Archive for April, 2014

A recent survey found that 43 percent of employees have accessed sensitive corporate data using their smart devices on unsecured private networks, . The survey was conducted by Osterman Research and sponsored by Centrify. The survey recorded answers from over 500 employees of U.S. companies and found that 15 percent of respondents feel their responsibility for protecting corporate data stored on their personal devices is "none to minimal." Additionally, 10 percent do not have any password or other security precaution on their phone they use for work. The study also found that 45 percent of respondents have more than six third-party apps on their devices. These applications may have security flaws. Over 15 percent of respondents have had their account or password hacked.

Mobile Security for Banking Customers
Mobile security doesn't only apply to those who work for a company. Customers who access their data from a company site on their phone are also subject to attack and must be protected with security measures. Wells Fargo Bank takes this very seriously, .

Mobile banking is one of the fastest growing applications that Wells Fargo is adding to its list of customer services, according to Armin Ajami, vice president and senior product manager of the digital channels group for Wells Fargo. He makes the security of his customers his top priority. His goal is to embed security into mobile software in such a way that it does not interfere with the banking experience of Wells Fargo customers.

Keeping Mobile Devices Secure
One of the best ways of protecting data on phones doesn't come from the sites that are being logged into – it comes from protecting the mobile phone itself from hacks. To that end, Wells Fargo provides educational materials that give tips to customers for how to protect themselves from breaches and cyberattacks. This applies equally to customers and those employees who access crucial data from their mobile phones at public servers.

Some of the advice that Wells Fargo provides includes putting a password on one's mobile device, as well as closing and fully logging out of an app when someone is finished using it. Additionally, the best way to handle sensitive data is simply not to store it on anything that isn't fully secured, and that includes most mobile devices.

One tip that might work for customers and employees alike is to provide such advice about mobile security and best practices in weekly newsletters.

tornado

Tornadoes have torn through —flattening neighborhoods, wiping out businesses, and injuring and killing many people.

Communities may take years to recover from the effects of a twister. Residents of areas affected by twisters can take steps and after to protect their families—and their identities. Here are four immediate steps to take after a disaster:

(more…)

Verizon's 2014 Data Breach Investigations Report (DBIR) reveals that nine types of attacks are responsible for 92 percent of 100,000 incidents over the past 10 years, . The nine attacks are web app attacks, cyber-espionage, point of sale intrusions, physical theft, crimeware, miscellaneous errors, and "everything else."

In 2013, the most common technique was the web app attack, which accounted for 35 percent of data breaches. Additionally, two-thirds of data breaches involved stolen passwords or misused credentials. In essence, hackers would find out the password to an Internet content management system like WordPress or Drupal, and then impersonate a valid user.

Spying
Of the attacks, 65 percent were done for motives that Verizon calls for purposes of "ideology or fun." About 33 percent of the attacks involved attempting to hack into something for financial gain. Twenty-two percent of attacks were for espionage in any form. Eleven percent of espionage is done by criminal organizations, and 87 percent is by various governments. The U.S. was the biggest target for cyberspying, with 49 percent of the attacks from Eastern Asia and 21 percent from Eastern Europe, in particular Russian-speaking countries.

Most Attacks Caused by Human Errors
Verizon gathered data from over 50 organizations across the world as well as its own research, and found that in 2013, there were at least 1,367 confirmed data breaches, along with more than 63,000 security incidents, . Cyberattacks against global governments account for 13 percent of all breaches and 75 percent of incidents.

For the public sector, of the nine factors that Verizon identifies as the most common ways hackers infiltrate a target, the most frequent (34 percent of cases) is a miscellaneous error. The next highest is insider misuse, at 23 percent, followed by crimeware and theft, at 21 and 19 percent, respectively. The next highest is only 2 percent of cases, which is "everything else."

Typically, the entity responsible for the error is an administrator, at 43 percent of cars.

The US Government Might be Skewing the Data
Typically, a miscellaneous error involves delivering data to the wrong recipient.

"According to our sample, government organizations frequently deliver non-public information to the wrong recipient…Why is that number so large?" Verizon asked in its report. "The United States federal government is the largest employer in that country, and maintains a massive volume of data on both its employees and constituents, so one can expect a high number of misdelivery incidents."

In other words, the data might be skewed by the government.

Mark McCurley is information security advisor at IDT911 Consulting.

has been nominated for an and we’re kindly requesting your help. The event is designed to recognize firms and individuals who are guiding and shaping the cyber liability space. (more…)

The Government Accountability Office (GAO) reported that the Securities Exchange Commission (SEC) has several major security weaknesses in its IT system, . For example, it does not encrypt sensitive data, nor does it properly identify and authenticate users. This puts the system at risk for data breaches, according to GAO.

