People always ask me if law enforcement is having any luck in combatting cyber criminals. Let me be clear: it is a very tough job to take down cyber criminals located in other countries or sponsored by foreign nations. Our government is focusing on cyber criminals more than I have ever seen before, and the effort is promising.

Not only did the Department of Justice (DOJ) lead an effort to recoup ransomware paid by Colonial Pipeline, but it also just took down (I love that term), with the help of international law enforcement, an online marketplace, Slilpp, that was selling stolen login credentials for banking and online payment platforms.

An unsealed affidavit for a warrant requested by the DOJ states that victims have reported over $200 million in losses in the U.S. The Slilpp marketplace sold login credentials for more than 1,400 account providers before law enforcement took them down.

According to the DOJ: “[W]ith today’s coordinated disruption of the Slilpp marketplace, the FBI and our international partners sent a clear message to those who, as alleged, would steal and traffic in stolen identities: we will not allow cyber threats to go unchecked…. We applaud the efforts of the FBI and our international partners who contributed to the effort to mitigate this global threat.”

The FBI and DOJ are tirelessly chasing cyber criminals and their efforts are paying off for all of us. They deserve huge credit for their persistence and efforts.

On June 3, 2021, the U.S. Supreme Court issued its first-ever interpretation of the Computer Fraud and Abuse Act (CFAA), the federal criminal and civil statute intended to deter and punish unauthorized access to computer systems. The decision in Van Buren v. United States adopts a narrow construction of a key provision of the CFAA addressing whether a computer user “exceeds authorized access.” In doing so, the Court echoed the concerns of many commentators who have warned against a broad reading of the statute that might over-criminalize computer activity.

The Court’s decision removed the CFAA as a tool to address certain circumstances when someone accesses a computer in violation of an authorized purpose, such as violations of workplace technology policies or a website’s terms of service. In Van Buren, the Court rejected the argument that violation of a purpose-based restriction can be the basis for a violation of this portion of the CFAA. Because this type of conduct is not actionable under the CFAA, companies may turn to technological access controls to control sensitive data rather than relying on internal policies.

The Court’s limits on the scope of the CFAA may be favorable to cybersecurity researchers, who often access computer systems in violation of terms-of-use to detect security vulnerabilities or other threats. Until Van Buren, white-hat cybersecurity researchers were deterred from carrying out such tests due to the threat of criminal prosecution under the CFAA for exceeding authorized access.

This week, Ancestry.com Inc. prevailed in a class action which alleged that it misappropriated consumers’ images and violated their privacy by using such data to solicit and sell their services and products. The court granted Ancestry.com’s motion to dismiss the amended complaint with prejudice because the plaintiffs “did not cure the complaint’s deficiencies” after being granted leave to amend the first complaint.

As we previously wrote in November 2020, Ancestry.com was hit with a class action in the Northern District of California for “knowingly misappropriating the photographs, likenesses, names, and identities of Plaintiff and the class; knowingly using those photographs, likenesses, names, and identities for the commercial purpose of selling access to them in Ancestry products and services; and knowingly using those photographs, likenesses, names and identities to advertise, sell and solicit purchases of Ancestry services and products; without obtaining prior consent from Plaintiffs and the class.” In March 2021, the court dismissed the lawsuit based on lack of standing, but allowed the plaintiffs to amend and address the deficiencies. Although the plaintiffs added allegations of emotional harm, lost time, and theft of intellectual property, that didn’t sway the court. U.S. Magistrate Judge Laurel Beeler said that the new allegations “do not change the analysis in this court’s earlier order.” The court held that the plaintiffs still did not establish Article III standing because they had not alleged a concrete injury.

Additionally, the court noted that even if standing were established, Ancestry.com is immune from liability under the Communications Decency Act (CDA) because it is not a content creator. Magistrate Beeler said that Ancestry.com “obviously did not create the yearbooks [. . .] [i]nstead, it necessarily used information provided by another information content provider and is immune under [the CDA].”

I know I sound like a vinyl record that has a scratch in it, but I write it as I see it. And right now, I am seeing that the companies hit with cyber-attacks, ransomware attacks, double extortion attacks, and data theft are unprepared to respond because they either don’t have an incident response plan or haven’t tested it.

A cyber-attack is going to happen. Waiting until it does to figure out how to respond is not the best strategy. Most companies know what they would do if the electricity went out or there were a snowstorm; very few companies are prepared to respond to a cyber-attack.

Cyber-attacks are more frequent and more sophisticated than ever before. Even a company that has an incident response plan and has completed table-top exercises and simulations finds it to be a chaotic time. If it hasn’t prepared at all, it is even more chaotic.

As a first step, figure out who should be on your incident response team and make sure they have each other’s cell phone numbers. Figure out whether you have appropriate insurance and who you would call to assist with the incident and quarterback the plan. Get your counsel and vendors pre-approved so you can make one call and not miss a beat. Planning the details before an incident occurs will save valuable time during the incident, allowing you to concentrate on responding instead of addressing now-necessary administrative tasks that could have been dealt with in advance.

Take the time to plan and prepare for a security incident. It will save you valuable time and resources and you will recover faster and less painfully.

