Cell Phone Forensics

Personal Cell Phone Forensics inlcudes social media, business and personal messages, photos, emails and GPS.

Leading computer forensics Expert Lee Neubecker, discusses the complexities of cell phone forensics with Debbie Reynolds from Debbie Reynolds Consulting. We both agree the litigation involving cell phones becomes personal and proves difficult to gain possession. Personal and business text messages, social media posts, photos, GPS records, emails, are all weaved together and become part of the discovery equation. eDiscovery in today’s era is incomplete without including data from smart phone including text messages, Skype, WhatsApp, Slack, Signal and other messaging platforms. Learn more about eDiscovery as it relates to personal cell phone messaging systems by watching Reynolds and Neubecker discuss the topic in today’s blog video interview.

The video interview transcript follows:

Lee Neubecker: Hi, I’m here today again with Debbie Reynolds, and we’re going to talk about something interesting, which every piece of litigation now is getting into. We’re talking about cell phone forensics. What’s been your experience with litigation involving cell phones and discovery?

Debbie Reynolds: Well, whenever they’re cell phones involved eye-rolling begins because people take their cell phones very personally. As opposed to someone’s laptop, which maybe they don’t want to give up, they will fight tooth and nail not to give up their cell phones. And obviously people, they mix work with pleasure and they’re doing different things. They may not want you to see, even if it’s nothing criminal going on, people just feel very tied to their cell phone. The hardest thing is actually getting possession of it and letting them know that you’re not going to look through their juicy texts or their photographs, especially if it’s not an issue in the case.

Lee Neubecker: I know that whenever you need to get into text messages, it becomes a sensitive topic for people. But there are effective ways to get effective discovery without totally trampling over someone’s privacy in many issues involving contract disputes or other civil litigation, what’s important is to identify the relevant custodians. Let’s say we have your cell phone in the conversation with mine, we can then take that, we can create a single PDF document showing each conversation thread and then you could quickly go through it, if it’s your phone in which your attorney identify relevant, not relevant, and then only take the ones that are between the relevant parties and load that up into the review platform.

Debbie Reynolds: Right. And to one thing, one very effective thing that people are doing now, and that’s something that you do, Lee, is where someone, they don’t want the other side to see their whole cell phone so they’ll have a forensic company collect the phone and say, only give them X. That’s actually a very secure way. It gives people peace of mind knowing that they’re not giving everything over, that the forensic folks can actually do some of this pre-work before people actually start looking at things.

Lee Neubecker: Yeah. And like what I’ve done is, they’re not going to pay me to spend time looking at their photos, nor do I want to look at that stuff.

Debbie Reynolds: No. No one cares. I think that’s what people don’t understand. We’ve been working on cases for over 20 years and I really don’t care what’s on the phone or what you said or what videos on there. It really makes a little difference to us.

Lee Neubecker: What I try to do is I try to quickly create almost a summary index of okay, these are the conversation threads. Tell me which phone numbers are relevant, aren’t relevant, who are the relevant parties, and then we can just pull those specific threads out, put them up into the review platform.

Debbie Reynolds: Exactly.

Lee Neubecker: Now, sometimes there’s issues where photos are relevant specifically, if it’s important that you know the whereabouts or someone on a given date and time. Photos often can establish whether or not someone was really at home sick or out on vacation somewhere. There’s embedded GPS data that is recorded into most photos that are taken with smartphones.

Debbie Reynolds: Unless someone decides to strip it out. I think if you don’t do anything to it, it will collect that data. But there are ways to strip that information out. And also, people can turn off GPS tracking on their phone.

Lee Neubecker: Yeah. Well, thanks for being on the show again today.

Debbie Reynolds: Well, thank you for having me.

When to Select A Computer Forensic Expert

Selecting A Forensic Expert

Data Diva Debbie Reynolds and Enigma Forensics’ CEO Lee Neubecker discuss what to look for in selecting a computer forensics expert to assist with preservation, litigation and eDiscovery.

The transcript of the video follows

Lee Neubecker: Debbie, thanks for being on the show again today. I’m here with Debbie Reynolds, she is Eimer Stahl’s data protection officer and she also is the director of their eDiscovery subsidiary. Thank you for coming in and being on the show.

Debbie Reynolds: Thank you, it’s always a pleasure, Lee.

Lee Neubecker: So, today we’re going to talk a little bit about the differences between eDiscovery and computer forensics and when it’s necessary to bring in an expert to actually be the testifying expert or to handle more sensitive issues, and what you look for when you’re pulling in a computer forensic expert to assist one of your projects?

Debbie Reynolds: Well, it’s never not a good idea to bring in a forensic person, so I try to get someone who’s a professional in forensics on every case that we have, so, just depends. Some big corporations, they actually have people, ’cause they do so much litigation, they have people who are captive to their organization that do it. More times than not, they either farm out that work, to a company like Lee’s company, or they come to me, they ask me for recommendations. Just depends on where they are, what their ability, who’s available. For me, it’s really important that I work with people that I trust, smart people like Lee, who knows what they’re doing. Me, I tell people, I don’t chase company names, I chase the talent, so, I’ve had situations where I’ve had an investigator or forensic person go from one company to the next, and as a stipulation of us working with them, that case went with them ’cause they had the knowledge, so for me, the thing that I look for is a company, again, people that I know and trust, people that I know are smart that know what they’re doing, people who can really present themselves, ’cause a lot of times you’re going into a situation, you’ve not met these people, you’re going in there, touching their data, people are very sensitive about it, IT people can be very territorial, so having someone who can really put people at ease and be very professional in a situation where it’s semi-hostile, where you know that the IT guy takes pride in what he’s doing, thinks he’s the expert, so you have to kind of disarm that person.

Lee Neubecker: How often are IT people hostile?

Debbie Reynolds: Oh, 1000% of the time. They’re always hostile in some way, some are more passive aggressive than others, but you know, this is their baby, you have to work with them to get access to the data, and a lot of times they feel like, well why can I do this?

Lee Neubecker: And part of the problem, when I’ve worked with the IT people, usually they’re defensive because they’re having extra work to do.

Debbie Reynolds: Oh, absolutely.

Lee Neubecker: And they’re involved in litigation, so what I try to do is I try to sit down with them and say, “hey look, “this is my role, I need to understand enough of your stuff “so that you don’t have to talk to the attorneys, “and then I can buffer you from that so that you can “do your daily work,” and when they hear that, it helps them to understand, okay, you’re here to save me from a deposition.

Debbie Reynolds: Oh, absolutely.

Lee Neubecker: Then they’re more relieved, more willing to work with you.

Debbie Reynolds: Absolutely. I think the challenge is to get, when you start a litigation, companies, in order to try to save money, that’s where they want to save money. They don’t want to spend money on a forensic person, but if I compare cases against one another, two cases are very similar, one they had a forensic person, one who doesn’t, the one that has a forensic person, down the line, their case is more smooth, ’cause we don’t have a lot of questions about who did what, what is where, we don’t have a question about who needs to sign affidavits, who needs to go to court, all that stuff, so all that headache down the line is eliminated when we bring in someone. And I’ve had people on our cases tell me, who’ve decided that they didn’t want to bring in someone, they said no, but bad decision, we should have really brought in someone.

