Author: enigmaforensics

NIST 800-53: Security & Privacy Controls

NIST National Institute Standards and Technology

Video Discussion on: National Institute Security and Technology

Enigma Forensics CEO & President, Lee Neubecker and Cyber Security Expert Gary Rimar sit down to discuss NIST 800-53 and it is a security controlled catalog. NIST SP 800-53 is shorthand for the National Institute of Standards and Technology Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organization. The NIST is a non-regulatory agency of the U.S. Commerce Department and was established to encourage and assist innovation and science through the promotion and maintenance of a set of industry standards. Lee and Gary disect how this agency works to keep your company’s technolgy systems safe.

Find out the top 3 parts of this framework.

The transcript of the NIST 800-53 Framework video follows:

Lee Neubecker: Hello, I’m here today with Gary Rimar he’s here to talk a little bit about one of the NIST frameworks that can be very helpful in helping you to keep your organization safe. Gary, Gary’s a CISSP, it’s great to have you on the show. Can you tell me a little bit about the framework your going to talk to us about today?

Gary Rimar: Well the framework I’m going to talk to you about today is NIST 800-53 and it is a security controlled catalog. So if there is a security control for whatever you’re going to need in an organization it’s going to be in there. In something, it’s where your government actually did earn there keep because this is your tax dollars hard at work and it’s available publicly. Most people, and this is one of the things that always bothers me Lee, is that most people go for these real exotic threats and they’re real, they’re real, but there’s so many people out there that don’t even do the basics and the reason they don’t do the basics is because the company doesn’t want to invest in security, they tell them that their IT guy, “Oh, you can do security, it’s okay, “you don’t have to worry about it, “you’ll get it good, I’ll except the risk “of you doing security.” when the IT guy barely knows how to do computers. And so what ends up happening is they don’t know anything about security which is very deep and important and technical. And so when it comes to things like how do you do access control? What can you do to do access control? Today at work one of the people, and I work with a security guy, we have something where for what ever reason they can’t do two-factor authentication. Two-factor authentication is definitely a better way to go, but they can’t. So they said, “What mitigating factors “are there that you can use to help us “be able to do a one-factor authentication “and be less in danger?” And so I looked through the catalog IA5 and there’s a bunch of different things you can do just to make it simple and safer. You know they’ve done all the imagination for us.

Lee Neubecker: What would you say are the more important, if you had to pick the top three parts of this? What would you advise companies to focus on first if they’re starting down the road of trying to implement this framework?

Gary Rimar: Well first is planning, because, and that’s the PL family, if you don’t do planning nothing works right because you have to have a basis for security. If the CEO and senior management aren’t on board then when security says, “You need to do X” and operations says, “We don’t feel like doing that. If the CEO doesn’t say, “No, I need “to be secure, you need to do X.” then your hosed. So that would be the planning family. Second would probably be access control, which is actually 20% of all of it. You know, you’ve got several hundred controls and access controls 20% of them.

Lee Neubecker: Do you feel sometimes that companies don’t really care about security and just want to ignore it and pretend it’s going to take care of itself.

Gary Rimar: Well I don’t know that that’s necess… that could be. I think it could be willful ignorance, what I don’t know won’t hurt me, but it’s not true. For example, the Sony hack. The Sony hack they said “You know, I’m not “going to spend $10 million fixing a $1 million problem.” and that in its self makes sense. Cause you don’t want step on a dollar to pick up a dime. However, it was a lot more than a million dollar threat that they were compromised on and had they done it correctly and had they taken security seriously things would have been a lot better for them.

Lee Neubecker: So Gary are there any portions that deal with some of the current vulnerabilities involving hardware and firmware that this could apply to?

Gary Rimar: You know, yeah. Cause hardware and firmware are definitely part of the information system. It would be in the SI family for sure. If I had to guess off the top of my head without looking I think it would probably be SI7, because that, if it’s the control I think it is it deals with hardware it deals with software it deals with firmware because if your firmware’s corrupted your done, your owned. If your hardware’s corrupted your done, your owned. In fact supply-chain management is even a factor in NIST 800-53. I don’t have it remembered exactly which control that one is. But it’s important, you have to have all of your system protected from the beginning to the end and monitored and audited in the middle.

Lee Neubecker: Yeah, but there was a notice last month from the NSA about Cisco routers being compromised in that there aren’t fixes yet out. So if that still accurate it’s a concern and one of the ways using this framework IT professionals might try to assess this would be to open up the routers, get inside and dump the firmware off the microchips and compare that against the manufactured supplied hash values, but the challenge I’m seeing with that is a lot of companies aren’t putting the hash values for their firmware. They might do it for their software, but if you have a home consumer router I’d be challenged to see how many home consumer routers have the manufacturers listing the firmware version with hash and really letting you get there to apply the software, because the ISPs are controlling that for the most part.

Gary Rimar: Yeah, but you also have to recognize that your definitely going down a very valid, but also very deep rabbit hole, just as an example, one time I was talking with this guy it was like 1999, I lived in the Detroit metropolitan area and I was at a coffee house and this guy, who looked like Boss Hog, but tall said, “Everybody’s stupid, they’re “buying windows, they should build “their own operating system, they can use Linux.” And I looked at him and I said, “Your an idiot.” He said, “Well, why would you think that?” I said, “We have people who can hardly “find the on/off switch. Your going to tell them they’re supposed to compile their own OS.” and so when your talking about no, I don’t know. The thing is when your talking about the level of inspection you probably need to have somebody do some appropriate, professional vetting. That’s over the skill level of a significant number of professionals that your going to meet in the market. Your right. Your totally right. But you probably need to get some people who eat and drink and breath this stuff and real experts to do this. I personally don’t choose to stick a thumb drive in a computer anymore. There’s no need to do it. Inside a USB chip, I’m thinking you know this, but not everybody knows this, is that there’s this own little operating system inside the USB. So if you have an 8 gig USB, you know a small one these days, that used to be huge, it’s small now, that there’s actually more chip behind it that’s its own operating system and if that operating system is compromised its firmware and if that firmware’s compromised then whatever you plug that in is potentially owned.

Lee Neubecker: There’s no cryptic graphic process that checks and validates that software’s authentic on many devices. So it’s easy for nation-state malware to get into the chips and you know when WannaCry wreaked havoc on many hospitals. I saw there was one out east that they said that they replaced all the hard drives and all their systems and it’s like well that’s great.

Gary Rimar: Did they replace them with ones that went through appropriate supply-chain risk management?

Lee Neubecker: But even if they did replace all the hard drives if malware injected into the chips of the mouse, the CD-ROM, the printer then that was a waste of time because those computers are going to quickly become compromised.

