Archive for May, 2014

While the most commonly stolen information continues to be payment card data, there has been an increase in the theft of other data, according to the 2014 Trustwave Global Security Report.  studied 691 breach investigations in 24 countries, .

According to the findings, there has been a 33 percent increase in the theft of nonpayment card data, such as financial credentials, Social Security numbers, customer records and internal documents sensitive to a company. In total, 45 percent of data breaches involved stealing some form of nonpayment card information.

"Most data has some value attached and it's just a matter for criminals to parse it out and find a buyer," said Karl Sigler, threat intelligence manager at Trustwave.

Most of the time (54 percent of cases), the targets were Internet commerce sites. Point of sale devices at stores were hacked in 33 percent of the cases that Trustwave looked at. The most common industry subject to hacks is retail, while food and beverage retailers experienced 18 percent of data breaches, out of the 691 breach investigations.

Of the countries studied, the majority of victims resided in the U.S. (59 percent). The second most commonly targeted nation was the U.K., whose citizens were hacked 14 percent of the time.

Point of Sale Hacks Increasingly Sophisticated
While POS breaches did not account for the majority of breaches looked at in the study, their effects can be very widespread and concerning. The Target breach is the most recent example of payment card data being stolen directly from POS devices.

According to new research by Arbor Networks, attacks like the one at Target have become increasingly sophisticated over the past several years, .

"While contemporary POS attackers are still successful in using older tools and methodologies that continue to bring results due to poor security, the more ambitious threat actors have moved rapidly, penetrating organizational defenses with targeted attack campaigns," Arbor Networks wrote in a blog entry.

The company also noted that many devices in stores can be compromised with malware for a long time before it comes to the attention of a security team. Even a business with Target's resources did not catch a breach until serious damage had occurred. Small companies may fear having data breaches go undetected for months because they do not have sophisticated security teams.

Mark McCurley is information security advisor at IDT911 Consulting.


As new graduates climb down from the ivory tower (diploma in hand), many will be facing “real world” transactions for the first time, and they are at risk. Identity-related crimes, bad deals and credit score pitfalls pockmark the road ahead. And for those new grads who are thinking, “It can’t happen to me,” prepare to say “Hello” to reality.

Data breaches and the identity theft cases that stem from them have become certainties in life, right behind death and taxes. There are things you can do to better protect yourself, detect the problems and lessen the damage when the inevitable occurs. However, if you think a compromise to your credit or identity won’t cost you much in actual dollars and cents, consider the emotional upheaval and hours of frustration spent dealing with it that are non-refundable.

The bottom line for new grads: Your identity and your credit are incredibly valuable assets. And while it may be a wee bit early to be thinking about your investment portfolio, you already have two investment-grade portfolios that you should be managing: your credit portfolio and your identity portfolio.

Here are some general rules of the road for protecting your identity that, if you follow them, could make life a tad easier for you.


Student Loan Fraud

Time to start studying up on student loan fraud. This fairly new form of identity theft is on the rise, and it costs a pretty penny, according to : about $874 million, with the government losing about $187 million.

With deadlines for federal student aid right around the corner, consider these two real stories: (more…)

U.S. companies are not taking cybersecurity seriously enough, . Although CEOs and other C-suite executives are aware of the risks of lax security, many are not taking enough measures with their technological infrastructure to prevent an attack before it happens. It may be necessary for a company to be seriously breached, as Target was, before security precautions are taken by other businesses to truly see the consequences of data breaches.

"If [CEOs] truly understood the risk they were taking, they would find it unacceptable," Digital Bond CEO Dale Peterson, a cybersecurity expert, told Reuters.

Many in the IT security industry, including Peterson, believe that programmable logic controllers, or PLCs, could be the most potentially dangerous weak points in a computer network. PLCs control the machines inside of facilities as varied as factories, waste-water treatment centers and energy plants. Currently, if a PLC were hacked, then it would obey without question any command sent to it. For a nuclear power plant, this could mean an explosion or even a nuclear meltdown.