Lee Neubecker: In my opinion, I think it’s important to know who the person to be responsible for that data, if they’d never testified in court before, that’s a potential problem, and a lot of times people don’t ask those questions. Other things like, do they have some type of certification that shows that they mastered the field of computer forensics? And did they have to take a exam that was proctored by some independent party to assess that so that you know that your person truly has the knowledge, they didn’t just attend a class and got a certificate, because that’s a little bit of a difference, and there are many people, though, that I’ve encountered, that haven’t had the formal certifications, and they’re very bright, but when you’re putting the people up, they’ve got to survive a challenge against their admissibilities expert, if they don’t have cases of record, if none of the judges know who the person is, those things are definitely problems.

Oftentimes, I’ve seen new experts get up and make basic beginner mistakes where they let the attorney override what their report is, they let the attorney write the affidavit for them, and then it gets stretched too far, and then there might have been many good things that they had to say, but all of it goes out the window because they didn’t know how to manage the hard, nose-driven litigator that wants that report to be aggressive, so you have to listen and understand those driven litigators, but you also have to protect them from killing the case, and they assume that whatever expert you put there has those skills and a lot of them don’t know when they’re getting into trouble, and they need to be able to stand up for themselves, and do it professionally, and objectively.

Debbie Reynolds: Absolutely, absolutely. A lot of times, they don’t know what they don’t know. We had a person that actually went out and got a cell phone for a case, and we were like, we don’t want anyone to touch it, we want the forensic people to look at it, or whatever, he thought, oh well you know, I’m smart, I know how to do this stuff. Not that he wasn’t smart, but this was not his area of expertise, and he turned this phone on, and basically, the person who had the data on the phone, had sent a command to the phone to be erased, so when they turned it on, it wiped out all the stuff.

Lee Neubecker: So they didn’t put it in a Faraday bag?

Debbie Reynolds: No, they didn’t put it in a Faraday bag, they didn’t put it in airplane mode, they went to Walgreens, got cords, stuck the cord in the thing and turned it on, and that was it.

Lee Neubecker: So then that becomes some spoliation claim against–

Debbie Reynolds: It was spoliation, yeah. Everyone thinks, oh I have a cell phone, so I can do this, and it’s like no. I think people need to understand that what you guys do is very different than what we do in eDiscovery and what a normal person who’s doing IT can do, ’cause you have a different aim in my mind, and you understand spoliation of evidence, and how to get data in the right formats, where another person would not know that ’cause that’s not their background, that’s not their training and that’s not the purpose of what they’re handling data for.

Lee Neubecker: Well I really thank you for being on the show, again, to talk about this, it’s great. I look forward to seeing you again soon.

Debbie Reynolds: Fantastic, thank you!

Lee Neubecker: Thank you.

Do You Suspect Your Company Has Been Hacked?

Electronic Discovery Wins Litigation

Cell Phone Forensics for Use in Litigation

Computer “bots” Used by Insurance Companies

Are Computer “Bots” Making Your Healthcare Decisions?

Are Computer “Bots” Making Your Healthcare Decisions?

Enigma Forensics CEO Lee Neubecker and David Bryant from Bryant Legal Group discuss computer “bots” used by insurance companies as a way to underwrite policies and making insurance claims decisions. Bots are now determining how a given claim should be scored. See how ediscovery plays a role in getting success for your client.

The transcript of the video follows

Lee Neubecker: I’m here today with David Bryant from the Bryant Legal Group and we’re going to talk a little bit about health insurance claims in his work, helping people get the coverage they deserve.

David Bryant: Nice to be here, Lee, thanks for taking the time to stop by. We’re seeing a very significant shift in the insurance industry with respect to claims adjudication and claims determinations. One way of looking at how this change is happening is to look at the dollar volume that’s being invested into underwriting insurance policies and making claims decisions. The first metric I’d like to share with you is there is a company out of Europe that did some research on money flowing into what’s now called Insurance Tech, and approximately two billion dollars went into the Insurance Tech arena in 2016. This money is being deployed into not only underwriting, but how claims are made and I think everyone out there is familiar with Watson and the new term artificial intelligence. And how that’s playing out in the insurance industry is that a lot of claims decision-making is being taken out of the hands of individuals and being given to what we’ll call “bots”, robots, or termed a “bot” in tech speak. So these algorithms which will be designed by very bright people, such as yourself, to determine what a given claim should be scored. And if there’s a certain score, then a claims individual will be required to deny that claim. This is problematic for some of the insurance companies because if it’s discovered, through the discovery process, it can wind up hurting them in litigation for bad faith denial of a claim.

Lee Neubecker: So, David, can you tell me a little bit about what you do at the onset of one of your case matters to help make sure that you could argue your case in court?

David Bryant: So there’s really two phases to insurance claims. There’s the appeal process and then there is court. If your claim is denied I can always sue an insurance company in court. Typically that’s in Federal Court. I primarily practice in Federal Court but I do State Court as well. So once I wind up in a court setting I will send a litigation hold letter to the general counsel of the insurance company and that letter secures that all of the data in its electronic format is preserved. So if I want the emails on a particular claim individuals hard drive, that information should be present when I request that information by way of that litigation hold letter. When I do discovery in Federal Court we’re looking for electronically stored information. I’m not looking for paper any longer because we’re looking to get the metadata that’s embedded in that electronic information so we can find out who looked at it, when it was looked at, when it was altered. So, Enigma Forensics having the skill set to be able to determine who touches electronic files, who views electronic files, we will bring in your firm in those circumstances when we want that type of information in litigation. Lee Neubecker: So can you give me an example of when you’ve had to rely upon our computer forensic services for us to help you out with a matter and how that played a role in getting success for your client?

David Bryant: So we handle primarily health insurance and disability insurance claims on behalf of individuals and physician groups. So one of the matters that you handled for us dealt with a disability insurance claim and we were looking for certain key words and key word phrases that were on the server or hard drives of the particular individuals at the insurance company. Being able to cull through all this data is a Herculean task and would be extremely expensive for the defendants. So the defendants will typically go to the Court and say, “Judge, this is going to cost us way too much “money and interrupt our normal course of business. “We don’t want, Mr. Bryant, to have access “to this information or put us through the trouble “and cost of doing it.” I brought in your firm and your services and you were able to explain to the judge that you could do a search of all of the information held by the insurance company and find these key words and submit them to the Court in-camera, so there was no privacy concerns, and report to the judge what your findings were. The case soon settled thereafter.

Lee Neubecker: They usually do. Well thank you for being on the show today. If you need to reach David, his info is on the screen. Thank you.

Artificial Technology

Artificial Technology and Medical Data

Enigma Forensics, Lee Neubecker reviews with Eric Fish, the Federation of State Medical Boards, Senior VP of Legal Services, about the positive impact of artificial technology and machine learning on medical standards and regulations. Find answers how this technology will improve the patient experience in the future.

The transcript of the video follows

Lee Neubecker: Hello, I’m here today with Eric Fish, Senior Vice President of legal services. He’s with the Federation of State Medical Boards and he’s going to be talking to us a little bit today about his organization and how they’re using technology to change how things work.