"The information security weaknesses existed, in part, because SEC did not effectively oversee and manage the implementation of information security controls during the migration of this key financial system to a new location," .

According to the report, GAO found that access controls were not strong enough because the SEC did not consistently update its software with the latest patches. Additionally, there was not enough segregation of duties between development and production. Thus, a developer's account could be active on a production server, allowing that developer access to files he or she should not have access to. Additionally, there was not enough redundancy in case of downed systems.

GAO recommended to the SEC that it assign security staff to monitor all contractors and also that it improve its IT security as well as its risk management operations.

The SEC'S Response to the Report
SEC's Chief Information Officer Thomas Bayer responded positively, saying the members of the SEC IT staff would "continue to optimize our controls and further improve the security of our systems that support financial processes and our overall risk management process."

How the Issues with SEC Security Happened
The security problems found by GAO were the result of SEC's new financial system going live before the contractor assigned to complete the security tasks was finished, . This was part of the SEC's project to move its financial system from the SEC operations center to a new data center.

The GAO report states that "SEC officials attributed this lack of rigorous oversight to their reliance on the ability of the contractor to adequately complete the effort."

Among the weaknesses GAO found in the SEC's financial system, were passwords shorter than eight characters, which is an SEC requirement. Additionally, the system administrator work stations were readily accessible. Typically, they are kept behind a locked room to prevent unauthorized access.

Bill That Would Restrict Storing Data
California legislators have acted to prevent a similar problem with state businesses regarding increased protection with financial data, introducing a bill that would limit the storage of credit card data, . If the bill is implemented then the critical data would only be allowed on a computer server for as long as it took to process the payment.

Michaels has confirmed that two different eight-month-long security breaches have exposed up to 3 million credit and debit cards to hackers,

Michaels CEO Chuck Rubin writes that the security companies the firm hired to prevent hacks did not initially detect the malware used to steal credit cards.

"After weeks of analysis, the company discovered evidence confirming that systems of Michaels stores in the United States and its subsidiary, Aaron Brothers, were attacked by criminals using highly sophisticated malware that had not been encountered previously by either of the security firms," the statement said.

The hackers managed to steal payment card information, such as credit and debit card numbers and expiration dates, however, customers' names, addresses and debit card PINs do not seem to have been compromised. Additionally, only a smart percentage of Michaels shoppers are predicted to have been affected during this period, .

This story broke not long after Target became the victim of a cyberattack in which more than 40 million credit and debit card numbers were stolen between Nov. 27 and Dec. 15, 2013.

How the Hackers Got In
Based on early reports, it would seem that Michaels was the victim of an advanced persistent threat (APT) attack. APTs use malware that hackers code to breach a specific target in such a way that it goes unknown and undetected by most anti-malware applications.

It is not year clear how the hackers breached Michaels' computer system, but there are many ways that they could have transferred the malicious code to the target system. One technique is through a spear phishing email, in which a seemingly legitimate email is sent directly to an employee at the retailer, tricking authorized users into downloading the code onto the network.

How to Safeguard Your Network
Whatever the cause may be, retailers are now scrambling to bolster their network security defenses with advanced persistent threat detection systems that can potentially detect previously unknown malware such as the cyberthreat that broke into the Michaels network.

Hackers break into a network by exploiting weaknesses in point of sale (POS) systems and computer networks. One way is by targeting weak administrative passwords. To strengthen a POS system, retailers can use strong password or two-factor authentication for POS administrative access. They can also continuously ensure their POS software is the most up to date. Additionally, they can restrict outside access to POS systems from the Internet, or even disallow remote access completely.

Mark McCurley is information security advisor at IDT911 Consulting.

The Canadian Revenue Agency (CRA) discovered April 11 that hundreds of Canadians had their social insurance numbers stolen due to the Heartbleed security bug. However, the agency waited until the April 14 to make this information public because the Royal Canadian Mounted Police (RCMP) asked the CRA to delay notifying the public, .

"Social insurance numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability," the CRA said in a statement. "Late Friday afternoon, given that further access to data was no longer possible and that we had identified a viable investigative path, the RCMP asked CRA to delay advising the public of the breach until Monday morning. This deferral permitted us to advance our investigation over the weekend, identify possible offender[s] and has helped mitigated further risk."

The "King of Identity Theft"
Murray Rankin, a New Democratic Party critic for the CRA, claims that this hack is by a "king of identity theft" and the government should have let its people know immediately so they could begin taking preventative measures in order to avoid having their data be further compromised. Additionally, he is asking the government to explain why the CRA spent days repairing the Heartbleed Bug when banks fixed the problem much faster.

