Forensic Imaging Tools Used By Computer Forensic Experts
Leading computer cyber forensics Expert Lee Neubeckers discusses FTK Imager (forensics imaging tool) and Write Block Technology with Alex Gessen renowned forensics expert.
The transcript of the video follows
Lee Neubecker: So, I hear you recently uncovered a problem with forensic write block technology can you tell me about that?
Alex Gessen: Oh, yes. Not only with write block technology, but even more importantly with… Forensic imaging tool, which is used by basically everybody in the industry, called FTK Imager. And what I discovered, I also used that tool for years, and didn’t realize the fault, but what I discovered. Basically, two weeks ago, and I did some tests and analysis and I asked Kevin to help me, that FTK Imager produces a wrong serial number when USB storage devices are imaged and that serial number basically is useless for the purpose of verification if specific device was plugged into a specific computer, which, with USB devices, is almost always. When you analyze these devices, 90% of times, it’s of critical importance, and–
Lee Neubecker: So, how is that information used when you are doing a trade secret misappropriation investigation to assist you?
Alex Gessen: I… Quite often, I have to image a computer. Usually work computer, where the person works, or worked, and then, first of all, I find out, analyzing the computer, that certain devices were plugged in, in this specific instance. There are other ways to steal intellectual property or trade secrets. You can upload them to the Cloud, you can email important attachments to yourself. But, quite often, because it’s the most time effective, is to copy data to external devices. So, first, you find out which devices were plugged into the computer, and then you have to get these devices and analyze them. And when you have these devices, you have to be sure that this is device which was plugged into the computer in question and for that you need serial number, and FTK Imager didn’t provide serial number. And people, whole industry, was using that for years and years.
An electronic medical record (EMR) audit trail is a log file required by HIPAA of all electronic medical record software systems. The EMR audit trail documents all points of access of a patient electronic medical record system including any actions to modify, view, print or amend the record by replacing or adding new data.
Electronic Medical Record (EMR) Audit Trails are key to effective electronic discovery during medical malpractice litigation. Renowned EMR Computer Forensics Expert, Lee Neubecker interviews Insurance Defense Attorney Bill McVisk who usually helps defend hospitals embroiled in medical malpractice litigation. McVisk discusses common areas of confusion during discovery of patient medical records. Neubecker relays some of his past experiences helping plaintiffs uncover important medical records that are often hidden from plaintiffs during discovery. Enigma Forensics has assisted counsel with conducting depositions relating to Electronic Health Records (EHR) and EMR. The two discuss how electronic medical record systems have often made the process of discovery more difficult and confusing to attorneys and litigants.
The transcript of the interview follows:
The transcript of the interview follows:
Lee Neubecker: Hi. I’m here today with Bill McVisk. He’s a patient medical records expert, a litigator. He works with hospitals that are dealing with EMR-related patient medical records and whatnot. I had him on my show today because I want to talk a little bit about electronic medical records. Bill, they said that electronic medical records were going to revolutionize everything and make everything so much better. What’s the reality of what’s happened since we’ve brought about medical records?
Bill McVisk: A lot of EMR has been great. I mean, there’s an ability of doctors to provide records to other people that they couldn’t have done before. There’s the ability, for instance, of a radiologist to look at a film that was taken, and he can be in San Diego, and the patient can be in New York, and it still works. The problems, though, there are some problems. I mean, the biggest problem I see is that anyone who’s ever gone to a doctor’s… the doctors are focused on their computers instead of focusing on the patient. What they’re doing is hitting all sorts of drop-down menus and stuff, and I think we’re losing something from the standpoint of presenting physicians and nurses in malpractice cases. It creates a situation where you don’t really get a sense of exactly what that nurse or doctor is thinking, and so the records just aren’t quite as helpful in medical malpractice cases as they used to be. On the upside, we can read them now, whereas in the past we had to worry about doctors’ handwriting.
Lee Neubecker: Yeah. I know from experience working as a EMR, a patient medical record expert, that discovery can often become challenging. When an attorney is preparing a witness for deposition related to patient medical records, what are some of the things that you look for and care about in that process?
Bill McVisk: Well, the first thing, quite frankly, is to make sure I have the entire record. I can’t tell you how often I’m getting records where I get part of the record, and for some reason, I don’t know if it’s stored on a different server or what, I’m not getting all of the record. I may get all the physician’s part of the record but not the nurse’s part of the record, and obviously, that’s essential. Other problems, like when I’m preparing a witness for a deposition, the big problem is that they’re not used to seeing these records printed out. I mean, in the past, they would look at the chart, it would be exactly the same as the chart they were looking at in the hospital. Now, they are looking at the chart on a computer screen when they’re in the hospital, but when you’re preparing them for a deposition, you’ve got a paper chart, and the paper chart prints out terribly. Every time there’s a slight change of any kind in the record from one minute to the next, the chart prints out the page again and again and again, so there’s all this stuff, and it’s just getting the nurses and the doctors to know where in the chart their entry is going to be makes it a little bit harder.
Lee Neubecker: Yeah. I have experience working with that, and I know that HIPAA requires that every instance of that medical record, pre-editing and post-editing, that that data be preserved and discoverable, but in reality, a lot of the software packages, they only have reports that run the last version, so to get into the true audit trail, you often have to get into the database backend to get access to that information.
