Tag Archives: hackers

How Safe Is Your Data — Really?

The number and the potential severity of cyber breaches is increasing. A recent PwC survey found that nearly 90% of large organizations suffered a cyber security breach in 2015, up from 81% in 2014. And the average cost of these breaches more than doubled year-on-year. With more connected devices than ever before—and a total expected to reach 50 billion by 2020 —there are more potential targets for attackers, and there is more potential for accidental breaches.

What’s more, as of late 2015, companies are, for the first time, listing their information assets as nearly as valuable as their physical assets, according to the 2015 Ponemon Global Cyber Impact Report survey, sponsored by Aon.

So, how do you keep your organization’s data—and that of your clients and customers—safe?

It’s not just a matter of investing in better technology and more robust systems, according to Aon cyber insurance expert Stephanie Snyder Tomlinson, who says, “A lot of companies find that the weakest link is their employees. You need to train employees to make sure that if they get a phishing email, they’re not going to click on the link; that they don’t have a Post-It note right next to their monitor with all of their passwords on it. It’s the human error factor that companies really need to take a good hard look at.”

From intern to CEO: Simple steps everyone can take

It’s easy for individuals to become complacent about data security, says Aon’s global chief privacy officer, Brad Bryant. But, with cyber threats increasing, it’s more important than ever to be aware of seemingly innocent individual actions that can potentially lead to serious cost and reputational consequences for your organization.

According to Bryant, there are four key things that everyone can do to help protect themselves and their organizations from the rising cyber threat:

  • Be alert to impersonators. Hackers are becoming increasingly sophisticated at tricking people into giving away sensitive information, from phishing to social engineering fraud. You need to be more vigilant than ever when transmitting information. Are you certain they are who they say they are?
  • Don’t overshare. If you give out details about your personal life, hackers may be able to use them to build a profile to access your or your company’s information. From birthdays to addresses, small details build up.
  • Safely dispose of personal information. A surprising amount of information can be retained by devices, even after wiping hard drives or performing factory resets. To be certain that your information is destroyed, you may need to seek expert advice or device-specific instructions.
  • Encrypt your data. Keeping your software up to date and password-protecting your devices may not be enough to stop hackers, should your devices fall into the wrong hands. The more security, the better, and, with the growing threat, encryption should be regarded as essential.

Key approaches for organizations to better protect data

To protect your, your customers’ and your and clients’ information, investing in better cyber security is one element. But data breaches don’t just happen through hacks, or even employee errors. At least 35% of cyber breaches happen because of system or business process failures, so it’s vital to get the basics right.

Prevention is key, says Tom Fitzgerald, CEO of Aon Risk Solutions’ U.S. retail operations. There are four key strategies he recommends all organizations pursue to limit the risk and make sure they’re getting the basics right:

  • Build awareness. Educate employees on what social engineering fraud is, especially those in your financial department. Remind employees to be careful about what they post on social media and to be discreet at all times with respect to business-related information.
  • Be cautious. Always verify the authenticity of requests for changes in money-related instructions, and double-check with the client or customer. Do not click on random hyperlinks without confirming their origin and destination.
  • Be organized. Develop a list of pre-approved vendors and ensure employees are aware. Review and customize crime insurance—when it comes to coverage or denial, the devil is in the details.
  • Develop a system. Institute a password procedure to verify the authenticity of any wire transfer requests, and always verify the validity of an incoming email or phone call from a purported senior officer. Consider sending sample phishing emails to employees to test their awareness and measure improvements over time.

Much of this advice is not new, but the scale of the threat is increasing, making following this advice more important than ever. Fitzgerald warns, “Social engineering fraud is one of the greatest security threats companies can encounter today. … This is when hackers trick an employee into breaking an organization’s normal digital and physical security procedures to access money or sensitive information. It can take many forms, from phishing for passwords with deceptive emails or websites, to impersonating an IT engineer, to baiting with a USB drive.”

How governments are driving data protection

The potential consequences of inadequate data security are becoming more serious, and courts and regulators are focusing on this issue globally.

The European Union is considering a Data Protection Directive to replace previous regulations implemented in 1995. The expected result will be a measure that focuses on the protection of customers data. Similarly, an October 2015 ruling by the European Court of Justice highlighted the transfer of customer data between the E.U. and U.S.

Bryant warns: “Regardless of where a company is located, the provision of services to E.U. customers and the collection or mere receipt of personal data from European citizens may potentially subject companies to E.U. jurisdiction. … Failure to comply could present unprecedented risk for companies, including fines of up to 4% of a company’s total global income.”

