
Archive for the ‘Encryption’ Category

Last time I wrote about The Websense 2015 Threat Report and my key takeaways. One of those takeaways was that cyber attacks are more focused. Attackers are moving from focusing on an industry, like health care, to focusing on a specific company, like Anthem. We are starting to see attacks that are aimed specifically at one organization within a company, targeting the people in that organization who are likely to have access to something the cybercriminals want.

Here is one interesting example from last year involving hacktivists. Hacktivists are cyber-criminals who attack a company not to gain monetary value but to impair the operation of the company. In this case, their targets were the few people in the company that managed the building security and environmental controls. From far away, these hacktivists locked the doors to the main server room and disabled the emergency override controls, then turned off the air conditioning and turned up the heat. The end result was a room full of physically destroyed computers.

How is this kind of specific attack done? Websense describes the seven stages of advanced threats.

  • Stage 1: Recon
    The first step is to identify at least one individual who has access to the information the attackers want. They start by using professional websites (like LinkedIn) to determine who works at the company and might be in the area in which they are interested. Then, through personal and social media sites, they determine others who might have the information they seek. They are also looking for the kinds of lures that might work with these selected individuals.
  • Stage 2: Lure
    Using the recon information, the cybercriminals create lures that can fool users into clicking on a link. These lures are dangled in emails and social media posts that appear to be from trustworthy sources.
  • Stage 3: Redirect
    When the lure works and the user clicks on the link, they are redirected to sites with malicious content such as exploit kits.
  • Stage 4: Exploit Kit
    An Exploit Kit will scan the user’s workstation looking for vulnerabilities which allow the delivery of malware including key loggers or other tools to enable further infiltration of the network.
  • Stage 5: Dropper File
    Once the Exploit Kit has discovered a path to deliver malware, the cybercriminal delivers a “dropper file.” The dropper file contains software to start finding and extracting data, and often includes additional capabilities to deliver other malware in the future, even after the existing vulnerabilities have been fixed. The dropper file may remain dormant for a period of time to avoid detection.
  • Stage 6: Call Home
    Once the Dropper File has infected the target system, it “calls home” to the hacker’s command-and-control system. Now the dropper file can download additional programs and tools, and get instructions. Now there is a direct connection between the cybercriminal and the infected system.
  • Stage 7: Data Theft
    At this point, the cybercriminal begins to collect the data. The data could be anything: intellectual property, financial, health or other personally identifiable data, or data that will enable additional attacks.

Not every advanced threat uses all seven stages. These same stages are also used in more general, less focused attacks.

Each of these stages provides a place to stop the attack. A prepared company has a kill chain against these advanced attacks that monitors and defends at every stage.

These attacks may be directed at the victim’s personal accounts, which have less protection and where the victim tends to be less careful. A victim’s personal computer may also be more vulnerable to attack than the IT-controlled office workstation, but that personal computer may be used by the victim for work-related activities and thus may contain information useful for breaking in to the office network.

The last word:

Today, you have the ability to use your smart phone to control your home thermostat and lock or unlock your doors. Just like the hacktivist example above, somewhere there is a group of hackers attacking you and the company that manages the communications with these devices. That company might be your Internet Service Provider (Comcast or Verizon, for example), or your home alarm company. If not already available, it will soon be possible to buy the access codes to a house or company or more likely subscribe to a BIaaS (Break-in as a service). For $1,000 the hackers will turn off the alarm, disable the video cameras, and unlock the back door at 2AM, then relock the doors, enable the video cameras and turn on the alarm at 5AM. They will know that you are away that night because they hacked into your newspaper’s database and noted your stop delivery request on your daily newspaper.

Welcome to our brave new world.

Comments solicited.

Keep your sense of humor.

Walt.


Earlier this year I posted about the cyber attack in which Target allowed at least 40 million credit cards to be compromised, and watched as cyber criminals stole the personal information from about 110 million people. This breach occurred during the year’s biggest shopping season between Thanksgiving and Christmas in 2013.

Last month, Target agreed to a settlement: a maximum of $10 million, or $0.25 per compromised credit card. Individual victims may get up to $10,000 in damages.

This settlement requires final federal court approval, but is, in my view, a settlement favorable only to Target.

In order to claim any damages from Target, victims must prove:

  • That unauthorized charges were made to their credit card.
  • That they invested time in addressing the fraudulent charges.
  • That they incurred actual costs from correcting their credit report, paying higher interest or fees because of the impact to their credit rating, paid fees to replace identification cards, or hired identity protection companies or lawyers.
  • That the Target breach was responsible for their loss.

Matthew Esworthy, a litigation partner at Shapiro Sher Guinot and Sandler, said that many victims would have trouble proving that they lost money because of a specific data breach.

A friend had her purse stolen in a museum. She discovered the theft within a couple of minutes of its occurrence. By the time she got to a phone and called her debit card company, the thief had drained over $5,000 from her bank account, and that money was gone. That debit card was just one of the items in her purse. A maximum benefit of $10,000 may not cover an individual’s loss.

One reason that it took so long to get to this ridiculous settlement is that Target argued in court that consumers lacked standing to sue because they could not establish any injury.

If you have a problem, report it as soon as possible at the web site Target sent you.

Fortunately, this is not the only cost to Target. By the end of January, Target estimated that it had already accrued $252 million in expenses related to the breach, including this settlement. That will be partially offset by up to $90 million in insurance payments to Target. Target also faces claims from three of the four major credit card companies, and probably also from the fourth, as those companies try to recoup their losses due to this data breach. In addition, the Federal Trade Commission, the Securities and Exchange Commission, and several state attorneys general are also investigating and may impose fines.

Target was instrumental in this data breach. Target’s computer security systems alerted IT to suspicious activity after cybercriminals had infiltrated its networks, but Target decided to ignore the alert. The settlement also revealed that Target had no written information security program and no chief information security officer.

They also had a 46% drop in year-over-year profits for the quarter when the breach occurred.

Don’t let this happen to your company.

The last word:

How did the cybercriminals do? Pretty well, probably. Krebs on Security estimated that between one and three million credit cards stolen from Target were sold on the black market and successfully used for fraudulent purchases before the credit card companies managed to cancel the rest. That likely generated over $53 million of income to the cyber-criminals. That number is interestingly close to the $55 million that the ousted CEO Gregg Steinhafel will get in executive compensation and severance benefits from Target.

So the cybercriminals, lawyers, and the shamed CEO win. Meanwhile, Target as a company and millions of its customers lose.

Comments solicited.

Keep your sense of humor.

Walt.


A writer friend posted a blog about Ancient Remedies Resurrected. He blogs mostly to help other writers use medicine correctly in their fictional murders. This particular post discusses the surprising success of a medieval recipe in killing specific troubling antibiotic resistant bacteria.

  • Who would suspect that a thousand-year-old Anglo-Saxon recipe to vanquish an infected eyelash follicle could do that?
  • Who even tried the recipe on something different than its original documented purpose?
  • Why was the recipe still around?
  • Who could read it?

The first two questions are relatively easy. Some ancient remedies actually work. They were created over hundreds or even thousands of years of experimentation in the real world. Many experiments failed, with the expected unpleasant other results. Some worked and were passed down orally from “doctor” to “doctor,” often from parent to child. Often the “doctor” was closely associated with the local religion. One recipe for curing fever occurring in the brain is on an eighth century BC tablet. The particular poultice is attributed to oral medical lore dating back to around 1860 BC. The tablet itself cites “mythological sages from before the Flood.” It is hard to argue with such authority. Enough of these old recipes work that it is well worth the effort to test them. Government agencies, pharmaceutical companies and universities all spend some effort searching ancient texts and experimenting. Looking at what the recipe does from a scientific viewpoint may point out some other possible uses of the drug.

The last two questions are the really important ones.

The survival of any particular ancient text is more due to luck than good data management. There is so much that can go wrong. The document first of all has to avoid being broken into a thousand pieces, sunk in the middle of the ocean, cleaned and reused, or being damaged by the ravages of nature with floods, fire, mold, or rot. But perhaps the greatest danger to old documents is man. Opened in the third century BC, the Library of Alexandria was one of the largest and most significant libraries in the world of its time. The library was destroyed, first by Julius Caesar when he conquered Egypt in 30 AD, and finally by Coptic Pope Theophilus in 391. Pope Theophilus was very thorough. Not only did he complete the destruction of the main library, but also a smaller version, the Serapeum, located elsewhere in Alexandria. Perhaps the first recorded case of a backup failure.

Maybe as significant for the preservation of possible ancient medicinal cures was the destruction of all but four of the thousands of Maya codices by Spanish conquistadors and Catholic priests. Why were they destroyed? According to Bishop Diego de Landa in July 1562, because “they contained nothing but … superstition and lies of the devil.”

Unfortunately, this organized destruction of the past continues to this day as the result of conquest and religious fanaticism.

We recently visited one such ancient document, and it was only 800 years old. It was both surprisingly readable and very hard to read, and it was a language we had some rusty familiarity with. Imagine the difficulty of even deciphering an ancient text and then determining its meaning. We do not have a Rosetta Stone for most ancient languages. I am referring to the multi-language stone found in Egypt during Napoleon’s conquest, not the language instruction company – although the statement applies to both. Often even the structure of the language as well as the meaning of individual characters or symbols had to be coaxed out of many documents by many people over many years. Only after that can other researchers begin to search for specific snippets of interest, like medical recipes.

In trying to recreate the recipe that began this post, researchers had to figure out what the ingredients really were, and hope that modern garlic is similar enough to 1,000 year old garlic to actually work. In most cases an ancient text will not describe exactly how hot or long to cook something, or even how much of each component was to be used.

As I discussed earlier, it is perhaps as difficult to keep data for the long term in today’s electronic age as it was in ancient times.

The last word:

Save the data, especially if you have no idea what value it might have in the future. Pictures, movies, personal history stories whether written or currently only oral could be important. Talk to older relatives and friends and get their stories saved. Do it now while you still can.

If you save oral recordings, go back and make transcripts that can also be saved. A hundred years from now there may be no one who can understand what was said.

If your family knows a language that is little used, work to preserve it so its oral and written legacy can be saved.

Even mundane business records can have historical value in a distant future. Kyle Harper used ancient purchase records to reinterpret the end of Roman slavery by determining what slaves were eating in Rome around 300 AD. This kind of information can help fill in the gaps about a civilization and the well-being of its people, whether wealthy citizens or slaves.

As I have said before, keeping data on paper only is not the best idea.

Comments solicited.

Keep your sense of humor.

Walt.


The world is fair; it just is not centered on you or your company. My last blog discussed yet another company that failed to protect its customers’ data and that faces a serious loss of reputation and expensive fines. The Identity Theft Resource Center reported 783 data breaches in 2014, up 27.5% over 2013. These are just the major breaches that get reported in the media or required notification to government agencies. In most cases these breaches involved exposure of information that increased the risk of identity theft to the company’s customers. The Ponemon Institute estimates the cost to a company of such a breach averages over $200 per lost record, plus any government or compliance fines. In January, Experian reported that almost half of the companies they surveyed reported at least one security incident in 2014. Cybercriminals and cyber-terrorists stole slightly over one billion records in 2014. I expect the 2015 number to be substantially higher.

As I have reported before, most of these attacks target known vulnerabilities. As anti-malware software keeps getting better, almost 80% of vulnerabilities have patches available on the day of disclosure. The obvious question is, “Why are so many companies still getting successfully attacked?” The answer varies from “We do not really care” to “It is hard.” Customer abandonment will eventually fix the first group of companies. For the rest, it is hard. It is hard to keep up with all of the patches and sometimes even harder to keep track of where everything is in your IT environment, especially as you move to the Cloud. It is hard to schedule the time to do the updates without impacting your customers or your internal operations. Sometimes the internal IT structure interferes, with different organizations having seemingly contradictory priorities: “keep us up” vs. “keep us secure” vs. “reduce IT costs.” Target fell into this bind, and is still paying for that mistake.

The primary reason the attacks that make the news are so large, impacting millions of people, is that companies are very slow to actually detect that they are being attacked, and then to do something about it. On average, it is taking companies six to nine months from the time malware is introduced into their IT environment until they have resolved the problem.

I had the privilege of talking to a couple of BMC executives in advance of their February 25, 2015, announcement of a new joint platform called the Intelligent Compliance Solution. Intelligent Compliance merges the security capabilities of Qualys into the remediation and operations management software provided by BMC. The result makes staying secure much easier and provides timely warnings of vulnerabilities and policy violations.

BMC is an American company incorporated in 1980. Its name is not an acronym, but simply the first letter of the three founders’ last names: Scott Boulette, John Moores and Dan Cloer. Today it is a $2 billion company with about 6,000 employees specializing in transforming the IT digital enterprise. BMC products and services support about 20,000 companies and address six principles of digital transformation: an intuitive user experience, actionable intelligence, adaptive automation, optimized infrastructure and cost, agile applications, and compliance and risk mitigation.

Qualys is an American company founded in 1999 that provides cloud security, compliance and related services to about 7,700 companies. The Qualys tag line is “Continuous Security in a Unified Cloud Solution.” Gartner Group has given Qualys a “Strong Positive” rating for these services for the past five years.

At the high level, what this partnership provides is the security scanning of Qualys feeding vulnerability information to BMC, where the vulnerabilities are matched with the appropriate software patches for automated remediation.

The bottom line:

  • Reduce the window of vulnerability by reducing time from detection to resolution.
  • Improve IT operations performance by correctly applying the appropriate patches automatically with minimal or no impact to customers.

Morningstar Inc. was an early user of the result. Michael Allen, Morningstar Information Security Officer, said, “With Intelligent Compliance we now have an integrated solution to automate our information security processes, greatly reducing time and cost.” Intelligent Compliance benefits reported by Morningstar include:

  • Reduced audit risk by decreasing configuration compliance audit cycle time from two months to five days.
  • Reduced audit and patch time by 97%.
  • Reduced compliance audit time from five days to twelve minutes per system.
  • Provided 100% SOX compliance.

Intelligent Compliance moves towards a concept of continuous audit. Instead of doing an audit every year or every quarter, Intelligent Compliance is auditing constantly, reporting vulnerabilities and security policy violations. It leaves audit trails so you know who did what where, and you can prove it when the actual auditors arrive for a formal audit or you need to do forensics.

The last word:

Both BMC and Qualys have historically used partnerships to expand their market and capabilities, so it seems, at least in retrospect, obvious that they would consider bringing the security scanning and monitoring capabilities of Qualys to the business service management of BMC products and services.

This solution will not protect you from every cyber attack, but it should significantly reduce your risk and free up some of your IT staff to work on additional security issues plus work on enhancing IT to better support your business.

Comments solicited.

Keep your sense of humor.

Walt.


Once again a company that we trust with our health and personal information has betrayed that trust. Cybercriminals were able to hack into an Anthem database that contained up to 80 million records of current and former customers and company employees. The information now in the hands of criminals includes names, Social Security numbers, birthdays, postal and email addresses, and employment information including income data.

Anthem stated that no credit card or medical information was compromised, but the information that was stolen is sufficient to launch successful identity theft attacks against every one of the tens of millions of compromised individuals.

Anthem noted the intrusion on January 29, but analysis of the cybercriminal infrastructure likely used suggests that the attackers first gained a foothold into Anthem’s servers in April 2014, nine months before Anthem noticed the attack. One link in the chain of establishing the malware at Anthem went through China. Whether that is a significant fact is unknown at this time. Anthem immediately notified the FBI.

Since admitting the attack, Anthem has been sharing information about the attack including IOCs (indicators of compromise) with HITRUST, the Health Information Trust Alliance, and NH-ISAC, the National Health Information Sharing and Analysis Center. These groups disseminate information about cyber threats to the healthcare industry. So far, these IOCs have not been discovered by other health care organizations. It appears that this attack was focused against Anthem.

Clearly, Anthem is not paying attention to the security of their customers’ data. None of this data was encrypted. Anthem has contracted with Mandiant, a cybersecurity firm, to evaluate their security systems and identify solutions. Seems to me they are a year late with this kind of analysis.

The brands impacted by this breach: Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, and Healthlink. It can also impact anyone holding a BlueCard. A BlueCard enables members of one Blue Cross / Blue Shield plan to obtain healthcare services while traveling or living in another service area. Blue Cross / Blue Shield Federal Employee Programs are also impacted. This information is linked through a single electronic network throughout the US and 200 other countries and territories.

What should you as an individual do if you think you were impacted?

  • You may receive an email apparently from Anthem. These emails are not from Anthem and are scams attempting to get your personal information. Do not click on any link in such an email.
  • You may also receive a phone call apparently from Anthem about the attack. These calls are also not from Anthem. As always, do not give out credit card or Social Security numbers over the phone on any call you did not initiate. Hang up.
  • According to Anthem you should receive a letter in the mail “in the coming weeks.” That letter will advise you of the protection(s) being offered.
  • Take whatever identity theft services they offer.
  • Continue to monitor all of your financial accounts, including mortgage, investment, and loan accounts.
  • Consider putting a security freeze on your credit reports at each of the three reporting companies, Equifax, Experian, and TransUnion. Since most businesses will not open a new account without first checking your credit history, if they can’t access your credit history they are quite likely to deny someone getting credit in your name. It may cost you a few dollars, but it really does stop most identity theft. Availability and cost vary by state. If you want to request credit, you can lift the freeze enough to let a specific request be accepted.

If you are responsible for the personal information of your customers, employees or contractors, how vulnerable are you? You should not guess the answer. Find out, before you become the next Anthem.

Anthem will have some very stiff fines as a result of this breach. Between 2009 and 2013, HIPAA has levied fines of more than $25 million for data breaches. But this attack impacts more than twice as many people as all of the 2009-2013 breaches involving fines combined.

In 2014, Columbia Medical Center was fined $4.8 million for a data breach involving fewer than 10,000 people.

The last word:

Sometimes personal data is “released” on paper. Hundreds of documents from the Philadelphia Adult Probation and Parole Department were found in early February strewn across several streets in part of Philadelphia. These documents contained names, addresses, birthdates, Social Security numbers and signatures. The best guess as of this writing is that one or more boxes of information fell off a truck on the way to a nearby recycling center. The documents were not shredded.

Comments solicited.

Keep your sense of humor.

Walt.


In December, SingleHop asked nearly 200 bloggers for their predictions for Cloud Computing in 2015. They published their favorite predictions in their blog and asked that the contributors share their picks with our readers.

My prediction did not make their favorite list, possibly in part because it was a prediction of a serious cloud-based problem in 2015. The Cloud has so far been a fairly safe place to play. For the past four years I have reviewed the Verizon Risk Team annual security report and various Ponemon Institute reports. While the Cloud has been involved in some serious security breaches, the Cloud was not a contributing factor: the breaches were due to companies’ failure to properly protect their networks and data. I believe that for many organizations, the additional security expertise provided by Cloud Service Providers and existing cloud management software actually makes the Cloud safer than their own data centers.

I recently reported on Websense Security Labs 2015 Security Predictions. One of their predictions nicely supports my submission to SingleHop: Sometime in 2015 one of the Cloud-based collaboration tools will be hacked and a company’s confidential and proprietary information will be stolen. Two factors are driving this prediction:

  1. Hackers are becoming much more targeted, going after specific companies for a specific purpose. That purpose could be financial, such as selling your information to a competitor or holding your data hostage. It could be an act of hacktivism, by someone who does not like what you do or how you do business. It could also be part of a government attack on your country’s economy.
  2. These collaboration sites provide a place for hackers to hide their command and control infrastructure. Your company is probably watching the places you visit in the Cloud, but will not flag traffic to and from places like Google Drive, Microsoft Office 365 or the like, especially if your company supports using those collaboration tools. The hackers do not have to deliver malware to your desktop in order to capture your information.

The last word:

Unfortunately, neither Microsoft nor Google has a stellar security reputation. If your company uses collaboration services, make sure your security team is monitoring for news of successful hacks through these services. The best thing to do is to encrypt any confidential or proprietary data that your employees and contractors store in these collaboration spaces, and periodically review the cloud-based documents for violation of your encryption policy.

Comments solicited.

Keep your sense of humor.

Walt.


Do you use Dropbox at home or work? Dropbox is an easy way to share documents among your devices and coworkers, plus it offers storage in the Cloud. For businesses, it can eliminate many of the IT support issues around backup and collaboration, especially in a BYOD (bring your own devices) environment. Dropbox currently has over 300 million users.

But Dropbox has had some security hiccups. Dropbox blames one of the largest events on their customers’ reuse of passwords. Dropbox claims that it was not hacked, but that usernames and passwords were stolen from other unrelated services. The cybercriminals then used those passwords on Dropbox. While I in general don’t like the “blame the customer” defense, I also have little patience with reusing passwords. Yes, it makes it easier to remember, but it makes your data, or your company’s data, much more vulnerable.

Enter Cloudifile from Cloud Labs. Cloudifile does two things: it encrypts your critical documents in Dropbox and on your own devices, and it automatically syncs these documents through Dropbox. Once you have installed Cloudifile on your device, you designate the specific files and folders that you want protected. Cloudifile encrypts each file with a different 256-bit key that has itself been encrypted with a 2048-bit key that is unique to your Cloudifile account. On your local device, a virtual unencrypted file is immediately available for use. As you update the file, the encrypted copy on Dropbox is also automatically updated. When you add a new file to a specified folder, Cloudifile will automatically add the encrypted copy to Dropbox. I find it very easy to use. Once you specify a file or folder via a right-click action, Cloudifile handles everything invisibly.

You can share Cloudifile folders with specific other Cloudifile users. You use the basic Dropbox sharing facilities along with Cloudifile requests to approve the share request. If you decide to no longer share a folder, all files in the folder are re-encrypted with different keys so the other person can no longer access those files.
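
The key hierarchy and the re-keying on unshare described above, sketched in Go as an added example (not Cloudifile's code or file format). The page gives only the key sizes; AES-256-GCM for the per-file key, RSA-2048 with OAEP for the account key, and every type and function name here are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is the blob that syncs to the cloud (hypothetical layout, not Cloudifile's).
type Envelope struct {
	Nonce, Ciphertext []byte
	Wrapped           map[string][]byte // account name -> RSA-OAEP(file key)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts under a fresh 256-bit file key and wraps it per 2048-bit RSA key.
func Seal(plaintext []byte, recipients map[string]*rsa.PublicKey) (*Envelope, error) {
	buf := make([]byte, 32+12) // random file key followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	fileKey, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	env := &Envelope{nonce, gcm.Seal(nil, nonce, plaintext, nil), map[string][]byte{}}
	for name, pub := range recipients {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
		if err != nil {
			return nil, err
		}
		env.Wrapped[name] = w
	}
	return env, nil
}

// Unwrap recovers the file key with one account's private key.
func Unwrap(env *Envelope, name string, priv *rsa.PrivateKey) ([]byte, error) {
	w, ok := env.Wrapped[name]
	if !ok {
		return nil, fmt.Errorf("no wrapped key for account %q", name)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w, nil)
}

// Decrypt opens the ciphertext with a raw file key; GCM rejects a wrong key.
func Decrypt(env *Envelope, fileKey []byte) ([]byte, error) {
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Unshare re-encrypts under a NEW file key, so a key cached earlier stops working.
func Unshare(env *Envelope, owner string, priv *rsa.PrivateKey, remaining map[string]*rsa.PublicKey) (*Envelope, error) {
	key, err := Unwrap(env, owner, priv)
	if err != nil {
		return nil, err
	}
	plaintext, err := Decrypt(env, key)
	if err != nil {
		return nil, err
	}
	return Seal(plaintext, remaining)
}

// Demo runs share-then-unshare on constructed accounts and a constructed file.
func Demo() (bobBefore, aliceAfter string, bobAfter error) {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)
	both := map[string]*rsa.PublicKey{"alice": &alice.PublicKey, "bob": &bob.PublicKey}
	shared, _ := Seal([]byte("tax return (constructed sample)"), both)
	bobKey, _ := Unwrap(shared, "bob", bob) // Bob keeps the file key while shared
	pt, _ := Decrypt(shared, bobKey)
	private, _ := Unshare(shared, "alice", alice, map[string]*rsa.PublicKey{"alice": &alice.PublicKey})
	aliceKey, _ := Unwrap(private, "alice", alice)
	pt2, _ := Decrypt(private, aliceKey)
	_, bobAfter = Decrypt(private, bobKey)
	return string(pt), string(pt2), bobAfter
}

func main() { fmt.Println(Demo()) }
```

Deleting Bob's wrapped entry without re-encrypting would leave his cached file key valid against the same ciphertext, which is why the unshare step generates a new file key.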

If someone gains access to your Dropbox account they can see what files you have under Cloudifile control in a Cloudifile folder. However, each of those files is strongly encrypted.

What if someone gains possession of your device and can log on to the device? They probably now have access to your Dropbox account, but without your Cloudifile credentials, your files are safe. Files on your local device are not even present if you are not logged into Cloudifile.

Since there is an encrypted copy of your local files on your local device, when you are logged in to Cloudifile those local files are available for your use even if you are not connected to the Internet. When you next connect, Cloudifile will automatically re-sync your data with Dropbox.

Cloud Labs does not have a copy of your logon password, nor does it have any of your encryption keys. At no time does your data pass through any of Cloud Labs’ servers. When you set up your Cloudifile account, you receive a “password reset” string. This 1,600+-character string enables you to reset your password and recover your data. Make sure you keep this “password reset” string someplace safe, but not on any Cloudifile protected device.

If you lose your local device, simply logging on to Dropbox and then Cloudifile on your replacement device will immediately restore all of the Cloudifile files and folders.

Cloudifile is currently available on Windows devices (Windows 7, 8, 8.1). I expect to see Android and iOS versions mid first quarter 2015. Cloud Labs is working on a Mac version. Currently, you can download Cloudifile for free.

The last word:

All of your stuff does not require the same level of security. If you started using Dropbox as a place to capture and consolidate images and videos from all of your devices, then the convenience of an easy to remember password made sense. But if you are now putting your tax or medical records, or worse, your company’s product plans on Dropbox then I recommend you look at Cloudifile for those private or proprietary documents you wish to keep secure.

Comments solicited.

Keep your sense of humor.

Walt.