The Heartbleed vulnerability is still very serious business, . Fred Kost, the vice president of security solutions at Ixia, sent an email to ISM explaining the dangers of Heartbleed. He said it was no surprise that it continues to be used to hack into various websites. One of the problems with the bug, according to Kost, is that it went from being a theoretical problem to a real one. Hackers very easily were able to hack several websites by exploiting the virus simply because the method to do so was explained via the news that went along with the discovery of the bug.

Make Sure to Update and Then Change Passwords
Kost advises website hosts to update their security as soon as possible with the latest patch that protects servers from the exploit. After which, all passwords for accessing the server should be changed in order to prevent man-in-the-middle attacks. This attack involves hackers being able to trick a computer into the thinking it is logging into one server when it is really logging into another, and then the hacker stands between the two servers, "in the middle," sending data from one server to the other and gathering information.

The number of U.S. citizens who have experienced a data breach has increased, . In fact, 18 percent of adults have had information stolen via the Internet between 2013 and 2014. Such information could be a Social Security number, credit card or bank account data. In 2013, that number was only 11 percent. The total percentage of adults who have had their email or social networking account hacked was 21 percent, or more than one out of five adults.

Cybersecurity isn't as safe as some may have thought. Companies as large as Target and Neiman Marcus have experienced major data breaches that resulted in the compromise of millions of customers' credit and debit card information. Additionally, the Heartbleed Bug in Internet security protocols used by a large portion of the Web was recently exposed, raising awareness of major holes in the protection that keeps user information secure.

In addition to basic security breaches, many are also becoming concerned about the amount of personal information that is available to hackers online through social networking sites. Half of those surveyed reported this concern in 2014, while only 33 percent were worried about this issue in 2009.

The Latest Data Breach
A "massive" data breach that compromises up to 200 million Social Security numbers was . In 2012, a man used a false identity to purchase Social Security numbers from a database called Court Ventures. Experian was then purchased by Court Ventures, and it is unclear when either company became aware of the serious data breach.

"Experian and Court Ventures are each pointing a finger at the other company, saying they have to notify their customers," said financial crimes expert Chris Swecker. "Meanwhile, the consumer is left the odd person out with all of their vital information exposed."

The culprit was identified last month as Vietnamese national Hieu Minh Ngo, . Ngo ran an underground website that offered Social Security numbers he had acquired from Experian and Court Ventures. It is unclear how many Social Security numbers have been compromised through this data breach, but the total pool of information from which Ngo could have pulled numbers amounted to about 200 million.

The companies involved say they are unable to determine which records Ngo had accessed, and cannot notify the victims.

The data breach has resulted in a multistate investigation. North Carolina is the most recent state to get involved in the case.

The best way to keep protected health information secure is for health IT security professionals to treat the information as though it were their own. Health information management professionals can prevent medical identity theft in a number of different ways, following certain strategies, .

One such strategy is to treat awareness of medical identity theft as a quality of care issue. Another method is to make patients aware of the dangers of medical identity theft. If patients are aware of the risks that come when their private health information (PHI) is exposed, they will act quickly in the event of a breach. There should also be a policy in place if a breach or act of identity theft occurs – with a clear outline of how to respond if such a thing happens, and then train the members of staff who will be responsible for carrying out these procedures.

In addition to a program that will act when fraud has already occurred, there should also be a program in place that will defend against fraud by detecting any suspicious activity and marking it such that it will come to the attention of proper authorities in the IT department.

Patients who believe they have been victims of identity theft should be given as much of their records as they need to verify whether or not this has happened.

Medical Theft Is On the Rise
Health fraud is becoming more common, . In 2013, according to statistics reported by nonprofit Identity Theft Resource Center, 44 percent of all data breaches were health care breaches. This emphasizes the need for health care companies to carefully monitor their computer networks and paperwork-handling approaches to ensure the possibility of fraud is minimized as much as possible.

One risk of fraud is the employees and vendors who work for a hospital. This can include not only current but even past employees. Although data breaches may come from a disgruntled employee, which is the most likely possibility, the 2013 Ponemon Institute Study on Medical Identity Theft revealed that many instances of medical identity theft come from insiders, which the company defines as family, friends and care givers.

This ought to emphasize the vital importance of making sure that all security breaches are looked at closely so that even those who are close to the family are investigated.

Padlock

The green padlock that appears before a website address has long been an indicator of a website’s secure connection. Not anymore.

Security experts in the software that provides extra protection for websites. Yahoo, Facebook, Google and Amazon are all working to fix the problem, which could render users’ sensitive information—passwords, Social Security numbers, bank information—vulnerable.

(more…)