Eric Fish: Thank you, well the Federation State Medical Boards is the organization that represents the 70 state medical and osteopathic boards who are charged by state law to regulate the practice of medicine within the various states, in that we help build standards for regulation, best practices. We also work with states on our data and other things that are exchanged that really help improve the regulation of medicine for the patient, the end user of medicine.

Lee Neubecker: Eric can you tell us a little bit about how artificial intelligence and machine learning are impacting your organization and membership?

Eric Fish: Well, Lee, we’re actually at a, what I believe to be, a crossroads of cultural, social, and technological change that are really going to change the way that we have to look at regulation for the public benefit. There’s going to be a lot more data on patient/provider interactions. There is also going to be much more data consumed by state regulators to see which of these interactions comply with the standards. One of the things that I see developing out of this A.I. and machine learning is that we’re going to be creating much more data that can be mined as a regulator to see what interactions are good and which interactions are bad.

Lee Neubecker: Eric can you tell us a little bit about how A.I. and machine learning are being implemented to improve transparency?

Eric Fish: Well, one of the things that’s going to occur, I believe, is that as patients and providers start turning to algorithms to help with that continuation of care. Really the people who implement these systems have to prove up to the regulators how these comply, how these algorithms, how other things are going to comply with the standards that are there. Artificial intelligence has been in medicine for a long time. Machine learning is a little bit new, where we’re taking some of the discussions and building a knowledge base that’s then going to be applied to the patient experience and regulation isn’t standing in the way of these things. The regulations are there so that they are done the right way and in comply with the standards and being transparent on that beginning end is a really great step toward complying with regulations and making the regulatory process better.

Lee Neubecker: Great, and so, you told me that your organization runs some services that consumers might want to be aware of. What are those and what are they used for?

Eric Fish: Well, one of the things that we do on behalf of our members is collate all the disciplinary and regulatory actions that are taken against a provider, and we have a service called Doc Info, where a member of the public can go look to see if an action has ever been taken against their physician. We have access to all 900,000 plus licensees and their information, and it’s really a great service and use of data that we’ve collated and given out to the public.

Lee Neubecker: Great. Well thanks for coming on today. I know you’ve brought your colleague, Mike Dugan. Who’s going to talk for a little bit. Thanks again for coming to the show.

Eric Fish: Thanks, thank you.

Lee Neubecker: I have Eric’s colleague, Mike Dugan, he’s the CIO of the organization, and Mike can you tell me a little bit more about some of the things that you’re doing to improve the quality of the data and integrity of the information?

Mike Dugan: Sure, surely, thank you. We, in many ways, we are a data aggregator and this involves a credentialing process for physicians so we pull data from national data sources, we pull data from institutions to verify physicians’ identity as well as their credentials, so the training and process that they have done. Historically, these have been very manual processes, but we’ve implemented technology to add additional data sources and also give us flexibility in how we consume data. Historically, it’s been a very structured we need a file in this format and our technology is still evolving, but we’re working it to give us the flexibility to work with any data source available.

Lee Neubecker: What are the concerns that your members have regarding data breaches and the potential complications resulting from them?

Mike Dugan: Well, I think they worry about that quite a bit and if anyone in technology who deals with identity and has information, if you’re not worried about data breaches then you’re missing the point and perhaps should be in another line of work. So, we are given the trust of the physicians and our member boards that when they give us their data that it will be protected and that it will be safeguarded, and we work very hard to do that, proactively. So I think that in this environment and this day and age, that is an activity and a task that we will do, it will never go away. It will be ongoing and we will have to adapt if there is new ways that are found to hack information, we always will have to improve our data security.

Lee Neubecker: Well thanks a bunch for being on the show. I appreciate you taking time.

Mike Dugan: Okay, thank you, thanks for having us.

Read More About Government Privacy Controls on Artificial Technolgy

NIST 800-53: Security & Privacy Controls

NIST National Institute Standards and Technology

Video Discussion on: National Institute Security and Technology

Enigma Forensics CEO & President, Lee Neubecker and Cyber Security Expert Gary Rimar sit down to discuss NIST 800-53 and it is a security controlled catalog. NIST SP 800-53 is shorthand for the National Institute of Standards and Technology Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organization. The NIST is a non-regulatory agency of the U.S. Commerce Department and was established to encourage and assist innovation and science through the promotion and maintenance of a set of industry standards. Lee and Gary disect how this agency works to keep your company’s technolgy systems safe.

Find out the top 3 parts of this framework.

The transcript of the NIST 800-53 Framework video follows:

Lee Neubecker: Hello, I’m here today with Gary Rimar he’s here to talk a little bit about one of the NIST frameworks that can be very helpful in helping you to keep your organization safe. Gary, Gary’s a CISSP, it’s great to have you on the show. Can you tell me a little bit about the framework your going to talk to us about today?

Gary Rimar: Well the framework I’m going to talk to you about today is NIST 800-53 and it is a security controlled catalog. So if there is a security control for whatever you’re going to need in an organization it’s going to be in there. In something, it’s where your government actually did earn there keep because this is your tax dollars hard at work and it’s available publicly. Most people, and this is one of the things that always bothers me Lee, is that most people go for these real exotic threats and they’re real, they’re real, but there’s so many people out there that don’t even do the basics and the reason they don’t do the basics is because the company doesn’t want to invest in security, they tell them that their IT guy, “Oh, you can do security, it’s okay, “you don’t have to worry about it, “you’ll get it good, I’ll except the risk “of you doing security.” when the IT guy barely knows how to do computers. And so what ends up happening is they don’t know anything about security which is very deep and important and technical. And so when it comes to things like how do you do access control? What can you do to do access control? Today at work one of the people, and I work with a security guy, we have something where for what ever reason they can’t do two-factor authentication. Two-factor authentication is definitely a better way to go, but they can’t. So they said, “What mitigating factors “are there that you can use to help us “be able to do a one-factor authentication “and be less in danger?” And so I looked through the catalog IA5 and there’s a bunch of different things you can do just to make it simple and safer. You know they’ve done all the imagination for us.

Lee Neubecker: What would you say are the more important, if you had to pick the top three parts of this? What would you advise companies to focus on first if they’re starting down the road of trying to implement this framework?

Gary Rimar: Well first is planning, because, and that’s the PL family, if you don’t do planning nothing works right because you have to have a basis for security. If the CEO and senior management aren’t on board then when security says, “You need to do X” and operations says, “We don’t feel like doing that. If the CEO doesn’t say, “No, I need “to be secure, you need to do X.” then your hosed. So that would be the planning family. Second would probably be access control, which is actually 20% of all of it. You know, you’ve got several hundred controls and access controls 20% of them.

Lee Neubecker: Do you feel sometimes that companies don’t really care about security and just want to ignore it and pretend it’s going to take care of itself.

Gary Rimar: Well I don’t know that that’s necess… that could be. I think it could be willful ignorance, what I don’t know won’t hurt me, but it’s not true. For example, the Sony hack. The Sony hack they said “You know, I’m not “going to spend $10 million fixing a $1 million problem.” and that in its self makes sense. Cause you don’t want step on a dollar to pick up a dime. However, it was a lot more than a million dollar threat that they were compromised on and had they done it correctly and had they taken security seriously things would have been a lot better for them.

