Monday, August 22, 2016

Ban the box update

We reviewed the Ban the Box movement in this blog in 2013 (Should the box be banned?) as the movement was really starting to grow. Its purpose is to prevent hiring discrimination, but now a recent study is claiming that banning the box may be causing racial discrimination.

What is “Ban the Box”?
For the last several years there has been a movement to remove from employment applications the “box” that asks, “Have you ever been convicted of a crime?”, along with any other inquiry about criminal history. The campaign, which has become known as “ban the box”, holds that an applicant’s criminal history should not be considered at the time an application is submitted, but rather later in the interview process. Its position is that asking this question on the application reduces the chances that those with criminal records will be employed. Employers should meet applicants first, get to know them, give them a chance to explain themselves, and only then get to the criminal history. The Equal Employment Opportunity Commission (EEOC) has updated its policies, issuing guidelines in 2012 suggesting that employers wait until after a personal interview before making inquiries about criminal history.

In January 2014, fifty-six cities had “banned the box”. As of June 2016, that list included over 100 cities and counties, and twenty-four states (nine of which have laws that include public employees).

Current State List (As compiled by the National Employment Law Project)

California
Colorado
Connecticut*
Delaware
Georgia
Hawaii*
Illinois*
Louisiana
Maryland
Massachusetts*
Minnesota*
Missouri
Nebraska
New Jersey*
New Mexico
New York
Ohio
Oklahoma
Oregon*
Rhode Island*
Tennessee
Vermont*
Virginia
Wisconsin

*States with laws that cover private employees

New findings
The Ban the Box movement is not saying to ignore criminal history during the hiring process; rather, it asks employers to meet the applicant, conduct a personal interview, and allow them to explain themselves, again to reduce the chances of discrimination based solely on criminal records.

Researchers from Princeton University and the University of Michigan have concluded that jurisdictions with Ban the Box laws saw an increase in racial discrimination. The researchers conducted the study by sending out job applications to employers in New York and New Jersey before and after those jurisdictions enacted their laws. The applications were identical except that one applicant was black and the other white. They concluded that the Ban the Box laws did make it easier for those with criminal records to be hired, but the jobs were more often given to the white applicants.

A spokesperson for the National Employment Law Project hasn’t accepted the study’s conclusion as yet, saying that the study was conducted too soon after the laws were passed.

Maryland Ban the Box
Maryland’s law took effect October 1, 2013, and applies only to State of Maryland employment applications. State government cannot ask about the criminal record or criminal history of an applicant until the applicant has been provided an opportunity for an interview. Exempt from the law are positions in the Department of Public Safety and Correctional Services. Baltimore passed a similar law in 2014, restricting employers with 10 or more workers from asking a candidate about criminal records until after a conditional employment offer is made.


Monday, August 8, 2016

If you ever want to see your files again…

One computer in the office displays a warning that it is being held for ransom; “Provide 500 bitcoins to unlock the system” is the message emblazoned on the screen. Any computer that requested data from the original would fall prey to the malware, which is now spreading through the office. The IT department has already been notified and the tech is running through the office unplugging data cables, trying to isolate the attack. No, this isn’t a mega corporation. It is an accounting firm with fewer than 100 employees.

An automotive service center with fewer than 20 employees had a similar experience. The office manager starts the computers for the day and sees a message that her computer has been locked: pay up if you want the decryption key. An ordinary Joe is surfing the net when a warning appears on his monitor that all of his photographs have been encrypted. If he ever wants access again, he’ll need to pay $1,200.

Ransomware has been in the news lately. More than likely you’ve heard the stories of hospitals, police departments, or large corporations having their computers locked and being given a price to pay to have them set free, or, in the more common terminology, held for ransom. But cybercriminals are not just targeting institutions or corporations. As security features improve, the criminals move on to more vulnerable prey. Any size business or any person can fall victim. Yes, the bigger fish will offer a more lucrative payday, but stack enough pennies and eventually you will have a dollar.

Definition and history

Ransomware is a type of malware that infects a computer or network, preventing users from accessing the system until a ransom is paid for the decryption key. There are two kinds. The first, called a “locker”, locks the user’s computer. The second and more sophisticated, called a cryptovirus, targets specific files (photos, personal, financial) and encrypts them until a ransom is paid. Ransom payment is usually requested in the electronic currency Bitcoin (one Bitcoin converts to roughly $575 U.S. dollars). Symantec estimates that over 60% of the malware detected is of the cryptovirus variety and that the average ransom paid in the U.S. is $300.

The Symantec white paper, Evolution of Ransomware, August 2015, gives this chronology of ransomware appearances: The first ransomware appeared in 1989 but wasn’t very effective, due in large part to the lack of the Internet. Crypto ransomware came on the scene in 2005. As each version was detected and defended against, the writers would learn from their mistakes and rewrite the code to make the malware more resistant to computer security features. In 2008, the criminals began secreting the malware in the form of fake antivirus programs. The programs would appear to scan and identify problems and then ask the user for up to $100 to fix the fake problems. In 2011, cybercriminals moved away from the fake antivirus attacks and began completely disabling the victim’s computers. Criminals then stopped mimicking antivirus problems and jumped to directly locking the computer using a law enforcement warning style of hoax. This was so effective that law enforcement themed ransomware became quite popular between 2012 and 2014.

Like most malware, ransomware is delivered via an attachment to an email: the user clicks on the legitimate-looking file and the malicious code is delivered. However, as users became savvier about suspicious emails and attachments, malware developers learned to hide their code in websites, either on bogus sites set up for the purpose of delivering malware or within legitimate sites. Once the malware infects a computer it begins encrypting files. If the infected computer is attached to a network, the malware spreads as that computer interacts with the network.

On the FBI website, FBI Cyber Division Assistant Director James Trainor writes, “These criminals have evolved over time and now bypass the need for an individual to click on a link. They do this by seeding legitimate websites with malicious code, taking advantage of unpatched software on end-user computers.”

Who is vulnerable?

Institutions, government agencies, businesses big or small, even personal computers can be targeted or infected. Some attacks are targeted and some are just malware creators phishing for victims; for most small businesses and individuals it is the latter. Anyone or any business can be victimized. As with identity fraud, it is not a matter of if but when. The world is so electronically social that malware gets passed around like a rhinovirus. Eventually, someone close to you, or you yourself, will be victimized.

Smaller businesses and individuals are more susceptible due to a lack of computer knowledge and of access to technical support. They also lack an effective backup system. Files being held for ransom, or the threat of a fake criminal charge, coupled with the lack of technical support, make personal computer users more likely to pay.

The FBI’s Internet Crime Complaint Center (IC3) reports that while companies and organizations are the primary targets, it continues to receive reports from individuals. According to reports to the IC3, most individuals are told that their personal/financial information or photos will be publicly released if a bitcoin ransom is not paid within a certain timeframe. Ransom amounts range from $250 to $1,200.

For businesses and individuals alike, one of the main defenses is education. Know what the dangers are and be prepared. Businesses need to educate their employees on the tactics of cyber criminals and how to react if they feel they have been victimized. After providing education and training, some companies will send their own “suspicious” emails to employees. The emails will look legitimate enough, under the guise of signing up for training or providing personal information for system updates. However, each email will have the telltale signs of phishing that were thoroughly explained to employees. The IT department will monitor how many fall for the trick and how many report it, and then provide further training and education to the employees.

The FBI confirms that ransomware has been around for several years. But there was an increase in 2015 with incidents still on the rise in 2016 due to lack of preparedness and protection. The FBI doesn’t support paying a ransom. Cyber Division Assistant Director James Trainor said, “Paying a ransom doesn’t guarantee an organization that it will get its data back—we’ve seen cases where organizations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”

What the FBI does recommend is prevention and a business continuity plan. The FBI website offers the below tips for businesses and individuals when dealing with a ransomware threat:

Prevention Efforts
  • Make sure employees are aware of ransomware and of their critical roles in protecting the organization’s data.
  • Patch operating system, software, and firmware on digital devices (which may be made easier through a centralized patch management system).
  • Ensure antivirus and anti-malware solutions are set to automatically update and conduct regular scans.
  • Manage the use of privileged accounts—no users should be assigned administrative access unless absolutely needed, and only use administrator accounts when necessary.
  • Configure access controls, including file, directory, and network share permissions, appropriately. If users only need to read specific information, they don’t need write access to those files or directories.
  • Disable macro scripts from office files transmitted over e-mail.
  • Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations (e.g., temporary folders supporting popular Internet browsers, compression/decompression programs).

Business Continuity Efforts
  • Back up data regularly and verify the integrity of those backups regularly.
  • Secure your backups. Make sure they aren’t connected to the computers and networks they are backing up.
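The integrity check the continuity list calls for can be a hash manifest built from a known-good backup and compared against it later. The block below is an added example, not from the original post or from the FBI tips; the file names, contents and ransom-note name are constructed.

```python
"""Added example: SHA-256 manifest check for a backup set. Files a cryptovirus
has overwritten, renamed or added show up as changed, missing or unexpected."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the current tree with a saved manifest; any non-empty list is a finding."""
    current = build_manifest(root)
    return {
        "changed": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: manifest a clean backup, then simulate a cryptovirus
    encrypting one file, renaming another and dropping a ransom note."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ledger.xlsx").write_bytes(b"constructed sample spreadsheet")
        (root / "photos").mkdir()
        (root / "photos" / "family.jpg").write_bytes(b"constructed sample image")
        # Serialize the manifest as you would when storing it off the backup host;
        # a manifest kept beside the backup can be encrypted along with it.
        saved = json.dumps(build_manifest(root))
        # Simulated infection (constructed): contents replaced, file renamed, note added.
        (root / "ledger.xlsx").write_bytes(b"\x8f\x1a\x00constructed ciphertext")
        (root / "photos" / "family.jpg").rename(root / "photos" / "family.jpg.locked")
        (root / "README_DECRYPT.txt").write_bytes(b"constructed ransom note")
        return verify_backup(root, json.loads(saved))
```

Run the manifest build on each fresh backup and the verification before relying on that backup for a restore; an unexpected file or a changed digest means the copy is not the one you think it is.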

At the very least, educate your employees and have a conversation with whoever manages your computer system. At home, resist the urge to fall for “click bait” and pay attention to where you’re surfing. As for your smartphone? Don’t be lulled into a false sense of security. Your phone is a connected device. Someone, somewhere is figuring out a way to get in.
