Don't be a Cyber-victim 切勿成為網絡受害者
Easy steps to mitigate the risk of Cyber-attack 一些減少網絡襲擊風險的方法
Dominic Wai, Partner, ONC Lawyers
31 October 2016
The Hong Kong Electronic Industries Association
This presentation is not an exhaustive treatment of the area of law discussed and cannot be relied upon as legal advice. No responsibility for any loss occasioned to any person acting or refraining from acting as a result of the materials and contents of this presentation is accepted by ONC Lawyers.
2 Sept 2016 © ONC Lawyers 2016. All right reserved
Case Study
Globenet Droid Ltd v Hong Kong Hang Lung Electronic Co (a firm)
Facts – Plaintiff (1)
• Early 2013:
  • Plaintiff looked for a supply of batteries
  • They came to know a company named CP and had been contacting it via a person purporting to be “Nelson Zeng”
Facts – Plaintiff (2)
• In emails, the email address itself is shown in “< >” after the sender’s name:-
  • E.g. “X <abcde.abcde.com>”
  • “X” can be whatever the sender likes to enter
• In the email correspondence with P, the person(s) purporting to be “Nelson Zeng” were shown in the emails as:-
  • “[email protected] <[email protected]>”
  • “Nelson Zeng <[email protected]>”
  • “[email protected] <[email protected]>”
Facts – Plaintiff (3)
• “Nelson Zeng” told P in an email that any payments to be made to CP should be made to a bank account of its affiliate company
• After comparing prices, P decided to place orders with CP and it contacted CP by phone; the communications were then made with the true Nelson Zeng and the true CP
Facts – Plaintiff (4)
• June 2013: P received from “Nelson Zeng” a Proforma Invoice:-
  • Under a letterhead bearing D’s name in English but CP’s in Chinese
  • Bore a company chop with D’s name in English but CP’s in Chinese
  • Recipient bank account was D’s HSBC bank account
• P subsequently received another Proforma Invoice from the true Nelson Zeng (the true CP):-
  • Under the letterhead of CP both in English and Chinese
  • Bore the company chop of CP both in English and Chinese
  • Recipient bank account was an account maintained with CCB in HK
Facts – Plaintiff (5)
• On 4 July 2013: P made an online transfer of US$104,260 from P’s HSBC bank account to D’s HSBC bank account (pursuant to the 2nd invoice)
• Reasons:
  • “Nelson Zeng” had told P that it had to make payment to CP’s affiliate account
  • P thought D was CP’s affiliate
  • Transfer from P’s HSBC account to another HSBC account would save some bank charges
Facts – Defendant (1)
• April 2013: D received an email from a person named Robert Ford, inquiring about its products and seeking quotations for his customers
• Robert Ford claimed his customers and financiers wanted to transfer up to US$30,000 to US$50,000 into D’s account, because they had other engagements in China and thus wanted to use this opportunity to send the total money they needed to D’s account
Facts – Defendant (2)
• July 2013: D agreed with Robert Ford that the purchase price of the goods of D should be US$16,500
• D received US$104,246 (actually transferred by P)
• D asked Robert Ford by email:-
  • Why are you doing this way?
  • You paid 104,246, but now the total amount of products is US$16,500, you still have US$87,746 in our bank account, what are you going to do?
• Robert Ford replied that he would need the money to purchase goods himself
Facts – Defendant (3)
• July 2013: The RMB equivalent of US$87,746 was transferred from the bank account of one Mr. Lau of D, maintained with ICBC in the PRC, to a bank account maintained with BOC in the PRC designated by Robert Ford
• A representative of Robert Ford took delivery of the goods whose purchase price was agreed to be US$16,500
Outcome
• D has failed to establish the defence of bona fide change of position or any part thereof; it must follow that P should be able to recover US$104,246.00
• D do pay P the costs of this action
Conclusion
• For payer and payee: whenever there is doubt or unusual circumstances, do make INQUIRIES
Recent Fraud Trend (stages of a typical business email scam, in sequence)
• Surveillance of target company
  • Public Information
  • Inside Information (hacked)
  • Phishing Emails
• Identify key individuals
  • CEO
  • CFO
  • Financial Controller
• Fraudulent email requesting transfer
  • Appears legitimate
  • From similar address
  • From hacked account
  • Timing
• Pressure emails
  • Further email exchanges with imposter
• Transfer to fraudster’s account
  • Overseas account
  • Money moved again (hard to trace)
• Further requests
  • Often successful
  • Not worried about being caught
“John, our longtime supplier BestCo is having tax re-structuring issues and wants us to make this month’s payment to a different account. Can you please arrange urgently. I’m attaching the remittance instructions.”
Phishing Email
From: Linkedin Security®[email protected]
To:
Subject: Linkedin Security Validation

Hi Account User, Due to a recent upgrade in our database, you are required to validate your account information with us to ensure that you are on our database system. Failure to do this might lead to a brief suspension of your Online access, pending verification. Please CLICK HERE <http://www.totaldisplayfixture.com/Direct/login.html> to start your account verification process. LinkedIn 2016 Support Team
• Emails (or other medium) pretending to be from a genuine source or someone you know, to gain your trust and convince you to do something that benefits the fraudster.
• Spotting phishing:
  • Be suspicious
  • Does the communication make sense?
  • Asks you for confidential and private information like logins or passwords.
  • Asks you to open attachments, click on a hyperlink or visit some websites.
  • Check Message Headers – email meta-data that includes message routing information.
  • Don’t use “Reply” or “Forward” on the email when responding if the email is suspicious.
  • Contact the person – call the person to verify.
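The two header points above (the real address is whatever sits inside “< >”, while the name before it is free text the sender chooses; and headers are worth checking before acting on a payment request) can be turned into a simple mechanical check. The following is an added example, not code from the ONC Lawyers presentation or from the case: it splits a From: header into display name and address, then flags the impersonation patterns the Globenet Droid facts describe (a display name that is itself an address on another domain, a sender domain that is a lookalike of a trusted supplier domain, and a known contact’s name arriving from a domain that contact does not use). The domains, names, headers and the 0.8 similarity threshold are all constructed assumptions for illustration.

```python
# Added example, not part of the ONC Lawyers presentation. It applies two
# slide points mechanically: the real sender address is what sits inside
# "< >" (the name before it is free text chosen by the sender), and message
# headers are worth checking before acting on a payment request. All domains,
# names and headers below are constructed for illustration.
import difflib
import re

# Display name is anything before the final "<...>"; the address is inside it.
FROM_RE = re.compile(r'^\s*(?P<display>.*?)\s*<(?P<addr>[^<>]+)>\s*$')

# Lookalike threshold for difflib similarity (an assumed tuning value).
LOOKALIKE_RATIO = 0.8


def split_from_header(from_header):
    """Return (display_name, address) for a From: header value."""
    m = FROM_RE.match(from_header)
    if m:
        return m.group("display").strip().strip('"'), m.group("addr").strip().lower()
    return "", from_header.strip().lower()  # bare address with no display name


def domain_of(addr):
    """Domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse_from_header(from_header, trusted_domains, known_contacts):
    """Flag the impersonation patterns seen in the case study.

    trusted_domains: set of supplier domains you already deal with.
    known_contacts:  {lower-case display name: domain that person really uses}.
    """
    display, addr = split_from_header(from_header)
    addr_domain = domain_of(addr)
    findings = []

    # 1. Display name that itself looks like an address on a different domain
    #    ("x@supplier <x@lookalike>"): the visible text contradicts the real sender.
    if "@" in display and domain_of(display) != addr_domain:
        findings.append(
            f"display name shows {domain_of(display)} but mail is from {addr_domain}")

    # 2. Sender domain that closely resembles a trusted supplier domain.
    if addr_domain and addr_domain not in trusted_domains:
        for trusted in trusted_domains:
            ratio = difflib.SequenceMatcher(None, addr_domain, trusted).ratio()
            if ratio >= LOOKALIKE_RATIO:
                findings.append(f"{addr_domain} is a lookalike of {trusted}")

    # 3. A known contact's name on a domain that contact does not use.
    expected = known_contacts.get(display.lower())
    if expected and addr_domain != expected:
        findings.append(f"'{display}' normally writes from {expected}, not {addr_domain}")

    return {"display": display, "address": addr, "findings": findings}


# Constructed reference data and sample headers (not from the case).
TRUSTED_DOMAINS = {"cp-example.com"}
KNOWN_CONTACTS = {"nelson zeng": "cp-example.com"}
SAMPLE_HEADERS = [
    "Nelson Zeng <nelson.zeng@cp-example.com>",                  # genuine
    "nelson.zeng@cp-example.com <nelson.zeng@cp-exarnple.com>",  # "rn" for "m" lookalike
    "Nelson Zeng <nelson.zeng@freemail-example.net>",            # known name, wrong domain
]


def triage(headers=SAMPLE_HEADERS):
    """Return a list of (header, findings) pairs; empty findings means nothing flagged."""
    return [(h, analyse_from_header(h, TRUSTED_DOMAINS, KNOWN_CONTACTS)["findings"])
            for h in headers]


if __name__ == "__main__":
    for header, findings in triage():
        verdict = "VERIFY BY PHONE before paying" if findings else "no flags"
        print(f"{header}\n  -> {verdict}")
        for f in findings:
            print(f"     - {f}")
```

A flag from this check is a prompt for the out-of-band step the slides recommend (call the person on a number you already hold), not a verdict on its own; a genuine supplier can change domains, and a fraudster who has taken over the real mailbox produces a header that passes every test here.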
Types of Major Cyber Risks facing HK companies in 2016
• Ransomware
• Business Email Scams/C-Suite Fraud
• Destroying Critical Systems
• Theft of Personal Data and communications (e.g. emails) – misuse and disclosure
• Attack on networking devices
Source: FireEye Cyber Defense Live Hong Kong 2016
Types of Cyber Risks facing companies
Targets
• Financial Services
• Media & Education
• Telecommunications
• Law firms
Risks and Loss
• Financial Loss
• Loss of Intellectual Property (confidential information and trade secrets)
• Money Theft
• Business disruption – loss of trust; loss of business opportunity
• Damage to reputation (repeated citation?)
Risks and Loss
• Exploitation of devices – who is liable?
• Time and costs incurred on dealing with investigations
  • LEAs
  • Regulators – e.g. privacy commission – duty to notify or report the breach?
• Regulatory sanction
• Claims
  • By victims and 3rd parties
  • Liability to counterparty (persisting payment duty; contractual obligations)
• Multiplicity – incidents, areas, jurisdictions
Risks and Loss
• Outside (Technology)
  • Hackers
  • 3rd party and outsourcing
  • Cloud
  • Websites with weak security
• Inside (People & Process)
  • Inadvertence/System Glitch/Human Error – unaware and unrecognized vulnerabilities
  • Rogue/disgruntled employees and insiders
• Outside/Inside
  • BYOD – where is your endpoint?
  • Free Wi-Fi
Cyber Risk Prevention and Protection
• Tech is pervasive and it’s only a matter of time before you are hacked or disrupted in a bad way.
• It’s not just an IT issue – it’s people, process and tech.
• Everyone has a part to play, and humans are the weakest link.
• Difficult to catch the culprits – they are anonymous and out of the jurisdiction, and data and money move at lightning speed.
• What can you do?
  • Raise awareness and training
  • Situational awareness – digital footprint – the Dark Web
  • Where are your jewels?
  • What are your weak points?
  • Risk assessment
  • Legacy systems – updates and upgrades
Cyber Risk Prevention and Protection
• Consider buying cyber insurance (but do not ignore IT security)
• Risks generally covered by a cyber insurance policy:
  • Personal Data Liability
  • Corporate Data Liability
  • Data Security Liability
  • Defense Costs
Cyber Risk Prevention and Protection
• Have a plan
  • Crisis management
  • Resilience
• Test and monitor – does the plan work and are people following policies?
• Vet – staff, service providers, cloud.
• Beware of Free Wi-Fi.
• Record/paper trail – responses, remedies and mitigation.
Response, Resilience, Recourse and Remedies
• Initial Response to Cyber Attack
  • Engage experts if you have not already done so at the prevention stage:
    • Legal – legal advice and legal professional privilege
    • Forensic
    • Public relations
Response, Resilience, Recourse and Remedies
• Initial Response to Cyber Attack
  • Questions that the board should be asking:
    • Was data stolen?
    • How does it impact our business?
    • Who did that?
    • How did they get in?
    • How much access did they have?
    • How do we remove it?
    • How do we prevent it from happening again?
Response, Resilience, Recourse and Remedies
• Investigation
  • The investigation after the initial response serves the following purposes:
    • Gain a fuller understanding of the computer intrusion.
    • Increase the company’s chances of identifying the attacker.
    • Detect previously unknown security vulnerabilities.
    • Identify required improvements to computer systems.
Response, Resilience, Recourse and Remedies
• Law Enforcement
  • Companies should maintain a close connection with various law enforcement representatives to discuss, before an incident occurs:
    • When the company should report the incident to them.
    • How the reporting should be performed.
    • What evidence is needed.
    • How evidence should be collected.
Passwords
• Strong Passwords:
  • Use a combination of lowercase, uppercase, numbers and special characters, 8 characters long or more, like s9%w^8@t$i.
  • Use short passphrases with special characters separating the words; these are difficult for crackers and easily remembered, like cry%like@me (cry like me).
  • Avoid using the same password for different websites.
  • If it is difficult for you to remember different passwords for different websites, then use a password manager application like RoboForm, 1Password or LastPass.
Ransomware
• Advice from the FBI:
  • Implement a robust data backup and recovery plan. Maintain copies of your files, particularly sensitive or proprietary data, in a separate secure location. Backup copies of sensitive data should not be readily accessible from local networks, i.e. store the backup offline.
  • Never open attachments included in unsolicited emails. Be very vigilant about links contained in emails, even if the link appears to be from someone you know. Go to the links DIRECTLY.
  • Keep your anti-virus software up to date.
  • Enable automated patches for your operating system and web browser.
  • Only download software, especially free software, from sites you know and trust.
  • Don’t pay the ransom (HKCERT advice too).
Dominic Wai
Partner of ONC Lawyers
19/F., Three Exchange Square, 8 Connaught Place, Central, Hong Kong.
Tel.: 3906 9649  Fax: 2804 6311  Email: [email protected]