Texas CoA Addresses Electronic Community Property and Invasion of Privacy

August 5, 2016

Reference:

Miller v. Talley Dunn Gallery LLC, 2016 Tex. App. LEXIS 2280

(Tex. App. – Dallas March 3, 2016) (mem. opinion)

(Cause No. 05-15-00444-CV)

Relevant Documents:

Memorandum Opinion:  March 3, 2016, Cause No. 05-15-00444-CV

Texas Penal Code 33

In this case, part of the original trial court’s decision determined that Talley Dunn and the Tally Dunn Gallery LLC had “established a probable right to recover on their claims under the HACA. [Harmful Access to Computers Act]”  [March 3, 2016, Cause No. 05-15-00444-CV, pg. 19]

In his appeal, Bradley B. Miller argues that, while he admits that he took screenshots of information contained on the phone, the screenshots do not qualify as “access” and that he had effective consent to do so because the cell phone was community property.  [March 3, 2016, Cause No. 05-15-00444-CV, pg. 21-22]

Texas Penal Code § 33.01(1) defines access as:

“to approach, instruct, communicate with, store data in, retrieve or intercept data from, alter data or computer software in, or otherwise make use of any resource of a computer, computer network, computer program, or computer system.”

Neither party disputes that a cell phone is a computer, and the appellate court found that in order to take the screen shots Miller necessarily HAD to access the the computing device, within the definition of the penal code.  [March 3, 2016, Cause No. 05-15-00444-CV, pg. 22]

Regarding his argument that he had effective consent to access the cell phone because it was community property, the CoA relied upon the penal code definition of ‘owner’ as:

“a person who:

(A) has title to the property, possession of the property, whether lawful or not, or a greater right to possession of the property than the actor;

(B) has the right to restrict access to the property; or

(C) is the licensee of data or computer software.”

Dunn used the cell phone on a daily basis, had the right to place a password on it (and had), and the court determined Dunn had a ‘greater right to possession of the cell phone’.[March 3, 2016, Cause No. 05-15-00444-CV, pg. 23]  Further, the CoA notes earlier in the opinion that “[N]othing in the Texas Constitution or our common law suggests that the right of privacy is limited to unmarried individuals.”  [March 3, 2016, Cause No. 05-15-00444-CV, pg. 20]

Interestingly, the court does not address the multiple licenses that are part of the software and operating system that users have to acknowledge and accept to use a modern cell phone.  I would expect that will start coming up as another layer to the definition of ‘owner’, though.

Accordingly, the CoA concludes that “the trial court did not abuse its discretion by determining appellees established a probable right to recover on their claims under the HACA.”  [March 3, 2016, Cause No. 05-15-00444-CV, pg. 23]


‘Shellshock’ In Plain English: Latest Security Vulnerability is a Big One

September 25, 2014

Many network administrators and information security folks are feeling the effects of the ‘Shellshock’ bug, this morning.  The bug has been confirmed as ‘worm-able’, and proof-of-concept code is already bouncing around.
(source: Errata)

In many ways, Shellshock is worse than Heartbleed.  Here is a quick, plain English breakdown of the vulnerability:

What Shellshock Is:

It’s an attack that does not require the attacker to ‘authenticate’ to the system or server being attacked.  In other words- the attacker does not have to have a username/password, or break passwords.

What the attacker can do:

Everything up to full control of the compromised device/system/server.

What Shellshock affects:

Linux, Mac OS/X or any device that uses a ‘Bash’ Linux command-line (most internet connected devices).

If you read that it only affects Linux systems/servers- don’t breathe a sigh of relief just yet!  Most of the ‘Internet-of-things’ devices (Cameras, refrigerators, TVs, etc.) use a form of Linux, and are potentially vulnerable.  In addition, if you are running ‘SOHO (Small Office/Home Office)’ wireless access points, managed switches, and routers, or if you are using a store-bought Firewall/Cable modem then you may be vulnerable.

If you rely on IT support, and they tell you that there is ‘No problem- we don’t allow shell or terminal access to the outside world’, then you need to point out to them that is not the entire attack vector:  Any process, or program that IS accessible, that sends commands to the shell, is potentially vulnerable.  It is not always obvious which programs or services do this, behind the scenes.

So what can be done?

Review and Confirm: Check your systems, servers, and devices to see if they are, in fact, potentially vulnerable.

Patch:  A number of the primary Linux shell versions had patches available within hours.

Keep an eye out for firmware updates for your internet devices: Internet connected TVs, Wifi access points, SOHO-class firewalls, Network storage devices, internet connect cameras, etc.

Kill Non-essentials: Consider turning off, or disconnecting, non-essential ‘internet-of-things’ devices until a patch is available for them.

