Archive for August, 2014

Cybercriminals have different motivations to hack into protected systems, from taking bank information to sell in underground markets to stealing intellectual property to make another nation more competitive in the global market. Hackers can also be driven to infiltrate companies for political purposes. Recently, hackers targeted several financial institutions and major banking companies, causing a data breach of customer information, including at JPMorgan Chase, .

Politically Charged Cyberattacks
However, the main reason for the attacks may not have just been about money. The U.S. Federal Bureau of Investigation is looking into the attacks with sources close to the investigation saying the attackers may have originated in Eastern Europe, with a focus on Russia.

One of the reasons why the FBI is concentrating on Russia in its investigation of the breach is due to the rise in attacks from hackers in Russia and Eastern Europe against the financial sector in the U.S., according to Bloomberg. There has been speculation that the attack was politically motivated due to U.S.-imposed sanctions on Russia for instigating the conflict in Ukraine, Bloomberg reported. The FBI is working to determine whether the attack against U.S. banks  - a crucial economic sector - was an act of defiance in response to the sanctions, which may threaten to lower growth in Russia. 

Politically charged attacks have been fueling cybercriminal activity as another group known for these types of hacks is the Syrian Electronic Army (SEA), which often posts messages of support for Syrian President Bashar al-Assad on its victims' websites. In July, SEA hacked into the Twitter account owned by the Israeli Defence Force and ended a post that said "Long live Palestine," . This post could have been in response to the Israeli airstrikes that targeted Palestine. 

Security Concerns at JPMorgan
Aside from IT security experts wondering about the political reasons for the JPMorgan attack, the latest high-profile data breach brings up questions about corporate security in the financial industry – one of the hardest hit sectors in the U.S. The breach at JPMorgan occurred in the middle of August. The information that has been breached at the affected organizations includes checking and savings account information.

In a response to the attack, JPMorgan said large companies often have to fend off cyberattacks on a daily basis.

"Companies of our size unfortunately experience cyberattacks nearly every day," Patricia Wexler, a JPMorgan spokeswoman, said in an email statement. "We have multiple layers of defense to counteract any threats and constantly monitor fraud levels."

This is not the first data breach for the banking giant. Last year, JPMorgan experienced a data breach that may have exposed the information of 465,000 customers that used prepeaid cash cards, . The breach impacted government employees as the cards were used to pay benefits and provide tax refunds. 

While companies can spend millions on their IT security systems to prevent cyberattacks and other common security risks, they may be fighting a losing battle if their worst enemy already has the password and unrestricted access to their systems. While detecting breaches and other security events from external causes are difficult to detect, tracking insider attacks might be an even bigger obstacle. A new report about insider threats in organizations brings to light the challenge of controlling for security risks that are due to malicious intentions or mistakes.

The majority of businesses in the U.S., Latin America and Europe said they did not have the means to fend off an insider threat, according to a survey by IT security firm SpectorSoft. Even worse, 59 percent of IT professionals said their employers did not have the ability to find threats that lurk within their company. 

With the wealth of data – customer information, trade secrets and intellectual property – stored in top corporations and government agencies, insiders might hope to take advantage of their ease of access to valuable information.

Insider misuse accounted for 8 percent of all breaches in 2013, and some of the biggest security risks surrounding insider threats include privilege abuse and unapproved hardware, . 

Insider Breaches and Concerns of Enterprise Security
In June, telecom giant AT&T reported a breach that may have compromised the personal information of an undetermined number of customers and the motives behind the perpetrators of the breach were shocking, . The employees working for a vendor for AT&T allegedly wanted to hack into locked phones sold by the company in order to sell them to willing buyers on the market. 

"It makes one wonder what AT&T and other vendors are doing to detect and prevent data leakage," Lucas Zaichkowsky, enterprise defense architect at AccessData, told eWeek.

Almost half of the respondents in the SpectorSoft survey said their top priority was detecting insider threats, as they focused on a security strategy that is centered on prevention.

Companies need to improve on restricting data access to personnel, handling data securely and ensuring safe email use. 

"With so many data breaches happening, C-level executives are coming to the realization that their jobs could be on the line if company data isn't protected," Rob Williams, chief marketing officer at SpectorSoft, said in a statement. "Proper defense must include a comprehensive security solution, and with humans involved, education is just as key. The market is ripe for a new approach to internal security."

shutterstock_64869118

Nowadays, you don’t have to be a large corporation to attract the wrath of hackers. Limousine companies, escrow firms, and even hay-compressing companies have become the target of cyber attacks in recent years. According to an , 20 percent of small businesses are victims of cyber crime each year, and of those, some 60 percent go out of business within six months after an attack.

Fortunately, there are actions that companies of all sizes can take to help keep their information systems safe. In February, I wrote about what I call the “Three I’s” of computer virus protection: Install, Inform, and Insure. The first “I” is for installing antivirus software (AVS), and the last “I” is for insuring your company. Today, though, is just about the second “I”—which stands for informing staff.