Lee Neubecker: So Gary are there any portions that deal with some of the current vulnerabilities involving hardware and firmware that this could apply to?

Gary Rimar: You know, yeah. Cause hardware and firmware are definitely part of the information system. It would be in the SI family for sure. If I had to guess off the top of my head without looking I think it would probably be SI7, because that, if it’s the control I think it is it deals with hardware it deals with software it deals with firmware because if your firmware’s corrupted your done, your owned. If your hardware’s corrupted your done, your owned. In fact supply-chain management is even a factor in NIST 800-53. I don’t have it remembered exactly which control that one is. But it’s important, you have to have all of your system protected from the beginning to the end and monitored and audited in the middle.

Lee Neubecker: Yeah, but there was a notice last month from the NSA about Cisco routers being compromised in that there aren’t fixes yet out. So if that still accurate it’s a concern and one of the ways using this framework IT professionals might try to assess this would be to open up the routers, get inside and dump the firmware off the microchips and compare that against the manufactured supplied hash values, but the challenge I’m seeing with that is a lot of companies aren’t putting the hash values for their firmware. They might do it for their software, but if you have a home consumer router I’d be challenged to see how many home consumer routers have the manufacturers listing the firmware version with hash and really letting you get there to apply the software, because the ISPs are controlling that for the most part.

Gary Rimar: Yeah, but you also have to recognize that your definitely going down a very valid, but also very deep rabbit hole, just as an example, one time I was talking with this guy it was like 1999, I lived in the Detroit metropolitan area and I was at a coffee house and this guy, who looked like Boss Hog, but tall said, “Everybody’s stupid, they’re “buying windows, they should build “their own operating system, they can use Linux.” And I looked at him and I said, “Your an idiot.” He said, “Well, why would you think that?” I said, “We have people who can hardly “find the on/off switch. Your going to tell them they’re supposed to compile their own OS.” and so when your talking about no, I don’t know. The thing is when your talking about the level of inspection you probably need to have somebody do some appropriate, professional vetting. That’s over the skill level of a significant number of professionals that your going to meet in the market. Your right. Your totally right. But you probably need to get some people who eat and drink and breath this stuff and real experts to do this. I personally don’t choose to stick a thumb drive in a computer anymore. There’s no need to do it. Inside a USB chip, I’m thinking you know this, but not everybody knows this, is that there’s this own little operating system inside the USB. So if you have an 8 gig USB, you know a small one these days, that used to be huge, it’s small now, that there’s actually more chip behind it that’s its own operating system and if that operating system is compromised its firmware and if that firmware’s compromised then whatever you plug that in is potentially owned.

Lee Neubecker: There’s no cryptic graphic process that checks and validates that software’s authentic on many devices. So it’s easy for nation-state malware to get into the chips and you know when WannaCry wreaked havoc on many hospitals. I saw there was one out east that they said that they replaced all the hard drives and all their systems and it’s like well that’s great.

Gary Rimar: Did they replace them with ones that went through appropriate supply-chain risk management?

Lee Neubecker: But even if they did replace all the hard drives if malware injected into the chips of the mouse, the CD-ROM, the printer then that was a waste of time because those computers are going to quickly become compromised.

Gary Rimar: You’re right about that, but again, this goes back to supply-chain risk management. If you don’t know where you’re getting your stuff you don’t know what you’re getting and what I did read is that China has actually started making their own chips for themselves. They don’t market them out of their country. Now one can determine is that their motivation that they don’t want to be infiltrated by another country or do they want to infiltrate their country because of their politics. I don’t know. I can’t know. However, it might be a good thing for countries, at least as big as us, with such a big target on our backs, to start creating our own chips and our own designs in our own country. Where we can control the entire process from picking up the sand off the beach to handing you a laptop.

Lee Neubecker: Yeah.

Gary Rimar: And your right, it’s not just the laptops or the hard drives it’s all the peripherals,

Lee Neubecker: Yeah, you know that’s the struggle because we want cheap, affordable products, but your…

Gary Rimar: Mm-hmm, well you can…

Lee Neubecker: Quality, cheap, fast.

Gary Rimar: You have good, fast, cheap pick which two. Yeah, I understand.

Lee Neubecker: Actually it was interesting to see that they brought Broadcom is coming back into the US and we’re seeing some of these moves of the President trying to get key industries back in to protect from some of these compromises and you know Apple some chips are going to be made outside of China now and other things happening there, but it’s a real concern and it’s one that the frame work identified here can hopefully help companies just have an outline to go through to evaluate where are we? What have we worked on? What do we need to do more work on?

Gary Rimar: Yeah, you know. And back to our original topic of NIST 800-53 it’s in there, that’s it’s in there supply-chain risk management, you know. If you know, when I was first starting in IT in like 2000 I knew enough about security to know I didn’t know enough about security. That I hired it out. And had I been availed of this book I would have probably been able to do a much better job and I would have probably gotten into this career sooner cause this stuff is cool.

Lee Neubecker: Okay.

Gary Rimar: But I didn’t know it then. Know I know it.

Lee Neubecker: That’s interesting stuff.

Gary Rimar: Yeah.

Lee Neubecker: So do you have any other advise you’d like to give to our viewers as it relates to helping to keep themselves secure?

Gary Rimar: Well, I used to joke about always practicing safe hacks, but really, the one thing that I think that people aren’t doing, and this is totally off topic, is even though all the concerns we talked about there are still people who are getting owned because they’re surfing in places that are unsafe. And there are a couple companies out there I don’t know if you want me to say their names on your podcast, but at least one in mind where you can actually go ahead and surf through a virtual browser. Like browsers a service, so you log into their site and then they fire up an ubuntu instance and then put a Firefox browser behind it and the only thing that touches your computer is pixels.

Lee Neubecker: So your not having any risk of Java Script

Gary Rimar: Not having any risk of anything.

Lee Neubecker: Well I think that kind of sandboxing makes a lot of sense and I could almost see a point where the end user desktop is basically just a sandbox that you wipe clean and start fresh every time booting.

Gary Rimar: Yeah, I have a former computer client who does legitimate research, he’s a psychologist, and he does legitimate research into pornography.

Lee Neubecker: Mm-hm.

Gary Rimar: I mean believe it or not, there is such a thing and his computer at home is, is his one computer, he’s computer stupid and so he had his HIPPA data on there and he’s surfing these kinds of websites and it scared the heck out of me. So I set him up a Linux virtual machine on his computer so he could surf there and I could rebuild that and I set it up so nothing could ever touch anything and the only thing he could swap is pixels and when I found out about one of these services I called him. You know he hasn’t been my client for years now cause I moved, but I called them up and says, “Hey Marty, you should use this.”

Lee Neubecker: Yeah.

Gary Rimar: And so now he can continue to do his research and not put his client records at risk.

Lee Neubecker: Well thanks for being on the show today. It’s been a great interview, I appreciate you being on Gary.

Gary Rimar: Thank you very much. I’m happy to have been here.

Cook County Clerk on Election Security

Enigma Forensics’ CEO Interviews Cook County Illinois Clerk Karen Yarbrough on election security. The two discuss progress made in securing the vote against cyber attacks over the last several years.

