There is a concerning and highly effective strategy that criminal hackers are now using to harvest sensitive customer data from Internet Service Providers (ISPs), phone companies, and social media firms. This strategy involves compromising email accounts and websites tied to police departments and government agencies, and then sending unauthorized “Emergency Data Requests” for subscriber data where the information requested can’t wait for a court order because it relates to matters of life and death.
Emergency Data Requests
In the United States, when federal, state, or local law enforcement agencies want to obtain information about who owns an account at a social media firm, or what Internet addresses a specific cell phone account has used in the past, they must submit an official court-ordered warrant or subpoena. Virtually all major technology companies and Internet Service Providers (ISPs) have departments that routinely review and process such requests. Such requests are only granted once proper documentation is provided and the requestor’s identity is verified out-of-band (not from the email requesting the data) as belonging to the actual police department or law enforcement agency.
However, just as most phishing attacks manufacture a sense of urgency to push the victim into acting, hackers are making data requests of these organizations claiming that imminent harm or death will result from inaction. Legitimate investigating officers often make what is known as an “Emergency Data Request” (EDR), which bypasses the normal review process and does not require the requestor to supply any court-approved documents. If the receiving company does not independently validate the requestor in these circumstances, the hacker wins and obtains the data needed to carry out further attacks.
The Hacker’s Strategy
Hackers have figured out that there is no quick and easy way for a company receiving one of these EDRs to know whether it is legitimate. Using unauthorized access to police email systems or individual officers’ accounts, hackers send a fake EDR along with a note stating that ‘innocent people will suffer or die unless this data request is processed immediately’. Because the message genuinely originates from a police mailbox, sender checks alone will not catch it.
In this scenario, the receiving company finds itself caught between two outcomes: failing to immediately comply with an EDR and potentially having someone’s blood on their hands, or possibly leaking a customer record to the wrong person.
To make matters more complicated, there are tens of thousands of police jurisdictions around the world, more than 18,000 in the United States alone. All it takes for hackers to succeed is access to a single police email account. In other cases, they breach an entire email server and gain access to all of the email traffic of a particular precinct.
What Can Be Done?
Lawmakers in Washington, DC, have introduced a Bill To Combat Counterfeit Court Orders that would improve the current system for sending EDRs. It would require all federal, state, and tribal courts to use a digital signature for orders authorizing surveillance, domain seizures, and the removal of online content. Digital signatures use public-key cryptography to prove the authenticity and integrity of documents and other data: a signature made with the court’s private key can be checked by anyone holding the court’s public key, and any alteration of the signed document causes the check to fail. The technology is already widely used by the private sector and the executive and legislative branches. The bill provides funding for state and tribal courts to adopt widely available digital signature technology that meets standards developed by the National Institute of Standards and Technology.
Until something like that is in place and implemented, there are actions your company can take to verify the legitimacy of these data requests:
- Phone-Based Verification: Your organization’s Data Protection Officer (DPO), or someone in a similar role, must research the law enforcement agency making the request and place a phone call to the requestor’s supervisor or department to verify the identity of the requestor and the validity of the request itself. Care must be taken to look up the agency’s phone number independently and not use a number found on the request form or in the email, as both could be supplied by the fraudster.
- In-Person Verification of Government-Issued Documents: A requestor can present a government-issued ID in person to the DPO to validate their identity. This brick-and-mortar method requires review of a government-issued identification card or document; however, it is always wise to also call the law enforcement agent’s office to validate the request itself. This method is typically reserved for cases where the law enforcement agent needs information immediately and time is of the essence.
- Notary: A requestor can provide a notarized document to the company or DPO to validate their identity. This method requires the notary to inspect a government-issued identification card or document and attest to that visual inspection in writing. Ideally, this method would be combined with #1 above – phone-based verification – to provide two-factor identity validation. This combination is not required by current protocols within GDPR or CCPA, though it should be, and it is what CyberHoot vCISO practitioners do.
Once this has been done, additional steps can be taken to verify the authenticity of the request, they include inspecting the following items:
- Is the sending email address for this request accurate and appropriate (95% of these requests come from a .gov email address)? Note that a correct sender domain is necessary but not sufficient: the attack described above is sent from genuinely compromised police accounts, so a .gov address never replaces the out-of-band checks above.
- Is the Government Seal correct? If it is the first time you are seeing a Seal, please Google that agency’s Seal for reference and validation.
- Review the date of the request to ensure it is still a valid, in-force subpoena and/or FISA request, as these requests do expire.
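To make concrete how a digitally signed order would close the gap that fake EDRs exploit, here is an added example (not code from the original article, the bill, or CyberHoot) that signs an order with an issuing court’s Ed25519 key and then applies the receiving company’s checks: trusted issuer key obtained out-of-band, .gov issuer domain, valid signature, and an unexpired date. The record layout (`CourtOrder`), the issuer name `court.example.gov`, and the choice of Ed25519 are assumptions for illustration, not the format or algorithm the bill or NIST prescribes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// CourtOrder is a hypothetical record for a court order or emergency data
// request. The field set is an assumption made for this example, not the
// format prescribed by the bill, NIST, or any court.
type CourtOrder struct {
	Issuer    string    `json:"issuer"`     // issuing court or agency domain
	Subject   string    `json:"subject"`    // account the order concerns
	IssuedAt  time.Time `json:"issued_at"`
	ExpiresAt time.Time `json:"expires_at"`
	Emergency bool      `json:"emergency"`
}

// SignedOrder is the serialised order plus the issuer's Ed25519 signature.
type SignedOrder struct {
	Order     []byte
	Signature []byte
}

// NewIssuerKey generates an Ed25519 key pair for an issuing court.
func NewIssuerKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignOrder serialises the order and signs the exact bytes that will be
// transmitted, so any later change to the document invalidates the signature.
func SignOrder(priv ed25519.PrivateKey, o CourtOrder) (SignedOrder, error) {
	body, err := json.Marshal(o)
	if err != nil {
		return SignedOrder{}, err
	}
	return SignedOrder{Order: body, Signature: ed25519.Sign(priv, body)}, nil
}

// VerifyOrder is what the receiving ISP or platform runs. trusted maps an
// issuer domain to a public key obtained out-of-band (never from the request
// itself). A compromised police mailbox does not yield the court's signing
// key, so a forged or altered order fails here even when it arrives from a
// real .gov address.
func VerifyOrder(trusted map[string]ed25519.PublicKey, so SignedOrder, now time.Time) (CourtOrder, error) {
	var o CourtOrder
	if err := json.Unmarshal(so.Order, &o); err != nil {
		return o, fmt.Errorf("malformed order: %w", err)
	}
	if !strings.HasSuffix(o.Issuer, ".gov") {
		return o, errors.New("issuer is not a .gov domain")
	}
	pub, ok := trusted[o.Issuer]
	if !ok {
		return o, errors.New("no out-of-band key on file for issuer " + o.Issuer)
	}
	if !ed25519.Verify(pub, so.Order, so.Signature) {
		return o, errors.New("signature does not verify: forged or altered order")
	}
	if o.IssuedAt.After(now) {
		return o, errors.New("order is dated in the future")
	}
	if !now.Before(o.ExpiresAt) {
		return o, errors.New("order has expired")
	}
	return o, nil
}

func main() {
	pub, priv, err := NewIssuerKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample: a court whose public key the provider has already pinned.
	trusted := map[string]ed25519.PublicKey{"court.example.gov": pub}
	now := time.Date(2022, 4, 1, 12, 0, 0, 0, time.UTC)
	order := CourtOrder{
		Issuer: "court.example.gov", Subject: "account-12345",
		IssuedAt: now.Add(-time.Hour), ExpiresAt: now.Add(72 * time.Hour), Emergency: true,
	}
	signed, _ := SignOrder(priv, order)
	if _, err := VerifyOrder(trusted, signed, now); err != nil {
		panic(err)
	}
	fmt.Println("genuine order verified")

	// An attacker edits the subject after signing: the signature no longer matches.
	tampered := SignedOrder{
		Order:     []byte(strings.Replace(string(signed.Order), "account-12345", "account-99999", 1)),
		Signature: signed.Signature,
	}
	_, err = VerifyOrder(trusted, tampered, now)
	fmt.Println("tampered order:", err)
}
```

The design point is that the trusted key directory, not the request, decides who can speak for a court. An attacker who controls a real police mailbox can pass the sender-domain check but cannot produce a signature that verifies under the key on file, and an old, genuine order that has been replayed is rejected by the expiry check.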
Once the request has been confirmed as legitimate and authentic, your organization can take action and complete the request as needed.
Additional Cybersecurity Recommendations
The recommendations below will also help you and your business stay secure against the various threats you face day to day. All of the suggestions listed below are covered by CyberHoot’s vCISO Program development services.
- Govern employees with policies and procedures. You need a password policy, an acceptable use policy, an information handling policy, and a written information security program (WISP) at a minimum.
- Train employees on how to spot and avoid phishing attacks. Adopt a Learning Management system like CyberHoot to teach employees the skills they need to be more confident, productive, and secure.
- Test employees with Phishing attacks to practice. CyberHoot’s Phish testing allows businesses to test employees with believable phishing attacks and put those that fail into remedial phish training.
- Deploy critical cybersecurity technology including two-factor authentication on all critical accounts. Enable email SPAM filtering, validate backups, and deploy DNS protection, antivirus, and anti-malware on all your endpoints.
- In the modern Work-from-Home era, make sure you’re managing personal devices connecting to your network by validating their security (patching, antivirus, DNS protections, etc) or prohibiting their use entirely.
- If you haven’t had a risk assessment by a 3rd party in the last 2 years, you should have one now. Establishing a risk management framework in your organization is critical to addressing your most egregious risks with your finite time and money.
- Buy Cyber-Insurance to protect you in a catastrophic failure situation. Cyber-Insurance is no different than Car, Fire, Flood, or Life insurance. It’s there when you need it most.
All of these recommendations are built into CyberHoot the product or CyberHoot’s vCISO Services. With CyberHoot you can govern, train, assess, and test your employees. Visit CyberHoot.com and sign up for our services today. At the very least continue to learn by enrolling in our monthly Cybersecurity newsletters to stay on top of current cybersecurity updates.