Gary Rimar: You’re right about that, but again, this goes back to supply-chain risk management. If you don’t know where you’re getting your stuff you don’t know what you’re getting and what I did read is that China has actually started making their own chips for themselves. They don’t market them out of their country. Now one can determine is that their motivation that they don’t want to be infiltrated by another country or do they want to infiltrate their country because of their politics. I don’t know. I can’t know. However, it might be a good thing for countries, at least as big as us, with such a big target on our backs, to start creating our own chips and our own designs in our own country. Where we can control the entire process from picking up the sand off the beach to handing you a laptop.

Lee Neubecker: Yeah.

Gary Rimar: And your right, it’s not just the laptops or the hard drives it’s all the peripherals,

Lee Neubecker: Yeah, you know that’s the struggle because we want cheap, affordable products, but your…

Gary Rimar: Mm-hmm, well you can…

Lee Neubecker: Quality, cheap, fast.

Gary Rimar: You have good, fast, cheap pick which two. Yeah, I understand.

Lee Neubecker: Actually it was interesting to see that they brought Broadcom is coming back into the US and we’re seeing some of these moves of the President trying to get key industries back in to protect from some of these compromises and you know Apple some chips are going to be made outside of China now and other things happening there, but it’s a real concern and it’s one that the frame work identified here can hopefully help companies just have an outline to go through to evaluate where are we? What have we worked on? What do we need to do more work on?

Gary Rimar: Yeah, you know. And back to our original topic of NIST 800-53 it’s in there, that’s it’s in there supply-chain risk management, you know. If you know, when I was first starting in IT in like 2000 I knew enough about security to know I didn’t know enough about security. That I hired it out. And had I been availed of this book I would have probably been able to do a much better job and I would have probably gotten into this career sooner cause this stuff is cool.

Lee Neubecker: Okay.

Gary Rimar: But I didn’t know it then. Know I know it.

Lee Neubecker: That’s interesting stuff.

Gary Rimar: Yeah.

Lee Neubecker: So do you have any other advise you’d like to give to our viewers as it relates to helping to keep themselves secure?

Gary Rimar: Well, I used to joke about always practicing safe hacks, but really, the one thing that I think that people aren’t doing, and this is totally off topic, is even though all the concerns we talked about there are still people who are getting owned because they’re surfing in places that are unsafe. And there are a couple companies out there I don’t know if you want me to say their names on your podcast, but at least one in mind where you can actually go ahead and surf through a virtual browser. Like browsers a service, so you log into their site and then they fire up an ubuntu instance and then put a Firefox browser behind it and the only thing that touches your computer is pixels.

Lee Neubecker: So your not having any risk of Java Script

Gary Rimar: Not having any risk of anything.

Lee Neubecker: Well I think that kind of sandboxing makes a lot of sense and I could almost see a point where the end user desktop is basically just a sandbox that you wipe clean and start fresh every time booting.

Gary Rimar: Yeah, I have a former computer client who does legitimate research, he’s a psychologist, and he does legitimate research into pornography.

Lee Neubecker: Mm-hm.

Gary Rimar: I mean believe it or not, there is such a thing and his computer at home is, is his one computer, he’s computer stupid and so he had his HIPPA data on there and he’s surfing these kinds of websites and it scared the heck out of me. So I set him up a Linux virtual machine on his computer so he could surf there and I could rebuild that and I set it up so nothing could ever touch anything and the only thing he could swap is pixels and when I found out about one of these services I called him. You know he hasn’t been my client for years now cause I moved, but I called them up and says, “Hey Marty, you should use this.”

Lee Neubecker: Yeah.

Gary Rimar: And so now he can continue to do his research and not put his client records at risk.

Lee Neubecker: Well thanks for being on the show today. It’s been a great interview, I appreciate you being on Gary.

Gary Rimar: Thank you very much. I’m happy to have been here.

Trade Secret Theft Litigation

Enigma Forensics CEO & President Lee Neubecker and Johnson & Bell Attorney Joseph Marconi sit down to discuss Trade Secret Theft Litigation. They identify ways a company can safeguard themselves against trade secret theft. Lee discusses how Enigma Forensics provided a forensic copy of a critical hard drive that won an important case. Joseph emphasizes that when an employee leaves a company the importance to verify what information was there, where it went, and to whom it was sent. If you suspect someone in your organization is stealing trade secrets call Enigma Forensics or Johnson & Bell to help you recover your information and minimize the damage.

The transcript of the Trade Secret Theft video follows:

Lee Neubecker: Today I’m here with Joe Marconi from Johnson and Bell, who’s going to talk a little bit about trade secret litigation cases he’s been involved with, and how computer forensics has played a key role in getting success for him and his clients. Joe, thanks for being on the show.

Joe Marconi: Thank you Lee, it’s good to see you again.

Lee Neubecker: Joe, we started working together a long time ago. The first case that we had was one of my very first forensic expert cases ever. I think it was back in 2002 or 2003. It was the Lebert matter. Can you tell us a little bit more about what the issues were involved there and ultimately what happened in that case.

Joe Marconi: Yeah, that was Lebert versus Maiser. It was a trade secrets case. And we actually tried it in a bench trial and it went to the appellate court twice. And the appellate court actually quoted from your testimony at the trial and in that case, it was a sales distributor who we sued their top salesman. We represented the manufacturer and the local distribution company. And you were able to prove that before their key employee sales representative left the distributor, he downloaded a number of files. Shortly before or a couple of weeks before. And as with other trade secrets cases that I’ve been involved in, and I’ve tried several, computer forensics are very important. And you’ve been helpful, I think in three or four of them, Lee.

Lee Neubecker: I remember we had one case we worked on where your firm was being accused of exploitation of evidence. Can you tell people a little bit about that?

Joe Marconi: In that case, that case involved again, and typically what happens, the trade secrets case, it’s usually an employee leaves the company or a sales distribution company, terminates a contract with the manufacturer. And in the process, they take trade secrets. In this case, again, it was a local distributor. The case involved a company that distributed wines from all over the world. The new employer of the local distributor hired us to defend it and its former, and its now current employee. And we had her computer and we did and you did a forensic hard drive of the computer. You made a forensic copy of the hard drive, and it was blank. And the courts accused not the firm, but this particular distributor of destroying evidence. And that was the key issue in the case. And during trial, we had an unusual moment. In the night before the testimony by your forensic expert, you were able to open it up and show that nothing was really destroyed. And at trial that day, the other side’s forensic expert made a big point about how this hard drive had been wiped, and it had been wiped to destroy evidence of her misappropriation of trade secrets. And we then put on your forensic expert, and he testified. And we displayed it with a screen and everything, and he opened it up and the judge threw her pencil down on the desk, looked at her law clerks who were sitting there and said, “this does not happen every day.”

