


VIDEO: Why the rising use of biometric authentication is driving states to regulate privacy

By Byron V. Acohido

Using biometrics to verify one’s identity is no longer something you’d expect to see only in a Hollywood depiction of a dystopian future. Biometric identification has been in practical use for a while now, and the technology is getting more sophisticated every day.

As you might expect, privacy concerns have arisen along the way. And now the legal ramifications are getting more complicated.

Washington state last month passed House Bill 1493: pioneering legislation forbidding businesses from obtaining or selling biometric information without the consent of the individual. Gov. Jay Inslee is expected any day to sign the new law, which is directed at concerns about the use of biometric identifiers to commit identity fraud.

I recently sat down with Robert Capps, vice president of business development at NuData, to discuss these developments. Based in Vancouver, British Columbia, NuData supplies systems that help ecommerce companies and banks detect and prevent online identity fraud. It does this by studying nuances of how an individual interacts with his or her computing device, such as how he or she types on, touches and even holds the device. Here are a few takeaways from our conversation:

Biometric identifiers defined. These are unique physical or behavioral characteristics of individuals, including fingerprints, retinal scans, voiceprints, facial recognition, and even the distinctive way a person walks and moves. Heartbeats can even be used to authenticate users for access not just to secure locations but also to a wide variety of digital services.

Usage becoming commonplace. It’s no longer that unusual for online services to request data referring to your physical traits in lieu of just a username and password. And government agencies are increasingly using biometric identifying technologies to keep places, like airports, secure.

“They’ll use facial recognition, gait analysis—how you walk,” Capps says. “These data points are also used in places like casinos looking for cheats and criminals walking into those facilities. … more

VIDEO: How CIA cyberweapons are increasingly being used to hack banks, credit unions

By Byron V. Acohido

When WikiLeaks released details about the CIA’s arsenal of hacking tools last month, it was like Christmas arrived early for hackers who specialize in cracking into the business networks of financial services companies.

Mandiant, the forensics division of malware detection vendor FireEye, affirmed as much in its M-Trends 2017 report, issued shortly thereafter. The Mandiant report disclosed how cyber criminals have quickly embraced CIA-type tools to juice up their banking system attacks.

I spoke to Bob Thibodeaux, chief information security officer at Seattle-based DefenseStorm, about this. DefenseStorm provides a security service for community banks and credit unions that monitors network traffic—specifically event log data—for malicious activities.

“What we are seeing with the leak of the CIA’s attack tools is that cyber criminal elements are actually taking advantage of the knowledge of those tools for their attacks,” Thibodeaux told me. “We are seeing them actually using the kinds of tactics that the government actors are using to exploit financial firms, specifically.”

These cutting-edge attacks are showing up in banking systems in southeast Asia, according to Mandiant. But it may be only a matter of time before use of similar tactics, leveraging the CIA leak, spreads to banks in other regions. “The attackers are using tools that Windows system administrators would use to actually stay on the network, monitor traffic, figure out how the banking process works, and then steal tens to hundreds to millions of dollars,” Thibodeaux says.

Community banks and credit unions in the United States are likely to be targeted because they are less well-defended than the big multinational banks.

It is all too typical for a small bank or credit union to rely on basic network defense systems, even though malicious probes and communications with criminal command-and-control servers are nonstop.

Unfortunately, it’s not going to get any easier for smaller banks and credit unions to play catch-up, much less neutralize cyber attacks over … more

VIDEO: The implications of privacy rules stiffening in Canada, Europe

By Byron V. Acohido

As a partner at the Canadian law firm Borden Ladner Gervais, Éloïse Gratton advises her clients on legal, practical and ethical ways to protect an individual’s privacy while conducting business nationally and internationally. She has testified before Canada’s House of Commons and other federal bodies and conducted training workshops attended by judges and members of Parliament.

LastWatchdog sat down with Gratton just after she appeared on a privacy panel at CyberScout’s Privacy XChange Forum. Here’s the gist of that conversation. The text has been edited for clarity and length.