Clerk Yarbrough has been working to streamline and improve the efficiency of the Clerk’s office while ensuring that the next 202o election is protected against rogue nation states that may want to compromise our next election cycle.

Transcript of the interview is as follows:

Lee Neubecker: I am here today with Karen Yarbrough she is our Recorder of Deeds and Clerk in Cook County here in Chicago.

Clerk Karen Yarbrough: Well not quite Recorder of Deeds anymore Lee, I am now the Cook County Clerk and will be taking over the Recorder of Deeds office in about a year. We actually went to the voters and the voters decided that they were going to do a consolidation of the two offices and so I will pick up the Recorders job in about a year.

Lee Neubecker: So you must have a lot of integration going on with technical resources.

Clerk Karen Yarbrough: You can imagine, and yes we do. I have a very capable staff and we’re trying to get our arms around you know in the clerk’s office there are a number of duties and responsibilities we have elections of course, we have vital records and then we also are involved with taxes, and so I’ve been in this job since December. And what I’m trying to do now is get ready for 2020 and the big election for sure. But also we are absorbing the duties of the recorder of deeds. Big undertaking.

Lee Neubecker: So with all the talk of election hacking and whatnot by different nation states and foreign entities. What kind of things are you involved with, with Cook County with helping to defend against the voting system being attacked the next election cycle?

Clerk Karen Yarbrough: Well for starters Lee, our approach is a multi-leveled risk management approach. We know that there’s no system is foolproof. I mean you know it’s not a perfect system. No system is. Knowing that, we tend to look at every aspect of our system. We have these guiding principles. Defend Detect and Recover. What that simply means is we have a plan we have a plan A plan B all the way to Z.

Lee Neubecker: So its more than just putting your head under the covers.

Clerk Karen Yarbrough: Oh, no, no, no. I noticed when we were in the Recorder Deeds office our systems were attacked on a daily basis. People scraping our sites and in all of these kinds of things. So I am aware of this business of you know people trying to steal data and and what-have-you. But the elections are absolutely positively important. People need to understand that their vote does count and it will count. All the noise we’re hearing from Washington DC really makes people nervous.

Lee Neubecker: What kind of hings have happened to help make sure that wasn’t going to happen. Let’s say if the computers all get zapped to make sure that votes that are casted get counted.

Clerk Karen Yarbrough: Well first of all I have a team of experts. On staff. We’re sharing a gentleman with the city of Chicago who is at the top of the food chain when it comes to people who know about this kind of thing. Having those people on board working with the city of Chicago, we also have a two-factor login authentication of course the firewalls VPN and dedicated private data networks. Then we’re going to be able to lock down our systems both on the hardware and software lock them down before and after elections. So those are the kinds of things that we’re doing. And I think we’re going to be ready coming 2020.

Lee Neubecker: I understand that you’re currently doing some projects to seek outside computer forensic experts. What is your office looking for assistance with right now?

Clerk Karen Yarbrough: I think we’re putting something right now, I might want to defer to John Mirkovic who’s with me here today, on how that’s going. John’s been with me since I was actually in Springfield as a legislator and he has been working on the Blockchain Initiative and certainly this, and so, if you would, could you defer to him, so he can talk about what we’re doing there because John keeps up with this more than I do.

Lee Neubecker: Sure absolutely. What, in the event that a data breach were to happen, what kind of things are in place to make sure that you can recover and get back?

Clerk Karen Yarbrough: Sure. Okay having those plans certainly are important. But you know the Cook County just spent 32 million dollars on new voting equipment. That voting equipment that we have it’s almost like going back to the future,you know all the talk about, you know,voting on the internet and all these kinds of things,up come at some time, at some point in the future. But today we need to know that those votes are safe. So with the system that we have now. I don’t know if you remember,but you would have a system where you have on the side this kind of ticker tape thing that would show you how you voted.

Lee Neubecker: Paper audit trail.

Clerk Karen Yarbrough: Okay yeah well nobody noticed it. I mean I shouldn’t say nobody. But many people didn’t notice that with the new equipment, and we piloted it actually in your suburb and a couple of others. So we ran it through, and people loved it. It was so simple. So you know, you vote, you can either vote, the same way you vote now. So you could use your stylus or what have you. You place your vote, but then it’s going to shoot your ballot out to you. You’ll be able to hold that in your hand. You’ll be able to see if everything you voted for is there. And then you, not somebody else, but you will be able to post and cast your ballot.

Lee Neubecker: So the key thing is, well while the votes are being stored electronically there’s also be printed, they’re also being verified in a print out, that people can see. And then they can take it over and feed it and then scan it so you have another level of detection done, you’ve got the paper vote locked up in a box.

Clerk Karen Yarbrough: Exactly. And let’s say you mentioned something about the whole system blowing up. Okay so if the whole system blows up we still have that paper ballot locked away so that if we have to go back and let’s say everything blew up and people are running all around, with what have you. We can go and retrieve those documents and by hand we can actually,you know, count those those votes, so people should feel confident.

Lee Neubecker: It’s a great Improvement.

Clerk Karen Yarbrough: It is.

Lee Neubecker: I was brought in to consider bidding on the suburban voter audit project for the forensic project. At the time, what I was concerned about, is there wasn’t a simultaneous printout. And at certain points in time, the votes only existed electronically in storage media. They would be transferred to a consolidator that would transmit it. There was a potential at the time, that someone could have a USB device preloaded with 118 votes but in a different distribution. They could swap that device out and put it in the consolidator. But that doesn’t doesn’t exist now with the new equipment.

Clerk Karen Yarbrough: Not at all. So we’re happy about that. Let me tell you, we’re happy about that. The voters who voted in the last election, both the voters and our folks who run the elections, the judges, and what have you, just absolutely love the new system. They liked the fact that they were going to have that ballot in their hand. We shared with them, what happens now? I said well your votes are going to be counted. I said well what if? That’s the same questions that you ask. Well what if? Well we’ve taken all those precautions. But, Lee, I know, like you know, while you have a better mousetrap today, you always have to stay on your P’s and Q’s. The young man I was talking about Raoul, is his name, we share with city Chicago, everyday he’s checking our system, right now, we’re just about we’re ready to go. I think if we had to have an election today, we could have that election and have the confidence that we need to know that we’re going to have a good election, it’s going to be safe, people are going to feel good about how they’re gonna be able to cast their ballot. I’m just excited about the whole thing.

Lee Neubecker: I appreciate everything you’re doing to help secure the vote in Cook County and all your effort to streamline the government.
Clerk Karen Yarbrough: Well thank you so much for the invitation to come on. I’m just thrilled and I know that you’re a real geek and you know all of this stuff. But thank you so very much for having me on.

Lee Neubecker: Thank you Karen Yarbrough!

Watch the second part in this two part series on Cook County Election Security here.

Robocall Legislative Update

Are robocalls driving you nuts?