Lee Neubecker: I recall that was a situation where the hard drive, the other experts said the hard drive was completely wiped clean based on his testing of that drive on a PC, but in fact, I had my expert stay late that night and connect the drive to all different types of computers, and when it was connected to a Macintosh computer, lo and behold, it prompted for a password to decrypt the hard drive, so the hard drive was actually encrypted. And once a password was supplied, voila, it wasn’t a drive empty, but it had all the data. And the judge certainly was animated. I think the transcript on that was a really interesting case.

Joe Marconi: And the opponent’s expert had no clue, that was the, and the lawyer said to me afterwards, “I’m going to sue that guy.” The lawyer for the opponent.

Lee Neubecker: I felt bad for the expert, but that’s one of the problems that happens when you hire a computer forensic expert that hasn’t been doing it for a very long time. Problems can happen and mistakes happen.

Joe Marconi: Right. And for the most part, in the times that we’ve used you, have dealt with trade secrets. And I also remember the case that we recently tried last year in federal court, regarding a Chinese manufacturer. And again, an employee left a manufacturing company, started a competitive distributorship here in Chicago, and employed a Chinese manufacturer to make products for the same market. And the local manufacturer claimed that he had taken the plans and designs of the products and had given them to the Chinese manufacturer. And you helped us disprove that, or also helped us to prove that they couldn’t prove that that happened. So that’s another example of a trade secrets case. So I find computer forensics almost an essential part of any trade secrets case.

Lee Neubecker: So you’ve had experience being on kind of all sides, the firm that lost employee, the firm that hired the employee, and you’ve been able to get good results for your client, whether they’re plaintiff or defense.

Joe Marconi: The issues are the same no matter what side you are, and there’s not really only plaintiffs trade secrets lawyers, and defense lawyers. You either defend them or you prosecute ’em. And I’ve done both over the years. It’s a fascinating area of the law. And it’s something that every company deals with when they lose an employee, when they lose a manufacturer. And you know, as a matter of course, when one of my clients lose a sensitive employee that has confidential information, one of the first things I do is call you to make a forensic hard drive of that person’s computer before anyone opens the file and in any way causes it to change at all. And you can explain why that’s important.

Lee Neubecker: Well, I appreciate you calling me when that happens. Thanks, Joe. Well if you want to know more about computer forensics, please check out our blog. My blog’s at leeneubecker.com. And you can also find Joe and Joe’s contact information there. Thank you, Joe.

Joe Marconi: Thank you.

GDPR and Online Trademark Infringement

Enigma Forensics CEO & President Lee Neubecker and Trademark Attorney Paul McGrady. They disect what is the GDPR and internet and domain name enforcement. Tune in to find out more about how complicated trademark infringement and what to do if you find out your product is being sold by another company online.

Online Trademark Infringement

The transcript of the video follows

Lee Neubecker: So I’m here today with attorney Paul McGrady and Paul, can you tell me a little bit about what type of attorney you are?

Paul McGrady: I’m a really good attorney.

Lee Neubecker: Okay.

Paul McGrady: Yeah.

Lee Neubecker: So what type of matters and problems do you help solve for your clients?

Paul McGrady: So I’m a trademark attorney, so a lot of what I do involves trademark litigation and involves trademark prosecution, clearing marks, protecting those marks from infringing uses of third parties. I developed a reputation in this space as someone who is heavily involved in the internet and domain name enforcement. I’m heavily active in ICANN, involved in policy development, but also contractual compliance issues and things of that nature. And so clients come to me often times, at least initially, for help dealing with an online infringement or counterfeiting problem.

Lee Neubecker: So what happens when a company finds that their products are being sold online, but not by them? Knockoffs and other products that might have fake labels on. Do you handle any of those type of projects?

Paul McGrady: Sure those things come up all the time in this practice. So, there’s a couple of different things. Sometimes they’re being sold online through websites that the infringers own themselves. That is one track. Other times, they show up on various sales platforms and that’s handled by a completely different track. Should we talk about both a little bit?

Lee Neubecker: Sure.

Paul McGrady: So when it comes to websites that the infringer may own themselves, that’s very often handled with take down notices to hosts. It’s, back in the day, when whois was as, more accessible than it’s going to be in the future, and we can talk a bit about that too, you would use whois searches, you would run reverse registrant searches, find out the full universe of what the bad guys were up to. More hosting take downs, maybe a UDRP complaint, which is an informal domain name complaint on the papers only. And then sometimes you’d have to go in and file lawsuits, either for trademark infringement or cyber squatting, or both. Just depending on the facts of the case. But, as I mentioned, whois is changing, we can talk a bit about that.

Lee Neubecker: Paul, can you tell me a little bit more about the platform issues?

Paul McGrady: Sure so the platform issues are different than in the cases where the bad guy owns a domain name them self. The bad guy may be taking advantage of legitimate platforms to sell infringing counterfeit goods. In those cases, many of those platforms will have a notice and take down mechanism. Those are not meant to be used just to keep your trade channels clear, but rather to be used to report actually infringing, counterfeit materials and sales, to have those taken down. If you have repeat offenders, it can get a little messier because you do ultimately need to find out who they are and unlike domain names, who have up until very recently had a predictable whois framework, the platforms don’t have anything like that.

Lee Neubecker: Let’s say you identify a website that is selling your clients’ products. How have you gone about unmasking those entities in the past when they’re hidden behind proxies?

Paul McGrady: Sure, so historically I’ve had really great relationships with many of the proxy privacy providers. A lot of them are legitimate outfits that have a mechanism by which you can alert them to a concern and either they write to their customer directly and tell them to contact you or they may even reveal the underlying customer information, depending on how egregious the situation is. However those proxy providers are moving into a new era where the European privacy law is going to dramatically change what information ICANN will allow the privacy proxy provider to disclose and to whom.

Lee Neubecker: Great. So Hide My Stuff might not actually work, or whatever it’s called.

Paul McGrady: Yeah, so in the coming months we are going to be seeing registrars, many of whom have privacy proxy services, implementing ICANN’s new proposed GDPR compliance model. And that model basically boils down to this, there’ll be essentially almost every domain name will be hidden behind some sort of privacy proxy service and brand owners who are concerned about abuse of their trademarks, either in the domain name or in the content of the website, will have to try to get access to that whois information through an accreditation process. The problem is, is that GDPR compliance begins in May with stiff penalties, but there’s so far no accreditation process that ICANN has even sketched out. And so, we are maybe going into a period of time where there truly is a blackout of whois between when whois is shut off and when accreditation begins. And that will be an interesting time because brand owners will have no choice, but to go to court, issue subpoenas, try to get records from the registrars, and the privacy proxy services. And then engage in forensics experts to come in and try to help them determine the entire universe of the infringing actors, domain name, portfolio, and things like that. Track them back through credit card issues, IP addresses, you name it. So the good old days of whois are winding down.