According to Stuart McClure, chief executive of cybersecurity company Cylance, the danger is so great that the government needs to get involved with more incentives and compliance protocols. At the moment, many believe the government is not providing enough pressure on executives to spend money on security.

The Threat Is Real
There is a growing threat of cyberspying from abroad. Recently, five Chinese citizens have been charged with spying on six U.S. companies and stealing trade secrets, . The hackers allegedly breached the security networks of firms involved with nuclear power, metal refining and solar product creation, and then downloaded information to send to competitors in China.

This has been the first time the U.S. Department of Justice has publicly accused China of cyberspying. The court case has not yet gone to trial. Many remain skeptical that – if China is spying on U.S. companies – the country will be deterred by the accusations.

"It won't slow China down," said Eric Johnson, an information technology expert at Vanderbilt University and dean of its School of Management.

When Will the C-Suite Take Notice?
Whether the accusations of spying are verified in a court of law or not, it still remains to be seen whether these alleged breaches will encourage those in charge of major companies to take security seriously.

According to Charles Croom, vice president of cybersecurity solutions at Lockheed Martin Corp., the Target breach was "just the beginning of a bow wave," in which companies take action.

Many firms are still having difficulties following even the most basic security protocols, by the United Kingdom's Information Commissioner's Office (ICO). The ICO reports many companies are completely open to security breaches and are "hemorrhaging data" because of structured query language (SQL) injection flaws, along with other vulnerabilities, . Although this report is based on companies in the U.K., the lessons are universal.

The ICO identified eight focal points where companies lack security protection. These include matters as simple as installing security software and keeping it updated, along with updating all other software, such as Java and Internet browsers.

Charles Sweeney, CEO of Web-filtering firm Bloxx, explained to Infosecurity that solving such problems is not as easy as it might seem. For example, networks can have multiple programs and systems, and some of them may be regularly updated while others may not be.

Another issue he addresses is poor password protection. Some passwords, such as those used in multiple devices of varying security levels by one person, are easy to break.

"It's the reason that old Common Business-Orientated Language (COBOL) applications from 20 years ago can still be exploited by hackers today as a way of gaining access to the corporate infrastructure and why lost laptops 'secured' with weak passwords still strike the fear of God into any IT director when they get left on trains," Sweeney said.

The basic message is to keep things simplified and reduce loopholes and any points where a company is at risk. This means retiring legacy software and getting rid of devices that aren't used.

Getting the C-suite Involved
One suggestion for how to get security up and running so that the network can block security breaches is to get the upper-level executives more deeply involved with the IT department, .

A report by market research firm Wakefield Research on behalf of Avanade, a business technology company, found that there is "real tension" between IT and a company's other budgetary matters, Tech Republic reported.

In other words, upper management may not realize how much it takes to make a network secure, or they may not understand the price of a security breach, or they may not anticipate their network being hacked at all. All of this comes from ignorance on the part of managers, but part of the fault lies with security staff not taking the time to explain the real dangers of an under-budgeted IT department.

Mark McCurley is information security advisor at IDT911 Consulting.

Post Office

Buying stamps from a kiosk at your local post office may be hazardous to your identity.

The United States Postal Inspection Service (USPIS) has launched an investigation into reports of skimming devices on stamp vending machines at post offices nationwide, according to .


Child idt

Kimberly Reed panicked when a state health worker told her that her son wouldn’t be eligible to renew his free health care because he made too much money.

The strange part: Her son Cory* was only 2 years old. Someone had used his Social Security number to receive $548 in paychecks from a business in the Pacific Northwest. The boy had become a victim of a troubling category of identity crime: child identity theft.

Reed was fortunate to detect the crime so early: It allowed her to take the necessary steps to resolve the problem. In most cases, child identity theft remains undiscovered for years until victims are teenagers or in their 20s, and are applying for a student loan or their first credit card. By then, they can encounter horrible credit ratings and histories or thousands of dollars of debt in their names.

Due to the increasing frequency of Twitter account hacks, Twitter has begun making improvements to its password security, . Twitter has added backend features that make it easier for the security team to spot suspicious activity. The social media site has expanded options for resetting passwords on mobile devices.