Changing E.U. rules aren’t the only thing that could affect your business. Internet jurisdictions and organizational operations are increasingly becoming cross-border. This global patchwork of Internet rules and regulations is why only 24% of cyber and enterprise risk professionals are fully aware of the possible consequences of a data breach or security exploit in countries outside their home base of operations.

Why getting the basics right is critical

As the Internet of Things continues to grow, the number and range of potential targets for cyber attack is only going to increase. While eliminating all cyber risk may be impossible, getting the basics right is becoming more important than ever.

Bryant says, “Given the large scope and impact of the various changes in data protection law—coupled with the drastic increase in fines—becoming educated on how to protect our data is more business-critical now than ever before.”

Data Breach Law Could Hurt Consumers

With each passing brand name mega-breach—Home Depot, Target, JPMorgan Chase, Anthem—it becomes ever more urgent for government and industry to get on the same page about how to protect consumers.

Sadly, not all laws are created equal, and there are few better examples of this homespun truth than a would-be federal law currently wending its way through Congress. The Data Security and Breach Notification Act of 2015, in its current form, has a long way to go before it should become the law of the land.

The Data Security and Breach Notification Act of 2015 says it “aims to tackle the nation’s growing data security threats and challenges.” So far, that sounds pretty good to me. The bill was written by Energy and Commerce Committee Vice Chairman Marsha Blackburn (R-TN) and Rep. Peter Welch (D-VT), making it a bipartisan effort. The goal: to implement “a comprehensive plan to help safeguard sensitive consumer information and shield Americans from the harmful consequences of cyber attacks.”

I’ve written elsewhere about the need for a federal breach notification law, so in theory I’m on board. A strong federal law that requires businesses and government entities to inform people that their personal information has been compromised in a data breach can absolutely be a good thing…if it’s done right.

The problem with this proposal is that there are far more effective laws already on the books in several states, and they could be preempted were the bill to pass. If that weren’t bad enough, the proposed bill could also supersede stronger rules already put in play by the FCC with regard to telephone, broadband Internet, cable and satellite user information.

The undermining of better laws is bad, but worse is the way the Data Security and Breach Notification Act of 2015 underscores a continuing failure of our leaders to fully understand the nature of the problems we face in the mare’s nest that is consumer privacy and data security. In a widely publicized survey conducted by the Pew Research Center, “91% of adults in the survey ‘agree’ or ‘strongly agree’ that consumers have lost control over how personal information is collected and used by companies.” Data breaches, and the identity theft that flows from them, have become the third certainty in life. We need a strong federal law, but as I argued in my op-ed about the Data Breach Disclosure Box, any proposed bill that threatens to weaken existing laws has to be challenged, quickly and without equivocation.

Why It’s an Issue

Senior Policy Counsel at New America’s Open Technology Institute Laura Moy eloquently outlined the problems this bill could create in her testimony before the House of Representatives.

In a wide-ranging discussion of the major concerns raised by the bill, Moy pointed out some of the laws that could be preempted. One was California’s Song-Beverly Credit Card Act, which made it illegal to record a credit card holder’s personal identification information during a transaction. Another law in Connecticut outlawing the public posting of any individual’s Social Security number was also named. Both state laws represent solid advances in the realm of data security, and both might be preempted were the bill moving through Congress to succeed.

And here’s the really bad news: they would be two of the less alarming casualties.

The problem with the bill hinges on the way that it tries to separate privacy from data security, but they are inextricably intertwined. This could weaken or even eliminate protections for the many kinds of information – like your email address, for one — that fall outside the bill’s narrow definition of the personal data that is covered. That’s why this matters so much.

As Moy argued during her testimony, “Many laws that protect consumers’ personal information [can] be thought of simultaneously in terms of both privacy and security.” I will go one step further and say that I do not believe it is possible to discuss data security until we have a worst-case scenario definition of what constitutes personally identifiable information in the eyes of an identity thief.

To give an example of the kinds of preemption that are possible here, Florida’s privacy law includes email and a consumer’s username-password combination in its definition of personal information, the logic being that consumers use the same combination for many different login pages, including financial accounts. Eight other states currently mandate the same standard—California, Missouri, New Hampshire, North Dakota, Texas, Virginia and, as of July 1, Hawaii and Wyoming. Under the currently proposed bill, a business would not have to notify you if your email and username-password combination were involved in a breach. Meanwhile, the above kinds of information continue to be highly exploitable data points in an identity thief’s toolkit.