Lee Neubecker: And Paul, just so you remember, as part of our practice we often can unmask people online by looking at other data. Operators often point to their websites from various places. They get lazy. They’ll use the same DNS servers, they’ll use the same mail routing services, and often times we’ve been able to unmask people even when the legal means can’t identify them. But, you know when it really comes down to it, once you get your hands on the entity, what have you had to do to get the court to allow you to do forensics to inspect the computers?

Paul McGrady: Well, I mean that’s fairly straightforward right? Because we’re usually talking about demonstrably bad guys and you know going in and essentially seeking discovery orders to have the computers turned over, to be looked at. It’s, you know fairly straightforward these days. Several years ago it was not quite as common as it is now, but we’re going to see an uptick in that kind of thing because without easy access to whois, therefore leading to easy, you know UDRP compliance to deal with the problems, you know essentially in a Whack-a-Mole fashion. Once a brand owner is forced to go to court, they’ve already gone through the effort of being there, they’re going to try to get the full resources of the court behind them in trying to get the infringing material stop.

Lee Neubecker: You mentioned before, GDPR and its impacts on your process. Can you tell us a little bit more about how that’s going to impact your clients in the coming year as it relates to internet domain disputes?

Paul McGrady: Sure, so back in the day and I mean last month, it was easy to conduct a whois search on a domain name, figure out the email address, then do a reverse registrant search on that email address, and essentially take a look at the entire portfolio and understand the universe of problem that you’re having with a particular bad guy. And that would also draw out uses by that particular bad guy of third party marks, which was a bad faith factor for the UDRP complaint that helps you win your UDRP arbitrations. But as I mentioned, a lot of that easy access is essentially going away and so from now in order to prove, you know, the kinds of bad faith multiple infringements that were easy to prove just a few weeks ago, unless ICANN confirms that the tiered access accreditation process will result in searchable whois data. You know, that easy method is going to go away and we’re going to have to figure out how to do that by piecing together information, like you mentioned Lee, that you know, you are able to go in and see where the bad guys are pointing, what DNS records they have, but of course that’s a bit more work than just a simple reverse registrant search. So, you know what is new maybe became a little common place, but now it’s back, mostly because of how ICANN is handling the GDPR law.

Lee Neubecker: Well thank you Paul for being on the show today and if you need to reach Paul, his contact information is available on our blog post at leeneubecker.com. Thank you.

Paul McGrady: Thanks Lee.

Anatomy of Computer Forensics In Trade Secret Misappropriation

Enigma Forensics CEO & President Lee Neubecker attends Legal Tech 2018 in New York. Lee sits down with Attorney David Rownd who is a partner at Thompson Coburn to discuss trade secret misappropriation and the role of Computer Forensics. They share their experiences in litigation concerning trade secrets and the misapporiation of information.

The transcript of the video follows

Lee Neubecker: So I’m at LegalTech New York and I’m here with David Rownd. He’s a partner at Thompson Coburn and David and I had a past working on cases involving trade secret theft and misappropriation and I just asked him to come here today and share a little bit about his experience using computer forensics and what role that’s played in cases and helping him to get good results for his clients.

David Rownd: Well computer forensics can be an amazing tool, particularly in a trade secret misappropriation case where a departing employee takes valuable company information. Often almost all of the information that is relevant to a company’s business is stored on the computer and the most common situation that you see is where the employee mistakenly believes that no one will catch him if he just emails stuff to a personal account and that is, at this point a well-worn trick, but it still happens. And most employees, what they are doing, is a see that they are going to pursue another option and they want to use information that belongs to the company so they do what they can to obtain that information. And they may realize that it’s traceable, but they may not. But what they probably don’t realize is the extent to which it really is traceable. And that every little move can be captured with a forensics expert such as me.

Lee Neubecker: Thank you. So are there any recommendations you’d have to clients that have an employee that leave that might have sensitive client data and trade secrets? What would you advise those clients to do?

David Rownd: You mean before they leave or after they leave?

Lee Neubecker: They find out their Head of Sales and Marketing leaves and goes to a competitor, how would you advise that client if they called you up and said, Dave, what should we do? We’re concerned that this person took stuff.

David Rownd: Well, first of all, any computerized data, if there was a desktop computer that that employee worked at, you should immediately evaluate the desktop computer to see if in fact any data has been moved or transferred in any way. And there are a variety of different ways that it can be done. And you know better than I do all of those different ways to identify the potential use of data. There’s also the issue about what information may be on your iPhone or a handheld device. I mean those are more and more becoming part of the way business gets conducted, especially in terms of sales, these salespeople are on the road, they’re communicating with customers by text, by email, and being able to trace the activity that went on on personal handheld devices is obviously an important thing to do as well. And to try to get a grip on, okay, what exactly did this person do prior to leaving?

Lee Neubecker: Now, have you ever had a company call you up where they hired this person who left and took stuff?

David Rownd: Oh that happens all the time. I mean the typical scenario is, in a lawsuit such as this, is that the departing employee and the new employer are both named as defendants, and the new employer can be potentially aiding and abetting the misappropriation of information, they can be tortuously interfering with agreements that the departing employee had with his prior employer. And you know one of the things we didn’t talk about is what sort of agreements are these employees operating under? Good prevention measures obviously to have an employment agreement with people who are going to have sensitive, proprietary information where they acknowledge that the information is confidential and that it’s proprietary and that it’s valuable.

Lee Neubecker: And just to add Dave, one of the most important things before, if an employee is leaving, you want to make a forensic image as soon as possible, done in an appropriate matter so that the data doesn’t get altered ’cause that can introduce chain of custody attacks

David Rownd: Correct

Lee Neubecker: and other allegations.

David Rownd: Correct. And the quicker that’s done and the more process oriented the way that it’s done, the better because you’re going to want to ultimately demonstrate to a court that this is reliable and that’s the key. And so if you can show that it was done almost contemporaneously and if you can a show a step by step process by which this mirror image was created so that a court can look at that data and say yes, this is in fact what was in existent at that time.

Lee Neubecker: Can you tell us what other type of case matters you work on to help your clients? Just a little bit more to our viewers about your practice?

David Rownd: Well my practice is, I am a business litigator is the generic term, but that can mean a lot of different things. I’ve done a lot of trade secret misappropriation in the past. These cases with a departing employee goes to a new employer, I’ve been on all sides of those cases in the past. A lot of my work is business to business litigation where it’s centered around some sort of business arrangement usually documented by a contract, but there can be other issues which are extraneous and in your typical straight up litigation matter today, the importance of electronically stored information is significant because that’s the way we do business now.

Forensic Imaging

Forensic Imaging

Forensic Imaging Tools Used By Computer Forensic Experts

Leading computer cyber forensics Expert Lee Neubeckers discusses FTK Imager (forensics imaging tool) and Write Block Technology with Alex Gessen renowned forensics expert.

