents like real estate loans, business contracts, statements of work, etc.  OK, I think we’ve already established that I tend to be more paranoid than most folks.  I don’t trust many online applications, especially for important things like loans and contracts.  But I’ve used DocuSign many times in the past and found it to be a very convenient tool for reviewing and signing documents while mobile.

Unfortunately DocuSign had a breach last week that exposed the email addresses of users.  That, combined with the attackers’ access to a DocuSign server, enabled the attackers to send very, very realistic phishing emails to real DocuSign users.

Let me make this clear:  at this point there is no indication from DocuSign that any information beyond users’ email addresses was exposed.

The phishing emails asked users to open a Word document carrying malicious code.  DocuSign does not deliver documents as email attachments; its notifications direct you to sign in to the site to review and sign.  But the messages used DocuSign branding and went to real customers, so many recipients didn’t suspect anything nefarious.

If you are a DocuSign user, be on the lookout.  More phishing messages are likely.  If you get an email asking you to sign a document, don’t click the link and don’t open any attachment.  Go to the DocuSign site yourself (type the address or use a bookmark), sign in there, and see whether a document is actually waiting for you.
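The two rules in that advice, no attachments and a signing link that actually points at DocuSign, are easy to check mechanically.  The Python below is an added example, not DocuSign’s code and not from the original post: it parses a message with the standard library, lists every attachment, and flags any sender domain or link host that isn’t on a trusted-domain list.  The trusted domains, the lookalike host names and both sample messages are constructed assumptions for illustration.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the domains DocuSign itself sends from and links to.  A sender or
# link anywhere else in a "DocuSign" mail is a red flag.
TRUSTED_DOMAINS = ("docusign.com", "docusign.net")


class LinkExtractor(HTMLParser):
    """Collect every href in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def domain_trusted(domain) -> bool:
    """True for a trusted domain or any subdomain of one (na2.docusign.net),
    false for lookalikes such as docusign.net.example."""
    domain = (domain or "").lower().rstrip(".")
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def check_message(raw: str) -> list:
    """Apply the post's rules to one raw RFC 822 message.  Returns a list of
    findings; an empty list means nothing looked off."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Rule 0: who claims to be sending.  From: can be spoofed either way, so a
    # trusted sender is a necessary check, never proof of legitimacy.
    _, sender = parseaddr(str(msg.get("From", "")))
    sender_domain = sender.rpartition("@")[2]
    if not domain_trusted(sender_domain):
        findings.append(f"sender domain {sender_domain!r} is not DocuSign")

    # Rule 1: DocuSign never sends the document itself as an attachment.
    for part in msg.iter_attachments():
        findings.append(f"attachment {part.get_filename()!r} ({part.get_content_type()})")

    # Rule 2: the review/sign link must land on a DocuSign host.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        extractor = LinkExtractor()
        extractor.feed(body.get_content())
        for url in extractor.links:
            host = urlsplit(url).hostname
            if not domain_trusted(host):
                findings.append(f"link to untrusted host {host!r}")
    return findings


# Constructed sample in the shape the post describes: DocuSign branding, a
# lookalike sender and link host, and a Word document attached.
SAMPLE_PHISH = """\
From: DocuSign <dse@docusign-documents.example>
To: victim@example.org
Subject: Completed: Wire Transfer Instructions
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review the completed document.</p>
<a href="http://docusign-documents.example/review/1234">REVIEW DOCUMENT</a>
</body></html>
--b1
Content-Type: application/msword; name="Wire_Instructions.doc"
Content-Disposition: attachment; filename="Wire_Instructions.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

# Constructed sample of a legitimate notification in outline: no attachment,
# and a link on a DocuSign host (the path is made up).
SAMPLE_LEGIT = """\
From: DocuSign <dse@docusign.net>
To: victim@example.org
Subject: Please DocuSign: Lease Agreement
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://www.docusign.net/signing/example-envelope">REVIEW DOCUMENT</a></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, check_message(sample) or ["no findings"])
```

A mail gateway rule along these lines catches the attachment variant outright; the link check is weaker, since a phisher who compromises or mimics a trusted host slips past it, which is why the advice to navigate to the site yourself still stands.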


Attorney – Client in the cloud

Over the past few months I’ve been asked several times about the status of attorney-client privilege when attorneys use cloud technology.  It is an interesting question, and there are a couple of concepts about A-C that need to be explained first.  So buckle up, this is a long one.

First (and very broadly speaking), A-C privilege is waived when a privileged communication is disclosed to a third party, whether intentionally or inadvertently.  So an attorney and client discussing a case in a busy coffee shop could lose A-C, since a third party could overhear the conversation.  I know the attorneys reading this post will likely come out of their chairs with exceptions, but I’m trying to paint a high-level picture.

This does not mean that attorneys have to hide everything in locked safes buried in concrete.  The comment to Rule 1.6 of the ABA Model Rules of Professional Conduct states:

“…unauthorized access to, or the inadvertent or unauthorized disclosure of, information relating to the representation of a client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure. ” (emphasis added).

So, this brings us to Harleysville Insurance Company v. Holding Funeral Home, No. 1:15cv00057, memorandum op. (W.D. Va. Feb. 9, 2017).  In Harleysville, an investigator for Harleysville’s parent company uploaded surveillance video of the underlying event to a file-sharing site.  He then emailed a link to the video to another party.  The same investigator later placed the entire case file in the same share.

The share was not password protected or otherwise protected; anyone with the link, or anyone who simply found the share, could see the information.  Remember the language of the model rule above?  The Virginia court echoed it in its opinion, stating that inadvertent disclosure can be caused “by failing to implement sufficient precautions to maintain its confidentiality.” (emphasis added)  The court continued: “With regard to the reasonableness of the precautions taken to prevent the disclosure, the court has no evidence before it that any precautions were taken to prevent this disclosure.” (emphasis added)

The court concluded that A-C had been waived by posting the information to a publicly available website.

As I’ve counseled clients in the past, whether A-C will survive in the world of cloud usage depends on the steps taken to prevent disclosure.  A bare share link is itself the credential: whoever obtains it, by forwarding, by subpoena of someone’s mailbox, or by guessing, has exactly the access the intended recipient has, and that is no precaution at all.  Encryption, access control, and logging are your friends.
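As an added illustration of what “reasonable precautions” on a share link can look like (example code, not any vendor’s product and not from the original post), here is a signed-link scheme in Python: each link is bound to a named recipient and an expiry, the server verifies the HMAC signature on every access, and every decision is logged.  The hypothetical service at files.example, the in-process key, and the user names are assumptions; the demo replays the Harleysville fact pattern against it.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumptions: a hypothetical file-sharing service at files.example whose
# signing key exists only on the server (here generated at import time).
SERVER_KEY = secrets.token_bytes(32)
ACCESS_LOG = []  # the "logging" part: one record per access decision


def _signature(path: str, recipient: str, expires: int) -> str:
    """HMAC over everything the link promises: which file, for whom, until when."""
    msg = f"{path}\n{recipient}\n{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def make_signed_link(path: str, recipient: str, ttl_seconds: int, now=None) -> str:
    """Mint a link that works only for the named recipient and only until it
    expires.  Editing either field in the URL invalidates the signature."""
    now = int(time.time()) if now is None else int(now)
    expires = now + ttl_seconds
    query = urlencode({"r": recipient, "e": expires, "s": _signature(path, recipient, expires)})
    return f"https://files.example/{path}?{query}"


def _log(path: str, user: str, allowed: bool, reason: str) -> bool:
    ACCESS_LOG.append({"path": path, "user": user, "allowed": allowed, "reason": reason})
    return allowed


def authorize(link: str, presenting_user: str, now=None) -> bool:
    """Server-side decision for every access.  The link alone is never enough:
    the caller must also be the authenticated user it was minted for."""
    parts = urlsplit(link)
    path = parts.path.lstrip("/")
    query = parse_qs(parts.query)
    try:
        recipient, expires, sig = query["r"][0], int(query["e"][0]), query["s"][0]
    except (KeyError, ValueError):
        return _log(path, presenting_user, False, "malformed link")
    now = int(time.time()) if now is None else int(now)
    # Constant-time compare; checked before anything else so a forged link
    # learns nothing about expiry or recipients.
    if not hmac.compare_digest(sig, _signature(path, recipient, expires)):
        return _log(path, presenting_user, False, "bad signature")
    if now > expires:
        return _log(path, presenting_user, False, "expired")
    if presenting_user != recipient:
        return _log(path, presenting_user, False, "not the named recipient")
    return _log(path, presenting_user, True, "ok")


def harleysville_demo() -> dict:
    """Replay the case's fact pattern.  Hypothetical users; the outcomes are
    the point, not the names."""
    t0 = 1_700_000_000
    link = make_signed_link("claims/case-file.pdf", "investigator@insurer.example",
                            24 * 3600, now=t0)
    return {
        "intended recipient, in time":
            authorize(link, "investigator@insurer.example", now=t0 + 60),
        "stranger who found the link":
            authorize(link, "stranger@elsewhere.example", now=t0 + 60),
        "intended recipient, a week later":
            authorize(link, "investigator@insurer.example", now=t0 + 7 * 86400),
        "stranger who edited the recipient in the URL":
            authorize(link.replace("investigator%40insurer.example",
                                   "stranger%40elsewhere.example"),
                      "stranger@elsewhere.example", now=t0 + 60),
    }


if __name__ == "__main__":
    for scenario, allowed in harleysville_demo().items():
        print(f"{scenario}: {'allowed' if allowed else 'denied'}")
    for entry in ACCESS_LOG:
        print(entry)
```

The contrast with the case is the second scenario: with a bare link the stranger sees the case file; here the same link, presented by anyone other than its recipient, is denied and the attempt is recorded, which is exactly the evidence of precautions the court said it did not have.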

Breach notification laws: Better privacy or the 10th circle?

Today (April 19th) New Mexico became the 48th state to enact a data breach notification law.  Only Alabama and South Dakota do not have a notification law on the books.

On the one hand this is good news for the privacy of New Mexicans.  They are now assured of notice when their personally identifying information is breached, and with it the opportunity to mitigate the resulting damage.

For security and privacy folks, though, there is a different perspective.  We now have 48 distinct regulations to track.  If I have a client that does business across the country, I have to ensure I am able to help them comply with 48 different (and sometimes contradictory) regulations.  As an example, assume I have a client doing business in Texas, Oklahoma, and Colorado:

  • Texas and Oklahoma consider a driver’s license number an element of personally identifying information; Colorado does not.
  • Colorado requires notification to the credit reporting agencies (CRAs) if more than 1,000 records are breached.  CRA reporting is required in Texas if more than 10,000 records are breached.  Oklahoma does not require CRA reporting at all.
  • Oklahoma allows substitute (electronic) notice if the cost of written notice would exceed $50,000; in Texas and Colorado it is only allowed if the cost would exceed $250,000.

Add the other 45 states to the mix and the mapping becomes complex.  I won’t comment on whether there is a “better” rule, but the hodgepodge of requirements makes compliance more difficult for everyone.  This is the type of conflict that is ripe for a federal rule to unify requirements.  Unfortunately the attempts to do so over the past few years have failed to garner much attention.

BTW: For the curious, there are at least 89 different countries with breach or privacy laws.  A breach at a multinational corporation can be very complex.