In addition to the exemption of breaches that “only” include email addresses or user login details, the bill is unclear about personal information related to telecommunications, cable and satellite customers, which hinge on a trigger of “authorized access,” and Moy believes it may supersede important protections created by the Communications Act. Most alarming is the prospect of less robust notifications regarding compromised customer proprietary network information (CPNI) – that includes texts, phone calls, every location where you were when you made this or that phone call, your location when you didn’t make a phone call and the location of all your network-connected devices. All this information could be breached, and this proposed law in Congress says you don’t need to know about it. The same goes for what you watch on television, including any items you may have purchased on pay-per-view. All of it could, hypothetically, be out there open to public perusal. Every site you ever visited on line. Every call. Every text.

And what about your protected health information (PHI)? Critics note the bill doesn’t mention it, which at first blush seems like a four-alarm-fire level of non-comprehension. However, whether the product of partisan warfare or common sense, it’s actually a bit of good news. Because it has been entirely carved out here, most forms of PHI actually would still be covered by the notification requirements of the HIPPA/HITECH Act — with a few notable preemptions of existing state law affecting over-the-counter purchases and other health-related items.

Defining Harm

According to the narrow logic of the proposed legislation, a breach of any of the above information will not result in financial damage, which is the reason it isn’t covered. It’s a position easily brushed aside with one mind-blowing word of refutation: extortion. Scam artists have countless tricks up their sleeves, and the onus to anticipate the adaptive nature of crime falls on legislators. A single text or rented video could potentially ruin a person’s life, and fraudsters know that. If the wrong person has access to the above data points—and any of those bytes contain information that might harm you professionally or personally—they most certainly could be used against you for financial gain.

A recent Science study showed that with just a few data points (Instagram posts and tweets) it was possible to re-identify anonymized data about credit card purchases with the unique consumer who made them. While it may seem off the beaten path, the proposed bill, with its narrow definition of what should be covered, would not cover a glitch in Instagram’s code that revealed protected accounts to the public. For the end user unaware that their private posts were viewable, and that those posts could be used to re-identify data that is publicly available, the above hypothetical scenario featuring a “financially harmless” compromise (that revealed every purchase made on an individual’s credit card) could be a life changer—and not for the better.

What we really need in the federal government is someone in a position of authority with the expertise and knowledge to make sure anyone exposed in a breach knows about it, and is informed about the potential fallout as far as current intel permits as quickly as possible. Call this person a Breach Tzar, if you will. Since data-related crimes are often quite ingenious, isn’t it best to err on the side of caution? The fact is that any federal law aimed at protecting consumers from the danger of identity-related crime needs to be best-in-class, and far better than all the existing state laws combined, and, while it should go without saying, it must not supersede stronger existing protections afforded by non-state agencies.

There is still a yawning gulf between what’s been done so far and what needs to happen in the realm of cyber legislation. The protections we deserve are a work in progress, one that the entire constellation of consumer advocates and data-security experts must solve in concert. In the same way that data-related crimes are constantly evolving, we need to get into the habit of responding to the very biggest picture we can imagine.

Data Security Critical as IoT Multiplies

When this century commenced, delivering new technology as quickly as possible, with scant concerns about quality, became standard practice. Consumers snookered into buying version 1.0 of anything were essentially quality-control testers.

How soon we forget. As we enter the age of the Internet of Things, companies are pushing out computing devices optimized to connect to the Web with little thought to security implications.

Free IDT911 white paper: Breach, Privacy, And Cyber Coverages: Fact And Fiction

ESET security researcher Cameron Camp has been paying close attention to data security. He recently sat down with ThirdCertainty to share his observations (answers edited for clarity and length):

3C: New devices with the capacity to link to the Internet seem to hit the market every day, and eager early adopters snatch them up. Why should they slow down?

Camp: Companies are going to live and die on whether they get to market fast. I think security tends to be an afterthought, and I’m concerned that some of the manufacturers don’t really have a solid way forward right now.

3C: That sounds ominous. What can and should we be doing?

Camp: We have to think about security in new ways. We have to secure the person, the experience and the data in rest and in motion at all times, and that’s not going to be done with a PC attitude toward security.

We don’t understand how to protect that data at all times and on a multitude of platforms. If you’re working on machines at home, and a lot of them are connected, and you have a breach on one, you have a breach on lots of them. All hackers need is a toehold into your system.

3C: What if someone doesn’t buy every new gizmo that comes along? Are they safe?

Camp: Hackers are finding interesting and novel ways to break into all kinds of things. Routers are one of the first things that really need security to be dealt with, because everyone has one. If your router is one to three years old, it is a gateway to get into everything you own.

3C: Why don’t routers get patched like PCs?