BE ALERT FOR PHISHING SCAMS:  So-called ‘spear phishers’, and scammers of every ilk, like to use these well-publicized security issues to trick people into downloading malicious programs.  Always deal with a known security site, or directly with the manufacturer.

USEFUL READING:

Patch NOW (the Register)

Shellshock bug (the Mirror)

TECHNICAL: CVE-2014-6271 (NIST.gov)

TECHNICAL: OSS Write-up


Part One: Simple Steps To Secure Your Client During Litigation

September 11, 2012

In the past year, there has been a distinct uptick in cases involving data breach and key logging malware- especially in family law cases. This uptick is not by anonymous, random third parties, but rather by the actual litigants in a case.

Part of the reason for the uptick is that “bugging” someone’s computer  or cell phone (electronic intercept) has gotten significantly easier. Most people can handle installing software.  Likewise with breaking into someone’s webmail, banking, or other online accounts.

Here are steps your client can take, right now, to protect their information and communications:

  • Create a List of Electronic Assets – Experience shows that, without a list, things will be overlooked.  Have your client list out cell phone, webmail, social network, and online banking accounts. In the same manner, have them list out things like wifi and home network assets.  This list is the starting point.
  • Change Passwords and Password Recovery Questions – Simply changing passwords is not enough. Password recovery questions (“What is the name of your favorite pet?”) are an easy way for someone who is familiar with your client to gain entry to their online resources.
  • Avoid Password Reuse – Using the same password for everything is a recipe for disaster. Understandably, it can be an inconvenience to use different passwords everywhere, but there are ways to make meaningful passwords that are easy to remember. Here is a full write-up on password reuse.
  • Review WiFi Security – If the opposing side in a matter was the one that set up the home wireless network, then all they need to do is be within range to join back on the network and gain access to systems or to “sniff” and view network traffic (including your client’s passwords, communications, etc.).
  • Review Joint Cellular Accounts – Depending on the carrier, joint cellular plans can give the opposing party access to endpoints in voice and text communications. Some carriers may actually have access to the content of text messages online. While TRO and data protection may prevent a direct change to the account or plan, your client may consider using a pay-as-you-go plan.

These are some simple steps that can be taken with minimal cost, and yet they will provide an immediate boost to your client’s security stance.

Tomorrow: Part 2- Simple Steps In Case of Breach

If you or your client feel that there has already been a breach, or you are facing a particularly aggressive or knowledgeable opposition, you may consider inquiring about our Client Information Security package (CISP).

The CISP is a flat-rate, full assessment of your client’s information security and includes a drop-in firewall with logging and 24/7 monitoring for intrusion attempts, malware activity, and other breach behavior.  Vidoc Razor not only will assess the security of your client, but fixes the issues identified.  All hardware is provided by Vidoc Razor.

You can find more information by clicking HERE.


Because One Thing Leads to Another: Data Breach and Password Re-Use

June 27, 2012

Dropping Your Breaches…

After the data breach of LinkedIn two weeks ago (6.5 million passwords leaked, a five million dollar lawsuit on the way), I have asked a simple question of some of my clients that I know are LinkedIn users: “Have you changed ALL your passwords yet?”.

The question has been met with confusion (“What data breach?”) and, in most cases, with indifference (“I don’t see what benefit having access to MY LinkedIN would provide a hacker.”). When I mention the phrase “password re-use”, I receive an almost universal response of “huh?”.

Single Point of Failure

Password re-use is seemingly an ingrained response to the presence of a password: You have hundreds of password protected resources, so it is natural that you would re-use the same password across multiple (or all) of those resources. This is the problem.

From the point of view of a hacker the world looks a little wider:

1- Breach LinkedIN passwords

2- Now leverage the email addresses, username conventions, etc. to test the password on:

Workplace accounts – Obvious information on LinkedIN. This could include work email systems, vpn access, extranets, etc.

Gmail and other webmail accounts – Possibly contains password/access information to online banking, work, other accounts

Mobileme and other “Cloud” services – Dropbox, anyone?

Online Banking – A pretty obvious target.

You can see how the seemingly “insignificant” breach can lead to much bigger issues.

In the case of the LinkedIN breach, the information obtained was posted for download by anyone that wanted to take a whack at them. Consider the scenario of an opposing party downloading your breached information and leveraging it for further access.

We know that information security is a balance between usability of information and systems, and security of those same areas. So how does one maintain separate use passwords but still easily access needed resources?

So Now What?

Fortunately there are some solutions. I have listed the top ones below:

Password Safe  (also known as PWSafe) – Windows, iPad, iPhone, Mac, Linux: This is actually my favorite. Syncing among the devices is supported by iCloud (of course then you need to make sure that Apple iCloud isn’t breached) so that a change on one device is rolled out to all the others. Password Safe is free for Linux and Windows (it’s always a nice thing to do to donate to the open-source team that keeps it going and evolving, though). The PWSafe version is $3.99 for Mac and $1.99 for iPad/iPhone.