To spot illegal activity, Twitter has created a method for determining the location where someone is logging in from, what device they are using and what their login history is. This feature will make it easier to detect unauthorized access.

"If we identify a login attempt as suspicious, we'll ask you a simple question about your account – something that only you know – to verify that your account is secure before granting access," wrote Twitter Product Manager Mollie Vandor in a .

Resetting Passwords
Twitter users have several options for resetting their passwords. There are now some that make it easier to reset Twitter passwords with a phone number or an email address that has been connected to the account.

"That way, whether you've recently changed your phone number, or are traveling with limited access to your devices, or had an old email address connected to your Twitter account, you've got options," Vandor wrote.

Wall Street Journal's Twitter Account Hacked
On May 6, The Wall Street Journal's own Twitter account was hacked, highlighting the need for the updated security on Twitter, . During that afternoon, @WSJD tweeted a picture of a cockroach with the face of online security expert Ira Winkler pasted over its head.

Many experts are blaming the attack on the Syrian Electronic Army (SEA), which is a hacking group with funding from Syria. The SEA has hacked several other media organizations, including CNN and the New York Times.

Other Twitter Hacks
British National Party Member Nick Griffin's Twitter account has also been hacked – this time by the group called Anonymous, . Griffin's account had several messages posted to it by a hacker calling himself Anon 0x03, who claims that he or she is also a member of an unnamed Venezuelan hacking group.

Twitter hacks on news sites and political figures can spread misinformation. It is important to keep your passwords safe and to use a different one for each site. Many hackers will hack into one website to find someone's password, and then see if it works on other websites that are harder to hack.

Data Security

Gregg Steinhafel’s ouster at Target this week was a major C-Suite casualty in corporate America’s war on hackers. Sales took a major nosedive after the retailer’s big breach hit the news last December, with fourth-quarter profits down 46%. So what’s a CEO to do?

First of all, if it seems a little overblown to blame Target’s poor performance of late solely on the breach, I’d tend to agree with you. There was the weak rollout in Canada (arguably breach-related) that would not warm the cockles of any board member I know, and, speaking of warmth (or the lack thereof) it’s important to bear in mind that retail suffered across the board this winter because of the extreme cold weather.


Performing a risk analysis stands at the core of building a secure network, particularly regarding health care and Health Insurance Portability and Accountability Act audits, . In an interview with the health care news outlet, Edward Zacharias, partner and member of the Global Privacy and Data Protection Group at law firm McDermott Will and Emery, explained why it is so crucial to perform risk analysis.

According to Zacharias, there have been a large number of reported breaches lately. Companies need to become more proactive with how they address potential threats like a cyberattack or security breach. If they wait for a breach to happen, it will already be too late to quell the damage, and the Department of Health and Human Services will often step in and give penalties for the lack of security that caused the breaches, rather than the breaches themselves.

Zacharias adds that protecting mobile devices or laptops is also important. The health IT world is becoming more cloud-based than ever before, and this reinforces the need to keep data that has been stored on easily accessible devices - a laptop with an easily hackable password, a smartphone or thumb drive - as safe as possible.

The best way to offer data protection is to begin analyzing the potential risks (high in the case of laptops), and to provide security at levels appropriate to the risk and degree of damage a breach might cause.

Security in the Cloud
A new study by reveals that data stored in a cloud is not as secure as many might think, . Many cloud-based servers do not use even the most basic protection.

"You would think that a higher percent of companies would have data encryption or a similar form of protection, because it does present a risk," said Larry Ponemon, lead author on the study and founder of the Ponemon Institute. "Especially if the data sent to them is confidential, as we found."

However, others believe that cloud security can be safe if the proper precautions are taken. George Kurtz, CEO and co-founder of security company CrowdStrike, said that clouds are safe if the cloud service provider is secure. Such providers often have more resources to keep their cloud servers highly secure than a business dedicated to other projects does.

Assessing risk is important. In the case of cloud or other third-party servers, risk can be determined by evaluating the certifications and security standards that the companies should offer.

Mark McCurley is information security advisor at IDT911 Consulting.