Camp: The manufacturer will be notified that these things are wide open to attacks, and they don’t seem to want to do anything; they’re more interested in the next product cycle. People replace a router when it dies after five years. In the meantime, if four of those years they’re vulnerable, we have a big problem.

Manufacturers have to keep the revenue up; they don’t do that by supporting their routers forever, especially low-cost routers. In the Internet of Things, if you have many sensors around the house, and you raise the cost of those sensors by $1, it makes your system cost too much. Nobody’s going to buy it, and you’re going to be out of business.

3C: Everyone is worried about their routers now; anything else consumers need to be concerned about?

Camp: The people who are good at breaking into Internet of Things devices may not be good at exploiting them, but they are good at entry, and they’re going to sell that to the highest bidder.

Many of these devices run a full Linux operating system; that means they are a server. You can load things on them and exfiltrate data, because Linux was always built to be networked; it was built to be in a server environment.

3C: Is there some good news on the horizon?

Camp: I think there’s going to be a standardization around operating system ecosystems. We’re going to see default operating systems used on the Internet of Things so a manufacturer can focus on their own sensor, their own technology, and just drop in a secure operating system. Right now, there’s many different permutations. In five years, we’re not going to see that, we’re going to see just a few that everyone uses, so if there’s a security issue, people will understand more how to patch them.

‘Safer’ Credit Cards Already Vulnerable

A recent Gallup survey found that 69% of Americans worry “frequently” or “occasionally” about having a credit card compromised by computer hackers. It’s not shocking. Consumers are becoming more educated on the topic, and financial institutions are beginning to do more to combat fraud, including introducing new types of credit cards. One example of the latter is chip-and-PIN technology, which everyone from consumers to the president has hailed for its ability to help prevent fraud. But is it the panacea that it’s been made out to be?

Let’s take a closer look at exactly what this technology entails. Unlike cards that use a magnetic stripe containing a user’s account information, chip cards implement an embedded microprocessor that contains the cardholder’s information in a way that renders it invisible even if hackers grab payment data while it is in transit between merchants and banks. The technology also generates unique information that is difficult to fake. There is a cryptogram that allows banks to see if the data flow has been modified and a counter that registers each sequential time the card is used (sort of like the numbers on a check), so that a would-be fraudster would have to guess the exact historical and dynamic transaction number for a charge to be approved.

Already used in every other G20 country as a more secure payment method, chip-and-PIN cards can be found on the consumer side of a global payment system known as EMV (short for Europay, MasterCard and Visa). The system will be rolled out in the U.S. in 2015, and many of us in the banking and data-security industries believe that it will stanch the flow of money lost to hackers while simultaneously cutting down on credit- and debit-card fraud.

MasterCard, Visa and American Express have already begun sending out chip cards to their American cardholders. The technology is expensive—the rollout of chip cards in the U.S. will cost an estimated $8 billion—and this cost may balloon exponentially if the implementation of the new technology is done incorrectly, as a recent spate of fraudulent charges using chip-and-PIN-based technology shows.

This recent trend is one early sign that chip-and-PIN may not be the cure-all many consumers were hoping for, at least during the rollout phase. According to Brian Krebs, during the past week, “at least three U.S. financial institutions reported receiving tens of thousands of dollars in fraudulent credit- and debit-card transactions coming from Brazil and hitting card accounts stolen in recent retail heists, principally cards compromised as part of the breach at Home Depot.”

The curious part about this spate of credit- and debit-card fraud is that fraudsters used account information pilfered from old-school magnetic stripe cards skimmed in that attack and ran them as EMV purchases in what’s called a “replay” attack. “After capturing traffic from a real EMV-based chip card transaction, the thieves could insert stolen card data into the transaction stream, while modifying the merchant and acquirer bank account on the fly,” Krebs reported. It sounds confusing, but the bottom line is money was stolen.

As with many scams, this particular evolution in the world of hacking for dollars cannot succeed without human error, which is probably the biggest liability in the coming chip card rollout. Krebs spoke with Avivah Litan, a fraud analyst with Gartner, who said, “It appears with these attacks that the crooks aren’t breaking the EMV protocol but taking advantage of bad implementations of it.” In a similar attack on Canadian banks a few months ago, one bank suffered a large loss because it was not checking the cryptogram and counter data, essential parts of the protocol.

As with all solutions in the realm of data-security, there is no such thing as a sure thing. Whether the hackers banked a false sense of security at the institutional level, knowing that the protocols might be deemed an unnecessary expense, or the recent attacks are merely part of the chip card learning curve, this latest technology is only as good as its implementation.