The transcript of the video follows

Lee Neubecker: So, I hear you recently uncovered a problem with forensic write block technology can you tell me about that?

Alex Gessen: Oh, yes. Not only with write block technology, but even more importantly with… Forensic imaging tool, which is used by basically everybody in the industry, called FTK Imager. And what I discovered, I also used that tool for years, and didn’t realize the fault, but what I discovered. Basically, two weeks ago, and I did some tests and analysis and I asked Kevin to help me, that FTK Imager produces a wrong serial number when USB storage devices are imaged and that serial number basically is useless for the purpose of verification if specific device was plugged into a specific computer, which, with USB devices, is almost always. When you analyze these devices, 90% of times, it’s of critical importance, and–

Lee Neubecker: So, how is that information used when you are doing a trade secret misappropriation investigation to assist you?

Alex Gessen: I… Quite often, I have to image a computer. Usually work computer, where the person works, or worked, and then, first of all, I find out, analyzing the computer, that certain devices were plugged in, in this specific instance. There are other ways to steal intellectual property or trade secrets. You can upload them to the Cloud, you can email important attachments to yourself. But, quite often, because it’s the most time effective, is to copy data to external devices. So, first, you find out which devices were plugged into the computer, and then you have to get these devices and analyze them. And when you have these devices, you have to be sure that this is device which was plugged into the computer in question and for that you need serial number, and FTK Imager didn’t provide serial number. And people, whole industry, was using that for years and years.

Read Below to Learn More About Computer Forensics

Computer Forensic Expert Witness Reports & Testimony

EMR Audit Trails

An electronic medical record (EMR) audit trail is a log file required by HIPAA of all electronic medical record software systems. The EMR audit trail documents all points of access of a patient electronic medical record system including any actions to modify, view, print or amend the record by replacing or adding new data.

Electronic Medical Record (EMR) Audit Trails are key to effective electronic discovery during medical malpractice litigation. Renowned EMR Computer Forensics Expert, Lee Neubecker interviews Insurance Defense Attorney Bill McVisk who usually helps defend hospitals embroiled in medical malpractice litigation. McVisk discusses common areas of confusion during discovery of patient medical records. Neubecker relays some of his past experiences helping plaintiffs uncover important medical records that are often hidden from plaintiffs during discovery. Enigma Forensics has assisted counsel with conducting depositions relating to Electronic Health Records (EHR) and EMR. The two discuss how electronic medical record systems have often made the process of discovery more difficult and confusing to attorneys and litigants.

The transcript of the interview follows:

The transcript of the interview follows:

Lee Neubecker: Hi. I’m here today with Bill McVisk. He’s a patient medical records expert, a litigator. He works with hospitals that are dealing with EMR-related patient medical records and whatnot. I had him on my show today because I want to talk a little bit about electronic medical records. Bill, they said that electronic medical records were going to revolutionize everything and make everything so much better. What’s the reality of what’s happened since we’ve brought about medical records?

Bill McVisk: A lot of EMR has been great. I mean, there’s an ability of doctors to provide records to other people that they couldn’t have done before. There’s the ability, for instance, of a radiologist to look at a film that was taken, and he can be in San Diego, and the patient can be in New York, and it still works. The problems, though, there are some problems. I mean, the biggest problem I see is that anyone who’s ever gone to a doctor’s… the doctors are focused on their computers instead of focusing on the patient. What they’re doing is hitting all sorts of drop-down menus and stuff, and I think we’re losing something from the standpoint of presenting physicians and nurses in malpractice cases. It creates a situation where you don’t really get a sense of exactly what that nurse or doctor is thinking, and so the records just aren’t quite as helpful in medical malpractice cases as they used to be. On the upside, we can read them now, whereas in the past we had to worry about doctors’ handwriting.

Lee Neubecker: Yeah. I know from experience working as a EMR, a patient medical record expert, that discovery can often become challenging. When an attorney is preparing a witness for deposition related to patient medical records, what are some of the things that you look for and care about in that process?

Bill McVisk: Well, the first thing, quite frankly, is to make sure I have the entire record. I can’t tell you how often I’m getting records where I get part of the record, and for some reason, I don’t know if it’s stored on a different server or what, I’m not getting all of the record. I may get all the physician’s part of the record but not the nurse’s part of the record, and obviously, that’s essential. Other problems, like when I’m preparing a witness for a deposition, the big problem is that they’re not used to seeing these records printed out. I mean, in the past, they would look at the chart, it would be exactly the same as the chart they were looking at in the hospital. Now, they are looking at the chart on a computer screen when they’re in the hospital, but when you’re preparing them for a deposition, you’ve got a paper chart, and the paper chart prints out terribly. Every time there’s a slight change of any kind in the record from one minute to the next, the chart prints out the page again and again and again, so there’s all this stuff, and it’s just getting the nurses and the doctors to know where in the chart their entry is going to be makes it a little bit harder.

Lee Neubecker: Yeah. I have experience working with that, and I know that HIPAA requires that every instance of that medical record, pre-editing and post-editing, that that data be preserved and discoverable, but in reality, a lot of the software packages, they only have reports that run the last version, so to get into the true audit trail, you often have to get into the database backend to get access to that information.

Bill McVisk: Well, and I think audit trails are the other aspect of things that makes it a little bit harder in this situation. In the past, we basically, I could give the original medical record to the plaintiff’s attorney to inspect. If somebody had erased something or done something like that, it’d be pretty obvious. I would hopefully know about it before the plaintiff’s attorney would know about it. Then I’d deal with that. But, it may not be obvious now because people can go in, change records, and now, if an audit trail is suddenly showing me, “Oh, my god, somebody was in and did something “to the record,” and it’s two or three weeks after the treatment was over, or, say, two or three hours after a terrible incident occurred, that’s going to make it look concerning. So I think from our standpoint, it’s a matter of making sure healthcare providers are aware of how to do it in a way that isn’t going to look like you’re trying to fake or lie.

Lee Neubecker: And there’s a big difference between accessing a medical record, and editing it.

Bill McVisk: Right.

Lee Neubecker: That’s where sometimes attorneys on both sides become confused about the significance of what’s happening with the patient record.

Bill McVisk: Right. I mean, records get accessed all the time. Maybe it’s to prepare for a deposition. You have to access the record to look at it. Maybe it’s because there’s followup treatment and you need to access the record. That happens all the time, but sometimes, on these audit trails, it’s not always easy. Is this just an access, or is somebody going in and changing something?

Lee Neubecker: And there’s a whole other layer, too. I know from my experience working with many of the packages that the hospitals often use systems that have something known as sticky notes, where they can put comments about a patient. There’s a wide perception that those notes aren’t discoverable. Just because the software doesn’t have a report that will run it, doesn’t mean that if someone like me is coming in, and I get access to the backend database, those comments about the patient and whatnot become apparent. But unfortunately, it’s difficult to get at that data if you don’t know what you’re looking for.

