
Are Your Mobile and IoT Devices Weakening Your Security? | Marcum LLP


With over 14 billion connected devices in use today, the Internet of Things (IoT) has become mainstream.

Unfortunately, the number of connected devices keeps growing rapidly, and many of them run outdated software with known, unpatched vulnerabilities, which makes them easy targets for attackers.

IoT devices include more than just mobile devices: smart home appliances, medical equipment, and industrial machinery are all part of the IoT. Many companies now use them to monitor employees, track inventory, and even provide remote assistance.

Today, almost every device in our homes and offices runs some form of operating system. These systems are often poorly secured, and attackers constantly look for exploitable vulnerabilities that give them access to sensitive data.

Mobile devices such as smartphones and tablets are great for productivity, but they also pose a risk to enterprise IT security. Employees use these devices to access confidential data on company networks, so a compromised phone or tablet becomes a foothold into those networks and that data.

In addition, the rise of IoT has increased the attack surface of businesses, since any compromised connected device can serve as an entry point. Let's look at the common vulnerabilities so you can better secure your devices.

5 Common Mobile & IoT Device Vulnerabilities

1. Weak Passwords


Today, a common but easily fixed vulnerability in IoT systems is weak or unchanged default passwords. Attackers routinely exploit weak or hardcoded passwords to gain access to IoT devices.

These credentials are often stored unencrypted (in a device's configuration, its firmware, or a backend database), making them easy to steal. Once attackers have compromised one device, they can reuse the same credentials to move laterally across the network, gaining control of additional devices and systems.

In addition to weak or hardcoded passwords, many IoT devices ship with, and continue to accept, well-known default usernames and passwords, making them even easier to compromise.

As a result, an attacker who can reach the device over Wi-Fi or an Ethernet connection can simply log in with the default username and password associated with that device model.
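As an added example (not from the Marcum article), here is a small Python audit that flags the three problems this section describes: default credentials, weak passwords, and one credential reused across several devices (the lateral-movement enabler), and that shows how to store credentials as salted scrypt hashes rather than in the clear and how to provision a random per-device password in place of the vendor default. The inventory, the default-credential list, the 12-character minimum and the scrypt parameters are all constructed for illustration.

```python
"""Audit a device credential inventory for default, weak and reused passwords.

Added example; not part of the Marcum article. The inventory, the default
credential list, the policy thresholds and the scrypt parameters are all
constructed for illustration.
"""
import hashlib
import hmac
import os
import secrets
from collections import defaultdict

# Constructed list of vendor defaults of the kind attackers try first.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "1234"),
    ("root", "root"),
    ("user", "user"),
}

MIN_LENGTH = 12  # constructed policy threshold

# Constructed inventory, shaped like a config export that stores passwords
# in the clear (the storage problem the section describes).
INVENTORY = [
    {"device": "cam-lobby-01", "user": "admin", "password": "admin"},
    {"device": "cam-lobby-02", "user": "admin", "password": "Summer2023!"},
    {"device": "hvac-ctrl-3", "user": "root", "password": "Summer2023!"},
    {"device": "badge-rdr-a", "user": "svc", "password": "x9K#pQ2v!mRt7Lw"},
]


def is_default(user: str, password: str) -> bool:
    """True if the pair is a known vendor default."""
    return (user.lower(), password) in DEFAULT_CREDENTIALS


def is_weak(password: str) -> bool:
    """Simple policy: minimum length and at least three character classes."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return len(password) < MIN_LENGTH or sum(classes) < 3


def audit(inventory):
    """Map each device that has a problem to its list of findings."""
    findings = defaultdict(list)
    devices_by_password = defaultdict(list)
    for entry in inventory:
        dev, user, pw = entry["device"], entry["user"], entry["password"]
        if is_default(user, pw):
            findings[dev].append("default credential")
        elif is_weak(pw):
            findings[dev].append("weak password")
        devices_by_password[pw].append(dev)
    # One password on several devices: compromising one lets the attacker
    # log in to the rest, the lateral movement the section warns about.
    for devs in devices_by_password.values():
        if len(devs) > 1:
            for dev in devs:
                others = ", ".join(d for d in devs if d != dev)
                findings[dev].append(f"password reused on {others}")
    return dict(findings)


# scrypt parameters (constructed): about 16 MiB of memory per hash, which
# suits a backend service; a constrained device may need a smaller n.
SCRYPT = {"n": 2**14, "r": 8, "p": 1, "dklen": 32}


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Store a per-entry salt and scrypt digest instead of the plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against the stored digest."""
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return hmac.compare_digest(candidate, digest)


def provision_password(length: int = 20) -> str:
    """Random per-device password to replace the vendor default at first setup."""
    alphabet = "abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!#%&*+-="
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not is_weak(candidate):
            return candidate


if __name__ == "__main__":
    for device, problems in sorted(audit(INVENTORY).items()):
        print(f"{device}: {'; '.join(problems)}")
```

Run as-is, the audit reports the lobby camera on its vendor default, the second camera and the HVAC controller on a short password that they also share, and nothing for the badge reader. The same `is_weak` policy gates `provision_password`, so the replacement credentials cannot fail the audit they are meant to satisfy.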

2. Unsecured Network Services

The IoT is a growing trend among businesses and consumers. However, there are risks involved with deploying…


You’ve Been Hit by Ransomware: What Should You Do? | Kohrman Jackson & Krantz LLP


Despite your best efforts, you have been hit by ransomware. You are locked out of your system, and you can provide no services to your customers, clients or patients. From a business perspective, you need to get your system unlocked so you can get back to work. But, from a legal perspective, what should you do?

PAYING THE RANSOM

Recent changes in the law have made one option – paying the ransom – significantly more complicated, and those who choose this route may actually find themselves in legal trouble. First, the federal government has been threatening to go after ransomware victims who pay ransoms for violations of federal money laundering, money transfer and international sanctions laws. Second, states are actually prohibiting entities (both municipalities and some private companies) from paying ransom to get their data restored. For victims, this can mean both excess time without the ability to access your data and paying millions of dollars in damages or restoration costs rather than a more modest payment of ransom to the threat actor.

Effective July 1, 2022, Florida became one of an increasing number of states that banned the payment of ransom in certain circumstances. Fla. Stat. § 282.3186 specifically provides that

“A state agency … a county, or a municipality experiencing a ransomware incident may not pay or otherwise comply with a ransom demand.”

This is similar to the laws in North Carolina, Pennsylvania, Texas, Arizona (HB 2145) and the proposed law in New York, all of which have either banned, or seek to ban, the payment of ransom in ransomware cases. Some of these laws apply only to state or municipal agencies (including public hospitals), but others, like the one proposed in New York, would apply to any business or health care entity.

In addition, a proposed federal law, the Ransomware and Financial Stability Act of 2021, 117 H.R. 5936, would prohibit any U.S. financial institution from making a ransomware payment in excess of $100,000 without authorization from the Treasury Department. Federal law (the Cyber Incident Reporting for Critical Infrastructure Act of 2022) also requires critical infrastructure entities to report a ransomware payment to CISA within 24 hours, once CISA's implementing rules take effect. The laws also prohibit…


Ransomware Payments Become an Even Riskier Choice Amidst the Ever-Growing Sanctions List | Faegre Drinker Biddle & Reath LLP


In February 2022, following Russia's invasion of Ukraine, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) imposed extensive economic and trade sanctions under Executive Order 14024 (issued in April 2021), which declares that harmful activities of the Russian government threaten the national security and foreign policy of the United States. Also in response to these national security concerns, the Cybersecurity and Infrastructure Security Agency (CISA) issued its Shields Up advisory, urging companies to bolster their cybersecurity against the heightened threat of cyberattack.

As the conflict between Russia and Ukraine continues, the threat of a cyberattack, specifically ransomware and NotPetya-style attacks, remains top of mind. However, as entities continue to bolster their cybersecurity and protect themselves against these attacks, they should be cognizant of the implications that OFAC sanctions may have in connection with such an attack.

All U.S. persons must comply with the sanctions against Russia. U.S. persons are defined as U.S. citizens and permanent residents regardless of location, as well as all persons and entities who are in the U.S. and all entities incorporated in the U.S. and any of their foreign branches.

This analysis becomes complicated during ransomware attacks. When an entity is the victim of a ransomware attack, it typically has to decide whether to pay the attacker a ransom in order to recover its data or to obtain a key to decrypt it. Ransom payments to sanctioned persons or entities, including payments made in cryptocurrency or facilitated through third parties, violate the OFAC regulations. In light of the Russia-Ukraine conflict, the number of sanctioned individuals and entities has increased dramatically, making it more difficult to ensure that the party demanding a ransom payment is not subject to sanctions.

Making a ransomware payment where it is known that the ransomware attacker originated from a person or group on the OFAC sanctions list is in violation of the OFAC regulations and subjects the payor…


DOJ Announces It Will Not Charge CFAA Violations for Good-Faith Security Research | Seyfarth Shaw LLP


The Department of Justice recently announced a revision of its policy concerning charging violations of the Computer Fraud and Abuse Act (the "CFAA"). Following recent decisions from the Supreme Court and appellate courts that seemingly narrow the scope of civil liability under the CFAA, the DOJ's new policy may likewise limit criminal prosecutions under the law.

As regular readers of this blog are well aware, the CFAA provides that "[w]hoever … intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information from any protected computer … shall be punished" by fine or imprisonment. The DOJ's announced policy, however, now directs that "good-faith security research" should not be charged. "Good faith security research" means "accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services."

The new policy highlights the DOJ's goal of promoting privacy and cybersecurity by upholding the legal rights of individuals and network owners to ensure the confidentiality and availability of information stored in their information systems. Thus, the DOJ will consider several factors in determining whether a CFAA prosecution should be pursued, including

  1. the sensitivity of the affected computer system and harm associated with unauthorized access;
  2. concerns pertaining to national security, critical infrastructure, public health and safety, market integrity, international relations, or other considerations having broad impact on national economic interests;
  3. if the activity was in furtherance of a larger criminal endeavor or posed risk of bodily harm or a threat to national security;
  4. the impact of the crime and prosecution on third parties;
  5. the deterrent value of an investigation or…