(more…)

In the aftermath of the Heartbleed Bug's discovery, the security flaw continues to spark security concerns. The Heartbleed Bug was revealed in many of the world's most popular sites in April, and Internet users were shocked at its scope. From retail sites to social networks, it seemed as though no Internet giant was immune to the problems of the Heartbleed Bug, which affects site encryption and security technology Secure Sockets Layer (SSL). Companies urged users to change their passwords, saying the vulnerability may compromise personal and financial information.

"Our security teams worked quickly on a fix and we have no evidence of any accounts being harmed," social media site Instagram said in a statement, . "But because this event impacted many services across the Web, we recommend you update your password on Instagram and other sites, particularly if you use the same password on multiple sites."

Hospital Group Reports Data Breach Linked to Heartbleed
Fears about the security flaw were realized after a hospital group notified 4.5 million patients about a data breach after cybercriminals from China stole their personal information. New details have emerged that show evidence that the attackers managed to use the Heartbleed Bug to perpetuate the breach at Community Health Systems, . The firm said the attackers were able to access user credentials because of the Heartbleed Bug and then logged into the internal computer network that contained millions of patient records. 

The Community Health data breach was the biggest incident in which cyberattackers exploited the Heartbleed Bug, . 

In light of the massive breach, TrustSec advised organizations to monitor and detect threats to its security and response rapidly before data breaches occur. 

"Having the ability to detect and respond to an attack when it happens is key to enacting incident response and mitigating the threat quickly," the IT security firm said in a blog post. "What we can learn here is that when something as large as Heartbleed occurs (rare) that we need to focus on addressing the security concerns immediately and without delay."

Flaw Inspires Response from Tech Firms
In response to the Heartbleed Bug and the cyberthreats posed by this vulnerability, IT security professionals and tech firms are banding together to support OpenSSL software and make this technology more secure, . The industry-wide effort has led to the creation of the Core Infrastructure Initiative, which is already backed by Google and International Business Machines Corp. to develop the source code that will protect websites from vulnerabilities like the Heartbleed Bug. 

shutterstock_137117807

More British organizations are likely to experience security breaches—and the costs are going up, according to a survey from the Department for Business Innovation and Skills. Learn more in this handy infographic that reveals five key takeaways for businesses.

(more…)

With cyber-related threats increasing as criminals find new ways to infiltrate computer and mobile systems, businesses and consumers might find themselves vulnerable to the rippling economic impact of cyberattacks. A company on average spent $3.5 million to respond to a data breach – a rise of 15 percent compared to the previous year, . 

Not only are businesses facing costs related to downtime and repairing their systems after a breach, but they also might be named the defendant in class action lawsuits. The basis of these lawsuits is often claims of financial loss because data breaches could lead to identity theft.

In addition to consumer-driven lawsuits, businesses that work with other corporations that experienced a data breach could sue for revenue losses associated with data breaches and other cybercriminal activity.

Recently, a Tennessee industrial maintenance and construction firm filed a lawsuit against TriSummit Bank for more than $327,000 in losses after the bank allowed cybercriminals to steal money out of the company's accounts, .

Financial Institutions Fight Back
Banks also hit back with lawsuits after the industry was forced to reissue millions of cards following the Target data breach, which is more money coming out of these payment networks' pockets. Target was named the defendant in more than 140 lawsuits after a data breach exposed the personal and financial information of 110 million consumers at the height of last year's holiday shopping season, . Of the lawsuits against Target, 29 represented the bank and financial services industry. 

Connecticut-based community financial institution Putnam Bank filed a class action lawsuit against the retail giant, claiming the sector lost money due to reimbursing consumers for fraudulent activity, closing customer accounts and other losses from the data breach. Putnam Bank alleged Target had weak system security that left customer information vulnerable. 

"Target's failure to adequately safeguard customer confidential information and related data and Target's failure to maintain adequate encryption, intrusion detection, and prevention procedures in its computer systems caused the losses hereinafter set forth," Putnam Bank said in a claim, according to Bank InfoSecurity.

Other Business Costs Related to Breaches
Businesses that report hacking, malware and internal data breaches are also at risk for intellectual property theft and other types of losses that are hard to calculate. In addition to the legal costs stemming from lawsuits corporations often have to shoulder, settlements are also a large expense. As part of a settlement, grocery store chain Schnucks has set aside an undisclosed amount of money to pay consumers affected by a financial data breach between Dec. 9, 2012, and March 30, 2013, . 

With high legal costs and the risk of business losses, companies should determine whether their existing systems will fend off the impact cyberattacks have on their security as well as bottom line. 

As more Americans become conscious about their health and strive to achieve fitness goals, they may choose to buy wearable activity monitors that collect information about their heart rate, steps taken and more. While many consumers consider these devices to be a lifesaver when it comes to tracking their achievements, others are concerned about lack of privacy protection. 

Since activity monitors gather data related to consumer personal information, such as age, weight, diet and even location, third parties may be seeking out this same data, . From insurance providers to data brokers, these companies are likely to use this data for marketing and business purposes. 