Bill McVisk: And that creates a real problem if you’re defending the hospital, because if I don’t know about these sticky notes in the beginning, first of all, I’m not going to be thinking, “Oh, my goodness.” Then, if you come and discover them, it obviously is going to be, “Oh. I was trying to hide those notes,” or, “The hospital was trying to hide those notes,” which is always the worst thing you can do as a defendant in litigation. And they’re clearly, if there’s something about a patient in those notes, it’s almost never privileged, it is discoverable, and it should be provided immediately.

Lee Neubecker: Also, you know, there’s a tendency I see for the hospitals to try to cover things up. Do you think that there’s some value in bringing in, when you’re defending a hospital, your own forensic expert to dig around and find out what’s really happening?

Bill McVisk: See, I don’t think the hospitals are intentionally trying to cover stuff up. I really don’t think that’s, I’ve almost never seen that happen. There may be, you know, one or two, but in most of these cases, I think the hospitals are trying to find out what the truth is. That being said, the hospital may not be aware that some of these things, because the risk management for the hospital might not be fully aware of all of the situations that are involved in electronic medical records, and yes, at that point, it may be a good idea for me just to have somebody like you go through those records, let me know. Before I produce them to the plaintiff, I would like to know what’s out there.

Lee Neubecker: It would probably be a lot more useful for you to get just a listing of the changes on the record so you’re not looking at the whole document, but maybe here’s a first instance, and then change one, change two, change three, so you can see before text, after text.

Bill McVisk: Sure.

Lee Neubecker: That’s the type of thing that, unfortunately, there’s not canned reports that are in the software that do that. I think that could be by design of the software makers because they don’t want to make it worse for their clients, the hospitals, but it’s certainly possible that it’s just something that was never asked for.

Bill McVisk: That’s quite possible, and I don’t know any of these software makers, but to me, it would be really helpful to know what those are. Of course, that does make it more discoverable, easily discovered by the plaintiff’s attorneys, but on the other hand, I as a defense attorney need to know about it, and if there’s a change that’s improper, I need to know about it right away.

Lee Neubecker: Yeah. What kind of problems can occur when different providers have different EMR systems?

Bill McVisk: Well, that can create problems of a number of ways. Sometimes, the software of one hospital doesn’t communicate with the software of another. There have been situations, for instance, where a physician enters an order for something to happen, and then because of the software problems, it doesn’t get to the provider who’s supposed to do it, and they don’t know that they’re supposed to do it. That creates serious problems for patient care. And similarly, it’s like, if a hospital is discharging a patient to a nursing home, and they want the nursing home to have a certain specific type of care regimen afterward, that can create problems if they don’t communicate well.

Lee Neubecker: Well, thanks a bunch, Bill, for being on the show. I appreciate it.

Bill McVisk: Lee, thanks so much.

Other Medical Related Posts:

Understanding EMR Audit Trails
Preventative Measures: Medical Devices
Patient Medical Records: Metadata as Evidence in Litigation
FDA Cybersecurity Regulations: Medical Devices
Computer Forensics in Medical Malpractice

Related Links on the Web:

Related Links on the Web:

Taking the Deposition of an Entity Representative or Custodian of Records and Seeking Electronically Stored Information

Cook County Security

This is Part 2 in the Cook County Election Security Interview

Last week, I sat down with Cook County Clerk Karen Yarbrough and her Deputy, John Mirkovic to discuss the many cyber security changes. Clerk Yarbrough gave an excellent interview discussing changes she has helped bring about during her tenure to protect the ballot box. As a followup to that interview, I sat down with her Deputy who provided more technical details regarding the current state of cyber security readiness and efforts to adopt leading technologies to streamline and secure government from cyber attacks. To view, Part 1 Please watch this followup to the previous interview with Clerk Yarbrough by clicking the image below.

The transcript of the interview follows:

Election Cyber Security Safeguards

Lee Neubecker: Hi, I’m here today with Karen Yarbrough, the Cook County Clerk and Recorder, her deputy, John Mirkovic is her data wizard. He’s come on my show to talk a little bit about Election Cyber Security and some other interesting topics. John, thanks for coming on today.

John Mirkovic: Thanks for having us, Lee.

Lee Neubecker: So, the Clerk and I were talking a little bit about Microsoft’s open ElectionGuard and I wanted to get your take on what’s happening with that. If you could tell everyone what the platform’s about and what brought this about in terms of Microsoft’s involvement.

John Mirkovic: Yeah, we’re pretty excited about this and one reason, our vendor is participating. So, generally, this is an idea to build really the best voting machine out there or kind of establish the software and hardware standards that the government would like jurisdictions across the country to adopt to really open-source standards. So, what this is about is, as you know open-source, it’s about doing all the work on the front end, publishing your code and your set-ups and inviting the world to attack it and try and penetrate it. So, our vendor is working with this system. We are monitoring the progress. It’s moving a little slow but we’re excited that there are finally people talking about open-source in government because it’s really the most important.

Lee Neubecker: Oh yeah, and it’s good too because essentially you’re putting the spotlight on the system. So, if there’s a bug, everyone’s talking about it online and it gets fixed, it’s transparent and what I like the best about this is it creates a potential for all these Clerks and other parties responsible for voting to be able to capture and preserve those votes and introduce technology to allow people to verify that their vote was cast as intended.

John Mirkovic: Yeah, exactly, and a lot of offices across the country don’t have enough resources to get the equipment they want. There are a lot of states that vote only on electronic machines which is frightening, really, and it’s kind of the worst system to have, so, any kind of sharing of resources is vital for the government to be able to quickly get the entire country up to the same standard.

Lee Neubecker: So, John has the federal government been helping get Cook County ready for the next election cycle? And if so, what has the federal government’s role been with assisting you?

John Mirkovic: Yeah, they’ve been a great partner both Department of Homeland Security and the FBI. It is a true partnership because we have adequate resources here, so we’re able to implement a lot of the cutting edge stuff that they would like to see across the country.

John Mirkovic: So, we are almost like a pilot or a laboratory really. They’re in our office on Election Day, monitoring the systems, checking how all the CyberSecurity systems work, and real-time threat sharing. So, yeah, we in Cook County are considered to be amongst the top 1% of performers in the country and we’re happy to help spread that information to other jurisdictions.

Lee Neubecker: Last time when you and I had lunch, you were telling me a little bit about some of your work in the blockchain space and some of your ideas for how you thought blockchain might be able to help Recorder officers everywhere with using blockchain technology to record deeds. Can you tell a little bit about what the premise is behind that and explain to people how that can revolutionize the recording of deeds?

