Well, I guess I am somewhat glad it isn’t just the U.S. that is getting hacked by China, Russia, and Al-Qaeda, as well as others. It also doesn’t surprise me at all. But listen to the common theme we are seeing in this case, as well as in several I have seen and written about before regarding U.S. assets. An article in the UK-based paper “The Register” said that of particular concern is the possibility that attackers could gain access to systems that control Britain’s utilities, financial systems, and government and military networks. This is going to be a major component of wars and terrorism in the future. Just watch.
TJX Companies agreed to a $9.75 million settlement at the end of last month for the major data security breach they experienced (which in large part was due to negligence). It looks like it was only a state win and not a consumer win. I say that because, of the $9.75 million, $2.5 million goes to the states that were impacted and $1.75 million goes to cover the states’ legal fees for the investigation. The remaining $5.5 million will cover settlement fees. Unfortunately, the real burden of these breaches falls on the wrong companies and individuals. The issuing banks often get stuck holding the bill, and consumers have to deal with fraud and identity theft. While there is little in the way of monetary loss for consumers, the time, anxiety, stress, and possible repercussions to credit and purchases can be devastating. I think TJX got off really easy on this one.
A laptop was stolen from Cornell University that had the information of 45,000 current and former staff members and their families on its hard disk. Normally I would say that this is a perfect reason why we need to encrypt data on computers, especially mobile computers. With data breach disclosure laws now passed in about 46 states, only 4 of which require you to disclose if the data was encrypted, that alone should be reason enough. However, in this case (and so many like it) the data should simply not have been on this computer in the first place. Do you know where your data is? Do you know why certain data is located on systems such as laptops, thumb drives, and other mobile or portable media? Likely the answer is no. A number of software products are now available that can scour your systems and network looking for sensitive data. Having written policies and procedures for the use and storage of sensitive data is the first step. Finding out where that data is is the second step. Beyond that, you need to do whatever you can to enforce these policies and procedures. Remember, theft accounts for 30% of data breaches, and many of those incidents could have been avoided by storing the data in the proper location and in the proper way (encrypted).
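To make the “find out where the data is” step concrete, here is an added example of the kind of discovery scan those products perform. It is not code from any product named in the post and not from the original post; it is a small scanner I wrote that walks a directory, flags files containing strings shaped like Social Security numbers (filtered by the area/group/serial ranges the SSA never issues) or payment card numbers (filtered by the Luhn check), and reports them masked. The directory and records it scans are constructed inline.

```python
"""Hypothetical sensitive-data discovery scanner (added example, not a product
mentioned in the post). It walks a directory tree and reports files that contain
strings shaped like U.S. Social Security numbers or payment card numbers, so the
data can be moved or encrypted before a laptop goes missing."""
import os
import re
import tempfile

# Candidate SSN: nnn-nn-nnnn. Candidate card number: 13-19 digits, optionally
# grouped by spaces or dashes (the grouping is stripped before the Luhn check).
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check used by
    payment card numbers; this filters out most random digit runs."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issued: area 000, 666 or 900-999,
    group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def mask(value: str) -> str:
    """Keep only the last four characters so the report itself is not a leak."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(text: str) -> list:
    """Return a list of (kind, masked_value) findings for one file's contents."""
    findings = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(("ssn", mask(m.group(0))))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append(("pan", mask(digits)))
    return findings


def scan_directory(root: str) -> dict:
    """Walk root and map each file path that has findings to its findings.
    Undecodable bytes are ignored; unreadable files are skipped."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue
            if hits:
                report[path] = hits
    return report


def demo() -> dict:
    """Build a constructed directory with one file that should be flagged and
    one that should not, scan it, and return findings keyed by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "payroll_export.csv"), "w") as fh:
            # Constructed records; 4111 1111 1111 1111 is a Luhn-valid test number.
            fh.write("Ada,219-09-9999,4111 1111 1111 1111\n")
            # Area 000 is never issued and this card number fails Luhn: not reported.
            fh.write("Bob,000-12-3456,1234 5678 9012 3456\n")
        with open(os.path.join(tmp, "notes.txt"), "w") as fh:
            fh.write("Order 12345 shipped; invoice follows.\n")
        report = scan_directory(tmp)
    return {os.path.basename(p): hits for p, hits in report.items()}


if __name__ == "__main__":
    print(demo())
```

The masking matters in practice: a discovery report that lists full numbers in clear text is itself a new copy of the sensitive data, usually on the laptop of whoever ran the scan.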
I travel more than my fair share, but was never wooed by other travelers into signing up for “Clear,” the approved frequent traveler program that allows travelers to speed their way through long security lines at U.S. airports. I have never felt good about a program like this, especially when a slight convenience can lead to the debacle they are now in. As some of you know, “Clear” went out of business suddenly a few weeks ago. Now the 260,000 customers of Clear are left wondering what will become of the information they provided to the company, including Social Security numbers (SSNs), credit card numbers, driver’s license numbers, iris scans and fingerprints.
We as a society are all too often willing to trust other people or companies with our very identities. While this is scary enough, doing it for the purpose of saving a couple of minutes in line at the airport seems a bit reckless. But I believe that this might be just the first minor step in a much larger program that everyone may be required to participate in. Obama passed the HITECH healthcare law in February of this year that promotes the creation of a national healthcare system. This system will be tied to the identities of participants, which will likely be all Americans, or nearly all Americans. Whether this will turn out good or bad remains to be seen.
The real problem of course is what they do with the data. In a more recent article, Clear said it may sell its sensitive customer data to a similar provider if it’s authorized to do so by the US government.
It just shows that when you turn this type of information over to a provider, you really don’t know where it will end up, or what it might be used for.
Now U.S. legislators want to know what the company plans to do with the information. In a letter dated June 25, 2009, Representative Bennie Thompson (D-Miss.), chairman of the House Homeland Security Committee, expressed concern about the security of the collected data and asked the TSA to describe its plans to secure the data.
A man was recently arrested for allegedly selling client data to a mailing list company for the U.S. equivalent of $3,335. While this wasn’t sensitive data (account numbers, social security numbers, etc.), customers were solicited as a result, ending in more than 15,000 customer complaints.
I have mentioned several times that while the economy is poor, insiders are a major threat to organizations. When a company has a data security breach as a result of an insider, the losses are the worst of any class of breach, greater than hackers, theft, etc. Many say there isn’t much you can do about the insider threat. While a sophisticated and motivated insider would likely always be able to succeed, a company can do a lot to deter desperate employees who still have fear and a conscience from looking to make extra money this way. Good hiring practices, end user security awareness training (creating a culture of security in the company), and other practices can positively impact the security posture of a company.
Read the Bloomberg.com article here – Ex-Mitsubishi UFJ Unit Worker Arrested for Data Theft
While the credit card companies have been pushing to get all companies that accept credit cards for payments compliant with the now well known Payment Card Industry Data Security Standard (PCI-DSS), there is still little enforcement, especially for smaller merchants. Merchants are broken down into 4 categories. Tier 1 merchants are very large, performing more than 6 million transactions each year. Tier 2 merchants perform between 1 and 6 million. Tier 3 merchants perform between 20,000 and 1 million, and lastly Tier 4 merchants do fewer than 20,000. Smaller organizations have been reluctant to implement everything they need to do in order to be PCI compliant due to the time, cost, and expertise required.
For those companies that do business in the state of Nevada, it will soon be required by law to be PCI-DSS compliant. Nevada passed a law that goes into effect January 1, 2010 that will make this mandatory. Of course it was mandatory before, but I believe this will add additional penalties for those that are not compliant. It should also be a strong reminder for those that keep putting this off that PCI compliance is not going away.
While PCI-DSS is not perfect and truly doesn’t go far enough in many aspects of data security, it is a good first step because it requires those that do interact with sensitive consumer and customer data to reach a minimum level of compliance and at least be cognizant of data security. It should be noted, however, that for most companies this isn’t enough. I am somewhat encouraged by Heartland’s response over the past few months to their data security breach (likely the largest in history); they seem to be taking steps to reach an adequate level of security. For example, they are implementing end-to-end encryption, which is not specifically called out by the PCI DSS. While I was not at all impressed with the way in which Heartland announced their breach (“coincidentally” at the same time as Obama’s inauguration), I am glad to see they aren’t taking the same approach now.
Despite the good things that PCI-DSS does, there is a lot of negative feedback regarding the cost and effectiveness of PCI-DSS. As a result, the PCI Council is soliciting feedback to improve the standard. It is true that merchants will have to spend some money to be more secure, but frankly, this is overdue. Merchants do not like spending money on these types of things, especially when the economy is like it is. The bigger problem is that companies and people get it in their minds that if they are compliant, they are secure, and these are very different things. Being PCI compliant does not mean you will not be hacked. Just ask all the companies that have had breaches in the last couple of years even though they were PCI compliant, including Hannaford and Heartland.
I read an interesting article recently about how researchers have “essentially” broken the code for Social Security number distribution. I say essentially because it isn’t perfect, which the Social Security Administration was quick to point out. This is what happened. You can now search for deceased persons online and get their Social Security numbers. What the group did was take a list of these individuals, ordered sequentially within specific states, and then, using computer algorithms, figure out the basic method the government uses to assign SSNs. It wasn’t a perfect science, but it had quite remarkable results. The accuracy largely depended on the population of the state you were born in (or got your SSN in). Obviously, the smaller the population, the easier it was to accurately guess. What this means is that if someone learns where you were born and what your birth date is, it wouldn’t be very difficult to figure out your Social Security number. Social Security numbers are of high value (in conjunction with other information like name, address, birthday, etc.) to criminals performing fraud and identity theft. This could make it quite a bit easier for criminals to gain this usually (more) elusive piece of information. The Social Security Administration said that they are currently working on a process that will randomly select SSNs rather than systematically assigning them. Of course they didn’t mention that all the SSNs that have been assigned systematically over the past decades will always be subject to this method of discovery.
Beware: with fraud and identity theft at all-time highs, something like this (if it gets into the hands of criminals) can make them grow at an even faster pace. Check your credit often, as this type of data would most often be used to create new accounts.
Banks are closing at a very fast pace. Still a lot of fall-out to come. Cyber criminals are taking advantage of this in a variety of ways. Creating phishing emails and pharming redirections are just the beginning. It isn’t difficult to create targeted attacks towards the customers of a bank that has recently gone under. These lures can be very effective in routing these unsuspecting end users to false websites where their information can be captured.
To put it into perspective, here is what the history of bank closings has been:
2009 – 43 closed banks
2008 – 24 closed banks
2007 – 3 closed banks
2006 – 0 closed banks
2005 – 0 closed banks
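The lure described above works because the victim sees the name of a bank they already trust in a link. As an added example, not from the original post, here is a small mail-filter style check I wrote that pulls the links out of a message and classifies each one against the bank’s real domain: a subdomain of the real domain is legitimate, a host that merely embeds the bank’s name or sits within two edits of it is a lookalike, and everything else is unrelated. The bank domain (examplebank.com) and the message are constructed; a production filter would use the Public Suffix List rather than the naive two-label rule used here.

```python
"""Added example (not from the original post): classify links in a message
against a bank's legitimate domain to surface lookalike hosts. The bank domain
and the sample message are constructed."""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches typo-squats such as one swapped or doubled letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels. Adequate for .com/.org
    style names; a real filter would consult the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_host(host: str, legit_domains) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for one link host."""
    host = host.lower()
    domains = [d.lower() for d in legit_domains]
    # Exact domain or a real subdomain of it (online.examplebank.com).
    for domain in domains:
        if host == domain or host.endswith("." + domain):
            return "legitimate"
    reg = registrable(host)
    for domain in domains:
        brand = domain.split(".")[0]
        if brand in host.split("."):          # examplebank.com.secure-login.example
            return "lookalike"
        if brand in reg.split(".")[0]:        # examplebank-verify.net
            return "lookalike"
        if levenshtein(reg, domain) <= 2:     # exannplebank.com
            return "lookalike"
    return "unrelated"


def flag_lures(message: str, legit_domains) -> list:
    """Return [(url, verdict)] for every link that is not on a legitimate domain."""
    results = []
    for url in URL_RE.findall(message):
        host = urlparse(url).hostname or ""
        verdict = classify_host(host, legit_domains)
        if verdict != "legitimate":
            results.append((url, verdict))
    return results


# Constructed message in the style of a "your bank was acquired" lure.
SAMPLE_MESSAGE = """Subject: Important notice about your ExampleBank account
Dear customer, ExampleBank has been acquired. Verify your account within 24 hours:
http://examplebank.com.secure-login.example/verify
Trouble? Use https://exannplebank.com/login instead.
Official statement: https://online.examplebank.com/notice
Press coverage: https://news.example.org/story/1234
"""

LEGIT_DOMAINS = ["examplebank.com"]


def demo() -> list:
    return flag_lures(SAMPLE_MESSAGE, LEGIT_DOMAINS)


if __name__ == "__main__":
    for url, verdict in demo():
        print(f"{verdict:10s} {url}")
```

The point of the “unrelated” verdict is that a notice about a failed bank will legitimately link to regulators and press; only the hosts that borrow the bank’s name deserve to be blocked or rewritten, the rest are just context for a human reviewer.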
Mercury was used to make hats years ago. Of course mercury is a heavy metal that can cause major psychological, neurological, and other problems if exposure occurs. This is why these individuals were often called “Mad Hatters”: the materials they used would literally drive them mad. The way Twitter has built its application and service used (metaphorically speaking) a whole lot of mercury. They must have been crazy to build it the way they did, allowing no limit to the number of security exploits that can be run.
The issue is this: they didn’t think through the security when initially developing the service (which is common for new services, especially when no one had any idea how popular the service might become). Then, on top of that, due to its popularity, third-party apps, sites, and organizations are layering their services on top of Twitter, so Twitter has difficulty making any large-scale changes without breaking a lot of its users. Then, when making a rash move toward enhanced security using Open Source such as OAuth, they found it susceptible to certain types of attacks and had to abandon it. As a result, many, many different types of exploits are being run from a myriad of vantage points. Hackers are exploiting third-party apps that link to Twitter. Hackers are exploiting the way Twitter validates users and mobile phones to spoof messages. Hackers are compromising celebrity and popular accounts to send false messages. Cross-site scripting and other more “traditional” hacking methods are being used to exploit the service, and so on.
This reminds me of the late ’90s and earlier this decade, when hackers would compromise websites. Once compromised, they would change the homepage to a political message, a hate message, or maybe just a picture of themselves, and let you know just how stupid you are and how easily they can disrupt your life. You don’t see those things any more, although website compromise has never been more prevalent. The change is that hackers learned they could make money. If they have that level of access to a website, there is a lot they can do. As time goes on, these attacks on Twitter will become more serious. This has somewhat already started. One of the most popular things a hacker can or will do after compromising an account is to post a message with a link. The message is designed to grab the reader’s attention and then give them a link where they can learn more. These links often go to malicious software sites where the user’s computer or laptop can be completely compromised with a Trojan horse or other malware. This can give hackers access and control, essentially giving them more rights, privileges, and access to your system than you have. Yes, they can remotely control the system, capture anything you type or look at, turn on your video camera and microphone, or anything else they want to do. Honestly, I think we are only at the beginning of problems with Twitter. They need to do a ground-up rebuild of their entire security infrastructure. Of course the problem is that this would cause major disruption in the service, which they do not want, and probably won’t do. Hence, if you use Twitter, plan to be hacked.
A few more details have been uncovered about the Golden Cash bot, which can be leased by individuals for $5 to $100 per 1,000 compromised PCs. Once under your control, you can use it to steal data, send SPAM, or for any number of other nefarious purposes.
They call it Golden Cash because it is “Your money-making machine”. Customers pay for the ability to install different types of malware on the Golden Cash bots, which are recycled for new jobs and new customers afterward. Prices are higher for compromised PCs in western countries. In the examples given, 1,000 bots in Australia go for $100, but 1,000 bots in Vietnam go for a mere $5.
There was a good breakdown of the most common way you can be infected: “a cyber criminal creates a botnet by hiding malicious code in a legitimate Web site that is used to turn Web surfing PCs into zombies. The code, typically an iFrame, points the PCs to a separate Web site where they are then infected with a Trojan backdoor that reports back to the Golden Cash command and control server. Then the Golden Cash server installs an FTP (file transfer protocol) grabber on new zombies to steal credentials used by the computers to run Web sites, giving the server control over additional legitimate Web sites. Approximately 100,000 domains, including corporate domains from around the world, were identified among the stolen FTP credentials under Golden Cash’s control.” 100,000 domains is a whole lot of compromised websites. Think how many hundreds, thousands, and millions of users hit these various websites daily. For those interested, the Trojan name is “Trojan-Spy.Win32.Agent.amdz”.
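The first link in that chain is the injected iFrame on a legitimate site, which is also the one a site owner can check for directly. As an added example (not from the original post or from the research it quotes), here is a small defensive check I wrote that parses a page the owner controls and reports iframes a visitor would never see: 0 or 1 pixel dimensions, `display:none` / `visibility:hidden`, or off-screen positioning. A visible cross-origin embed is left alone because those are normal; cross-origin is only noted as extra context on frames that are already hidden. The pages and hosts are constructed.

```python
"""Added example: report <iframe> elements on a page that are hidden from the
visitor, the usual shape of an injected malware redirector. Standard library
only; the sample pages and host names below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles that hide an element or push it off-screen.
HIDDEN_STYLE_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d")


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag, wherever it
    appears (injections are often appended after </html>)."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)


def _tiny(value: str) -> bool:
    """True for a width/height attribute of 0 or 1, with or without 'px'."""
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value)
    return bool(m) and int(m.group(1)) <= 1


def suspicious_iframes(html_text: str, page_host: str) -> list:
    """Return [(src, reasons)] for iframes hidden from the visitor.
    page_host is the host the page is served from; a hidden frame that also
    loads from another host gets 'cross-origin' added to its reasons."""
    collector = IframeCollector()
    collector.feed(html_text)
    findings = []
    for attrs in collector.iframes:
        reasons = []
        if _tiny(attrs.get("width", "")) or _tiny(attrs.get("height", "")):
            reasons.append("tiny")
        if HIDDEN_STYLE_RE.search(attrs.get("style", "").lower()):
            reasons.append("hidden-style")
        if not reasons:
            continue  # visible frame: embeds of videos, maps, etc. are normal
        src = attrs.get("src", "")
        src_host = urlparse(src).hostname or ""
        if src_host and src_host.lower() != page_host.lower():
            reasons.append("cross-origin")
        findings.append((src, tuple(reasons)))
    return findings


# Constructed pages: a clean page with one ordinary video embed, and the same
# page with two hidden frames appended the way an FTP-credential-based
# defacement tool would append them.
CLEAN_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="https://video.example.net/embed/42" width="560" height="315"></iframe>
</body></html>"""

INJECTED_PAGE = CLEAN_PAGE + """
<iframe src="http://malware.example/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="//malware.example/c.php" style="position:absolute; left:-9999px"></iframe>"""


def demo() -> list:
    return suspicious_iframes(INJECTED_PAGE, "www.example.com")


if __name__ == "__main__":
    for src, reasons in demo():
        print(", ".join(reasons), "->", src)
```

Running this over a site’s own files on a schedule, and alerting on any new finding, gives an owner a chance to notice the injection before visitors do; the stolen FTP credentials that put it there still need to be rotated, but the page check is what tells you that they were used.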