So, despite the best efforts of those in the financial services industry, the truth is I can’t blame anyone for worrying a bit about credit card fraud. The good news is that in almost all cases, the consumers aren’t responsible when they’ve been hit with fraud. The banks take care of it (though it can be trickier with debit cards, because money has actually left your account). These days, though, the reality is that you are your own first line of defense against fraudulent charges. That means pulling your credit reports at least once each year at AnnualCreditReport.com, monitoring your credit scores regularly for any sudden and unexplained changes (you can do that for free using free online tools, including those at Credit.com), keeping a close eye on your bank and credit card accounts daily and signing up for transactional monitoring programs offered by your financial institutions.

‘Smart Cities’ Are Wide Open to Hackers

A monster storm is on a collision course with New York City, and an evacuation is underway. The streets are clogged, and then it happens. Every traffic light turns red. Within minutes, the world’s largest polished diamond, the Cullinan I, on loan to the Metropolitan Museum of Art from the collection of the British crown jewels, is whisked away by helicopter.

While this may sound like the elevator pitch for an action film, the possibility of such a scenario is more fact than fiction these days.

Cesar Cerrudo is the chief technology officer at IOActive Labs, a global security firm that assesses hardware, software and wetware (that is, the human factor) for enterprises and municipalities. A year ago, Cerrudo made waves when he demonstrated how 200,000 traffic sensors located in major cities around the U/S. — including New York, Seattle, Washington, D.C., and San Francisco — as well as in the U.K., France and Australia, could be disabled or reprogrammed because the Sensys Networks sensors system that regulated them was not secure. According to ThreatPost, these sensors “accepted software modifications without double-checking the code’s integrity.” Translation: There was a vulnerability that made it possible for hackers to reprogram traffic lights and snarl traffic.

A widely reported discovery, first discussed last year at a “black hat” hacker convention in Amsterdam, highlighted a more alarming scenario than the attack of the zombie traffic lights. Researchers Javier Vazquez Vidal and Alberto Garcia Illera found that it was possible, through a simple reverse engineering approach to smart meters, for a hacker to order a citywide blackout.

The array of attacks made possible by the introduction of smart systems are many. With every innovation, a city’s attackable surface grows. The boon of smart systems brings with it the need for responsibility. It is critical for municipalities to ensure that these systems are secure. Unfortunately, there are signs out there of a responsibility gap.

According to the New York Times, Cerrudo successfully hacked the same traffic sensors that made news last year, this time in San Francisco, despite reports that the vulnerabilities had been addressed after the initial flurry of coverage when he revealed the problem a year ago. It bears saying the obvious here: Cerrudo’s findings are alarming.

The integration of smart technology into municipalities is a new thing. The same Times article notes that the market for smart city technology is expected to reach $1 trillion by 2020. As with all new technology, compromises are not only possible, but perhaps even likely, in the beginning. The problem here is that we’re talking about large, populous cities. As they become ever more wired, they become more vulnerable.

The issue is not dissimilar from the one facing private-sector leaders. Organizations must constantly defend against a barrage of advanced and persistent attacks from an ever-growing phalanx of highly sophisticated hackers. Some of them work alone. Still others are organized into squadrons recruited or sponsored by foreign powers — as we have seen with the North Korean attack on Sony Pictures and the megabreach of Anthem, suspected to be at the hand of Chinese hackers — for a variety of purposes, none of them good.

The vulnerabilities are numerous, ranging from the power grid to the water supply to the ability to transport food and other necessities to where they are needed. As Cerrudo told the Times, “The current attack surface for cities is huge and wide open to attack. This is a real and immediate danger.”

The solution, however, may not be out of reach. As with the geometric expansion of the Internet of Things market, there is a simple problem here: lack of familiarity at the user level — where human error is always a factor — with proper security protocols. Those protocols are no secret: encryption, long and strong password protection and multifactor authentication for users with security clearance.

While the protocols are not a panacea for the problems that face our incipiently smart cities, they will go a long way toward addressing security hazards and pitfalls.

Cerrudo also has advocated the creation of computer emergency response teams (CERTs) “to address security incidents, coordinate responses and share threat information with other cities.” While CERTs are crucial, the creation of a chief information security officer role in municipal government to quarterback security initiatives and direct defense in a coordinated way may be even more crucial to the problems that arise from our new smart cities. In the pioneering days of the smart city, there are steps that municipalities can take to keep their cities running like clockwork.

It starts with an active approach to security.

This article was written by ThirdCertainty contributor Adam Levin. Levin is chairman and co-founder of Credit.com and Identity Theft 911. His experience as former director of the New Jersey Division of Consumer Affairs gives him unique insight into consumer privacy, legislation and financial advocacy. He is a nationally recognized expert on identity theft and credit.