The value of the global wearable devices market, which includes heart rate and activity monitors, is projected to increase to $5.8 billion by 2019, according to market research firm ResearchMoz. Activity monitors will be especially in demand from consumers as more people will use these devices to monitor their progress toward fitness and weight loss targets.

As new wearable technology, such as activity trackers, is only just emerging, privacy laws are struggling to keep up.

Calls for Stronger Privacy Regulations Grow Louder
As the market for activity monitors grows, more consumers are calling for stricter regulations of this new technology. 

New York Senator Chuck Schumer drew attention to privacy protection issues connected to wearables, urging the Federal Trade Commission to establish rules for how activity trackers manage data, . Schumer said fitness applications were a "privacy nightmare," claiming some applications sell sensitive health information to third parties without user permission.

With no federal privacy rules regarding activity trackers, Schumer said, there is no stopping developers from sharing sensitiveinformation with companies that aim to use this data for profit. 

"Personal fitness bracelets and the data they collect on your health, sleep, and location, should be just that – personal," Schumer said in a statement.

The closest regulators have come to reining in mobile apps that collect medical information is the introduction of data privacy guidelines set out by the U.S. Food and Drug Administration. However, these rules may not apply to fitness apps as the FDA said mobile apps that serve as a personal health record system do not have to adhere to the mobile medical app policy, . With the market only increasing for activity monitors, federal regulators may soon have to focus on creating privacy rules designed specifically for these devices. 

Some companies that produce activity monitors have addressed consumer concerns, with FitBit becoming the biggest high-profile firm to say it does not sell user data. Quelling consumer worries about privacy and data management will also be important for firms to ensure customers are running toward activity monitors – not away. 

shutterstock_104843165

Identity theft can wreak havoc on a person’s life—impacting their finances, health and good standing in the community. This growing crime poses an even greater threat for military personnel who require security clearance to do their jobs.

Security clearance gives military personnel, as well as civilians working for the government or contractors, access to classified information. But to earn it, they must undergo a rigorous review of their employment history, medical history, criminal record and finances to ensure a company’s or the government’s security.

(more…)

shutterstock_189022316

Even for a celebrity death, the worldwide response to Robin Williams’ passing has been remarkable. Within minutes on Monday, news of the comedian’s death was dominating trending topics on Twitter and filling up Facebook news feeds. Unfortunately, that makes it a tremendous opportunity for scam artists and computer virus writers, who never fail to take advantage of major news events for nefarious purposes.

After tragedies such as the earthquake in Haiti, fake charities emerge almost instantly. That’s unlikely to happen here. Instead, celebrity deaths generally send people, understandably, searching for answers. Those can come in the form of last words, last pictures or an alleged suicide note. Williams did in fact send out a Tweet and Instagram message recently, a birthday wish to his daughter.

However, there are already generic warnings about some of the more sensational ways these scammers will try to get you to click.

(more…)

With the risk of data breaches plaguing the health care sector, participants at the Black Hat conference for cybersecurity professionals discussed the struggles associated with protecting medical devices, . Medical devices present a unique challenge for IT security teams because the definition of this technology is very broad and the protections used to protect information for other sectors of the economy often do not apply to medical devices. 

The U.S. Department of Health and Human Services (HHS) said the No. 1 source of security issues in 2012 were laptops, with 27 percent of all breaches, . Portable devices accounted for 9 percent of data breaches in 2012, down from 13 percent the previous year. Although incidents involving portable technology like medical devices might be declining, the danger associated with data breaches still exists as stolen information is still a significant source of data breaches. 

Jay Radcliffe, security researcher and expert on medical device security, said medical devices encompass insulin pumps, pacemakers and other technology for health management. Since these devices store protected health information (PHI), such as patient names and medical diagnoses, it is often difficult for medical facilities to keep track of and guard all this data. 

Theft was the leading cause of data breaches in 2012 with stolen information resulting in 52 percent of data breaches, according to the HHS report. Another major reason for data breaches of PHI were cyberattacks and hacking incidents. Hacking events rose to 27 percent in 2012, up from 8 percent in 2011. Both causes of data breaches can impact medical devices. 

Confusion Surrounds Medical Device Security and Oversight
In addition to health care providers having to monitor the safety of various medical devices, medical facilities may not understand which entity is responsible for keeping this technology updated to maintain security. Technology that has not had frequent updates may be more vulnerable to cyberattacks. However, there is confusion over which agency is supposed to make sure hospitals and other medical facilities are protecting their devices from security flaws. The U.S. Food and Drug Administration oversees medical device approval, but other devices might be monitored by the U.S. Department of Homeland Security, according to Infosecurity Magazine. 

Although health care providers may not be able to implement long, complicated passwords to protect vital instruments like pacemakers, they can take other precautions recommended by the HHS Office for Civil Rights. These involve encrypting information stored by portable electronic devices and making sure access to sensitive data is restricted to authorized persons.