Cyber Security & Computer Forensics Expert Lee Neubecker and Data Privacy Expert Debbie Reynolds discuss recent efforts to pass legislation in the House and Senate that would hold telecommunication providers responsible for addressing the ever growing tide of robocalls disrupting consumers and businesses. Existing laws such as the Telephone Consumer Protection Act (TCPA) have proven effective in blocking off shore robocalls. VOIP technology allows for robocall centers to systematically dial U.S. consumers and businesses from beyond the legal reach of our court system. Popular spoofing techniques such as Neighborhood Calling often impersonate the first 6 digits of the call receiver’s phone number in the hope of enticing that call receiver to answer a call. Neubecker and Reynolds both share their frustrations with the current situation and are hopeful the U.S. Senate and the President will take immediate action to pass updated privacy legislation protecting us all from spam robocalls.

The transcript of the video follows:

Lee Neubecker: I’m here today with Debbie Reynolds. We’re going to be talking a little bit about robocall and some new legislation coming our way. Those annoying phone calls we all get on our cellphones.

Debbie Reynolds: That’s right.

Lee Neubecker: Have you gotten any calls where it’s the first six digits of your phone number?

Debbie Reynolds: Yes!

Lee Neubecker: That’s called “neighborhood calling”. And basically, what the bad guys are doing is that they’re using VOIP technology to spoof, and they’re plugging in any number. So they can actually impersonate people you know. But they do this because they think that it increases the likelihood that you’ll answer the phone. In fact, for me, when I see those first six digits, I’m not even going to answer it.

Debbie Reynolds: Oh, absolutely. Absolutely. It’s wrong or what now?

Lee Neubecker: One of the big problems we have is no one’s taking accountability for this. I heard AT&T is trying to force some authentication mechanisms, but there needs to be some more teeth on this so that people can’t just impersonate phone numbers, or we’ll never get through this.

Debbie Reynolds: Absolutely, absolutely. Actually, so, thankfully this law passed, right?

Lee Neubecker: Well, it’s going through. It passed under the House, overwhelmingly

Debbie Reynolds: Overwhelming, yeah.

Lee Neubecker: They’re hoping that… It said it could happen by 2020, perhaps?

Debbie Reynolds: Okay, that’d be good.

Lee Neubecker: But it’s got to… I think they have to reconcile the two bills, the House and senate, and then the President has to sign it. But by the show of votes, I think everyone’s in favor of let’s tackle all these annoying robocalls.

Debbie Reynolds: Absolutely. So the FCC, they really made a lot of headway many years ago on the Do Not Call Registry, so this will be sort of another layer to that, that the FCC is sort of looking at. I don’t know about you, but I’m very annoyed when I get robocalls, so I’m not happy about this. Maybe it will happen after the election, because the election, people like to be robocalled.

Lee Neubecker: I get tons of calls from people wanting to lend me money, They will ring my phone once and then it will hit my voicemail. This woman keeps calling, saying, I want to speak to you. It’s like, and it’s not even a real person, It’s all automated. It’s annoying.

Debbie Reynolds: Oh, my goodness. Well, one interesting thing about the law, or the one that they’re anticipating, or trying to pass, that I haven’t seen in other laws like this, they’re trying to force companies to create technology, to be able to tell a robocall.

Lee Neubecker: The carriers need to enforce it. The carriers have to stop allowing unsecured VOIP to impersonate calls.

Debbie Reynolds: Right. The House does not allow it, but they specifically said they have to create, if it does exist, they have to create some technology to make sure they can tell a robocall from a normal call?

Lee Neubecker: It’s basically like, we’re going to block any call that isn’t using a means of identity verification. Right now, it’s about a bust.

Debbie Reynolds: And they can’t charge for it, so it’s not like an extra fee. I’m sure what’ll happen is they’ll do you another fee and then call it something else, but it’ll be probably just robocalls.

Lee Neubecker: The act also increased the penalty. Current legislation, the TCPA, the Telephone Consumer Protection Act, dealt with spam faxes, calls, and what-not, but the robocall act is going to produce penalties I think to ten thousand dollars each.

Debbie Reynolds: Per incident.

Lee Neubecker: Per incident.

Debbie Reynolds: So that’s a lot.

Lee Neubecker: So that’s going to drive my TCPA consulting business, because that’s work.

Debbie Reynolds: Yeah, absolutely. Well, if it actually makes it, I’m sure the thing about the $10,000 per incident and also, forcing companies to create technology to be able to tell what’s a robocall, corporations or the carriers are probably going to fight that. So, we’ll see.

Lee Neubecker: Yeah. So Debbie, what are the likely impacts on the litigation environment, as you see it? If this legislation goes through?

Debbie Reynolds: Well, first of all, there will be companies that will, uh, I’m sure there will be consumer groups that want to bundle together consumer complaints and probably go after these carriers to try to get these big fines or whatever. So, this could be tying up the legislation for a while. Once the lawyers get their fees, You’ll probably want to get the $10,000 per incident.

Lee Neubecker: It’s going to make it a lot more, in my opinion, they will make it much easier to actually identify who’s behind it, because right now people are using proxy phone numbers to call and many of them are just total scams run out of the country. You can’t– A Nigerian spam call center, we can’t really go after, but if our carriers say they’re going to block these rogue, foreign VOIP connections, then it will make it more secure. Ultimately, you’ll probably have people who opt in to the insecure network, and people who want a secure-only platform where it’s no use calling them.

Debbie Reynolds: I agree.

Lee Neubecker: Thank you for being on the show today. It was great to have you on again. I love your scarf.

Debbie Reynolds: Thank you.

Lee Neubecker: You always have interesting scarves.

Debbie Reynolds: Thank you. A pleasure.

Lee Neubecker: We’ll see you soon.

Debbie Reynolds: Okay, bye bye.

Debbie Reynolds Contact Info

datadiva at debbiereynoldsconsulting dot com
312-513-3665
https://www.linkedin.com/in/debbieareynolds/
https://debbiereynoldsconsulting.com/

Computer Fraud & Abuse Act Charges Filed

Capital One Data Breach

Capital One Data Breach – Interview of Data Privacy & eDiscovery expert on the fallout

Cyber Security &  Computer Forensics Expert Lee Neubecker interviews Data Privacy Expert Debbie Reynolds on the fallout from the recently disclosed Capital One Data Breach that occurred following alleged hacking of the company’s data stored in the cloud.  Issues discussed include an assessment of how the CEO of Capital One managed the crisis, pending charges filed against Paige Thompson and the Computer Fraud and Abuse Act in the government’s complaint filed earlier this week.

Transcript of video follows

Lee Neubecker: Hi, I’m here today with Debbie Reynolds from Debbie Reynolds Consulting and we’re going to be talking today about the recent news involving the Capital One Data Breach Thank you for being on the show Debbie.

Debbie Reynolds: Thank you for inviting me. It’s such a thrill, you’re such a joy to be around to talk to so it’s great to do this

Lee Neubecker: Well it’s great to have you here. So, trial’s expected this Thursday in the case. Can you tell everyone a little bit about what happened this week?

Debbie Reynolds: So this week is in the news that Capital One had a data breach. There was a woman who used to be, I believe she’s worked Amazon if I’m not mistaken, who had found a vulnerability in Capital One’s cloud system, and was able to obtain private or digital information on over a hundred billion customers or potential customers for Capital One so as far as I can tell they say that she may have gathered social security numbers and other private information about individuals who had even applied, who may not even be customers of Capital One, who have even applied for a Capital One credit card back as far as 2005.