LastWatchdog: Europe and Canada are oriented toward preserving privacy for the individual; in America, not so much. Can you frame how that plays out in global commerce?

Gratton: I would say in Europe and in Canada, we’ve been a little bit ahead on the data-protection front, so we probably have laws that are a little bit more stringent. Yet we’re a little behind on everything that has to do with security-breach notification. In the States, it has been mandatory for quite some time. In Europe, it will be mandatory with the upcoming General Data Protection Regulation in May 2018.

In Canada, there’s one province where, if the breach triggers significant harm for the affected individuals, it’s mandatory to notify. So in Alberta, that has been a legal requirement since 2009. In coming months, this will also become a federal legal requirement to notify upon a security breach taking place. So we’re following the U.S. on this issue.

LastWatchdog: Cyber threats continue to evolve so rapidly; can regulators keep up?

Gratton: Yes, the threat is evolving, so at the end of the day, organizations need to ensure that they are ready for the new threats. We’ve seen it recently in Canada with the Ashley Madison hack. So you have to have a breach-incident response plan and make sure employees are trained, so that they’ll know exactly what to do. Upon … more

VIDEO: Why cyber insurance is needed to protect intangible assets, i.e. business data

By Byron V. Acohido

More organizations than ever, especially small and medium-size ones, will seek to account for the fast-rising risk of suffering a cyber attack in 2017 by buying a cyber liability policy.

The general state of security of U.S. business networks remains anemic when compared to the vast and growing capabilities of hackers with malicious intent. Companies are beginning to realize the value of offsetting this risk to an insurance carrier—and insurance companies and underwriters recognize a golden goose when they see one.

The fledgling cyber insurance market topped $3 billion in 2015, and ABI estimates the global cyber insurance market is swelling at a clip that will top $10 billion by 2020.

Related: Cyber insurance increasingly includes value-added security services

ThirdCertainty sat down with Tim Francis, cyber insurance enterprise lead at Travelers Bond & Financial Products, and Graeme Newman, chief innovation officer at CFC Underwriting, shortly after the pair spoke on this topic at IDT911’s Privacy XChange Forum 2016 this fall. Here’s their forecast. (IDT911 sponsors ThirdCertainty. This text has been edited for clarity and length.)

3C: Could you frame the emerging cyber insurance market for us?

Newman: The cyber insurance market has been around for 15 or 16 years now, which in insurance terms, is a short period of time, but it’s growing fast. It’s very much U.S. dominated, and it also falls into some specific industry verticals. You get a lot of buyers in the financial services, within retail and within health care. But that’s starting to change.

Francis: Part of what’s driving this shift into different industries, and also smaller-size companies, is the recognition that cyber is not just a product for companies with large amounts of data. A lot of coverages go beyond that to things like business disruption, which could affect any company virtually. For instance, ransomware has nothing to do with the excavation of data.

3C: What are some of the obstacles?

Newman: The … more

VIDEO: NY holds companies accountable for cybersecurity

By Byron V. Acohido

Banks and other financial services companies wishing to do business in the state of New York will soon have to prove they are using first-class cybersecurity policies and practices.

Officials at the New York State Department of Financial Services (NYDFS) were so concerned that a catastrophic network hack in the financial sector could have dire consequences that they took it upon themselves to draft a far-reaching set of mandatory cybersecurity requirements.

Two years in the making, it is called the Cybersecurity Requirements for Financial Services Companies. And it is set to take effect Jan. 1.

Heading off hacks

A comment period on the draft proposal closed Nov. 14. Officials now are reviewing the comments, and modifications could yet be made. However, if the rules as drafted stay mostly intact, as expected, we could witness a paradigm shift driven by hefty new regulations.

New York’s effort to compel financial services companies to do much better at cybersecurity goes miles further than California’s pioneering data loss disclosure law. In 2003, California lawmakers required companies that lose personal information to inform the individuals whose data has gone missing. And with the U.S. Congress in perpetual gridlock, 46 other states followed suit and passed similar data loss notification laws.

