BayPay Forum

Why Decryption Legislation Is a Bad Idea

Category: Security News

Encryption, Legislation, Privacy

Proposal Would Infringe on Americans' Right to Privacy, and Set a Bad Example

Eric Chabrow (GovInfoSecurity) • April 15, 2016

Sen. Ron Wyden strongly opposes the Compliance with Court Orders Act.

Draft legislation offered by the leaders of the Senate Intelligence Committee has a commendable goal: furnish law enforcement and intelligence agencies with critical information to keep America safe from terrorists and criminals.

The Compliance with Court Orders Act of 2016 would compel technology providers to turn over their customers' information, when they receive a court order, and aid law enforcement and intelligence agencies in decrypting data when necessary.

One catalyst for the legislation is Apple's recent battle with the FBI, which obtained a court order to compel the tech giant to unlock the iPhone of one of the shooters in the San Bernardino massacre. Apple strongly resisted the order, and the FBI ultimately backed off after it got outside help cracking the phone (see FBI Unlocks iPhone; Lawsuit Against Apple Dropped).

"Today, terrorists and criminals are increasingly using encryption to foil law enforcement efforts, even in the face of a court order," says the bill's co-sponsor Sen. Dianne Feinstein, the California Democrat who's vice chair of the intelligence panel. "We need strong encryption to protect personal data, but we also need to know when terrorists are plotting to kill Americans."

Feinstein's motives, as well as those of her co-sponsor, Intelligence Committee Chairman Richard Burr, R-N.C., are admirable but misplaced. Their legislation, in the long run, would do more harm than good.

Protecting America's Core Values

Sen. Ron Wyden, D-Ore., the most vocal opponent of legislation to weaken encryption, sounds an important alarm: "This bill will empower repressive regimes to enact similar laws and crack down on persecuted minorities around the world."

Enactment of the Compliance with Court Orders Act, or similar legislation, would diminish America's standing as a moral leader in the world, a nation looked up to by billions of people, even with our many flaws. Our fundamental democratic values of liberty, equality and justice are respected worldwide. The proposed legislation would devalue those principles and diminish our reputation.

U.S. authorities rightly have been criticized for numerous unscrupulous acts, such as the National Security Agency and other intelligence services illicitly spying on American citizens or police maltreatment of criminal suspects and innocent bystanders.

Nevertheless, the right to privacy remains a core American value.

The Compliance with Court Orders Act would erode the right to privacy and give other nations an excuse to adopt similar laws and practices that deprive their citizens of basic human rights. They might do so even without Congress enacting the proposed legislation, but why encourage them? We should not lose the moral high ground.

Flawed Legislation

There is another reason why the Compliance with Court Orders Act is bad legislation, a point often repeated during the battle between Apple and the FBI over cracking the iPhone used by the San Bernardino shooter: Providing backdoors to law enforcement creates opportunities for others - including criminals and terrorists - to employ those exploits (see FBI-Apple Aftermath: Finding the Elusive Compromise). "This flawed bill would leave Americans more vulnerable to stalkers, identity thieves, foreign hackers and criminals," Wyden says.

Encryption, and other safeguards, protect the security and privacy of individuals, and Congress shouldn't weaken those protections. It's an idea that even the bill's sponsors understand. "I have long believed that data is too insecure, and feel strongly that consumers have a right to seek solutions that protect their information - which involves strong encryption," Burr says. But he conditions his statement by expressing a fast-held belief that no technology should be above the law.

Meaningful, Inclusive Debate

Burr says he hopes that circulating the draft legislation will spur a meaningful and inclusive debate on the role of encryption and its place within the rule of law. That conversation has been around for a while, and the reality is that once you give police an encryption workaround, it will become available to everyone. "You can't have a world where the good guys spy and the bad guys can't," says noted cryptographer and cybersecurity author Bruce Schneier.

The conversation must shift to a new focus on how government and industry can collaborate to identify other tools to help get the goods on criminals and terrorists without sacrificing the privacy and civil liberties of American citizens (see Creating a Framework for a Security-Privacy Dialogue).

FBI's Zero-Day iPhone Hack: Many Questions

Category: Security News

Encryption, Mobility, Technology

Analyzing News Report on iPhone 5c PIN Crack

Mathew J. Schwartz (euroinfosec) • April 14, 2016

Who helped the FBI crack an iPhone 5c? The answer so far: Who knows?

Here's what we do know: The FBI says that it successfully unlocked an iPhone 5c used by one of the shooters involved in the Dec. 2 attack in San Bernardino, Calif., allowing it to conduct a digital forensic analysis of the device (see FBI Unlocks iPhone; Lawsuit Against Apple Dropped).

To access the phone's contents, the FBI paid "professional hackers" a one-time, flat fee to purchase a zero-day flaw they'd found that was then used to create a piece of hardware that enabled the bureau "to crack the iPhone's four-digit personal identification number without triggering a security feature that would have erased all the data," The Washington Post reports, citing anonymous sources.

The optional security feature in question is built into recent generations of iOS, which can be set to delete the contents of the device after 10 failed PIN entries. According to court documents, the FBI says that it doesn't know if the feature was enabled on the targeted device, which was issued to San Bernardino shooter Syed Rizwan Farook. Hence the bureau wanted to play it safe by assuming the feature was activated.

Many Questions, Few Answers

But the Washington Post report leaves many questions unanswered: Which security researcher - or researchers - discovered the zero-day flaw? How much did the FBI pay both the zero-day flaw seller and whoever built the hardware that cracked the PIN code? Who provided the newspaper with the account? And what was their motivation? None of that has yet been revealed, with the Post's report citing only "people familiar with the matter." These same people reportedly also clarified that the FBI "did not need the services of the Israeli firm Cellebrite, as some earlier reports had suggested."

The FBI declined to comment on the Post report in particular, although it pointed to recent "going dark" warnings sounded by bureau officials in speeches and congressional testimony. But one red flag with the report is that Cellebrite does sell a standalone phone-to-phone memory transfer and backup machine that matches the description of the hardware that was reportedly used by the FBI to access the iPhone.

Conflicting Reports

The scant - if not conflicting - details and sourcing attached to the Post's report have some information security experts voicing skepticism. "I'm not believing a word of this until I see proof," says Dan Guido, CEO of security research and incident response firm Trail of Bits, via Twitter. "Unidentified anonymous sources contradicting all prior evidence?"

Furthermore, who stands to gain from this news report? As Robert Graham, who heads the research firm Errata Security, notes via Twitter, all anonymous sources typically have one of three agendas: "a) personal politics b) government propaganda c) whistleblowing."

When it comes to cybersecurity reporting, propaganda often looms large. Indeed, it's a certainty that some "sources with knowledge of the investigation, speaking on condition of anonymity" will always blame Russia for any large bank breach or blame China for an APT attack, despite those assertions often later being proved wrong (see Report: Spammers Tied To JPMorgan Chase Hack).

FBI Director James Comey says he hasn't decided yet if the FBI, having used taxpayers' money to crack the iPhone 5c, will disclose the flaw to Apple so it can protect customers, given the upsides the new capability gives to investigators. But federal officials are reportedly set to consider the disclosure question in the coming weeks. Apple, meanwhile, has said it won't sue the Department of Justice in an attempt to obtain the vulnerability details.

The FBI/Apple Battle

The controversy began back in February when the FBI obtained a court order compelling Apple to help the bureau unlock the iPhone. Apple CEO Tim Cook fought the order in court, calling it "dangerous" and saying it would compel Apple to create a weak version of iOS - some dubbed it "FBiOS" - for the government, which would be impossible to control (see Apple Accuses DOJ of Constitutional, Technical Ignorance).

What, if anything, have FBI and Justice Department leaders learned from this experience? Do they think that attempting to legally compel Apple to create an "FBiOS" has helped or hurt the bureau's chances of working with other software and hardware developers? Does Comey think that playing hardball with the world's biggest technology company was worth it, given that CBS News reports that Farook's iPhone yielded no new insights?

"Law enforcement source tells @CBSNews so far nothing of real significance has been found on San Bernardino terrorist iPhone unlocked by FBI." (tweet, April 13, 2016)

Gear Heads, Rejoice

The FBI's moves have an obvious moral for anyone concerned with privacy and safeguarding their data: Buy a more recent-generation mobile device that includes strong crypto. Because in the wake of the FBI's moves against Apple, more manufacturers are creating communications systems with end-to-end encryption that they theoretically cannot crack (see Report: Apple Building iPhone It Can't Hack).

With that in mind, here's one final question: Will the FBI be able to buy its way out of future crypto conundrums?

The answer so far: Don't bet on it.

P.F. Chang's Ruling: Is the Tide Shifting?

Category: Security News

Data Breach, Fraud, Litigation

Sizing Up the Impact of Court Decision on Post-Breach Class Action Lawsuit

Tracy Kitten (FraudBlogger) • April 19, 2016

Does a federal appellate court's decision allowing a breach-related class-action lawsuit against restaurant chain P.F. Chang's to move forward - and a similar, earlier decision in a case against Neiman Marcus - signal a change in tide for post-breach lawsuits? Legal experts offer widely varying opinions.

Last week, the Seventh Circuit Court of Appeals overturned a lower court's ruling that rejected the case against P.F. Chang's. The higher court ruled the case could proceed because the "future injuries" faced by consumers impacted by the breach are "sufficiently imminent."

Back in July 2015, the Seventh Circuit also reversed a lower court's decision to dismiss the Neiman Marcus case, which seeks damages for consumers who had card data exposed as a result of the luxury retailer's 2013 data breach (see Is Neiman Marcus Case a Game-Changer?).

In that ruling, the court found that Neiman Marcus' decision to provide potentially affected customers with a year of free credit monitoring and identity theft protection amounted to acknowledgement of significant risk. The panel also found that consumers impacted by the breach "should not have to wait until hackers commit identity theft or credit card fraud in order to give the class standing."

Contrasting Viewpoints

The rulings in these two cases could signal a substantial change in how federal courts view harm in the wake of a retail breach, says cybersecurity attorney Chris Pierson, who also serves as CISO of invoicing and payments provider Viewpost.

But John Buzzard, the former head of FICO's Card Alert Service, who now works as director of product management for security firm Rippleshot Fraud Analytics, argues that the appellate court rulings won't have a lasting impact.

Commenting on the two cases, Pierson notes: "In the [P.F. Chang's] case, the Seventh Circuit has found that sufficiently imminent allegations of possible future injury are present, such as the increased risk of identity theft and increased risk of fraudulent charges. It is difficult to reconcile the fact that federal laws already provide for mitigation of nearly all the risk of fraudulent charges with this decision. Simply put, customers are not liable for charges under federal law if they report them in a timely manner, with some caveats, which are usually waived by banks."

Nevertheless, the court's determination in the P.F. Chang's case that future injuries related to the breach were "imminent" could support the filing of more consumer class-action suits after card breaches, Pierson adds.

"The tides appear to be changing for data breach cases as it relates to being able to achieve standing under Article III [of the Constitution]," he says. "This shift is akin to environmental law cases involving the release of toxic chemicals into ground water, where a future, but likely, impending harm will occur. So, too, is this notion of an objective reasonable likelihood of injury occurring that is noted in the P.F. Chang's and Neiman Marcus cases."

Buzzard offers a far different assessment.

"I don't expect there to be a precedent-setting judgment here, but I know that many people equate the movement through the judicial system as positive proof that the responsible and negligent parties will be sanctioned in some way," he says. "Instead, anticipate blustering and posturing but not a major judgment that will have resoundingly negative effects for years to come."

The Issue of 'Harm'

Many previous consumer class-action lawsuits claiming harm in the wake of a payments breach have been dismissed or settled outside the courtroom. Because issuing banks ensure consumers are not liable for fraud that results from stolen card data, proving harm has been difficult (see No Injury: Michaels POS Malware Lawsuit Dismissed).

"Since the application of law is based on fact, a future application of 'harm' seems a bit far-fetched," says financial fraud expert Shirley Inscoe, an analyst at consultancy Aite. "For the good of our legal system, it is best to stick to the proven facts of any case. And the proven fact is that very few victims of data breaches become identity theft victims, which is not a good argument for the litigants. Financial institutions monitor breached cards carefully or replace them, so fraudulent transactions are minimized as well after the breach is detected."

Inscoe argues that if the P.F. Chang's case goes to trial, "it will be extremely difficult to prove any damage done to consumers that would enable them to win. As demonstrated in prior cases, consumers are made whole financially by their financial institutions because they are protected under Regulation E [Electronic Funds Transfer Act]. It is so easy to file these claims, and banks are typically so quick to restore the funds to the account, that true grounds for a class-action lawsuit seem far-fetched."

Similarly, Avivah Litan, an analyst with consultancy Gartner, says in the wake of a breach of payment-related information, "the only harm that consumers can incur, in my opinion, is negligible, e.g. time spent disputing the fraudulent charge and the costs of the services consumed, such as the meal at P.F. Chang's, that resulted in payment card fraud because of the data breach."

If the courts, indeed, redefine "harm" to include such costs, Litan says, "then get ready for an onslaught of lawsuits against breached retailers and other entities taken on by overzealous lawyers. This would be very bad news, in my opinion, should this happen."

P.F. Chang's Suit

On April 14, the Seventh Circuit overturned a lower court's 2015 ruling to dismiss the 2014 class-action suit filed against P.F. Chang's. The suit stemmed from P.F. Chang's 2013 data breach, which affected 33 locations between October 2013 and June 2014.

"We concluded that several of those plaintiffs' injuries were concrete and particularized enough to support Article III [of the U.S. Constitution] standing," the Seventh Circuit's ruling reads. "First, we identified two future injuries that were sufficiently imminent: the increased risk of fraudulent credit- or debit-card charges, and the increased risk of identity theft. These, we found, were not mere 'allegations of possible future injury,' but instead were the type of 'certainly impending' future harm that the Supreme Court requires to establish standing."

In the Neiman Marcus case, an appellate court panel ruled that consumers were at risk because of the breach.

In September, the court denied Neiman Marcus' petition to have its case reheard before the entire Seventh Circuit of judges, rather than just a panel. Neiman Marcus appealed to the Supreme Court in December and was granted in January an extension to file a motion to have its case heard.

Neither P.F. Chang's nor Neiman Marcus responded to Information Security Media Group's request for comment.

What's Next?

So what will happen next in the P.F. Chang's case?

Here's how Pierson sizes it up: "Given the changing nature of data breach cases not being dismissed for lack of standing, this case is likely to either settle or face one more hurdle prior to discovery taking place. P.F. Chang's may seek to file for a motion for summary judgment ahead of discovery. Given the time that has lapsed since the breach, the priority of management time focused on the electronic discovery aspects of this case, and the potential settlement risk, taking into account insurance, P.F. Chang's may seek to resolve this matter before the end of the year."

Drug Fraud Scheme Includes Criminal HIPAA Violations

Category: Security News

Fraud, HIPAA/HITECH

Former Manager Faces Sentencing in Scheme Involving Drug Firm Warner Chilcott

Marianne Kolbasuk McGee (HealthInfoSec) • April 19, 2016

A former pharmaceutical district manager faces sentencing in July after pleading guilty to criminal HIPAA violations for his part in a complex fraud scheme involving drug maker Warner Chilcott.

A U.S. District Court in Boston on April 15 ordered Warner Chilcott to pay $125 million to resolve criminal and civil liability arising from the illegal promotion of various drugs, according to the U.S. Department of Justice.

The fraud scheme involved illegal marketing of pharmaceuticals and the payment of kickbacks to physicians to prescribe the company's products, prosecutors say. The drug maker submitted "false, inaccurate, or misleading prior authorization requests to federal healthcare programs for the osteoporosis medications Atelvia and Actonel," according to the DoJ.

The case also involved several individual prosecutions of former Warner Chilcott employees. Among those prosecuted was former district manager Landon Eckles, who earlier pleaded guilty to wrongful disclosure of individually identifiable health information, a criminal violation of HIPAA.

Legal experts say the case against Eckles is one of only a handful of criminal HIPAA violation cases that have been prosecuted. "They are relatively rare, but a few cases pop up every few years," notes privacy attorney Adam Greene of the law firm Davis Wright Tremaine.

HIPAA Violation Details

In a statement about Eckles' guilty plea in the case, prosecutors noted that from 2007 to 2012, he worked for Warner Chilcott and served as a district manager in the company's osteoporosis division in a mid-Atlantic district.

The drug Atelvia "had poor insurance coverage in Eckles's district when it was launched in 2011, and many insurance companies required a prior authorization before covering Atelvia," the DoJ says. "A prior authorization contains protected health information, including biographical data and information concerning a patient's medical condition. Certain insurance companies require prior authorizations signed by a patient's doctor in order to overcome restrictions that favor less expensive prescription drugs."

Eckles told certain sales representatives that if physicians refused to fill out Atelvia prior authorizations, they should fill them out themselves, the DoJ alleged.

Several sales representatives, along with Eckles himself, filled out Atelvia prior authorizations, "and by doing so, accessed patients' protected health information in violation of the HIPAA law and regulations that safeguard the privacy of confidential health records," according to the DoJ.

Prosecutors say Eckles and a sales representative also accessed a number of patients' medical charts and placed Atelvia brochures in the charts so that physicians would be reminded to prescribe it. "Eckles bragged about this tactic to his sales representatives, stating, 'I guarantee you that this is going to drive business,' and encouraged his sales representatives to follow suit. In part, as a result of his scheme, Eckles received a bonus of approximately $60,000 in 2011," DoJ says.

HIPAA Sentencing

Eckles' sentencing date has been moved at least twice, and he is now scheduled to be sentenced on July 26, according to court documents. He faces a sentence of no greater than 10 years in prison, three years of supervised release, a fine of $250,000 and exclusion from the Medicare program.

An attorney representing Eckles declined to comment on the case.

Warner Chilcott is now part of Dublin, Ireland-based pharmaceutical company Allergan. An Allergan spokesman also declined to comment on the case.

Egregious Violations

While criminal HIPAA violation cases are rare, prosecutors pursue these cases when they involve particularly egregious behavior, legal experts say.

"There have been a variety of HIPAA criminal penalties in situations where individuals have done things that clearly have been wrong," says privacy attorney Kirk Nahra of the law firm Wiley Rein LLP. "We've seen individuals go into records and use them to commit identity theft. We've seen hospital workers sell records to others who use them to commit fraud. We've seen a variety of 'celebrity' cases where individuals access celebrity medical records and then sell information to the media."

Nahra stresses that the HIPAA criminal cases all have involved "egregious wrongdoing, not misinterpretations of the rules or minor slips."

What sets the Eckles case apart from most other criminal HIPAA violation cases, Nahra says, is that it's part of a "much bigger overall fraud case."

Attorney Greene says he expects the prosecution of criminal HIPAA cases will continue to be relatively infrequent.

"We will continue to see a few criminal convictions every once in a while, often surrounding fraudulent conduct such as identity theft schemes or larger criminal schemes," he says. "It is rarer to see a criminal case that solely surrounds HIPAA, such as a snooping case or a more straightforward impermissible disclosure case. Federal prosecutors have limited resources, and bringing HIPAA prosecutions for straightforward privacy violations is likely an activity that they cannot focus on."

Other Cases

Another recent case involving prosecution for criminal HIPAA violations involved a former East Texas hospital worker who pleaded guilty in a case involving illegally obtaining protected health information with the intent to use it for personal gain. Joshua Hippler was sentenced in February 2015 to 18 months in prison after pleading guilty in August 2014 to wrongful disclosure of individually identifiable health information (see Prison Term in HIPAA Violation Case).

Back in October 2013, Denetria Barnes, a former nursing assistant at an unidentified Florida assisted living facility, was sentenced to 37 months in prison after pleading guilty to several federal offenses, including conspiracy to defraud the U.S. government and wrongful disclosure of HIPAA protected information. And in April 2013, Helene Michel, the former owner of a Long Island, N.Y., medical supply company, was sentenced to 12 years in prison in a case that involved $10.7 million in Medicare fraud, as well as criminal HIPAA violations (see Hefty Prison Sentence in ID Theft Case).

Aside from those cases, most other defendants sentenced for criminal HIPAA violations have generally gotten lighter sentences.

For example, in November 2014, Christopher R. Lykes Jr., a former South Carolina state employee, was sentenced to three years of probation, plus community service, after he sent personal information about more than 228,000 Medicaid recipients to his personal email account. Lykes pleaded guilty to four counts of willful examination of private records by a public employee and one count of criminal conspiracy (see Sentencing in S.C. Medicaid Breach Case).

And in a 2010 case, former UCLA Healthcare System surgeon Huping Zhou, M.D., was sentenced to four months in prison after admitting he illegally read private electronic medical records of celebrities and others. Zhou was the first defendant in the nation to receive a prison sentence for a HIPAA privacy violation, according to the U.S. attorney's office for the central district of California (see HIPAA Violation Leads to Prison Term).

JBoss Servers: Ransomware Campaign Alert

Category: Security News

Anti-Malware, Breach Notification, Data Breach

3.2 Million Systems and 2,100 Servers at Risk, Cisco Talos Warns

Mathew J. Schwartz (euroinfosec) • April 18, 2016

A series of targeted attacks have been exploiting JBoss application servers as part of a campaign that often then distributes SamSam ransomware, security researchers from Cisco's Talos security group warn. Users of exploited JBoss servers include schools, government agencies and aviation firms, among other organizations, they say.

To date, the researchers' scans of internet-connected systems have identified 2,100 exploited servers that run JBoss - an open source application server program and related services that are maintained by Red Hat - and 3.2 million at-risk endpoints. All are at risk from self-propagating ransomware called SamSam, a.k.a. Samas, MSIL and Kazy, although it's not clear how many might yet have been infected.

As with many other types of ransomware, after locking down networks, servers or systems, SamSam directs victims to pay a ransom, in bitcoins, to receive a decryption key. But Cisco Talos warns that it discovered the JBoss flaws after unraveling a SamSam campaign that's been targeting not just individual endpoints, but entire enterprises, so attackers can demand proportionally larger ransom payments (see Ransomware: Is It Ever OK to Pay?).

Cisco Talos says all of the infected servers were exploited using JexBoss - the "Jboss verify and EXploitation Tool" - "to target unpatched deployments" of JBoss, although it has not specified exactly which JBoss flaws were exploited. JexBoss is freely available from code-sharing site GitHub. After exploiting a server, attackers installed a web shell - a script that can be run on a server to enable remote administration of a system - which allowed them to distribute malicious code throughout a network.

"We've learned that there is normally more than one web shell on compromised JBoss servers," Cisco Talos says, which "implies that many of these systems have been compromised several times by different actors," since a group only needs a single web shell to control a system.

Cisco began alerting affected organizations April 11, before publicly releasing details of the flaw, as well as indicators of compromise, on April 15.

Follett Patches Destiny

At least "several" of the exploited JBoss servers were running school library management software called Destiny, which is developed by software vendor Follett, Cisco Talos says. Follett didn't immediately respond to a request for comment about how its software had been exploited. But according to the company's website, it's already issued a patch to eradicate existing exploits and block new ones for the 60,000 K-12 schools globally that use the software.

"Based on our internal systems security monitoring and protocol, Follett identified the issue and immediately took actions to address and close the vulnerability on behalf of our customers," according to a statement released by Follett. "Follett takes data security very seriously and as a result, we are continuously monitoring our systems and software for threats, and enhancing our technology environment with the goal of minimizing risks for the institutions we serve."

"Follett takes data security seriously. Learn about JBoss & Destiny https://t.co/DbGkP9uCWj Questions? Call Follett 888.511.5114, Opt 3." (tweet, April 15, 2016)

Cisco has urged all Destiny users to immediately install the patch, and also lauded Follett's rapid response. It adds that automatic patch updates have been pushed to all users of Destiny version 9.0 to 13.5, that the update "also captured any non-Destiny files that were present on the system to help remove any existing backdoors on the system," and notes that Follett's technical support team has been contacting customers whose systems appear to have been infected, urging them to immediately update.

Web Shell Alert

Cisco Talos notes that all exploited JBoss servers can be identified in part via the presence of unauthorized web shells, which give attackers remote access to the server and thus - at least in theory - every other system it touches.

For any organizations that discover unauthorized web shells running on a JBoss server, Cisco recommends that whenever possible, they immediately disable external access to the server. "This will prevent the adversaries from accessing the server remotely. Ideally, you would also re-image the system and install updated versions of the software." Failing that, Cisco recommends at least restoring a pre-exploit backup and then upgrading the server "to a non-vulnerable version before returning it to production."
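As an added example (not the article's or Cisco Talos's code), here is one way a defender might implement the identification step above in Python: compare the JBoss deployment directory against an approved baseline and scan JSP pages for operating-system command-execution APIs. The paths, baseline and file contents are constructed, and the exec-API heuristic is an assumption about how typical web shells behave, not something the article states.

```python
"""Inventory a JBoss deployment directory for unauthorized web-app artifacts.

Added example; not from the Cisco Talos report or the article. Two checks:
  1. any deployed artifact missing from a known-good baseline is flagged
     (Talos identifies exploited servers via unauthorized web shells);
  2. JSP pages are scanned for OS command-execution APIs, an assumption about
     how typical web shells behave rather than a detail the article gives.
All paths, the baseline and the file contents below are constructed.
"""
import re
from dataclasses import dataclass

# Java APIs a JSP page in a library application has no business calling. Their
# presence is a strong indicator, not proof, so findings still need review.
COMMAND_EXEC_PATTERNS = (
    re.compile(r"Runtime\.getRuntime\(\)\s*\.\s*exec\s*\("),
    re.compile(r"\bnew\s+ProcessBuilder\s*\("),
)

JSP_SUFFIXES = (".jsp", ".jspx")


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def scan_deployment(current: dict[str, str], baseline: set[str]) -> list[Finding]:
    """Return one Finding per problem: unknown artifact and/or exec pattern.

    `current` maps artifact path -> file content (as read from the deploy
    directory); `baseline` is the set of paths approved for this server.
    """
    findings: list[Finding] = []
    for path in sorted(current):
        if path not in baseline:
            findings.append(Finding(path, "artifact not in approved baseline"))
        if path.endswith(JSP_SUFFIXES):
            for pattern in COMMAND_EXEC_PATTERNS:
                if pattern.search(current[path]):
                    findings.append(Finding(path, f"command execution: {pattern.pattern}"))
                    break  # one content finding per file is enough
    return findings


def suspected_shells(findings: list[Finding]) -> list[str]:
    """Paths that are both unknown to the baseline and contain exec patterns.

    Talos notes compromised servers usually carry more than one web shell, so
    a result longer than one entry suggests several independent intrusions.
    """
    unknown = {f.path for f in findings if f.reason.startswith("artifact")}
    exec_hits = {f.path for f in findings if f.reason.startswith("command")}
    return sorted(unknown & exec_hits)


# Constructed sample: an approved Destiny deployment plus two foreign artifacts.
BASELINE = {
    "deploy/destiny.war/WEB-INF/web.xml",
    "deploy/destiny.war/index.jsp",
}
CURRENT = {
    "deploy/destiny.war/WEB-INF/web.xml": "<web-app/>",
    "deploy/destiny.war/index.jsp": '<%@ page language="java" %><html>Catalog</html>',
    # Placeholder contents standing in for dropped shells; not functional code.
    "deploy/extra1.war/a.jsp": '<% Runtime.getRuntime().exec("PLACEHOLDER"); %>',
    "deploy/extra2.war/b.jsp": '<% new ProcessBuilder("PLACEHOLDER").start(); %>',
}

if __name__ == "__main__":
    results = scan_deployment(CURRENT, BASELINE)
    for f in results:
        print(f"{f.path}: {f.reason}")
    print("suspected shells:", suspected_shells(results))
```

On a real host the `current` mapping would be built by walking the deployment directory; re-imaging, as the article recommends, remains the only way to be sure a flagged server is clean.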

Attackers are increasingly using web shells as part of their exploits. In November 2015, the U.S. Department of Homeland Security's computer emergency response team issued a web shell security alert, warning that it had seen a spate of attacks involving web shells - including such tools as China Chopper, WSO, C99 and B374K - and offering a number of related detection and mitigation recommendations.

"Consistent use of web shells by advanced persistent threat (APT) and criminal groups has led to significant cyber incidents," according to the US-CERT alert, which was issued in conjunction with computer emergency response teams in Australia, Canada, New Zealand and the United Kingdom. "Using network reconnaissance tools, an adversary can identify vulnerabilities that can be exploited and result in the installation of a web shell. ... Once successfully uploaded, an adversary can use the web shell to leverage other exploitation techniques to escalate privileges and to issue commands remotely."

The alert warns that such access can enable attackers to do everything from gaining access to other network systems and using the network for botnet command-and-control purposes to exfiltrating data and installing malware, including ransomware.

Samas Ransomware Encrypts Via Network

When it comes to ransomware infections, use of Samas has been growing, according to a Feb. 18 FBI flash alert and a March 31 alert from US-CERT (see Ransomware Epidemic Prompts FBI Guidance). "Many of the executables and tools used in this intrusion are available for free through Windows or open source projects," the FBI warns. "The malware encrypts most file types with [the strong encryption algorithm] RSA-2048."

Security experts further warn that Samas - like Locky ransomware - can encrypt not just files stored on removable drives, but also files reachable via mapped and unmapped network shares.

The JBoss attack campaign isn't the first time that SamSam has been used to target enterprises. Many security experts also suspect that the ransomware recently disrupted systems at U.S.-based MedStar Health, although the organization has yet to confirm or deny those reports or detail precisely how its systems were hacked.