Lee Neubecker: Yep.

Debbie Reynolds: So the vulnerability that was discovered and part of the reason why it was discovered was because she had apparently bragged about it on Twitter and she used her real name and so they were able to pull this stuff together. And I think the SWAT team went to her house?

Lee Neubecker: Yeah, so she was using the IP, iPredator, which is supposed to anonymize and protect you. When she was using that she created her online GitHub accounts and other accounts and it had that IP, the iPredator IP address range in her profile linked to her name. So she wasn’t really being smart about it.

Debbie Reynolds: No. So yeah, I think that she was bragging about what she had, I guess she was proud of what she had done and apparently someone who had seen something she had post on some forum contacted Capital One. This wasn’t a breach in which Capital One found out about; someone from the outside said, “Hey, this girl says that she has your data” and now it’s a really big thing.

Lee Neubecker: Yeah so now she’s charged with a computer fraud and abuse act which I think she’ll probably end up …

Debbie Reynolds: Yeah.

Lee Neubecker: Do you think she’ll get a plea?

Debbie Reynolds: She’s probably going to go to the slammer. It seems like especially when the SWAT team showed up at her house, they’re definitely going to make an example out of her with this. It’s pretty bad because I think right now the reports and what’s coming out from Capital One are different than what she said or what other people said they have. Because at one point they were saying that Capital One in their statement said that certain people’s social security numbers weren’t breached but then we know that they did get people’s social security numbers.

Lee Neubecker: It was mostly Canadian social security numbers, around a million–

Debbie Reynolds: Right.

Lee Neubecker: And then I think it was somewhere around 100,000 or so U.S. citizens.

Debbie Reynolds: Right, exactly.

Lee Neubecker: So it doesn’t necessarily impact the entirety of U.S. customers, but it still is–

Debbie Reynolds: It doesn’t, it doesn’t make you feel good. Yeah so basically over a hundred million people were touched in some way, shape or form. Even though not everyone’s personal data was taken to the same extent as everyone else, but I think this incident illustrates for us a couple of different things. First of all, they were saying that they had credit card information or information on people who had applied for credit cards going back as far as 2005. I’m not sure if they can make a justification for why they even had some of that stuff.

Debbie Reynolds: It’s first place. Especially if and I wonder what rights someone would have if they weren’t actually didn’t translate to being a customer of Capital One. The law’s kind of murky about how they should do that. I guess that’s the same issue with Equifax where not everyone who was touched by Equifax are customers of Equifax, they just happened to have their data.

Lee Neubecker: What would, how would you have advised Capital One had you gotten in there before the data breach?

Lee Neubecker: You think you might have been able to–

Debbie Reynolds: Well, you know–

Lee Neubecker: Get them in a better situation?

Debbie Reynolds: I think a lot of corporations, my view is that a lot of corporations have this mindset or business has this mindset of does it work? Does the computer work? Can I do the thing I need to do on a computer? The question that they’re not asking is is it secure? So a lot of them have a blind spot in terms of securing things because as long as it doesn’t impact their ability to work, they don’t really care how it works. So now companies have to ask how does it work? Is it secure? A lot of companies have these issues where they’re moving from internal infrastructure to the cloud and we know that the cloud infrastructure would typically be more secure quote unquote than someone’s on premise infrastructure but that all depends on how it was configured. The vulnerability that this woman was able to exploit in Capital One had to do with how the permissions and things were configured on a cloud infrastructure.

Lee Neubecker: And she had worked in that environment.

Debbie Reynolds: Right. So she had a little bit of extra insight–

Debbie Reynolds: Exactly.

Lee Neubecker: In this process.

Debbie Reynolds: Exactly. But I don’t know if you probably run into the same thing where you’re having clients that have cloud issues and they may feel more secure in themselves. Okay, we think our native is more safe than the cloud, not to say that the cloud is not safe, but if we have someone who doesn’t know how to fill those gaps and stop those vulnerabilities, it could be a huge problem.

Lee Neubecker: What do you think of the CEO’s response from Capital One?

Debbie Reynolds: I saw CEO’s response. I don’t know, someone needs to do a series about this where you compare all the response letters from these data breaches or whatever.

Lee Neubecker: That’s a great idea.

Debbie Reynolds: Not a bad response at all. I think the danger though is there may be an issue with consumer confidence obviously because no one wants their data breached, but if the things that are being said by the CEO or other leadership it becomes evident that it’s different than what actually happened, that’s going to be a problem.

Lee Neubecker: Yeah, cool.

Debbie Reynolds: I think rushing, the desire is to rush. To put out as much information as you possibly can but already the news reports are contradicting what the company is saying about what was actually breached.

Lee Neubecker: Well the complaint is available, I’ll post that on my website as well. I read the complaint and there’s a lot of detail in there and you’re right, in the news story they’re talking about Amazon cloud, they talk about a company that presumably is a subsidiary of Amazon inside the complaint.

Debbie Reynolds: Right.

Lee Neubecker: But they didn’t specifically mention Amazon in the complaint.

Debbie Reynolds: No, no so it’s going to be customers when they feel like they’ve had a data breach they definitely want, you know there’s attention that has to happen where the company wants to be as forthright and forthcoming as possible about what’s happened, but the facts may still be rolling out.

Lee Neubecker: Yeah.

Debbie Reynolds: The drip, drip, drip of it all may be tough I think.

Lee Neubecker: But I thought at least it was good that they public acknowledged it. It didn’t take forever to acknowledge it.

Debbie Reynolds: Oh, right exactly.

Lee Neubecker: And apologize, I mean–

Debbie Reynolds: Oh, absolutely. It does goes a long way–

Lee Neubecker: They just did that so I applaud them for not–

Debbie Reynolds: Absolutely.

Lee Neubecker: Sitting on it like Equifax.

Debbie Reynolds: Right. They didn’t say, “Well I’m sorry that you were hurt or you felt hurt,” or something where it’s like oh yeah, you know there is harm there so you might as well acknowledge it and try to at least be forthright about what you know and we know it.

Lee Neubecker: And from what I read too, not all of the data, some of the data was tokenized but there were birth dates, there were some socials. Debbie Reynolds: Right.

Lee Neubecker: And some other information that certainly if that were you or me, well we’re kind of becoming used to this all the time. It’s sad, but.

Debbie Reynolds: Right, well I mean and what we’re seeing, what I’m seeing, what companies are trying to argue in the U.S. having to do with data privacy is if you put, let’s say you’re on Facebook and you say, “Hey, today’s my birthday!” You know so if Lee puts his birthday on Facebook, is Lee’s birthday private? So let’s say you’re a Capital One customer, they could argue you know your birthday is not private because you put it on Facebook. That’s going to be an interesting theme.

Lee Neubecker: Well thanks so much for being on the show today.

Debbie Reynolds: It was fantastic, thank you.

Debbie Reynolds Contact Info

datadiva at debbiereynoldsconsulting dot com
312-513-3665
https://www.linkedin.com/in/debbieareynolds/
https://debbiereynoldsconsulting.com/

Crypto Currency Lending

Crypto currency lending and cyber security issues

Cyber Security Forensics Expert, Lee Neubecker and Draw Bridge Lending CEO Jason Urban describe crypto currency and the security issues as it relates to Bitcoin and

The transcript of the interview follows:

Lee Neubecker: Hi, I have Jason Urban on the show today. He’s the President and CEO of DrawBridge Lending. Thanks for being on the show Jason.