It’s going to be fascinating to see if the cycle repeats itself. “There have been some articles from the insurance sector welcoming regulation,” says Richard Borden, a cybersecurity attorney at Robinson & Cole. “Others see this as overbearing, especially for smaller entities. It’s going to require a large compliance regime, and smaller companies are going to have a lot of trouble with that, from an operational and a technical standpoint.”

Long and detailed checklist

Under New York’s new rules, an institution must establish a program capable of ensuring the confidentiality and integrity of its information systems. The scope of the new rules is broad, and the specific requirements are very detailed. Minimum requirements call for … more

VIDEO: Good guy hacker Chris Vickery hunts exposed data

By Byron V. Acohido

Two more stunning disclosures from self-styled internet watchdog Chris Vickery underscore how organizations continue to routinely expose sensitive data in the cloud, risking dire consequences.

“My findings clearly demonstrate that data breaches happen more often than the general public realizes, and companies are quick to deny and cover up these issues,” Vickery says.

Last Friday, Vickery revealed how Habitat for Humanity of Michigan had been making use of two backup virtual hard drives without taking steps to block public access to those drives, which contained “lots of background/credit checks for volunteers and applicants, as well as thousands of Social Security numbers,” he says. The nonprofit organization helps build and renovate affordable housing for needy families.

Leaked files show grim reality

In mid-October, Vickery broke news at IDT911’s Privacy Xchange Forum 2016, describing how a California law firm similarly neglected to restrict access to an internet cloud storage location where it kept copies of case files. (IDT911 sponsors ThirdCertainty.) The legal documents Vickery located included notes and surveillance footage appearing to show guards at a police holding cell in La Habra, California, failing to take any action as a 49-year-old prisoner, Daniel Oppenheimer, hanged himself.

The notes of the lawyer—whose firm specialized in defending alleged police misconduct—revealed that he looked at the surveillance video and saw “shadows” of a person twice walking past Oppenheimer’s cell during the strangulation, Vickery says. The shadows weren’t noted, though, in the district attorney’s report investigating any wrongdoing by police in Oppenheimer’s death, and Vickery questions whether the person walking past the cell could have stopped the suicide.

Oppenheimer strangled himself with a telephone cord and the zipper of his jail-issued jumpsuit on Jan. 2, 2015. Earlier that day, Oppenheimer was arrested and charged with attempting to strangle his wife at their La Habra home.

Vickery says he contacted the city lawyer’s firm and an attorney representing Oppenheimer’s daughter who filed a wrongful-death lawsuit against the … more

Q&A: How hackers manipulate domain names to spread malware

By Byron V. Acohido

When Seattleite Jay Westerdal bootstrapped a company called DomainTools in 2002, it was to support his activities in the domain name speculation game that was red hot at the time.

DomainTools set out to gather domain “whois” records in order to serve those immersed in speculating on owning domain names, like chocolate.com. Unbeknown to the founders at the time, the company did a couple of things that would position DomainTools to reinvent itself down the road as a security vendor, once the domain name market ran its course.

First, the company kept historical records of everything. And, second, DomainTools started gathering not just “whois” records but also web server and email server records, all of which would prove to be valuable for tracking the activities of cyber criminals.

ThirdCertainty recently visited with Tim Helming, DomainTools’ director of product management, to outline how the company today sheds light on the cyber underground. Text edited for clarity and length.

3C: How do domain names come into play with malicious internet activities?


Helming: Everything that happens on the internet happens with IP addresses and domain names. You’ve probably received phishing emails once or twice, right? We all have. So a phishing email has domains in a couple of places. Usually there’s a link that they want you to click on, and that link has some domain in it. Sometimes it’ll be an intentional typo that looks like a legitimate site. They want you to click on it. So that domain name actually is a key to a lot of valuable information about the attacker.

Related: DNS vulnerabilities expose businesses to attack

From that one domain, you can often expand and see other domains that they own. And that could tell you things like, ‘Oh these other domains are all targeting businesses in my industry. So this attacker’s interested in my industry.’ Or maybe they’ve got a … more