Bill McVisk: Well, and I think audit trails are the other aspect of things that makes it a little bit harder in this situation. In the past, we basically, I could give the original medical record to the plaintiff’s attorney to inspect. If somebody had erased something or done something like that, it’d be pretty obvious. I would hopefully know about it before the plaintiff’s attorney would know about it. Then I’d deal with that. But, it may not be obvious now because people can go in, change records, and now, if an audit trail is suddenly showing me, “Oh, my god, somebody was in and did something “to the record,” and it’s two or three weeks after the treatment was over, or, say, two or three hours after a terrible incident occurred, that’s going to make it look concerning. So I think from our standpoint, it’s a matter of making sure healthcare providers are aware of how to do it in a way that isn’t going to look like you’re trying to fake or lie.
Lee Neubecker: And there’s a big difference between accessing a medical record, and editing it.
Bill McVisk: Right.
Lee Neubecker: That’s where sometimes attorneys on both sides become confused about the significance of what’s happening with the patient record.
Bill McVisk: Right. I mean, records get accessed all the time. Maybe it’s to prepare for a deposition. You have to access the record to look at it. Maybe it’s because there’s followup treatment and you need to access the record. That happens all the time, but sometimes, on these audit trails, it’s not always easy. Is this just an access, or is somebody going in and changing something?
Lee Neubecker: And there’s a whole other layer, too. I know from my experience working with many of the packages that the hospitals often use systems that have something known as sticky notes, where they can put comments about a patient. There’s a wide perception that those notes aren’t discoverable. Just because the software doesn’t have a report that will run it, doesn’t mean that if someone like me is coming in, and I get access to the backend database, those comments about the patient and whatnot become apparent. But unfortunately, it’s difficult to get at that data if you don’t know what you’re looking for.
Bill McVisk: And that creates a real problem if you’re defending the hospital, because if I don’t know about these sticky notes in the beginning, first of all, I’m not going to be thinking, “Oh, my goodness.” Then, if you come and discover them, it obviously is going to be, “Oh. I was trying to hide those notes,” or, “The hospital was trying to hide those notes,” which is always the worst thing you can do as a defendant in litigation. And they’re clearly, if there’s something about a patient in those notes, it’s almost never privileged, it is discoverable, and it should be provided immediately.
Lee Neubecker: Also, you know, there’s a tendency I see for the hospitals to try to cover things up. Do you think that there’s some value in bringing in, when you’re defending a hospital, your own forensic expert to dig around and find out what’s really happening?
Bill McVisk: See, I don’t think the hospitals are intentionally trying to cover stuff up. I really don’t think that’s, I’ve almost never seen that happen. There may be, you know, one or two, but in most of these cases, I think the hospitals are trying to find out what the truth is. That being said, the hospital may not be aware that some of these things, because the risk management for the hospital might not be fully aware of all of the situations that are involved in electronic medical records, and yes, at that point, it may be a good idea for me just to have somebody like you go through those records, let me know. Before I produce them to the plaintiff, I would like to know what’s out there.
Lee Neubecker: It would probably be a lot more useful for you to get just a listing of the changes on the record so you’re not looking at the whole document, but maybe here’s a first instance, and then change one, change two, change three, so you can see before text, after text.
Bill McVisk: Sure.
Lee Neubecker: That’s the type of thing that, unfortunately, there’s not canned reports that are in the software that do that. I think that could be by design of the software makers because they don’t want to make it worse for their clients, the hospitals, but it’s certainly possible that it’s just something that was never asked for.
Bill McVisk: That’s quite possible, and I don’t know any of these software makers, but to me, it would be really helpful to know what those are. Of course, that does make it more discoverable, easily discovered by the plaintiff’s attorneys, but on the other hand, I as a defense attorney need to know about it, and if there’s a change that’s improper, I need to know about it right away.
Lee Neubecker: Yeah. What kind of problems can occur when different providers have different EMR systems?
Bill McVisk: Well, that can create problems of a number of ways. Sometimes, the software of one hospital doesn’t communicate with the software of another. There have been situations, for instance, where a physician enters an order for something to happen, and then because of the software problems, it doesn’t get to the provider who’s supposed to do it, and they don’t know that they’re supposed to do it. That creates serious problems for patient care. And similarly, it’s like, if a hospital is discharging a patient to a nursing home, and they want the nursing home to have a certain specific type of care regimen afterward, that can create problems if they don’t communicate well.
Lee Neubecker: Well, thanks a bunch, Bill, for being on the show. I appreciate it.
This is Part 2 in the Cook County Election Security Interview
Last week, I sat down with Cook County Clerk Karen Yarbrough and her Deputy, John Mirkovic to discuss the many cyber security changes. Clerk Yarbrough gave an excellent interview discussing changes she has helped bring about during her tenure to protect the ballot box. As a followup to that interview, I sat down with her Deputy who provided more technical details regarding the current state of cyber security readiness and efforts to adopt leading technologies to streamline and secure government from cyber attacks. To view, Part 1 Please watch this followup to the previous interview with Clerk Yarbrough by clicking the image below.
The transcript of the interview follows:
Election Cyber Security Safeguards
Lee Neubecker: Hi, I’m here today with Karen Yarbrough, the Cook County Clerk and Recorder, her deputy, John Mirkovic is her data wizard. He’s come on my show to talk a little bit about Election Cyber Security and some other interesting topics. John, thanks for coming on today.
John Mirkovic: Thanks for having us, Lee.
Lee Neubecker: So, the Clerk and I were talking a little bit about Microsoft’s open ElectionGuard and I wanted to get your take on what’s happening with that. If you could tell everyone what the platform’s about and what brought this about in terms of Microsoft’s involvement.
