December 19, 2014

Security Breach Roundup: From Human Error to Well-hidden Malware, There’s No Shortage of Threats


This month we’ve got four stories that neatly sum up the challenges IT security professionals face in their attempts to protect corporate data. They include a mix of breaches caused by human error, a lack of encryption, and some cleverly disguised malware.

Two States Suffer Medicaid-related Security Breaches

This headline from an InformationWeek story pretty much says it all: “2 Medicaid Data Breaches, 1 Weak Link: Employees.” Here’s the story of the latest Medicaid-related breach:

The South Carolina Department of Health and Human Services (SCDHHS) discovered on April 10 that an employee of the state’s Medicaid program had transferred personal information of 228,435 Medicaid beneficiaries to his personal email account.

After the department detected the transfers, it contacted the state law enforcement agency. The employee was terminated, and the affected individuals were notified of the security breach.

This occurred shortly after a similar breach in Utah:

A new tally of files stored on a server that contained Medicaid information at the Utah Department of Technology Services (DTS) reveals that 780,000 individuals have been affected by the theft of sensitive information. That’s far worse than initial estimates.

The data breach occurred on March 30, when a configuration error occurred at the password authentication level, allowing the hacker, located in Eastern Europe, to circumvent DTS’s security system.

In the Utah case, the problem was that a test server with a weak password was put into production without the password being changed, in violation of policy. That was probably a simple error rather than a malicious act, unlike the South Carolina case. But both stories point to the hard truth that humans are indeed the weakest link when it comes to security.

Nearly Half of all Mass. Residents had Personal Info Lost or Stolen

Massachusetts was also in the news in April, after the state’s Office of Consumer Affairs and Business Regulation issued a report stating that nearly half of the state’s residents had personal information lost or stolen over the past four years during one of about 1,800 data breaches. As The Boston Globe reports:

The report, the first of its kind in Massachusetts, found the financial services industry reported the greatest number of breaches over the last four years, with 955 incidents that exposed the data of 901,156 people. The vast majority of these breaches, however, involved credit card transactions that occurred at retail establishments. The financial services institutions then reported the incidents to state officials. The health care industry, meanwhile, had 214 breaches, but they exposed more people – about 983,746. That included the loss of more than 800,000 patient records at South Shore Hospital in Weymouth in 2010.

That one strikes close to home, as one of our Carousel Connect editors was born at South Shore Hospital, although probably long enough ago that he doesn’t have much to worry about.

One of the big reasons for all this data loss is a lack of encryption. As the Globe reports:

Of the 365 devices reported lost or stolen over the past four years, only 13 were encrypted, the state said.

“It’s taking businesses and institutions longer than we’d hope to encrypt these devices. That would certainly cut back enormously on the number of breaches where consumers’ data is more vulnerable,” said Barbara Anthony, the state’s consumer affairs and business regulation undersecretary. “Businesses, institutions, and others need to do a better job protecting the information of individuals. There is still a lot of work to be done.”

Hard to argue with that.

Upstate NY Hotel Suffers Prolonged Breach from Foreign Hackers

This story, from the Desmond Hotel and Conference Center in upstate New York, has all the elements of the worst kind of security breach: a well-hidden piece of malware collects credit card data over a long period of time and sends it to a perpetrator in another country. As the Albany Times Union reports:

In an online letter to customers, operators of the 323-room hotel said the names, credit and debit card numbers and expiration dates, and other data had been exposed between May 21, 2011 and March 10 of this year in what the hotel called a “serious data security breach.”

Debit card PIN numbers are not believed to have been affected, the hotel said.

While the U.S. Secret Service and a private firm continue to probe how the breach occurred, hotel General Manager John D’Adamo said the hack — like many cyber attacks — is believed to have come from a foreign country.

D’Adamo said The Desmond was tipped to the problem when Secret Service agents showed up in early March saying they were receiving fraud complaints from banks on accounts that seemed to trace back to the prominent hotel.

It’s likely not going to be a good day when the Secret Service shows up at your door talking about fraud. But in this case the hotel was warned months earlier by a customer who reported a charge from China on the card he had used shortly before at the Desmond – a card he rarely used. He got word back from a hotel official denying any culpability.

While there’s no telling how thoroughly the hotel investigated the customer’s complaint, it is true that such malware can be tough to find. As Professor Bulent Yener, director of Rensselaer Polytechnic Institute’s Data Science Research Center, tells the Times Union:

Some of the attacks are so insidious, using what are known as rootkits, Yener said, that they take complete control of a computer and make it appear as though the security systems are working when they have long since been co-opted.

This story, and the Chinese connection, harkens back to last month’s Security Breach Report, which quoted Richard Clarke, a former terrorism, cybersecurity and cyberterrorism advisor for the White House, as saying, “Every major company in the United States has already been penetrated by China.”

And perhaps some not-so-major companies.

Security Breach Roundup: A Heavy Dose of Scary Security Facts and Suppositions


We’re taking a slightly different tack than usual with this month’s security breach report by focusing on a couple of security studies and an interview with a high-profile security expert, although we will report on one high-profile breach at a certain U.S. space agency.

Clarke Asserts China Has Hacked Every Major U.S. Company

After reading this first item it’s tempting to just stop doing these roundups and make a simple declaration: everyone’s been breached. We can stop counting.

But the warning from Richard Clarke, a former terrorism, cybersecurity and cyberterrorism advisor for the White House, is quite serious, as reported by Ron Rosenbaum in a fascinating interview in the Smithsonian:

“I’m about to say something that people think is an exaggeration, but I think the evidence is pretty strong,” he tells me. “Every major company in the United States has already been penetrated by China…

“My greatest fear,” Clarke says, “is that, rather than having a cyber-Pearl Harbor event, we will instead have this death of a thousand cuts. Where we lose our competitiveness by having all of our research and development stolen by the Chinese. And we never really see the single event that makes us do something about it. That it’s always just below our pain threshold. That company after company in the United States spends millions, hundreds of millions, in some cases billions of dollars on R&D and that information goes free to China…. After a while you can’t compete.”

This from the man who was desperately trying to tell the president that Bin Laden was planning to attack the US before 9/11, and who was right on the money when it came to Al Qaeda. Let’s hope we pay more attention to this warning.

Verizon Study Quantifies the Rise of Hacktivism

If you work for a big company and that doesn’t scare you, maybe this will. From Forbes:

On Thursday, Verizon released its annual Data Breach Investigations Report, the largest study of its kind, and one that delves into data from hundreds of the company’s breach responses, along with those performed by law enforcement agencies including the U.S. Secret Service as well as Australian, Dutch, U.K. and Irish police. The result of this year’s study is clear enough: In 2011, hacktivists made their presence felt in the world of information security more than ever before, and by some measures even more than the financial criminals who usually dominate data breach statistics.

Of the 855 breach incidents from the last year that Verizon’s security team analyzed, three percent were attributed to “hacktivists.” That may seem like a small proportion, but Verizon’s director of security research Wade Baker says it’s giant compared to the same category in previous studies, which barely created a blip on Verizon’s radar last year and accounted for less than one percent of incidents. Narrow the field of victims to only large organizations, which hackers within Anonymous and its splinters target for maximum exposure, and the number of hacktivist incidents rises to 25%.

But the real impact of last year’s radical hacktivism can be seen in the numbers of actual compromised records – each one representing data attached to an individual. Of the 177 million records stolen by hackers over the last year, 100 million were taken by hacktivists. The stats don’t even include common hacktivist techniques like website takedowns with denial of service attacks or defacements, instead focusing only on actual data theft.

That means more than one out of every two stolen records is the result of hacktivism. Looking at it another way, the hacktivists are beating the criminals.

Data Breach Costs Dip – But Hold the Celebration

If you need a bit of good news after those little nuggets, here it is, from the annual Ponemon Institute data breach cost study, as reported by SmartPlanet:

For the first time in seven years, both the organizational cost of data breach and the cost per lost or stolen record have declined. The study, which examined 49 data breach cases with a range of nearly 4,500 to 98,000 affected records, found the average cost per affected record declined from $214 to $194. The organizational cost declined from $7.2 million to $5.5 million.

That’s the good news. Here’s the bad:

There is a huge Achilles’ Heel in data security, and that is insiders with privileged — and often unmonitored — access. The greatest data security vulnerability is slackers, not hackers, the survey finds. Thirty-nine percent of companies said insider negligence was the root cause of the data breaches. Most breaches occur because of employee mistakes and lax operating procedures. As companies grow, many fail to put training and protocols in place to safeguard data. Others delegate data protection to the IT department, which does little to protect against human error, the Ponemon report claims.

NASA Admits to Security Breach and Blames – You Guessed It – the Chinese

To bring this month’s report full-circle, we have this account of an actual breach – at NASA, of all places. As the Web Host Industry Review reported in early March:

Hackers successfully breached networks at NASA’s Jet Propulsion Laboratory last November, where they were able to install malware, delete or steal private information, and take control of user accounts to access privileged sections of the network, according to a report released this week from the National Aeronautics and Space Administration’s inspector general.

If there is anything to learn from the multiple security breaches at NASA, it is that no single hosting environment is ever fully secure. After all, NASA has an annual IT security budget of $58 million and hosts all its content in-house on its own infrastructure, built by some of the brightest minds in the world, and yet its network was successfully hacked on multiple accounts.

The breach was found to originate from Chinese-based IP addresses, where hackers were able to hijack the accounts of “privileged JPL users” to gain “full access to key JPL systems,” Inspector General Paul K. Martin wrote in a report to Congress.

Seriously, if the Jet Propulsion Laboratory is being breached, what does a Pearl Harbor moment look like?