John Mirkovic: Yeah, yeah, it sort of ties into elections too. You know the most famous blockchain out there is Bitcoin. And Bitcoin works so well because it’s only designed to do one thing which is transfer numbers from one ledger to another. So, really being inspired, you know, not only by the technological ability to protect that using hashing algorithms and digital signatures, just the general idea on architecture software in the same manner.

John Mirkovic: And, you know, Clerk Yarbrough said before, “It’s like …Back to the Future.”

John Mirkovic: Technology doesn’t always have to be about adding more features. And generally, when you build products in committees or groups, no one’s happy and the compromise is never what anyone wants. So, in election security there can be no compromises, we have to have the best.

John Mirkovic: So, blockchain, you know, is a way to digitally guarantee certain outcomes. So, you know, it’s not quite ready for elections yet though there have been some experiments with it. It’s a great technology for Land records and preferably only if it is applied on a large scale to protect the entire transaction. So, blockchain is a way to wrap an expensive, important transaction in CyberSecurity and ensure that it works out.

Lee Neubecker: So, right now, I know it’s common if people are trying to research property records. They’ll come down to the Recorder’s office, go into the basement, sometimes look through microfiche or something. Is there a likelihood that if this technology gets adopted, universally.. that all those old records will be retroactively kind of put back out onto the blockchain so that they exist in cyberspace?

John Mirkovic: Yeah, that’s a great question, one that we get a lot. It some smaller counties you would probably be able to do that. Cook County, unfortunately, has way too many records in various states of microfilm. And, to get those on, they would actually require the same types of effort that creates bad data in the first place which is re-keying data entry. So, really the best approach, if we were to switch to such a system would be… like the County used to insure title for certain transactions. So, in those cases we could, look at the transaction, insure over any risks from the 1950s and 60s. We know what else is out there, you know, the 50s in kind of electronic format. So, it’s too tough to get it all into the same system but when you think about how these systems work, you know, if you have a legacy database and a distributed database, it’s all feeding to one website, right. So, the public, you know, when they go and do their research, they’re not really going to see the background whether it’s a distributed database or a centralized database. So, it’s all about how you deliver the information to the people.

Lee Neubecker: Well, thanks a bunch for being on the show. I really appreciate it. Thank you.

Cook County Clerk on Election Security

Enigma Forensics’ CEO Interviews Cook County Illinois Clerk Karen Yarbrough on election security. The two discuss progress made in securing the vote against cyber attacks over the last several years.

Clerk Yarbrough has been working to streamline and improve the efficiency of the Clerk’s office while ensuring that the next 202o election is protected against rogue nation states that may want to compromise our next election cycle.

Transcript of the interview is as follows:

Lee Neubecker: I am here today with Karen Yarbrough she is our Recorder of Deeds and Clerk in Cook County here in Chicago.

Clerk Karen Yarbrough: Well not quite Recorder of Deeds anymore Lee, I am now the Cook County Clerk and will be taking over the Recorder of Deeds office in about a year. We actually went to the voters and the voters decided that they were going to do a consolidation of the two offices and so I will pick up the Recorders job in about a year.

Lee Neubecker: So you must have a lot of integration going on with technical resources.

Clerk Karen Yarbrough: You can imagine, and yes we do. I have a very capable staff and we’re trying to get our arms around you know in the clerk’s office there are a number of duties and responsibilities we have elections of course, we have vital records and then we also are involved with taxes, and so I’ve been in this job since December. And what I’m trying to do now is get ready for 2020 and the big election for sure. But also we are absorbing the duties of the recorder of deeds. Big undertaking.

Lee Neubecker: So with all the talk of election hacking and whatnot by different nation states and foreign entities. What kind of things are you involved with, with Cook County with helping to defend against the voting system being attacked the next election cycle?

Clerk Karen Yarbrough: Well for starters Lee, our approach is a multi-leveled risk management approach. We know that there’s no system is foolproof. I mean you know it’s not a perfect system. No system is. Knowing that, we tend to look at every aspect of our system. We have these guiding principles. Defend Detect and Recover. What that simply means is we have a plan we have a plan A plan B all the way to Z.

Lee Neubecker: So its more than just putting your head under the covers.

Clerk Karen Yarbrough: Oh, no, no, no. I noticed when we were in the Recorder Deeds office our systems were attacked on a daily basis. People scraping our sites and in all of these kinds of things. So I am aware of this business of you know people trying to steal data and and what-have-you. But the elections are absolutely positively important. People need to understand that their vote does count and it will count. All the noise we’re hearing from Washington DC really makes people nervous.

Lee Neubecker: What kind of hings have happened to help make sure that wasn’t going to happen. Let’s say if the computers all get zapped to make sure that votes that are casted get counted.

Clerk Karen Yarbrough: Well first of all I have a team of experts. On staff. We’re sharing a gentleman with the city of Chicago who is at the top of the food chain when it comes to people who know about this kind of thing. Having those people on board working with the city of Chicago, we also have a two-factor login authentication of course the firewalls VPN and dedicated private data networks. Then we’re going to be able to lock down our systems both on the hardware and software lock them down before and after elections. So those are the kinds of things that we’re doing. And I think we’re going to be ready coming 2020.

Lee Neubecker: I understand that you’re currently doing some projects to seek outside computer forensic experts. What is your office looking for assistance with right now?

Clerk Karen Yarbrough: I think we’re putting something right now, I might want to defer to John Mirkovic who’s with me here today, on how that’s going. John’s been with me since I was actually in Springfield as a legislator and he has been working on the Blockchain Initiative and certainly this, and so, if you would, could you defer to him, so he can talk about what we’re doing there because John keeps up with this more than I do.

Lee Neubecker: Sure absolutely. What, in the event that a data breach were to happen, what kind of things are in place to make sure that you can recover and get back?

Clerk Karen Yarbrough: Sure. Okay having those plans certainly are important. But you know the Cook County just spent 32 million dollars on new voting equipment. That voting equipment that we have it’s almost like going back to the future,you know all the talk about, you know,voting on the internet and all these kinds of things,up come at some time, at some point in the future. But today we need to know that those votes are safe. So with the system that we have now. I don’t know if you remember,but you would have a system where you have on the side this kind of ticker tape thing that would show you how you voted.

Lee Neubecker: Paper audit trail.

Clerk Karen Yarbrough: Okay yeah well nobody noticed it. I mean I shouldn’t say nobody. But many people didn’t notice that with the new equipment, and we piloted it actually in your suburb and a couple of others. So we ran it through, and people loved it. It was so simple. So you know, you vote, you can either vote, the same way you vote now. So you could use your stylus or what have you. You place your vote, but then it’s going to shoot your ballot out to you. You’ll be able to hold that in your hand. You’ll be able to see if everything you voted for is there. And then you, not somebody else, but you will be able to post and cast your ballot.