Jason Urban: Thanks for having me, Lee. This is great, glad to be here today.

Lee Neubecker: Jason, I’ve known you for awhile. You’ve been doing some innovative things in the lending industry as it relates to bitcoin and block chain. Tell us a little bit about that. Jason Urban : Sure, so what we do is we’re a lender against secured digital asset holdings and what we are providing is the draw bridge, or the bridge, from these traditional lending sources, or pools of liquidity, into this new ecosystem where everybody is trying to figure out how that landscape works.

Lee Neubecker: What type of people would have a need for your service? Jason Urban: I think they’re are a wide variety of people. People who have these digital assets and because of the way they’re categorized here in the States from the IRS perspective, when you spend them, when you use them, you encounter a taxable situation, but to the extent that you might need to pay your power bill or to go on a vacation or buy that boat you always wanted, you need fiat, you need US dollars, and what we provide is a mechanism or platform for people to borrow against the digital asset holders.

Lee Neubecker: So, if someone’s sitting on say 100 bitcoin, which is quite a bit of money, you’d allow them to take out a loan against that bit coin and use that for short term cash expense or whatever?

Jason Urban: Yes

Lee Neubecker: What is the duration of your loans typically?

Jason Urban: We typically focus one to six months. It’s a very volatile asset, and our backgrounds are managing that volatility, but there’s only so much you can do when something moves as rapidly as that does, which is an advantage to the asset, but it’s also difficult from a lending capacity. So our loans are one to six months in duration, and we offer renewal options, so you can re-up and renew. Just the strike price of that loan to value, think about your home moving 50% in a six month period, you might want to refi or you might need to put more money up. We try to mitigate a lot of those risks by offering the durations we do.

Lee Neubecker: So, your clients actually give you their cryptocurrency and you escrow it for them?

Jason Urban: Yes, so what we do is we don’t like to take possession of their currency. What we like to do is use a qualified third party custodian so that their digital assets are resting there, so they know they’re there, and I can’t take them unless they default on a loan or something unfortunate happens. All we want to do is provide a mechanism or a platform for someone to monetize their holdings. We don’t want to take possession of them. We don’t want their private keys. We’ll only take those in the event that they default or want us to satisfy their loan.

Lee Neubecker: So in this business, what measures do you take to help ensure that these digital assets are safe from a cyber attack perspective?

Jason Urban: Well, part of it, the key for us, is cold storage. And cold storage is basically storing these things on a server or computer where it’s not connected to the internet. It can’t be taken, so we require that all our custodians deploy a cold storage method as opposed to a warm storage or a hot storage. That way we know that the gold is in the vault so to speak but that it’s not going to be readily accessible to anybody out there.

Lee Neubecker: Have you had a situation where a customer gets angry because a price fluctuates and they feel that they were cheated out of there value?

Jason Urban: Interestingly we don’t have that problem because of the mechanisms that we deploy on the back end. So all our loans are no margin call and non-recourse unlike a lot of people in the business that will have you retop. Think about it this way, if I issue you a loan on an asset that’s worth $10,000, and I give you 50% of that asset in cash, if the value of that asset goes from 10,000 to 5,000, I now need to create that cushion again, so you need to pay me more money or reup or figure out. What we’ve developed, and our methodology, is a way to never have to worry about that, and we use the financial markets. We’re markets experts, and we’re risk managers, so we have mechanisms by which we can ensure that you don’t have to worry about topping off your loan.

Lee Neubecker: Are there any restrictions on the type of customers you can have based on what the SEC imposes on you?

Jason Urban: We are very compliant, so we are registered by the CFDC, and we follow all the rules and regs imposed on us by them. We have to do AMLKYC, anti-money laundering know your customer. We’re registered as a non-bank lender in all 50, or in 31 states. We operate in all 50 states so that we’re following not only consumer lending laws but also securities laws and commodities laws.

Lee Neubecker: Are there any requirements you have on customers before you can take them as a client? Well one, we have to do the AMLKYC on them. Right now, our products are geared towards accredited investors. Because of the way we do the hedging on the back end we need to make sure that those customers are sophisticated enough to understand what we’re doing. And so in order to do that, we need to put that accredited investor cap on things. It’s a little different under the CFDC umbrella. They call them qualified exchange participants, or ECPs, so there’s a couple of different buckets you wear, but it’s a little different than the SEC’s accredited investor, but effectively it’s the same thing.

Lee Neubecker: Is there a minimum net worth that your customer’s have to have?

Jason Urban: And that’s part of it, a minimum net worth of a million dollars, or an entity that’s a million dollars that’s what we require.

Lee Neubecker: What sectors do you see that this type of lending is getting the most interest in terms of where your clients are coming from?

Jason Urban: A wide variety, if you really think about it, bitcoin, or digital assets as a whole, can be held by anyone. It isn’t a single group that says, “Hey, I’m really into this.” So we see funds, minors, people who were early adopters of the technology, they’ve all kind of stepped forward. Additionally, we’ve got a product that’s geared towards people who would like to buy bitcoin and want to employ some of the same methodologies that we’re employing right now.

Lee Neubecker: Do you have any closing thoughts you’d like to share?

Jason Urban: I think that people often confuse block chain and decentralized ledgers with bit coin. I think the block chain technology is interesting on so many levels. I think that as the world becomes more tokenized, and I think you’re going to see more and more of that, everything from the artwork that you see on the walls to buildings to physical assets like gold, silver, oil. The world is moving towards that technology and that methodology, and I think that being an early adopter and understanding it is so important. If you want to make the same parallels, this is the internet in 1990 or 1995. The difference is the world moves much faster today than it did back then.

Lee Neubecker: So are you taking investors?

Jason Urban: We’re always willing to have strategic investors come into the space, and we’re not opposed to that. We’re very well capitalized, but we do recognize the value in being partners with people. And part of being partners is financial as well.

Lee Neubecker: Well thanks again for being on the show.

Jason Urban: Thank you very much.

WGN Cyber Security Chicago Conference 2018

WGN on Cyber Security Conference

WGN Cyber Security Chicago Conference 2018 Video Interview 

WGN News is running a midday news segment promoting the Cyber Security Chicago Conference happening this Wednesday and Thursday (September 26th & 27th, 2018) at the McCormick Convention Center.  Neubecker will be sharing a preview of the featured presentation he is giving this Wednesday at the Conference on IoT security.

Tune in tomorrow for the 11AM – 12PM live broadcast.

More details on the conference available at https://leeneubecker.com/chicago-cyber-conference-2018/

Read More about Cyber Security Expert Lee Neubecker

Neubecker also is the founder of IT Security Blog leeneubecker.com. Before starting Great Lakes Forensics, Neubecker had served as CISO for HaystackID and following the acquisition of Envision Discovery and Inspired Review by HaystackID, Neubecker was promoted to serve as CIO over the combined entities. Neubecker was named one of the top Global Computer Forensics and Cyber security experts by Who’s who Legal in 2019 and many years prior to that.