John Mirkovic: Yeah, we’re pretty excited about this and one reason, our vendor is participating. So, generally, this is an idea to build really the best voting machine out there or kind of establish the software and hardware standards that the government would like jurisdictions across the country to adopt to really open-source standards. So, what this is about is, as you know open-source, it’s about doing all the work on the front end, publishing your code and your set-ups and inviting the world to attack it and try and penetrate it. So, our vendor is working with this system. We are monitoring the progress. It’s moving a little slow but we’re excited that there are finally people talking about open-source in government because it’s really the most important.
Lee Neubecker: Oh yeah, and it’s good too because essentially you’re putting the spotlight on the system. So, if there’s a bug, everyone’s talking about it online and it gets fixed, it’s transparent and what I like the best about this is it creates a potential for all these Clerks and other parties responsible for voting to be able to capture and preserve those votes and introduce technology to allow people to verify that their vote was cast as intended.
John Mirkovic: Yeah, exactly, and a lot of offices across the country don’t have enough resources to get the equipment they want. There are a lot of states that vote only on electronic machines which is frightening, really, and it’s kind of the worst system to have, so, any kind of sharing of resources is vital for the government to be able to quickly get the entire country up to the same standard.
Lee Neubecker: So, John has the federal government been helping get Cook County ready for the next election cycle? And if so, what has the federal government’s role been with assisting you?
John Mirkovic: Yeah, they’ve been a great partner both Department of Homeland Security and the FBI. It is a true partnership because we have adequate resources here, so we’re able to implement a lot of the cutting edge stuff that they would like to see across the country.
John Mirkovic: So, we are almost like a pilot or a laboratory really. They’re in our office on Election Day, monitoring the systems, checking how all the CyberSecurity systems work, and real-time threat sharing. So, yeah, we in Cook County are considered to be amongst the top 1% of performers in the country and we’re happy to help spread that information to other jurisdictions.
Lee Neubecker: Last time when you and I had lunch, you were telling me a little bit about some of your work in the blockchain space and some of your ideas for how you thought blockchain might be able to help Recorder officers everywhere with using blockchain technology to record deeds. Can you tell a little bit about what the premise is behind that and explain to people how that can revolutionize the recording of deeds?
John Mirkovic: Yeah, yeah, it sort of ties into elections too. You know the most famous blockchain out there is Bitcoin. And Bitcoin works so well because it’s only designed to do one thing which is transfer numbers from one ledger to another. So, really being inspired, you know, not only by the technological ability to protect that using hashing algorithms and digital signatures, just the general idea on architecture software in the same manner.
John Mirkovic: And, you know, Clerk Yarbrough said before, “It’s like …Back to the Future.”
John Mirkovic: Technology doesn’t always have to be about adding more features. And generally, when you build products in committees or groups, no one’s happy and the compromise is never what anyone wants. So, in election security there can be no compromises, we have to have the best.
John Mirkovic: So, blockchain, you know, is a way to digitally guarantee certain outcomes. So, you know, it’s not quite ready for elections yet though there have been some experiments with it. It’s a great technology for Land records and preferably only if it is applied on a large scale to protect the entire transaction. So, blockchain is a way to wrap an expensive, important transaction in CyberSecurity and ensure that it works out.
Lee Neubecker: So, right now, I know it’s common if people are trying to research property records. They’ll come down to the Recorder’s office, go into the basement, sometimes look through microfiche or something. Is there a likelihood that if this technology gets adopted, universally.. that all those old records will be retroactively kind of put back out onto the blockchain so that they exist in cyberspace?
John Mirkovic: Yeah, that’s a great question, one that we get a lot. It some smaller counties you would probably be able to do that. Cook County, unfortunately, has way too many records in various states of microfilm. And, to get those on, they would actually require the same types of effort that creates bad data in the first place which is re-keying data entry. So, really the best approach, if we were to switch to such a system would be… like the County used to insure title for certain transactions. So, in those cases we could, look at the transaction, insure over any risks from the 1950s and 60s. We know what else is out there, you know, the 50s in kind of electronic format. So, it’s too tough to get it all into the same system but when you think about how these systems work, you know, if you have a legacy database and a distributed database, it’s all feeding to one website, right. So, the public, you know, when they go and do their research, they’re not really going to see the background whether it’s a distributed database or a centralized database. So, it’s all about how you deliver the information to the people.
Lee Neubecker: Well, thanks a bunch for being on the show. I really appreciate it. Thank you.
Enigma Forensics’ CEO Interviews Cook County Illinois Clerk Karen Yarbrough on election security. The two discuss progress made in securing the vote against cyber attacks over the last several years.
Clerk Yarbrough has been working to streamline and improve the efficiency of the Clerk’s office while ensuring that the next 202o election is protected against rogue nation states that may want to compromise our next election cycle.
Transcript of the interview is as follows:
Lee Neubecker: I am here today with Karen Yarbrough she is our Recorder of Deeds and Clerk in Cook County here in Chicago.
Clerk Karen Yarbrough: Well not quite Recorder of Deeds anymore Lee, I am now the Cook County Clerk and will be taking over the Recorder of Deeds office in about a year. We actually went to the voters and the voters decided that they were going to do a consolidation of the two offices and so I will pick up the Recorders job in about a year.
Lee Neubecker: So you must have a lot of integration going on with technical resources.
Clerk Karen Yarbrough: You can imagine, and yes we do. I have a very capable staff and we’re trying to get our arms around you know in the clerk’s office there are a number of duties and responsibilities we have elections of course, we have vital records and then we also are involved with taxes, and so I’ve been in this job since December. And what I’m trying to do now is get ready for 2020 and the big election for sure. But also we are absorbing the duties of the recorder of deeds. Big undertaking.
Lee Neubecker: So with all the talk of election hacking and whatnot by different nation states and foreign entities. What kind of things are you involved with, with Cook County with helping to defend against the voting system being attacked the next election cycle?
Clerk Karen Yarbrough: Well for starters Lee, our approach is a multi-leveled risk management approach. We know that there’s no system is foolproof. I mean you know it’s not a perfect system. No system is. Knowing that, we tend to look at every aspect of our system. We have these guiding principles. Defend Detect and Recover. What that simply means is we have a plan we have a plan A plan B all the way to Z.
Lee Neubecker: So its more than just putting your head under the covers.
Clerk Karen Yarbrough: Oh, no, no, no. I noticed when we were in the Recorder Deeds office our systems were attacked on a daily basis. People scraping our sites and in all of these kinds of things. So I am aware of this business of you know people trying to steal data and and what-have-you. But the elections are absolutely positively important. People need to understand that their vote does count and it will count. All the noise we’re hearing from Washington DC really makes people nervous.
Lee Neubecker: What kind of hings have happened to help make sure that wasn’t going to happen. Let’s say if the computers all get zapped to make sure that votes that are casted get counted.
Clerk Karen Yarbrough: Well first of all I have a team of experts. On staff. We’re sharing a gentleman with the city of Chicago who is at the top of the food chain when it comes to people who know about this kind of thing. Having those people on board working with the city of Chicago, we also have a two-factor login authentication of course the firewalls VPN and dedicated private data networks. Then we’re going to be able to lock down our systems both on the hardware and software lock them down before and after elections. So those are the kinds of things that we’re doing. And I think we’re going to be ready coming 2020.
Lee Neubecker: I understand that you’re currently doing some projects to seek outside computer forensic experts. What is your office looking for assistance with right now?
Clerk Karen Yarbrough: I think we’re putting something right now, I might want to defer to John Mirkovic who’s with me here today, on how that’s going. John’s been with me since I was actually in Springfield as a legislator and he has been working on the Blockchain Initiative and certainly this, and so, if you would, could you defer to him, so he can talk about what we’re doing there because John keeps up with this more than I do.
Lee Neubecker: Sure absolutely. What, in the event that a data breach were to happen, what kind of things are in place to make sure that you can recover and get back?
Clerk Karen Yarbrough: Sure. Okay having those plans certainly are important. But you know the Cook County just spent 32 million dollars on new voting equipment. That voting equipment that we have it’s almost like going back to the future,you know all the talk about, you know,voting on the internet and all these kinds of things,up come at some time, at some point in the future. But today we need to know that those votes are safe. So with the system that we have now. I don’t know if you remember,but you would have a system where you have on the side this kind of ticker tape thing that would show you how you voted.
Lee Neubecker: Paper audit trail.
Clerk Karen Yarbrough: Okay yeah well nobody noticed it. I mean I shouldn’t say nobody. But many people didn’t notice that with the new equipment, and we piloted it actually in your suburb and a couple of others. So we ran it through, and people loved it. It was so simple. So you know, you vote, you can either vote, the same way you vote now. So you could use your stylus or what have you. You place your vote, but then it’s going to shoot your ballot out to you. You’ll be able to hold that in your hand. You’ll be able to see if everything you voted for is there. And then you, not somebody else, but you will be able to post and cast your ballot.
Lee Neubecker: So the key thing is, well while the votes are being stored electronically there’s also be printed, they’re also being verified in a print out, that people can see. And then they can take it over and feed it and then scan it so you have another level of detection done, you’ve got the paper vote locked up in a box.
Clerk Karen Yarbrough: Exactly. And let’s say you mentioned something about the whole system blowing up. Okay so if the whole system blows up we still have that paper ballot locked away so that if we have to go back and let’s say everything blew up and people are running all around, with what have you. We can go and retrieve those documents and by hand we can actually,you know, count those those votes, so people should feel confident.
Lee Neubecker: It’s a great Improvement.
Clerk Karen Yarbrough: It is.
Lee Neubecker: I was brought in to consider bidding on the suburban voter audit project for the forensic project. At the time, what I was concerned about, is there wasn’t a simultaneous printout. And at certain points in time, the votes only existed electronically in storage media. They would be transferred to a consolidator that would transmit it. There was a potential at the time, that someone could have a USB device preloaded with 118 votes but in a different distribution. They could swap that device out and put it in the consolidator. But that doesn’t doesn’t exist now with the new equipment.
Clerk Karen Yarbrough: Not at all. So we’re happy about that. Let me tell you, we’re happy about that. The voters who voted in the last election, both the voters and our folks who run the elections, the judges, and what have you, just absolutely love the new system. They liked the fact that they were going to have that ballot in their hand. We shared with them, what happens now? I said well your votes are going to be counted. I said well what if? That’s the same questions that you ask. Well what if? Well we’ve taken all those precautions. But, Lee, I know, like you know, while you have a better mousetrap today, you always have to stay on your P’s and Q’s. The young man I was talking about Raoul, is his name, we share with city Chicago, everyday he’s checking our system, right now, we’re just about we’re ready to go. I think if we had to have an election today, we could have that election and have the confidence that we need to know that we’re going to have a good election, it’s going to be safe, people are going to feel good about how they’re gonna be able to cast their ballot. I’m just excited about the whole thing.
Lee Neubecker: I appreciate everything you’re doing to help secure the vote in Cook County and all your effort to streamline the government. Clerk Karen Yarbrough: Well thank you so much for the invitation to come on. I’m just thrilled and I know that you’re a real geek and you know all of this stuff. But thank you so very much for having me on.
Lee Neubecker: Thank you Karen Yarbrough!
Watch the second part in this two part series on Cook County Election Security here.
Enigma Forensics cyber security and computer forensics expert, Lee Neubecker discovered a morphing piece of malware code named Chameleon Spearfish, that targets Microsoft Office 365 users. This notice is an effort to help Microsoft exchange administrators running Microsoft Office 365 identify the malware and protect their users from compromise. Microsoft issued an advisory last week alleging that Iranian hackers have been targeting Office 365 accounts.
Characteristics of the malware
The malware is spread when an Office 365 end user clicks on an emailed pdf attachment. Users who do not open the attachment but reply to the compromised sender may receive an auto reply directing them to a sharepoint.com subdomain website. The page appears to be the compromised organization’s download site and displays a protected by Norton logo.
Be Aware of Spearfish Malware
We have observed both the original inbound attachment and the outbound attachment that gets sent onward to the compromised user’s address book. Thus far, only users of Office 365 appear to be targeted. It appears that the malware checks the compromised user’s contacts and performs an mx record query to determine which contacts in the compromised user’s contact address book are hosting their email with Microsoft.
The inbound pdf conforms to an identifiable schema.
The message uses the compromised user’s signature at the bottom of the email.
The file attachment has a name similar to the following: “Proposal Invitation 10-7-2019.pdf”, “Proposal Note 10-8-2019.pdf”
The hash values of the file attachment are unique and not reported as problematic at the time the malware is morphed.
The body content of the message varies, but is designed to induce the user to click on the pdf suggesting it is a proposal for business.
Users clicking the pdf are directed to the following website where the user is asked to provide their Office 365 Exchange Credentials.
One of the samples directed the user to a specific url on the following domain, https://adswbellc-my.sharepoint.com (Pinging this address resolves to 40.108.203.33, an Akamai IP address which may vary depending on the source computer performing the ping).
Another of the samples when clicked directed the user to a link on the following subdomain https://netorgft2768825-my.sharepoint.com (Pinging this address resolves to 13.107.136.9 a microsoft.com IP address).
Future instances of this may be uploading further documents to other compromised Office 365 SharePoint websites.
Once the pdf attachment is clicked on, the malware appears to morph itself making it undetectable by any of the common antivirus solutions and begins further distribution and propagation.
Analysis of email headers on inbound and outbound messages containing the compromised pdf indicates the MAPI protocol is used to relay the message onwards to the compromised user’s contacts. Only Outlook.com and Office 365 users appear to be targeted by Chameleon Spearfish. Analysis of the malware code is in progress, but it appears that the emails are distributed from software running on the compromised end user’s machine using the MAPI protocol to connect to Office 365.
Items in the compromised user’s sent folder are purged by the malware, making it difficult to understand who received the morphed copy of the malware. Organizations using Office 365 Compliance functions should be able to determine any outbound messages sent by a compromised account by searching their enterprise.
Protective Recommended Measures
Make a local DNS entry or local machine HOSTS file entry to sandbox adswbellc-my.sharepoint.com to 0.0.0.0.
Consider blocking all sharepoint.com traffic outbound with an exception for your internal sharepoint.com subdomain if applicable.
Search your mailbox and Outlook 365 compliance for “Proposal*10-*-2019.pdf”
Search firewall traffic logs for users visiting any sharepoint.com website, but especially adswbellc-my.sharepoint.com.
What to do if you are compromised?
Rotate end user passwords for any user that clicked on the pdf and do this from a machine that is secure.
Back up data from compromised computer and deploy fresh image of the operating system and programs.
Notify any downstream impacted users about the compromise by sending them a link to this article if you or anyone in your organization was compromised.
Consider hiring our firm to assist you if you have a severe outbreak.
Author, privacy expert and computer forensics expert Frederick Lane sat down with me recently to discuss his book, “Cyber Traps for the Young”. Lane has published three Cybertrap books thus far. Lane shares the risks associated with youth having tools given to them by their parents that may put their children at risk of committing crimes. Lane shares his insights from the book and expresses concerns that applications and games on phones are being used to harvest information about kids. Lane provides recommendations to parents on trying to delay the use of electronic communications devices as long as possible. Society presses kids to get online, but that may not be the best for children.
Cyber Security & Computer Forensics Expert Lee Neubecker and Data Privacy Expert Debbie Reynolds discuss recent efforts to pass legislation in the House and Senate that would hold telecommunication providers responsible for addressing the ever growing tide of robocalls disrupting consumers and businesses. Existing laws such as the Telephone Consumer Protection Act (TCPA) have proven effective in blocking off shore robocalls. VOIP technology allows for robocall centers to systematically dial U.S. consumers and businesses from beyond the legal reach of our court system. Popular spoofing techniques such as Neighborhood Calling often impersonate the first 6 digits of the call receiver’s phone number in the hope of enticing that call receiver to answer a call. Neubecker and Reynolds both share their frustrations with the current situation and are hopeful the U.S. Senate and the President will take immediate action to pass updated privacy legislation protecting us all from spam robocalls.
The transcript of the video follows:
Lee Neubecker: I’m here today with Debbie Reynolds. We’re going to be talking a little bit about robocall and some new legislation coming our way. Those annoying phone calls we all get on our cellphones.
Debbie Reynolds: That’s right.
Lee Neubecker: Have you gotten any calls where it’s the first six digits of your phone number?
Debbie Reynolds: Yes!
Lee Neubecker: That’s called “neighborhood calling”. And basically, what the bad guys are doing is that they’re using VOIP technology to spoof, and they’re plugging in any number. So they can actually impersonate people you know. But they do this because they think that it increases the likelihood that you’ll answer the phone. In fact, for me, when I see those first six digits, I’m not even going to answer it.
Debbie Reynolds: Oh, absolutely. Absolutely. It’s wrong or what now?
Lee Neubecker: One of the big problems we have is no one’s taking accountability for this. I heard AT&T is trying to force some authentication mechanisms, but there needs to be some more teeth on this so that people can’t just impersonate phone numbers, or we’ll never get through this.
Debbie Reynolds: Absolutely, absolutely. Actually, so, thankfully this law passed, right?
Lee Neubecker: Well, it’s going through. It passed under the House, overwhelmingly
Debbie Reynolds: Overwhelming, yeah.
Lee Neubecker: They’re hoping that… It said it could happen by 2020, perhaps?
Debbie Reynolds: Okay, that’d be good.
Lee Neubecker: But it’s got to… I think they have to reconcile the two bills, the House and senate, and then the President has to sign it. But by the show of votes, I think everyone’s in favor of let’s tackle all these annoying robocalls.
Debbie Reynolds: Absolutely. So the FCC, they really made a lot of headway many years ago on the Do Not Call Registry, so this will be sort of another layer to that, that the FCC is sort of looking at. I don’t know about you, but I’m very annoyed when I get robocalls, so I’m not happy about this. Maybe it will happen after the election, because the election, people like to be robocalled.
Lee Neubecker: I get tons of calls from people wanting to lend me money, They will ring my phone once and then it will hit my voicemail. This woman keeps calling, saying, I want to speak to you. It’s like, and it’s not even a real person, It’s all automated. It’s annoying.
Debbie Reynolds: Oh, my goodness. Well, one interesting thing about the law, or the one that they’re anticipating, or trying to pass, that I haven’t seen in other laws like this, they’re trying to force companies to create technology, to be able to tell a robocall.
Lee Neubecker: The carriers need to enforce it. The carriers have to stop allowing unsecured VOIP to impersonate calls.
Debbie Reynolds: Right. The House does not allow it, but they specifically said they have to create, if it does exist, they have to create some technology to make sure they can tell a robocall from a normal call?
Lee Neubecker: It’s basically like, we’re going to block any call that isn’t using a means of identity verification. Right now, it’s about a bust.
Debbie Reynolds: And they can’t charge for it, so it’s not like an extra fee. I’m sure what’ll happen is they’ll do you another fee and then call it something else, but it’ll be probably just robocalls.
Lee Neubecker: The act also increased the penalty. Current legislation, the TCPA, the Telephone Consumer Protection Act, dealt with spam faxes, calls, and what-not, but the robocall act is going to produce penalties I think to ten thousand dollars each.
Debbie Reynolds: Per incident.
Lee Neubecker: Per incident.
Debbie Reynolds: So that’s a lot.
Lee Neubecker: So that’s going to drive my TCPA consulting business, because that’s work.
Debbie Reynolds: Yeah, absolutely. Well, if it actually makes it, I’m sure the thing about the $10,000 per incident and also, forcing companies to create technology to be able to tell what’s a robocall, corporations or the carriers are probably going to fight that. So, we’ll see.
Lee Neubecker: Yeah. So Debbie, what are the likely impacts on the litigation environment, as you see it? If this legislation goes through?
Debbie Reynolds: Well, first of all, there will be companies that will, uh, I’m sure there will be consumer groups that want to bundle together consumer complaints and probably go after these carriers to try to get these big fines or whatever. So, this could be tying up the legislation for a while. Once the lawyers get their fees, You’ll probably want to get the $10,000 per incident.
Lee Neubecker: It’s going to make it a lot more, in my opinion, they will make it much easier to actually identify who’s behind it, because right now people are using proxy phone numbers to call and many of them are just total scams run out of the country. You can’t– A Nigerian spam call center, we can’t really go after, but if our carriers say they’re going to block these rogue, foreign VOIP connections, then it will make it more secure. Ultimately, you’ll probably have people who opt in to the insecure network, and people who want a secure-only platform where it’s no use calling them.
Debbie Reynolds: I agree.
Lee Neubecker: Thank you for being on the show today. It was great to have you on again. I love your scarf.
Debbie Reynolds: Thank you.
Lee Neubecker: You always have interesting scarves.
Importance of Computer Forensics in Medical Malpractice Litigation by revealing patient electronic medical records.
Computer Forensics Wins Litigation
Enigma Forensics CEO & President Lee Neubecker interviews James Meyer a personal injury attorney from Ialongo and Meyer. Computer Forensics uncovers answers to important questions such as; what orders may or may not have been entered as a result of that medical test. In this video, Lee and Jim share some of the changes that have ocurred that impact medical malpractice litigation. Tune in to find out how using computer forensics can make or break a case.
The transcript of the video interview follows:
Lee Neubecker: Hi this is Lee Neubecker, I’m here with Jim Meyer from Ialongo and Meyer, and we’re here today talking about patient medical records, specifically electronic medical records. Some of the changes that have happened that impact medical malpractice litigation. So Jim, can you tell me a little bit about EMR and how computer forensics plays a role in cases that you’re litigating, where you’re trying to get a result for your client?
Jim Meyer: Well EMR has changed everything, in regards to medical records. HIPAA is required that the electronic medical records, both be secure and private, that requirement provides that a lot of metadata is collected with every electronic medical record. That metadata itself is very important in… Capturing information about where, when, how and whom, made the medical record, can be crucial in any medical investigation.
Lee Neubecker: Look, can you tell me an example of what type of metadata you might be asking for, and why it would be relevant to the outcome of litigation?
Jim Meyer: Well… The metadata that is most interesting in most cases is, when certain events occurred in a medical record. When a test was ordered, when it was performed, when the results were placed in the patient’s medical record, when the physician saw those results, what orders may or may not have been entered as a result of that medical test. When medication is prescribed, when it’s administered, who administered the medication. Many of these details are now electronically captured, as opposed to being physically noted, as they were in old written medical records. It can make a… Big difference in trying to determine when events occurred in a case.
Lee Neubecker: I know one of the cases I was involved in, I discovered that many of the different default reports that are provided with these medical software packages, don’t necessarily show all available metadata. In fact, what we had to do on one of the cases, we had to work through discovery to try to get the scheme of the database. And then we discovered in once instance that there was something known as a sticky note, that the nurses and physicians could type little comments in, but there was a presumption that would never get printed because it’s not in any of the default reports. So what we actually had to do is find the table that had these notes, and then work to get the data dumped. And as soon as we found that, the case quickly settled, because obviously, the hospitals don’t want everyone knowing what’s going on.
Jim Meyer: That’s a disadvantage that a plaintiff in a case may have. Hospitals often times have entire departments in medical informatics, departments in which they have experts that know the in’s and out’s of the EMR, the metadata collected, often times plaintiffs do not, but they should be aware of the fact that that metadata exists. Extracting it from the record is often times… It is a need for an expert at computer forensics, expert, an IT expert. But it’s important that plaintiffs, and all attorneys, defense attorneys and plaintiffs attorneys realize that that information exists as metadata in these records, it can be obtained. We take great deal of effort to obtain it, but it’s there.
Lee Neubecker: And Jim and I co-authored a paper along with another attorney that appeared in the Illinois State Bar Association on EMR patient medical records, the audit trail and other things impacting HIPPAA and medical malpractice regulations. We’ll put that up here too so that you check that out. Anything else you’d like to add about your practice, Jim?
Jim Meyer: No, we’re happy practicing attorneys in Chicago, Illinois. I would recommend any attorney who is involved in any issue similar to this, to take a look at the article that Lee was kind enough to co-author with me and John Tomes, it really is a lot of information. Detailed information that attorney’s should know.
Lee Neubecker: Great, thank you.
Jim Meyer: You’re welcome.
To Learn More about Computer Forensics and Patient Electronic Medial Records
Capital One Data Breach – Interview of Data Privacy & eDiscovery expert on the fallout
Cyber Security & Computer Forensics Expert Lee Neubecker interviews Data Privacy Expert Debbie Reynolds on the fallout from the recently disclosed Capital One Data Breach that occurred following alleged hacking of the company’s data stored in the cloud. Issues discussed include an assessment of how the CEO of Capital One managed the crisis, pending charges filed against Paige Thompson and the Computer Fraud and Abuse Act in the government’s complaint filed earlier this week.
Transcript of video follows
Lee Neubecker: Hi, I’m here today with Debbie Reynolds from Debbie Reynolds Consulting and we’re going to be talking today about the recent news involving the Capital One Data Breach Thank you for being on the show Debbie.
Debbie Reynolds: Thank you for inviting me. It’s such a thrill, you’re such a joy to be around to talk to so it’s great to do this
Lee Neubecker: Well it’s great to have you here. So, trial’s expected this Thursday in the case. Can you tell everyone a little bit about what happened this week?
Debbie Reynolds: So this week is in the news that Capital One had a data breach. There was a woman who used to be, I believe she’s worked Amazon if I’m not mistaken, who had found a vulnerability in Capital One’s cloud system, and was able to obtain private or digital information on over a hundred billion customers or potential customers for Capital One so as far as I can tell they say that she may have gathered social security numbers and other private information about individuals who had even applied, who may not even be customers of Capital One, who have even applied for a Capital One credit card back as far as 2005.
Lee Neubecker: Yep.
Debbie Reynolds: So the vulnerability that was discovered and part of the reason why it was discovered was because she had apparently bragged about it on Twitter and she used her real name and so they were able to pull this stuff together. And I think the SWAT team went to her house?
Lee Neubecker: Yeah, so she was using the IP, iPredator, which is supposed to anonymize and protect you. When she was using that she created her online GitHub accounts and other accounts and it had that IP, the iPredator IP address range in her profile linked to her name. So she wasn’t really being smart about it.
Debbie Reynolds: No. So yeah, I think that she was bragging about what she had, I guess she was proud of what she had done and apparently someone who had seen something she had post on some forum contacted Capital One. This wasn’t a breach in which Capital One found out about; someone from the outside said, “Hey, this girl says that she has your data” and now it’s a really big thing.
Lee Neubecker: Yeah so now she’s charged with a computer fraud and abuse act which I think she’ll probably end up …
Debbie Reynolds: Yeah.
Lee Neubecker: Do you think she’ll get a plea?
Debbie Reynolds: She’s probably going to go to the slammer. It seems like especially when the SWAT team showed up at her house, they’re definitely going to make an example out of her with this. It’s pretty bad because I think right now the reports and what’s coming out from Capital One are different than what she said or what other people said they have. Because at one point they were saying that Capital One in their statement said that certain people’s social security numbers weren’t breached but then we know that they did get people’s social security numbers.
Lee Neubecker: It was mostly Canadian social security numbers, around a million–
Debbie Reynolds: Right.
Lee Neubecker: And then I think it was somewhere around 100,000 or so U.S. citizens.
Debbie Reynolds: Right, exactly.
Lee Neubecker: So it doesn’t necessarily impact the entirety of U.S. customers, but it still is–
Debbie Reynolds: It doesn’t, it doesn’t make you feel good. Yeah so basically over a hundred million people were touched in some way, shape or form. Even though not everyone’s personal data was taken to the same extent as everyone else, but I think this incident illustrates for us a couple of different things. First of all, they were saying that they had credit card information or information on people who had applied for credit cards going back as far as 2005. I’m not sure if they can make a justification for why they even had some of that stuff.
Debbie Reynolds: It’s first place. Especially if and I wonder what rights someone would have if they weren’t actually didn’t translate to being a customer of Capital One. The law’s kind of murky about how they should do that. I guess that’s the same issue with Equifax where not everyone who was touched by Equifax are customers of Equifax, they just happened to have their data.
Lee Neubecker: What would, how would you have advised Capital One had you gotten in there before the data breach?
Lee Neubecker: You think you might have been able to–
Debbie Reynolds: Well, you know–
Lee Neubecker: Get them in a better situation?
Debbie Reynolds: I think a lot of corporations, my view is that a lot of corporations have this mindset or business has this mindset of does it work? Does the computer work? Can I do the thing I need to do on a computer? The question that they’re not asking is is it secure? So a lot of them have a blind spot in terms of securing things because as long as it doesn’t impact their ability to work, they don’t really care how it works. So now companies have to ask how does it work? Is it secure? A lot of companies have these issues where they’re moving from internal infrastructure to the cloud and we know that the cloud infrastructure would typically be more secure quote unquote than someone’s on premise infrastructure but that all depends on how it was configured. The vulnerability that this woman was able to exploit in Capital One had to do with how the permissions and things were configured on a cloud infrastructure.
Lee Neubecker: And she had worked in that environment.
Debbie Reynolds: Right. So she had a little bit of extra insight–
Debbie Reynolds: Exactly.
Lee Neubecker: In this process.
Debbie Reynolds: Exactly. But I don’t know if you probably run into the same thing where you’re having clients that have cloud issues and they may feel more secure in themselves. Okay, we think our native is more safe than the cloud, not to say that the cloud is not safe, but if we have someone who doesn’t know how to fill those gaps and stop those vulnerabilities, it could be a huge problem.
Lee Neubecker: What do you think of the CEO’s response from Capital One?
Debbie Reynolds: I saw CEO’s response. I don’t know, someone needs to do a series about this where you compare all the response letters from these data breaches or whatever.
Lee Neubecker: That’s a great idea.
Debbie Reynolds: Not a bad response at all. I think the danger though is there may be an issue with consumer confidence obviously because no one wants their data breached, but if the things that are being said by the CEO or other leadership it becomes evident that it’s different than what actually happened, that’s going to be a problem.
Lee Neubecker: Yeah, cool.
Debbie Reynolds: I think rushing, the desire is to rush. To put out as much information as you possibly can but already the news reports are contradicting what the company is saying about what was actually breached.
Lee Neubecker: Well the complaint is available, I’ll post that on my website as well.I read the complaint and there’s a lot of detail in there and you’re right, in the news story they’re talking about Amazon cloud, they talk about a company that presumably is a subsidiary of Amazon inside the complaint.
Debbie Reynolds: Right.
Lee Neubecker: But they didn’t specifically mention Amazon in the complaint.
Debbie Reynolds: No, no so it’s going to be customers when they feel like they’ve had a data breach they definitely want, you know there’s attention that has to happen where the company wants to be as forthright and forthcoming as possible about what’s happened, but the facts may still be rolling out.
Lee Neubecker: Yeah.
Debbie Reynolds: The drip, drip, drip of it all may be tough I think.
Lee Neubecker: But I thought at least it was good that they public acknowledged it. It didn’t take forever to acknowledge it.
Debbie Reynolds: Oh, right exactly.
Lee Neubecker: And apologize, I mean–
Debbie Reynolds: Oh, absolutely. It does goes a long way–
Lee Neubecker: They just did that so I applaud them for not–
Debbie Reynolds: Absolutely.
Lee Neubecker: Sitting on it like Equifax.
Debbie Reynolds: Right. They didn’t say, “Well I’m sorry that you were hurt or you felt hurt,” or something where it’s like oh yeah, you know there is harm there so you might as well acknowledge it and try to at least be forthright about what you know and we know it.
Lee Neubecker: And from what I read too, not all of the data, some of the data was tokenized but there were birth dates, there were some socials. Debbie Reynolds: Right.
Lee Neubecker: And some other information that certainly if that were you or me, well we’re kind of becoming used to this all the time. It’s sad, but.
Debbie Reynolds: Right, well I mean and what we’re seeing, what I’m seeing, what companies are trying to argue in the U.S. having to do with data privacy is if you put, let’s say you’re on Facebook and you say, “Hey, today’s my birthday!” You know so if Lee puts his birthday on Facebook, is Lee’s birthday private? So let’s say you’re a Capital One customer, they could argue you know your birthday is not private because you put it on Facebook. That’s going to be an interesting theme.
Lee Neubecker: Well thanks so much for being on the show today.
We have observed both the original inbound attachment and the outbound attachment that gets sent onward to the compromised user’s address book. Thus far, only users of Office 365 appear to be targeted. It appears that the malware checks the compromised user’s contacts and performs an mx record query to determine which contacts in the compromised user’s contact address book are hosting their email with Microsoft. 