Lee Neubecker: So the key thing is, well while the votes are being stored electronically there’s also be printed, they’re also being verified in a print out, that people can see. And then they can take it over and feed it and then scan it so you have another level of detection done, you’ve got the paper vote locked up in a box.

Clerk Karen Yarbrough: Exactly. And let’s say you mentioned something about the whole system blowing up. Okay so if the whole system blows up we still have that paper ballot locked away so that if we have to go back and let’s say everything blew up and people are running all around, with what have you. We can go and retrieve those documents and by hand we can actually,you know, count those those votes, so people should feel confident.

Lee Neubecker: It’s a great Improvement.

Clerk Karen Yarbrough: It is.

Lee Neubecker: I was brought in to consider bidding on the suburban voter audit project for the forensic project. At the time, what I was concerned about, is there wasn’t a simultaneous printout. And at certain points in time, the votes only existed electronically in storage media. They would be transferred to a consolidator that would transmit it. There was a potential at the time, that someone could have a USB device preloaded with 118 votes but in a different distribution. They could swap that device out and put it in the consolidator. But that doesn’t doesn’t exist now with the new equipment.

Clerk Karen Yarbrough: Not at all. So we’re happy about that. Let me tell you, we’re happy about that. The voters who voted in the last election, both the voters and our folks who run the elections, the judges, and what have you, just absolutely love the new system. They liked the fact that they were going to have that ballot in their hand. We shared with them, what happens now? I said well your votes are going to be counted. I said well what if? That’s the same questions that you ask. Well what if? Well we’ve taken all those precautions. But, Lee, I know, like you know, while you have a better mousetrap today, you always have to stay on your P’s and Q’s. The young man I was talking about Raoul, is his name, we share with city Chicago, everyday he’s checking our system, right now, we’re just about we’re ready to go. I think if we had to have an election today, we could have that election and have the confidence that we need to know that we’re going to have a good election, it’s going to be safe, people are going to feel good about how they’re gonna be able to cast their ballot. I’m just excited about the whole thing.

Lee Neubecker: I appreciate everything you’re doing to help secure the vote in Cook County and all your effort to streamline the government.
Clerk Karen Yarbrough: Well thank you so much for the invitation to come on. I’m just thrilled and I know that you’re a real geek and you know all of this stuff. But thank you so very much for having me on.

Lee Neubecker: Thank you Karen Yarbrough!

Watch the second part in this two part series on Cook County Election Security here.

Office 365 Chameleon Spearfish Malware Attacking Microsoft Users

Enigma Forensics cyber security and computer forensics expert, Lee Neubecker discovered a morphing piece of malware code named Chameleon Spearfish, that targets Microsoft Office 365 users. This notice is an effort to help Microsoft exchange administrators running Microsoft Office 365 identify the malware and protect their users from compromise. Microsoft issued an advisory last week alleging that Iranian hackers have been targeting Office 365 accounts.

Characteristics of the malware

The malware is spread when an Office 365 end user clicks on an emailed pdf attachment. Users who do not open the attachment but reply to the compromised sender may receive an auto reply directing them to a sharepoint.com subdomain website. The page appears to be the compromised organization’s download site and displays a protected by Norton logo.

Be Aware of Spearfish Malware

We have observed both the original inbound attachment and the outbound attachment that gets sent onward to the compromised user’s address book. Thus far, only users of Office 365 appear to be targeted. It appears that the malware checks the compromised user’s contacts and performs an mx record query to determine which contacts in the compromised user’s contact address book are hosting their email with Microsoft.

The inbound pdf conforms to an identifiable schema.

  1. The message uses the compromised user’s signature at the bottom of the email.
  2. The file attachment has a name similar to the following:
    “Proposal Invitation 10-7-2019.pdf”, “Proposal Note 10-8-2019.pdf”
  3. The hash values of the file attachment are unique and not reported as problematic at the time the malware is morphed.
  4. The body content of the message varies, but is designed to induce the user to click on the pdf suggesting it is a proposal for business.
  5. Users clicking the pdf are directed to the following website where the user is asked to provide their Office 365 Exchange Credentials.
  6.  One of the samples directed the user to a specific url on the following domain, https://adswbellc-my.sharepoint.com (Pinging this address resolves to 40.108.203.33, an Akamai IP address which may vary depending on the source computer performing the ping).
  7. Another of the samples when clicked directed the user to a link on the following subdomain https://netorgft2768825-my.sharepoint.com (Pinging this address resolves to 13.107.136.9 a microsoft.com IP address).
  8. Future instances of this may be uploading further documents to other compromised Office 365 SharePoint websites.

Once the pdf attachment is clicked on, the malware appears to morph itself making it undetectable by any of the common antivirus solutions and begins further distribution and propagation.

Analysis of email headers on inbound and outbound messages containing the compromised pdf indicates the MAPI protocol is used to relay the message onwards to the compromised user’s contacts. Only Outlook.com and Office 365 users appear to be targeted by Chameleon Spearfish. Analysis of the malware code is in progress, but it appears that the emails are distributed from software running on the compromised end user’s machine using the MAPI protocol to connect to Office 365.

Items in the compromised user’s sent folder are purged by the malware, making it difficult to understand who received the morphed copy of the malware. Organizations using Office 365 Compliance functions should be able to determine any outbound messages sent by a compromised account by searching their enterprise.

Protective Recommended Measures

  1. Make a local DNS entry or local machine HOSTS file entry to sandbox adswbellc-my.sharepoint.com to 0.0.0.0.
  2. Consider blocking all sharepoint.com traffic outbound with an exception for your internal sharepoint.com subdomain if applicable.
  3. Search your mailbox and Outlook 365 compliance for “Proposal*10-*-2019.pdf”
  4. Search firewall traffic logs for users visiting any sharepoint.com website, but especially adswbellc-my.sharepoint.com.

What to do if you are compromised?

  • Rotate end user passwords for any user that clicked on the pdf and do this from a machine that is secure.
  • Back up data from compromised computer and deploy fresh image of the operating system and programs.
  • Notify any downstream impacted users about the compromise by sending them a link to this article if you or anyone in your organization was compromised.
  • Consider hiring our firm to assist you if you have a severe outbreak.

Frederick Lane on Youth Cybertraps

Author, privacy expert and computer forensics expert Frederick Lane sat down with me recently to discuss his book, “Cyber Traps for the Young”. Lane has published three Cybertrap books thus far. Lane shares the risks associated with youth having tools given to them by their parents that may put their children at risk of committing crimes. Lane shares his insights from the book and expresses concerns that applications and games on phones are being used to harvest information about kids. Lane provides recommendations to parents on trying to delay the use of electronic communications devices as long as possible. Society presses kids to get online, but that may not be the best for children.

The transcript of the video interview follows: