Posts

Malware Can Hide in the Most Obvious Places

You never know when malware will bite. Even browsing an online restaurant menu can download malicious code, put there by hackers.

6DMuch has been said that Target’s hackers accessed the giant’s records via its heating and cooling system. They’ve even infiltrated thermostats and printers among the “Internet of Things”.

It doesn’t help that swarms of third parties are routinely given access to corporate systems. A company relies upon software to control all sorts of things like A/C, heating, billing, graphics, health insurance providers, to name a few.

If just one of these systems can be busted into, the hacker can crack ‘em all. The extent of these leaky third parties is difficult to pinpoint, namely because of the confidential nature of the breach resolution process.

A New York Times online report points out that one security expert says that third party leaks may account for 70 percent of data breaches, and from the least suspected vendors, at that.

When the corporation’s software remotely connects to all those other things like the A/C, vending machines, etc., this is practically an invitation to hackers. Hackers love this “watering hole” type crime , especially when corporations use older systems like Windows XP.

Plus, many of the additional technological systems (such as video conference equipment) often come with switched-off security settings. Once a hacker gets in, they own the castle.

The New York Times online report adds that nobody thinks to look in these places. Who’d ever think a thermostat could be a portal to cyber crime?

Security researchers were even able to breach circuit breakers of the heating and cooling supplier for a sports arena—for the Sochi Olympics.

One way to strengthen security seems too simple: Keep the networks for vending machines, heating and cooling, printers, etc., separate from the networks leading to H.R. data, credit card information and other critical information. Access to sensitive data should require super strong passwords and be set up with a set of security protocols that can detect suspicious activity.

Robert Siciliano is an Identity Theft Expert to AllClear ID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

How Law Enforcement Detects Breaches Before Victims

Law enforcement agencies detect data breaches before businesses do because the former seeks evidence of the cyber crime, reports a networkworld.com article.

1GUnlike law enforcement agencies, businesses don’t go undercover in hacker forums. Nor do they get court permission to bust into enclaves of cyber thieves. Businesses don’t have moles. It continues: Law enforcement agencies interview imprisoned cyber crooks. The FBI does a lot of undercover work.

Law enforcement may then approach a company and say, “You’re being victimized; we have the evidence.” But often, the company may be skeptical of such a claim. Admittance means facing government response and upset customers

The law is always buffing up on its skills at fighting cybercrime to keep up with its evolution, such as a drastic decrease in solitary criminals and an increase in complex crime rings. These rings have all sorts of technical tricks up their sleeves, including hosting their own servers and changing up their communication methods to vex law enforcement. It doesn’t help that some foreign countries don’t place an emphasis on fighting cybercrime.

The evidence that the law presents to the business when that time comes is rock solid, though again, the company may lack aggression in its immediate response. The company’s legal counsel is commonly the first person to get the forensics report. Upper management usually gets involved before the IT department does. This is all part of keeping legal control over potentially harmful situation.

Robert Siciliano is an Identity Theft Expert to AllClear ID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Data Breaches Equal Job Loss

Is it coincidence that Beth Jacob CIO resigned from her job as chief information officer of Target Corporation? Or could this possibly be connected to the data breach that slammed Target in December of 2013, affecting as many as 70 million customers? Being a CIO is no easy task, especially when you have thousands of criminals trying to breach your networks every minute of every day.

4DTarget also announced that its information security procedures and compliance division will be completely revamped. The retail giant will also be seeking an interim CIO.

That’s not all. Gregg Steinhafel, Target’s former chief executive, recently lost his job with the retailer due to the data breach. He had been with the company for 35 years.

Should weaknesses in computer safety be blamed on Chief Executive Officers? Yes, because ultimately, the CEO is responsible for protecting the customer’s sensitive data. For instance, Steinhafel was at the helm when thieves hacked customer data records such as credit card information and home addresses, from the retailer’s computer system. Boards are also latching onto this issue and will be very influential in the before and after of a breach.

The company CEO isn’t just responsible for sales; this individual is responsible for security. Target’s data breach is a rude awakening for CEOs everywhere; data security breaches influence sales—very negatively—not to mention customer loyalty.

And then there’s the enormous expense of recovering from the breach and regaining customer trust. In Target’s case it rings in at $17 million thus far. And it is growing. Ultimately, the costs for everything related to the data breach is projected to soar into the billions.

The Secret Service, which is involved in the ongoing investigation, reports that it may take years to nail the hackers.

Law Enforcements motto is “Serve and Protect” and people gripe “where’s a cop when you need one” suggesting Law Enforcement is supposed to be there to protect us at all times. This misconception has created an entire culture of “its not my job/responsibility/problem”. YES. IT. IS. As a company front line employee, an officer or a CEO, security is your responsibility. Security is everyone’s responsibility.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Data Brokers: Walking the Tightrope

Never mind the government nosing in on your business; there’s a much bigger snooper out there that’s mining to your personal data: thousands of companies whose names you may not even know.

2WThese “data brokers” aren’t “bad”, although a few are irresponsible. They collect and analyze your very personal information, then package it up and sell it for profit to advertisers and the government. Though this rather benign consumer marketing is nothing new, the volume and type of data has changed, thanks to the Internet, making data broking a multibillion dollar venture.

Today’s technology allows data brokers to snatch and sell information about your closest friends, medical conditions, unsavory habits, even your literal footsteps—online and offline.

Data brokers today will classify people into groups such as those with genetic diseases or poverty. These are called vulnerable consumers, with classification names such as Ethnic Second-City Strugglers.

As for medical conditions, there are classifications for particular diseases, such as multiple sclerosis and cancer. There is no legislation that regulates any of this mining into our most private information.

Surprisingly, some of these companies are also in the business of offering identity protection services to consumers.

It’s not known just where the bigger data brokers even harvest their information or to whom they are selling it.

Maybe this is because they consider their client list to be proprietary. One broker even stated that it purchases lists of financially vulnerable people from government agencies so that ultimately, those who are eligible for assistance can be identified. These government clients are public record, said the broker.

The FTC consumer protection head believes that data brokers should be required to allow consumers access to the data that’s been scooped up about them. Meanwhile, data brokers records have become attractive to criminals. Ever since the ChoicePoint breach there have been multiple info/data brokers compromised.

When considering who you choose to do business with, relationships with data brokers, especially any who are also involved with protecting your customers’ identities, should be reassessed.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen.See him knock’em dead in this identity theft prevention video. Disclosures.

Data Breaches: How To Protect Your Business From Internal Threats

The biggest threat to your data may not come from external hackers. Find out how to guard against intentional or accidental internal cyber breaches.

14DThe NSA leaks we keep hearing about are a constant reminder of just how vulnerable data is and how this vulnerability can result in data breaches by organization insiders. As Reuters reported, “Edward Snowden may have persuaded between 20 and 25 fellow workers at the NSA regional operations center in Hawaii to give him their logins and passwords by telling them they were needed for him to do his job as a computer systems administrator.” It’s apparent now that the nation’s most significant intelligence and security team failed to install the most up-to-date, anti-leak software.

This news coincides with two recent reports that show insiders are becoming the most significant reason data breaches proliferate. While threats to data security and privacy are often perceived to come from the outside via criminal hackers, recent research has marked internal threats as equally dangerous to customer/client data—whether breached on purpose or by accident.

According to a recent Forrester Research report titled “Understand the State of Data Security and Privacy,” 25 percent of survey respondents said that abuse by a malicious insider was the most common way in which a breach occurred in the past year at their company, while 36 percent of breaches were caused by employee mistakes, making it the current top cause of most data breaches.

Another report, from MeriTalk, which focuses on the federal government, found that 49 percent of breaches happen when employees bypass existing security measures, such as when they’re Web surfing or downloading email or other files. If the federal government can’t protect itself against data leaks, how can small-business owners expect to adequately protect their business data? Let’s take a look at how these data leaks are happening to find out how you can protect against them.

Cracking The Code

We’re at a point where companies interested in protecting their data have invested significant resources into fighting off network attacks from outsiders by incorporating numerous layers of security, such as firewalls, antivirus software, antispyware, antiphishing software and security awareness training, but they’re leaving their data vulnerable to their employees. Companies may have malicious, Edward Snowden-like insiders who hack the network for information, including fellow employees’ passwords.

Or, on the less malicious end of the spectrum, employees may just make simple mistakes that leave the network vulnerable to data breaches. Because of this “hidden” vulnerability, company networks are often compared to candy bars that are hard on the outside and soft and chewy on the inside. Additional risks revolve around savvy employees who might have good intentions but may make the network vulnerable when they go outside existing security measures. They may find themselves forced to do this because of restrictions that prevent them from getting their jobs done.

The Meritalk study found:

  • 66 percent of federal network users believe security is time-consuming and restrictive.
  • 69 percent say their work takes longer because of additional cyber security measures.
  • One in five users report an inability to complete work because of security measures.
  • 31 percent of users work around security measures at least once a week.

Forrester found:

  • 36 percent of breaches stem from inadvertent misuse of data by employees.
  • 42 percent received training on how to remain secure at work, which means 58 percent haven’t had training at all.
  • 57 percent say they’re not even aware of their organization’s current security policies.
  • 25 percent say a breach occurred because of abuse by a malicious insider.

Guarding What’s Yours

The most important thing companies can do is to put the right security measures in place. Employees who need identification include those who are known to access critical data resources, such as those in accounting, human resources, administration, legal, personnel and account management as well as company officers and various contractors. Looking at data flow—that is, where data might be either vulnerable, shared across departments or bottle-necked—companies should work with each critical department to gradually implement security controls that create a delicate balance of security and productivity for day-to-day activities.

Data loss prevention begins with data discovery, classifying data in need of protection, and then determining what level of risk your company may face. Then you should complete a cost/benefit analysis and review the various technologies that can integrate with your existing systems. These include data loss prevention (DLP) technologies that provide real-time network activity monitoring, as well as system status monitoring from the inside out and the outside in.

The goal is to limit who has access to what data as well as determine why the person needs it. It’s also important to look for your vulnerabilities from outside attacks. DLP can simultaneously determine when employees are circumventing security because the system may be prohibiting them from getting their job done.

Other procedures and tools you might want to consider implementing include:

  • System-wide encryption
  • Tools that report alerts and events
  • Inspection access controls
  • Password management
  • Multifactor authentication
  • Device recognition
  • Data disposal for e-data, paper data and discarded devices
  • Transparency

This last one is critical because the more transparent your network security and security policies are, the more effective each department will be when communicating its requirements, needs, wants and differences.

The battle to fight criminal hackers from the outside must not hinder your employees’ progress on the inside. At the same time, you must protect against internal threats from employees, which is an equally dangerous risk that your IT department must acknowledge—and work to secure quickly.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

7 Ways we leak our Private Data

Smartphone apps. There are apps wanting your location when they do not need it. Are there any apps requesting your location? You should deny them this information unless it’s absolutely necessary.

2PAnother way your phone knows where you are in terms of location is through the data of a photo. Put up lots of photos on Facebook, and the metadata will contain your location. A stranger can then figure out your where you’ve parked yourself.

Solve this problem with these apps for iOS and Android: deGeo and Pixelgarde, respectively. They’ll rid your GPS data prior to the photos getting posted.

Too close for comfort. When services are linked together, your private information is more likely to get leaked. An example would be to hook an app into Facebook. If you link an account, that’s set to private, with a second, public account, anyone might see your activities. Unknowingly granting unwanted access to an app can result in data leakage. To make the process of figuring out all the different privacy rules, you can use MyPermissions. Don’t be lax on privacy issues.

Always being connected. Always staying connected to social networks means they can track your activities via cookies. If you don’t need to be connected online, then disconnect your device from the cyber world. However, it’s easy to forget to keep doing this.

A browser extension can solve this problem by preventing entities from tracking where you visit online. You should also make a habit of deleting cookies from your browser.

And if you want to know how your phone “knows” your shopping habits, it’s because your Wi-Fi is enabled when you walk into stores or even past a retailer without ever stepping inside; stores implement wireless technology to collect your data, even track your walking pattern inside the store. Turn your Wi-Fi connection off when being near retailers.

A retailer’s free service. Sign up for this and they’ll probably collect data from you, somehow, some way. The customer reward card that you get at the supermarket will likely collect lots of your private information.

Not encrypting. Encryption, by scrambling messages, prevents snoops from reading the messages you’re sending while they’re in transit, but the messages can still be found on your device. However, encryption is one way to reduce the amount of data that gets in unwanted hands. Encryption isn’t just for using a public computer; use it on your home computer and mobile too.

Using free WiFi. Every time you log into free WiFi you are either giving your data away through the carrier who logs your device or criminal hackers are sniffing out your information via unencrypted wireless. Never log into free WiFi without a virtual private network (VPN ) like that offered by Hotspot Shield.

Using a public computer to log into a private service. When you access one of your accounts on a computer at a coffee shop or hotel, this can leave your data on that computer. The browser’s private mode is the solution: use it. If you’re particularly concerned, use Tails, a private operating system.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.

Courts side with Consumers in Data Breach

In general, courts don’t tend to side with consumers in data breach incidents. However, a federal court in Florida is the apple among the oranges. It approved a $3 million settlement for victims whose data was on a stolen laptop in December 2009, that contained personal health information.

2D

The laptops belonged to AvMed, a health insurer, and the unencrypted data involved records of tens of thousands of the company’s customers.

Though the consumer-plaintiffs suffered no identity theft or other direct losses, they blamed AvMed of breach of contract and fiduciary duty, negligence and unjust enrichment.

These claims were dismissed by the U.S. District Court for the Southern District of Florida, but the plaintiffs appealed. The U.S. Court of Appeals for the Eleventh Circuit remanded the case.

AvMed’s attempt for another dismissal went down the tubes, prompting the company to enter into settlement talks with the plaintiffs.

The agreement says that each victim will get up to $10 for every year they made an insurance payment to AvMed, with a cap at $30. This is money, say the victims, that AvMed could have spent on better data security. The agreement also requires AvMed to pay damages to anyone who gets stung with identity theft.

AvMed will also employ encryption and new password protocols, plus GPS technology for its laptops.

Apparently, this settlement is the first in which the awarded victims didn’t have to show tangible evidence of loss.

Traditionally, courts nationwide don’t take on such claims, and that a claim lacks merit if it’s based on the possibility of future damages rather than actual concrete losses that have already occurred.

The ruling serves as a precedent for future data breach cases, to support customers’ stance that a segment of their health insurance premiums should fund data security placements.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Data Security Legislation is inevitable

A law(s) for data breaching is around the corner. And the time is right, what with the scads of data breaches involving major retailers lately. Details of customers’ addresses, phone numbers, credit cards and other sensitive information have ended up in the hands of hackers. We’re talking many tens of millions of affected consumers.

3DDespite this mushrooming problem, no consensus has yet arrived regarding just what role the government should assume to protect peoples’ data. But a common thread to the many ideas is customer notification once a data breach occurs. Though 46 states do have notification laws, retailers gripe that this makes them spend precious time complying with this instead of on fighting data infiltrations and repairing the fallout.

“We’ve long said that action is needed and hopefully we can see passage of data breach notification legislation this year,” says Brian Dodge, a senior vice president at the Retail Industry Leaders Association.

Recently the Data Security Act was introduced. It would require companies and banks to have privacy protections and investigate breaches, plus alert customers about big risks of theft or fraud. Banks have complained about the costs of responding to data breaches and have insisted that retailers take more action to the fallout. The DSA could take some of this burden off banks.

“We think it’s important that essentially everybody up their game,” says Kenneth Clayton, an executive VP and chief counsel at the American Bankers Association. This needs to occur whether through law or industry action, Clayton adds.

The FTC may even get involved. But how much should the government get involved, though? “The idea that the government would do a better job than private industry is a horrible idea,” says John Kindervag, a principal analyst at Forrester Research, an advisory firm.

However, a 2014 priority for the FTC is to protect sensitive health and financial information. “The FTC has long been concerned that this type of sensitive data warrants special protections,” says Jessica Rich, head of the FTC’s consumer protection bureau. She adds that the FTC strongly supports the possibility of new laws that would protect consumers.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Cyber Insurance vs. General Liability

One of the biggest data breaches of all time involved that of Sony Corp. The hackers stole confidential information from tens of millions of Sony PlayStation Network users. Despite this humongous breach, something surprising happened: New York Supreme Court Jeffrey Oing ruled that Mitsui Sumitomo Insurance Co. and Zurich American Insurance Co. owed NO defense coverage to Sony Corp. or Sony Computer Entertainment America LLC.

4HAnd why? Oing said that the coverage can’t be triggered through a third-party action: that by the hackers.

It seems, then, in order to get coverage, Sony itself would have to do the hacking. “They’re being held liable even though the wrongdoing was done by a third party,” explains Robin Cohen to Law360. Cohen heads a law firm that handles insurance recovery.

To determine coverage obligations, Zurich filed a lawsuit against Sony, which had to shut down its PlayStation Network for a month.

Oing’s ruling will likely motivate companies to obtain policies that specifically insure against data breach claims. However, many companies believe that such specific insurance is already built into their current general liability policy.

Insurers all across the nation are wanting to put language in their policies that exclude coverage of losses stemming from data breaches, which include loss of credit card information. However, courts have the final say-so in just how far these exclusions can go.

Companies need to seriously consider cyber insurance policies that specialize in coverage of data breach losses.

K&L Gates LLP partner Roberta Anderson told Law360, “Irrespective of whether the Sony trial court’s view is widely adopted, it’s ill-advised for policyholders to rely on general liability policies for data breaches.”

It’s expected that Sony, which has strong arguments for their appeal according to policyholder attorneys, will challenge Oing’s decision.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Insurance Company fined BIG for Breach

Why would an insurance company be fined for a data breach?

2DThere was a security breach at Triple-S Salud, Inc. (TSS), which is a subsidiary of Triple-S Management GTS. The Puerto Rico Health Insurance Administration plans on imposing a $6.8 million fine on TSS.

The breach involved 13,336 of TSS’s Dual Eligible Medicare beneficiaries. The penalty includes suspending all new DEM enrollments and alerting enrollees of their right to back out.

The PRHIA says that Triple-S failed to implement all the required steps in response to the security breach.

TSS sent out a pamphlet last September that unintentionally showed the Medicare Health Insurance Claim Number of some of the recipients. This is a unique number that’s assigned by the Social Security Administration. It’s considered to be protected health information.

An investigation was carried out by TSS, and this subsidiary did report the incident to federal government agencies and Puerto Rico. TSS complied with the PRHIA’s requests for information pertaining to the DEM beneficiaries. TSS also took additional measures, one of which was that of issuing an alert of the breach through local media; all of the affected beneficiaries were notified by mail of the breach.

In the filing, Triple-S affirms that it takes the matter very seriously and is “working to prevent this type of incident from happening again.” However, it’s currently not able to assess the financial impact of the breach on TSS, nor can it estimate the sanctions’ impact.

Triple-S adds that a response is being prepared by TSS to give to the PRHIA, and that TSS has a right to make a request for an administration hearing.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.