The Federal Aviation Administration (FAA) has selected Iris Automation to participate in the FAA’s Beyond Visual Line of Sight (BVLOS) Aviation Rulemaking Committee (ARC). Iris Automation is a safety avionics technology company with Detect-and-Avoid systems and other services that assist its customers in developing scalable BVLOS operations for commercial drones. The BVLOS ARC’s mission is to provide recommendations to the FAA for regulatory requirements based on unmanned aerial system (UAS or drone) performance. The requirements will assist in normalizing safe, scalable, economically viable, and environmentally safe UAS BVLOS operations WITHOUT positive air traffic control.

The FAA administrator, Steve Dickson, said, “This [BVLOS ARC] will consider the safety, security and environmental needs, as well as societal benefits, of these operations. Within six months, the committee will submit a recommendations report to the FAA. I think we can all agree this is a big step forward, and it will help pave the way for routine package delivery, infrastructure inspection, and other more complex drone operations beyond the visual line-of-sight of the remote pilot.”

The FAA has sought the input and expertise of the UAS industry and interested stakeholders in the past. Now, the FAA will utilize Iris Automation’s expertise to help establish safety and performance standards for BVLOS operations. This is yet another step to integrating drones into the national airspace in a safe, effective, and efficient manner.

Another post-pandemic fallout is the fact that rental car agencies have sold their fleets, for obvious reasons. In doing so, there aren’t enough rental cars for all of us who have been stuck at home and are now raring to go on vacation.

While the shortage of rental cars naturally means higher prices, and some entrepreneurs are responding to the shortage with offerings of an Airbnb-type model, scammers also are aware of the shortage and the frenzy to confirm a rental car and see an opportunity to fleece consumers.

According to a Federal Trade Commission Scam Alert, scammers are designing spoof websites to lure consumers and deceive them into believing they can provide a rental car at a deep discount. When you click on the website to rent a car, they ask you to pre-pay with a gift card or a pre-paid debit card. RED FLAG. Your gut should be telling you that a legitimate rental car agency would not be asking for payment with a gift card!

According to the FTC:

To avoid rental car scammers driving off with your money:

  • Research the rental car company by searching for the name of the company and words like “scam,” “complaint,” or “review” to check if other people have had a bad experience.
  • Verify deals with the company directly. If you need customer support, look for contact info on the company’s official website. Don’t use a search engine result. Scammers can pay to place sponsored ads in search results, so they show up at the top or in the sponsored ad section.
  • Pay with a credit card if possible, and never pay with a gift card or prepaid debit card. You can dispute credit card charges, but gift cards and prepaid debit cards can disappear like cash. Once you give the number and PIN to a scammer, the money is gone.

Before you rush to book that miraculously available rental car, take a beat and read up about things you should consider when renting a car. If you spot a rental car scam, tell the FTC at ReportFraud.ftc.gov.

And I’ll add a couple more:

  • If a deal is too good to be true, it’s exactly that—too good to be true, and probably a scam.
  • Be cautious about any “deals” you get through an email, as it may be malicious.
  • Be cautious about calling any customer support numbers you get through emails.

Happy vacationing, and be safe while reserving car rentals.

Although a patch has been available from VMware since May 25, 2021, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and Cyber Command this week urged users of VMware to update and apply a fix to software that is used to manage virtual machines in data centers.

The warning states, “Please patch immediately!” It is reported that hackers have already been leveraging the flaws, which allow them to remotely execute code and infiltrate environments running VMware’s server management software. The flaws are in VMware vCenter Server and VMware Cloud Foundation products.

Users and administrators of these VMware products are encouraged to “review VMware’s VMSA-2021-010, blogpost, and FAQs for more information about the vulnerability and apply the necessary updates as soon as possible, even if out-of-cycle work is required. If an organization cannot immediately apply the updates, then apply the workarounds in the interim.”

These urgent warnings from both VMware and CISA merit consideration and prompt attention.

The FBI recently issued a Flash Alert to Fortinet FortiGate users that Advanced Persistent Threat (APT) groups are continuing to exploit devices that have not been patched. Although Fortinet issued patches for these vulnerabilities in 2018, 2019, and 2020, many organizations have not applied the patches.

The exploitations are random, not against specific industries or sectors, and appear to be focused simply on targeting unpatched devices. According to a joint CISA and FBI alert issued in April 2021, the vulnerabilities could be used by threat actors to exfiltrate data, encrypt data, and stage for additional attacks.

Not patching vulnerabilities in software that is actively being used by your organization is giving threat actors easy access to valuable data, akin to not locking your door and allowing a burglar to enter and steal all your valuables. These are not new vulnerabilities nor are they new patches. Check with your IT professionals to confirm that these patches have been applied.

IT professionals leave room in their schedules for Microsoft’s monthly Patch Tuesday just as I leave room in my schedule every Wednesday night for blog writing. This month’s Patch Tuesday was light on patches compared to other months, but includes six that are designed to patch zero-day-related vulnerabilities, four of which address elevation-of-privilege flaws.

No question, the ability of threat actors to escalate privileges in a system or application is a major concern for data security, as it may allow threat actors to access and exfiltrate the most sensitive data in a company’s system. It also may give the threat actor the ability to destroy backup systems and security tools designed to detect compromises and to plant malware and ransomware unseen. This is exactly what threat actors are doing with Prometheus ransomware.

Microsoft urged users to patch these zero-day vulnerabilities, as threat actors are using them to launch targeted attacks against users.