USA indicts the Chinese hacker tied to the Anthem breach

by Paul Rubell, Esq.

A 36-year-old Chinese national from Shanghai has been charged in federal court in California with supplying malicious software to attackers who used it against companies located in the United States.


Yu Pingan was arrested on August 27, 2017 when he arrived in the United States to attend a conference. Yu, who used the online pseudonym GoldSun, is accused of supplying the malware that was installed on company computers. The government further alleges that GoldSun delivered zero-day exploits and caused denial-of-service (DoS) attacks on major corporate and government networks. The malware at the center of the complaint, Sakula, is a remote access trojan: once planted on a machine it lets its operator control that machine remotely and use it as a foothold to reach the rest of the network. The government charged him with conspiracy to commit computer hacking under 18 U.S.C. §§ 371 and 1030(a)(5)(A), the federal conspiracy statute and the Computer Fraud and Abuse Act. Prosecutors contend that the intrusions he enabled caused far-reaching damage to the nation's security infrastructure and economy.

Among GoldSun's technical "accomplishments" was the 2015 breach of Anthem's network and the theft of personal information on roughly 80 million current and former customers and employees, including Anthem's chief executive. The stolen data included names, home addresses, dates of birth, Social Security numbers, email addresses and income data. In the hands of a health insurer that is protected health information (PHI) under HIPAA, even though Anthem reported that medical records and payment card numbers were not taken.

In addition to the Anthem attack, in 2015 GoldSun's malware was allegedly used to break into the United States Office of Personnel Management (OPM) and exfiltrate sensitive personal information, including background-investigation files and financial information, on government workers going back some 30 years. OPM's initial estimate of about 4 million affected people was later revised to roughly 21.5 million.

In the criminal complaint supporting the request to arrest GoldSun, FBI Special Agent Adam James told the court that:

“Based on the evidence described above showing that [Pingan] provided malware … to maliciously target a discrete group of U.S. companies’ computer networks, including the novel and rarely-used Sakula malware, I submit there is probable cause to arrest YU for conspiring to commit fraud in connection with computers, in violation of 18 U.S.C. §§ 371 and 1030(a)(5)(A).”

Is the People's Republic of China the driving force behind GoldSun's attacks on the American economy and government, or did GoldSun act purely for his own economic gain? In either case, American citizens have been harmed by these and other assaults on our way of life. It is essential for all of us to deploy best practices to secure our personal and corporate information. Cyber liability insurance and good legal and IT advice are a good way to begin.







Are violent selfies protected by the Constitution?

by Paul Rubell, Esq.

We all cringe at the recent spate of hateful videos made by criminals while committing heinous felonies. As if the crimes themselves were not enough, we watch the gruesome spectacle unfold before our eyes on Facebook, Twitter and the nightly news. The victims suffer embarrassment and worse.

Here in New York, a state senator has introduced legislation that would make it a crime to film a violent crime as it happens. The intent of the proposed law is a good one: Facebook, Twitter and LinkedIn need to stop felons from using social media to promote their violent crimes online, and we do not want to give these hoodlums 15 seconds of fame.

Question: Are crime-scene selfie videos protected under the Constitution? News12 asked me to comment. You can watch here:


Senator Philip Boyle's proposed law probably violates the First Amendment's guarantees of free speech and a free press. These fundamental freedoms are at the foundation of American law, and the Constitution guarantees your right to express yourself. The Constitution also empowers Congress to secure for authors the exclusive right to their writings, which is why you hold the copyright in your own creations, including songs, paintings, poems, photos, multimedia, computer code and apps.

Taking videos is a form of expression protected by the Bill of Rights. Even free speech, however, has constitutional limits. The familiar line about falsely shouting "fire" in a crowded theater comes from Justice Holmes in Schenck v. United States (1919); it is shorthand rather than a legal test, and the modern standard, from Brandenburg v. Ohio (1969), protects speech unless it is directed to inciting imminent lawless action and likely to produce it. In 1942, the US Supreme Court held in Chaplinsky v. New Hampshire that "fighting words" are not protected speech.

Are crime-scene videos the kind of "fighting words" or incitement that falls outside the Constitution's protection? I think Senator Boyle's proposed anti-video law would run afoul of the First Amendment. What do you think?

Not best practices: Apple’s iCloud is neither private nor secure

by Paul Rubell, Esq.

Can your business survive a massive data breach? If your business stores, backs up or syncs its data to the cloud, take note. Apple's iCloud is currently the target of an extortion demand. As you will read, the moral of this article is that confidential business data, trade secrets, customer lists and other information is at peril when it is stored off-site on a remote server such as Office 365 or iCloud. The details are fascinating but the song remains the same as it has always been: caveat emptor when it comes to processing information online.

A hacking group that calls itself the Turkish Crime Family claims to have gained access to more than 627 million iCloud accounts maintained on Apple's servers. The group has threatened to delete all of the data in those accounts, as well as the data on the Apple desktop and mobile devices linked to them. The group has stated on Twitter that the data will be deleted unless Apple pays a ransom by April 7, 2017. The ransom demanded is either $75,000 US in Bitcoin or Ethereum or $100,000 US in iTunes gift cards.

Apple users whose email addresses are on the two domains the group named are apparently at risk. The hackers had posted a video on YouTube (ironically, a Google company) that purportedly showed communications between the group and Apple. That video has been deleted, presumably at Apple's insistence.

Notably, the group claims that even iCloud accounts protected by two-factor authentication are at risk. That claim deserves skepticism. If what the group holds is a list of email addresses and passwords harvested from other sites' breaches and replayed against iCloud (credential stuffing), two-factor authentication is exactly the control that stops it: a password alone does not complete the login. What the episode does underline is that most users never turn two-factor authentication on, so a reused password is usually enough. (This author strongly urges you to enable two-factor authentication on all of your financial and sensitive accounts.)

Apple has not made any public comment about this extortion threat, presumably because Apple's often-stated corporate policy is not to pay hostage fees. If the group's claims were true, 627 million iCloud accounts could be deleted and, worse, the computers and devices tied to those accounts could be wiped clean on April 7th.
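The point about two-factor authentication is easy to check in code. The following is an added example, not anything from Apple or from the hacking group: it implements RFC 6238 TOTP with the Python standard library, builds a constructed user table (the addresses and passwords are made up, and the TOTP secret is the RFC's published test secret rather than anything real), and replays a constructed credential dump against it the way a credential-stuffing attacker would. The user who enrolled a second factor is not logged in by the leaked password alone.

```python
"""Added example (not from the original post): credential stuffing against
accounts with and without TOTP-based two-factor authentication."""
import hashlib
import hmac
import struct
import time

# Reference secret from the RFC 4226/6238 test vectors, used so the codes are
# checkable; a real service issues a random per-user secret at enrollment.
RFC_SECRET = b"12345678901234567890"
SALT = b"constructed-static-salt"  # a real system stores a random salt per user


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the Unix time divided into 30-second steps."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps of clock skew."""
    return any(hmac.compare_digest(totp(secret, at + i * 30), code)
               for i in range(-window, window + 1))


def _hash_pw(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), SALT, 100_000)


# Constructed user table: both users reuse the same password; only bob enrolled TOTP.
USERS = {
    "alice@example.com": {"pw": _hash_pw("Summer2016!"), "totp": None},
    "bob@example.com":   {"pw": _hash_pw("Summer2016!"), "totp": RFC_SECRET},
}


def login(email: str, password: str, code: str = None, now: int = None) -> str:
    """Returns 'denied', 'second factor required' or 'ok'."""
    user = USERS.get(email)
    if user is None or not hmac.compare_digest(user["pw"], _hash_pw(password)):
        return "denied"
    if user["totp"] is None:
        return "ok"                      # password alone is enough: no 2FA
    now = int(time.time()) if now is None else now
    if code is not None and verify_totp(user["totp"], code, now):
        return "ok"
    return "second factor required"


# Constructed dump, as if leaked from an unrelated site's breach.
LEAKED = [("alice@example.com", "Summer2016!"),
          ("bob@example.com", "Summer2016!"),
          ("carol@example.com", "letmein")]


def stuff_credentials(leaked, now: int) -> dict:
    """Replay each leaked pair with no second factor, as an attacker would."""
    return {email: login(email, pw, now=now) for email, pw in leaked}


if __name__ == "__main__":
    for email, outcome in stuff_credentials(LEAKED, 59).items():
        print(email, "->", outcome)
```

Alice, with a reused password and no second factor, is taken over outright; bob, with the same reused password but TOTP enrolled, stops at "second factor required" until a valid code is supplied; carol's password never matched, so the attacker learns nothing. That is the practical reason to enable the second factor before an extortion deadline arrives.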

Best practice to keep your trade secrets private: avoid Password Managers

by Paul Rubell, Esq.

Information is the currency of 2017. For this reason it is mission-critical to keep data currency safe, secure and private. Just as gold bricks should be stored in a physical safe, data needs to be kept secret electronically.

Passwords are the key to the digital vault. Strong passwords are designed to thwart guessing attacks, but their drawback is that they are hard to remember. A weak password such as "123456" is easy to memorize; a stronger one like "A1@b2*C3(d)Zx4#" is readily forgotten. When dozens of distinct passwords are needed to protect different accounts, the problem is compounded. There are many ways to keep track of passwords. Although no method is fool-proof, some are more iron-clad than others.

To achieve data privacy, software developers urge their customers to adopt password manager applications. Some apps store passwords in the cloud on a remote server; others keep the electronic keys locally on a mobile or desktop device. Many also generate complex random passwords and store them in an encrypted vault. However the technology works, the unifying idea is to secure all points of entry to electronic information in a single place, which is why experts urge us to use password managers. Whether an app is free of charge does not matter; what matters is its functionality and security.

As a result, many people download password managers for their Android phones such as LastPass, Keeper, 1Password, My Passwords, Dashlane Password Manager, Informaticore Password Manager, F-Secure KEY, Keepsafe, and Avast Passwords. Each of these popular apps has been downloaded from the Google Play store between 100,000 and 50 million times. What a relief to know that one's data currency is secured and encrypted.

Unfortunately, that security was in part vaporware. On February 28, 2017, TeamSIK, a group of security researchers at Germany's Fraunhofer SIT, published findings showing that all nine of these apps contained vulnerabilities that made them susceptible to compromise. In some cases the master password that locks the vault was stored in plain text, readable by anyone with access to the device's storage; in others the app encrypted the vault with a key hard-coded into the app itself, so anyone who unpacked the app could decrypt every user's vault. In still other cases, convenience features such as auto-fill were themselves insecure and could be tricked into handing credentials to the wrong app or site. According to the researchers, the vendors were notified before publication and most of the issues had been patched by then, but the point stands: the developers shipped apps with the vulnerabilities built in.
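The flaws the researchers describe are implementation mistakes, not something inherent in the idea of a vault, and it is worth seeing the difference concretely. The following is an added example, not code from any of the apps listed above or from the report: it shows a vault whose key is derived from the master password with a memory-hard KDF and never written anywhere, beside the anti-pattern of keeping the master password in cleartext and encrypting the entries under a key baked into the binary. The HMAC-SHA256 counter-mode keystream stands in for AES-GCM only because the standard library ships no block cipher; the hard-coded key, the sample entries and the master password are all made up for the example.

```python
"""Added example (not code from any of the apps named above): a vault design
that keeps the master password out of storage, beside the anti-pattern the
researchers described."""
import hashlib
import hmac
import json
import os

# Hypothetical key baked into an app binary. Anyone who unpacks the APK can
# read it, so it protects nothing.
HARDCODED_KEY = b"0123456789abcdef0123456789abcdef"


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with HMAC-SHA256 run as a PRF in counter mode.

    Stand-in for a real AEAD (AES-GCM, ChaCha20-Poly1305): the standard
    library has no block cipher. Sound only if a (key, nonce) pair is never
    reused, which the random per-vault nonce below guarantees.
    """
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], ks))
    return bytes(out)


def derive_keys(master_password: str, salt: bytes):
    """Memory-hard KDF: master password + random salt -> (enc_key, mac_key).

    The keys exist only in memory while the vault is open; they are never
    written to disk, and the password cannot be recovered from the salt."""
    km = hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                        n=2 ** 14, r=8, p=1, maxmem=64 * 1024 * 1024, dklen=64)
    return km[:32], km[32:]


def seal_vault(master_password: str, entries: dict) -> bytes:
    """Sound design: the file holds salt || nonce || ciphertext || tag, nothing else."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    ct = _keystream_xor(enc_key, nonce, json.dumps(entries).encode("utf-8"))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def open_vault(master_password: str, blob: bytes) -> dict:
    """Encrypt-then-MAC: verify the tag before decrypting anything."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or tampered vault")
    return json.loads(_keystream_xor(enc_key, nonce, ct))


def rejects_wrong_password(blob: bytes, password: str) -> bool:
    """True if the vault refuses to open with `password`."""
    try:
        open_vault(password, blob)
    except ValueError:
        return True
    return False


def seal_vault_weak(master_password: str, entries: dict) -> bytes:
    """Anti-pattern: master password kept in cleartext for 'quick unlock',
    entries encrypted under the key baked into the binary."""
    nonce = os.urandom(16)
    ct = _keystream_xor(HARDCODED_KEY, nonce, json.dumps(entries).encode("utf-8"))
    return master_password.encode("utf-8") + b"\n" + nonce + ct


def open_vault_weak_as_attacker(blob: bytes) -> dict:
    """No master password needed: read it from the file and decrypt the rest
    with the key pulled out of the APK."""
    master, rest = blob.split(b"\n", 1)
    nonce, ct = rest[:16], rest[16:]
    return {"master": master.decode("utf-8"),
            "entries": json.loads(_keystream_xor(HARDCODED_KEY, nonce, ct))}


def leaks(blob: bytes, secret: str) -> bool:
    """Cheap audit of a stored vault: does the secret appear in it verbatim?"""
    return secret.encode("utf-8") in blob


if __name__ == "__main__":
    entries = {"bank": "correct horse battery staple"}
    good = seal_vault("Tr0ub4dor&3", entries)
    print("sound vault opens with the right password:",
          open_vault("Tr0ub4dor&3", good) == entries)
    print("sound vault contains the master password:", leaks(good, "Tr0ub4dor&3"))
    weak = seal_vault_weak("Tr0ub4dor&3", entries)
    print("weak vault read with no password at all:", open_vault_weak_as_attacker(weak))
```

The `leaks` check is the kind of test the researchers ran: pull the vault file off the device and grep it for the master password. A sound vault never contains it; the weak one does, and the hard-coded key means the attacker does not even need it.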



Relying blindly on an app to keep a company's trade secrets private is irresponsible. If you need a financial incentive to protect your company's golden eggs, be aware that some cyber liability insurance policies exclude a data breach from coverage if the breach can be tied to the company's use of insecure software, and a password manager with a known flaw is exactly that. It is incumbent upon each of us to design protocols and corporate policies that protect the integrity as well as the secrecy of the gatekeepers to our most important and vulnerable trade secrets.

Caveat emptor. Let the buyer beware. Best practice demands more from each of us than downloading apps from the candy store in the cloud. Google Play's review process does not guarantee that an app's cryptography is sound, and in this case the password manager apps available there were not. After decades of building your business, it is reckless to rely blindly on consumer software to protect your golden goose. Your company does not want to litigate, and you do not want to lose a shareholder derivative lawsuit claiming that you breached your fiduciary duty by failing to secure information.

Take due care and exercise due caution. Get expert advice. Purchase cyber liability insurance. Develop best practices. Build a digital Fort Knox to keep your business's trade secrets safe.






Twitter says hello to hacking; Users say goodbye to privacy

By Paul Rubell, Esq.

The President has illustrated the power of social media through his use of Twitter. Like Facebook and LinkedIn, Twitter is a "platform" that lets users interact with each other online. As Twitter has grown to hundreds of millions of users, it has also come under attack from hackers and bad actors worldwide. These global platforms employ large security teams to guard their crown jewels. But as with any system, the weakest link is what fails first. Witness the Target breach, which began with credentials stolen from an HVAC contractor that had access to one of Target's vendor systems.

On March 14, 2017, thousands of Twitter accounts around the world were hijacked, apparently by supporters of the Turkish government during its diplomatic dispute with the Netherlands and Germany. The accounts of the European Parliament, Forbes, Amnesty International, UNICEF, Nike Spain and others were defaced. They were flooded with swastikas and hashtags including "#NaziHollanda", profile pictures were changed to the Turkish flag, and many accounts were made to post a YouTube link alongside the words "Nazi Germany, Nazi Netherlands! Do not force the patience of the Turk. We got out of this way by wearing our kefen."

Politics aside, the legal issue and the technological quandary are the same: the Twitter accounts were accessed through a weak link in the flow of social information. Nobody's Twitter password was stolen. A third-party application called Twitter Counter was compromised, and the access tokens its users had granted it, which authorize it to post on their behalf, were used to push the defacements through Twitter's own API.

Twitter Counter is an analytics tool that connects to Twitter and reports metrics about its users' accounts. It is one of thousands of so-called 3rd party apps that access or interact with the major social platforms. What is a 3rd party app? Apple does not write all of the apps in its App Store, and Google does not develop all of the apps on Google Play; likewise, outside companies build tools that the social platforms permit to connect to user accounts through their APIs. These are third-party applications, or 3rd party apps for short.

In the world of social media, many people use HootSuite and similar dashboards to monitor and post to Twitter, Facebook and LinkedIn in one place, with scheduling and other features not readily available on the platforms themselves. (TweetDeck offers similar features, but Twitter has owned it since 2011, so it is not a 3rd party app.) These dashboards are 3rd party apps. So is Twitter Counter. But not all 3rd party apps are as safe and secure as you would like, and none of them has the staff or financial strength of the Big 3 (Twitter, Facebook, LinkedIn) to devote to security. Thus you have to use 3rd party apps with caution, and revoke the access of any you no longer use.

Where is the legal part of this story? Privacy of information is the gold standard toward which one must strive. A company's website needs its own privacy policy. If a visitor clicks the site's Facebook or Twitter button, she will suddenly find herself on Facebook rather than the company's own site, and an entirely different privacy practice now governs her data. As a dramatic example, Facebook renamed its Privacy Policy a Data Policy, in this author's view because there is no such thing as privacy on Facebook. Without politicizing the matter, it is important for websites to inform their users that once they travel to a social media site, their privacy will be governed by that site's rules, not the company's.

And what of 3rd party apps? When you access a social media site (such as a company's Facebook page) through HootSuite, for example, your usage is governed by the privacy policies of the 3rd party app as well as the Facebook platform. Remember the weak link at Target. Not all 3rd party apps are safe to use. Some are weak because they are financially shaky and cannot afford security work. Others are unsafe because owners or employees with access to customer data may be unsavory. In every case, a 3rd party app holds standing authorization to act on your account; it is a second door into the platform. If the back door of your home is not locked securely, a thief can walk in. Similarly, if a 3rd party app is insecure (by design, by error or just by bad coding), a hacker, bad actor or disgruntled employee can use its access to steal your identity and private information or, as at Twitter Counter, to post in your name.

Companies' privacy policies need to inform their users about all of these risks. Most CEOs do not realize that a LinkedIn button on their site may be putting customers in harm's way, and they would be shocked to find out the hard way, after a data breach. From a lawyer's vantage, disclosure can cleanse many problems. Telling your users about the potential pitfalls to their privacy can be a good defense to a lawsuit or criminal investigation following a breach. The "I told you" defense is my own mantra when I prepare Internet policies for clients.

So travel the Internet safely and protect your business with technology and with solid legal safeguards in place. 




Awaiting the President’s Cybersecurity Executive Order

by Paul Rubell, Esq.

Witness today's risks of cyber crime. Hackers, bad actors and foreign governments have long had the ability to assault our Nation's networks. Current events have opened citizens' eyes to the reality of the cyber threat. It is remarkable how quickly the public forgot, or turned a blind eye to, well-known breaches such as those at Target and Yahoo. It has taken a national election for the public to recognize that data breaches are not theoretical and that their ramifications extend far beyond credit card data.

In February 2016, President Obama signed an Executive Order (EO 13718) that established the nonpartisan Commission on Enhancing National Cybersecurity. Four premises spurred the order. First, advanced and interconnected technologies benefit the country and its economy. Second, those same technologies pose significant security challenges and threats. Third, individual privacy rights need to be protected. Fourth, despite the risks, we need to encourage breakthroughs in new technologies to solve many of the problems the world faces. The order stated that it was issued:

“in order to enhance cybersecurity awareness and protections at all levels of Government, business, and society, to protect privacy, to ensure public safety and economic and national security, and to empower Americans to take better control of their digital security…”

With those goals in mind, the Commission issued its report in December 2016, after the election and before Inauguration Day. Its "Report on Securing and Growing the Digital Economy" addressed ten sweeping topics: federal governance, critical infrastructure, cybersecurity research and development, the cybersecurity workforce, identity management and authentication, the Internet of Things, public awareness and education, state and local government cybersecurity, insurance, and international issues. The Commission recommended to the incoming President that the White House be the locus of government and private-sector security initiatives.


Shortly after the President took office in January 2017, he stated that:

“I will hold my Cabinet secretaries and agency heads accountable, totally accountable for the cybersecurity of their organizations which we probably don’t have as much, certainly not as much as we need”

With that in mind, an Executive Order entitled "Strengthening U.S. Cyber Security and Capabilities" was drafted but never signed. A few weeks later, in February 2017, a revised draft was circulated, called "Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure". As before, this order has neither been signed nor released publicly. Unlike prior efforts to combat cyber risk, the latest draft focuses on the federal government's own networks: deterring malicious attacks and protecting the country from them. It calls on all federal agencies to modernize their internal IT (information technology) systems and to coordinate and cooperate with one another. In addition, the head of each agency is to be responsible for that agency's cybersecurity; the buck is not to be passed down the ladder to the agency's CIO. I have stated for many years that the corner office, in private industry as well as the public sector, is where cyber responsibility must reside. The CEO, not a subordinate, must answer for the company's Twitter feed, its Facebook page and the security of customer data. The new President appears to share that view by placing the onus on agency chiefs.

However, this latest draft Executive Order was met with criticism from industries considered central to national infrastructure, including telecommunications, banking, energy, water and public transportation. These industries would have been subjected to government requirements beyond those imposed on other private-sector businesses. As a result of this pushback, the President has withheld his signature.

Against this backdrop, the Cyber Policy Task Force of the Center for Strategic and International Studies (CSIS) issued its own recommendations to the new Administration. Its report, "From Awareness to Action: A Cybersecurity Agenda for the 45th President", states that many of America's current cyber policies are antiquated. It calls for an international cybersecurity strategy, greater transparency so that the public learns of data breaches, an honest evaluation of the pros and cons of encryption, and attention to the risks that the Internet of Things (IoT) poses to global cyber stability.

At the V4 Cybersecurity Conference held at Google's Washington, DC office on March 7, 2017, Rudolph Giuliani recommended that companies subject themselves to attacks on their own IT infrastructure by "red teams" from outside firms that specialize in penetration testing. Such authorized "white hat" hacking is a good way for companies to test and strengthen their internal defenses before a real adversary does.

The Internet has become part of our nation’s infrastructure, just like roads, bridges and the power grid. We await the President’s cybersecurity Executive Order with eagerness because it has never been more important to ensure the safety of our country’s infrastructure.


Net Neutrality is No More

By Paul Rubell, Esq.

Internet users have suddenly been stripped of an important privacy protection. On March 1, 2017, the Federal Communications Commission (FCC), in a decision announced jointly with the Federal Trade Commission (FTC), stayed the data-security portion of its broadband privacy rules one day before it was to take effect on March 2.

Internet users in the United States have long been protected by privacy frameworks such as the Consumer Privacy Bill of Rights and by agencies such as the FTC. Those protections were vastly enhanced on October 27, 2016, when the FCC adopted rules empowering users to decide how broadband Internet providers (ISPs) such as Verizon and AT&T use and share their personal data. These broadband privacy rules are often lumped together with "net neutrality" because they rest on the same foundation: the FCC's 2015 Open Internet Order, which reclassified ISPs as common carriers under Title II of the Communications Act. The rules require ISPs to obtain customers' express consent before using or sharing their personal information. They were needed because the 2015 reclassification moved ISPs out of the FTC's reach (the FTC Act exempts common carriers), leaving no agency enforcing consumer privacy against them until the FCC wrote rules of its own.

In adopting net neutrality, the FCC stated that “privacy rights are fundamental because they protect important personal interests—freedom from identity theft, financial loss, or other economic harms, as well as concerns that intimate, personal details could become the grist for the mills of public embarrassment or harassment or the basis for opaque, but harmful judgments, including discrimination.”

ISPs serve as a consumer's "on-ramp" to the Internet. Providers can see a tremendous amount of their customers' personal information as it passes over that connection, including browsing habits, beliefs, preferences and likely future activities. The FCC determined that consumers deserve the right to decide how that information is used and shared, and to protect their own and their children's privacy online.

ISPs have access to all sorts of personal information, including your geolocation, your children's information, health and financial data, your Social Security number, your browsing and app-usage history, financial and familial status, race, religion, political leanings, age and, most significantly, the content of your communications. (With HTTPS now the norm, an ISP usually cannot read the content of a web session, but it still sees which hosts you connect to, when and how often, which is revealing enough.) Under the October 2016 rules, ISPs were required to obtain affirmative "opt-in" consent from consumers before using or sharing sensitive information. The FCC required ISPs to give customers "clear, conspicuous and persistent notice" of what information they collect, how and when they share it, and the types of advertisers and others with whom they share it. In addition, ISPs became subject to privacy requirements comparable to those the FTC applies to search engines such as Google, social media such as Facebook, and other edge providers.

Needless to say, neither the ISPs nor their advertisers were happy with the new regulatory scheme. On March 1, 2017, the new Administration's FCC Chair stayed the data-security requirements before they could take effect. In announcing the decision, the FCC stated that "After all, Americans care about the overall privacy of their information when they use the Internet, and they shouldn't have to be lawyers or engineers to figure out if their information is protected differently depending on which part of the Internet holds it." It may be worth noting that the FCC Chair was formerly Associate General Counsel at Verizon Communications Inc.

Without those rules in force, ISPs can once again sell your personal information for advertising purposes without asking your permission or telling you about it.