LastPass  – Windows, Linux, Mac, iPhone, iPad, Android, PocketPC:  LastPass is perhaps the most “feature rich” password management systems out there, and even offers password management for common web-based forms. There is a free and premium version. The premium version runs $1 per month.

KeePass  – Windows, Mac, Linux, iPhone, PocketPC, Android: KeePass uses very strong encryption (SHA-256). It interested me for a couple reasons: Multiple user support and it keeps the password encrypted even in RAM memory. The only reason I don’t use this one is that I don’t find synching to be as transparent, and I was already in the habit of using Password Safe (since it’s creation by Bruce Schneier). KeePass is free for the desktop versions (I recommend donations to the open-source team that keeps it running).

So the question becomes: “How would you and your firm like to be at the center of a multi-million dollar lawsuit that could have been prevented by a series of easy to use software that costs nothing to use?”.

Coming next week: Information security breaches for law firms are on the rise. How vulnerable are you, and what easy steps can you and your firm take to defend yourself?


Financial Institutions Using Live Data Sets in Test Environments

March 16, 2010

A recently released survey finds 83% of financial firms use production data for testing.  What this means (for the non-developers) is that your customer data is used unmasked and in its full form to test systems that, by the very fact that they should be TEST systems, have an unknown level of security and integrity.

Even though the study was commissioned by a company that works specifically with data protection in test environments (important to call out bias!), I believe the numbers on this one – especially when I go back and research the number of financial institution data breaches that have occurred because “live” customer data sets were in the hands of a third party contractor, or other employee off-site.

I have done development work on health data and I understand full well the challenges of creating meaningful data sets (as well as the enormous expense) for testing purposes.  The bottom line comes to this:  There is no excuse that justifies exposing personal data in this manner.  Period.

In performing penetration tests a common tactic that we use during the “recon” phase is to look for servers that are obviously development systems.  We do this because patch levels and security are typically at a minimum on these systems and they are usually the “low hanging fruit”.

So it makes me wonder – just what justification can possibly make these guys think this is OK?

Here are some more stats from the study that should give you pause:

  • identity compliance procedures (used by only 56 percent of companies surveyed);
  • intrusion detection systems (used by only 47 percent of companies surveyed);
  • data loss prevention (DLP) technology (used by only 41 percent of companies surveyed); and
  • Social Security number usage (88 percent of those surveyed still use this as a primary identifier)

Remember these findings the next time you read a news release regarding a financial institution data breach and some chuckle-head says that they are quite certain no sensitive data was taken or misused.  The very next question to ask is: How would you even know?

Sources:

http://money.cnn.com/news/newsfeeds/articles/globenewswire/185342.htm

http://cpwr.client.shareholder.com/releasedetail.cfm?ReleaseID=448389


UCB Data Breach

August 17, 2009

I picked up the following from SC Magazine:

University College Berkeley hit by second data breach in six months

The standout here is the quote:

“…a website hacker may have had access to their social security numbers and birthdates.”

This could simply be sloppy reporting, but if it is true that someone accessed the PII via the Journalism School website then this is a fundamental architecture flaw and probably a rookie information security mistake.


YouTube Struggles With a Wretched Hive of Scum and Villainy

March 5, 2009

Information Week Article: “YouTube Wrestles With Scammer-Generated Content

InformationWeek reports that YouTube is “struggling” with posted videos showing such things as stolen credit cards, PINs, etc.  They go on to talk about how difficult it is to screen video content.

A single line mentions that meta-content can be used for screening (searching for keywords that can identify the content), but a YouTube spokesman goes on to say that they rely “on our community to know our community guidelines and flag content that violates the guidelines.”

First of all, the type of community that will be looking for that niche content isn’t going to be all that quick to flag it.

Secondly,  how hard would it be to build a signature base of meta-word and behavioral screening to remove the largest portion of objectionable (illegal) content?  Here are a few ideas to think about as you read the article – feel free to post your own:

  • Spam assassin for content anyone?  Use the meta data to help weight the red flag.
  • Watch topics that users post to/visit and use this to weight a flag.  For instance, a little old lady that is concerned about “poodles” and “identity theft” will not affect the weight as much as someone looking for “Free credit card numbers” and “MS Windows licenses”.
  • Use Natural Language Processing techniques to identify and weight actual posts (remember the “StupidFilter“?).

I realize full well that these techniques can be gamed just like anything else, but it seems to me that they are viable, not so hard to implement (I use components of them in my work – although the scale is different!), and a darn spot better than relying on the crooks to report themselves!