Our lead story of the week is the breach disclosure from UCLA Health System: U.C.L.A. Health System Warns About Stolen Records. 16,288 medical records were on a computer stolen from a doctor’s home during a burglary. The good news was that the hard drive was encrypted. The bad news was that the password was on a piece of paper near the computer, and it went missing too. That makes the encryption worthless: whoever holds both the drive and its password can read every record on it.
Rule 1 is never write down passwords. Rule 2 is: if you are going to break Rule 1, do it securely. If you must write a password down, write it on a piece of paper the size of a credit card and keep it in your wallet with your credit cards and your driver’s license, so that it travels separately from the device it unlocks and you will notice if it is lost. And write just the password: write “15Blah-blah-blah,” not “my laptop password is 15Blah-blah-blah,” so that whoever finds the paper has no idea what the string is for.
Microsoft Issues Stopgap Fix for ‘Duqu’ Flaw: Microsoft has released an advisory and a stopgap fix for the zero-day vulnerability exploited by the “Duqu” Trojan, a highly targeted malware strain that some security experts say could be the most important cyber espionage threat since Stuxnet. KrebsOnSecurity, November 4, 2011
Massive hack hit 760 companies: NEW YORK (CNNMoney) — A massive cyberattack that led to a vulnerability in RSA’s SecurID tags earlier this year also victimized Google, Facebook, Microsoft and many other big-named companies, according to a new analysis released this week. CNN Money, October 28, 2011
U.C.L.A. Health System Warns About Stolen Records: LOS ANGELES (AP) — UCLA’s system of hospitals and clinics warned more than 16,000 patients that their personal information was on a computer hard drive stolen in the burglary of a doctor’s home, officials said Friday. The New York Times, November 4, 2011
Hackers Hit 29 Chemical Makers in ‘Nitro’ Attack, Symantec Says: Computer hackers struck 29 chemical companies in attacks this summer aimed at gathering data on formulas and manufacturing processes, according to security provider Symantec Corp. SF Gate, November 2, 2011
Are You on the Pwnedlist?: 2011 has been called the year of the data breach, with hacker groups publishing huge troves of stolen data online almost daily. Now a new site called pwnedlist.com lets users check to see if their email address or username and associated information may have been compromised. KrebsOnSecurity, November 2, 2011
Should you share breach information?: When companies suffer a security breach today they face that core dilemma: Tell the world and hope the honesty helps others, or keep it under wraps to avoid tarnishing the brand and duck possible lawsuits? One thing is clear from the arguments below: It is time for the government to take the guesswork out of the equation. Network World, November 2, 2011
Ponemon Institute Survey on Cloud Data Security Exposes Gulf between IT Security and Compliance Officers: SAN JOSE, Calif., Nov 01, 2011 (BUSINESS WIRE) — Vormetric, Inc., the leader in enterprise systems encryption and key management, today announced the results from an independent research report conducted by the Ponemon Institute on how organizations manage data security risks in cloud computing environments. The survey of 1,000 IT security practitioners and enterprise compliance officers revealed that less than half of all respondents believe their organizations have adequate technologies to secure their cloud infrastructures. Meanwhile, the two groups sharply disagreed on whether the cloud is as secure as on-premise datacenters, who is responsible for cloud data security, and what security measures should be used. Market Watch, November 1, 2011
Most Execs Don’t Feel They Can Secure Cloud Infrastructures: Enterprises are using cloud infrastructures, but they aren’t very confident in their ability to secure them, according to a study to be published Wednesday. Dark Reading, November 2, 2011
Poll: 67% Security Fear Factor With Cloud Computing: Computing via the Internet cloud — like renting servers in a far-off data center from Amazon or Rackspace — can save companies money and keep them flexible. But it can be a security challenge. Investors.com, November 4, 2011
Lazy Hackers Port Ancient Linux Trojan to Mac OSX: Hackers are testing new Mac malware that they’ve ported from a nine-year-old Trojan horse originally written for Linux, according to security experts. Computer World, October 31, 2011
Community Bank Focus on Consumer Security Contradicts Regs: Community bankers are strengthening security on consumer accounts, but they are not always extending those protections to business accounts, which regulators say are at a higher risk. American Banker, August 16, 2011
Security Expert Warns of Cyber World War: LONDON – A leading Internet security expert warned Tuesday that a cyber terrorist attack with “catastrophic consequences” looked increasingly likely in a world already in a state of near cyber war. Fox News, November 1, 2011
Stuxnet Raises ‘Blowback’ Risk In Cyberwar: The Stuxnet computer worm, arguably the first and only cybersuperweapon ever deployed, continues to rattle security experts around the world, one year after its existence was made public. NPR, November 2, 2011
U.S. report blasts China, Russia for cyberattacks: WASHINGTON (AP) – U.S. intelligence officials accused China and Russia on Thursday of systematically stealing American high-tech data for their own national economic gain. USA Today, November 3, 2011
EU and US cybersecurity experts stress-test defences: EU and US cybersecurity officials have tested how they would co-ordinate their response to a hacking attack. BBC, November 3, 2011
Hague lists cyber ‘rules of the road’: Governments should follow seven cyber ‘rules of the road’ in deciding how to act and regulate behaviour online, UK foreign secretary William Hague has told a UK government cybersecurity conference. ZDNet, November 1, 2011
eThieves Steal $217k from Arena Firm: Cyber thieves stole $217,000 last month from the Metropolitan Entertainment & Convention Authority (MECA), a nonprofit organization responsible for operating the Qwest Center and other gathering places in Omaha, Nebraska. KrebsOnSecurity, August 16, 2011
BART website hacked, customer info leaked: The amorphous hacker group known as Anonymous made good Sunday on its threat to strike BART, breaching an agency website and releasing customers’ personal information in retaliation for BART’s decision to cut cellular phone service to prevent an antipolice protest in San Francisco. SF Gate, August 15, 2011
AntiSec hackers target Vanguard Defense exec: The hacktivist group AntiSec says it has released a gigabyte of private documents from Vanguard Defense Industries, including e-mails from an executive connected with a cybersecurity organization it has targeted previously. cnet, August 19, 2011
Hackers crack Purdue University server: Hackers illegally accessed a server containing the personal information, including Social Security numbers and course records, of more than 7,000 former Purdue University students. msnbc, August 19, 2011
Fired techie created virtual chaos at pharma company: Logging in from a Smyrna, Georgia, McDonald’s restaurant, a former employee of a U.S. pharmaceutical company was able to wipe out most of the company’s computer infrastructure earlier this year. Computer World, August 16, 2011
Investigation reveals widespread insider hacking at immigration agency: A yearlong probe into computer fraud at an immigration application processing center uncovered multiple incidents of internal hacking where staff accessed management-level emails and other confidential files, according to Homeland Security Department interviews, network analyses and internal emails obtained by Nextgov. Nextgov, August 18, 2011
5 things you probably didn’t know could be hacked: Hackers are making headlines these days like never before. From video game systems to voicemail accounts, it seems like almost every type of electronic device or information storage medium can be hacked to either give up information or perform actions it wasn’t initially designed to do. We’ve gathered a handful of the weirdest hacks out there, and the vulnerability of some of your everyday devices might surprise you. Yahoo News, August 15, 2011
GAO: FDIC cybersecurity lacking: The confidentiality and integrity of the Federal Deposit Insurance Corporation’s information systems are vulnerable, says a Government Accountability Office report (.pdf) published Aug. 12. Weak passwords, poor user-access policies, inconsistent encryption and unsatisfactory patch implementation threaten FDIC’s financial systems and databases, finds the GAO. Fierce Government, August 15, 2011
Beware of Juice-Jacking: You’re out and about, and your smartphone’s battery is about to die. Maybe you’re at an airport, hotel, or shopping mall. You don’t have the power cable needed to charge the device, but you do have a USB cord that can supply the needed juice. Then you spot an oasis: A free charging kiosk. Do you hesitate before connecting your phone to this unknown device that could be configured to read most of the data on your phone, and perhaps even upload malware? KrebsOnSecurity, August 17, 2011
Watch out for botnet-driven Google Dorks, the next automated cyber attacks: Botnets have been taking down web sites for years by overwhelming sites with too much traffic. But now the swarms of compromised computers are being unleashed for the first time on an old kind of vulnerability: Google Dorks. Venture Beat, August 16, 2011
Theft via text: Cars vulnerable to hack attacks: Texting and driving don’t go well together — though not in the way you might think. Computer hackers can force some cars to unlock their doors and start their engines without a key by sending specially crafted messages to a car’s anti-theft system. They can also snoop at where you’ve been by tapping the car’s GPS system. VolunteerTV, August 19, 2011
Programs aim to get the word out when cyber attacks occur: It’s not the loud pronouncements by hacking groups or the highly visible denial-of-service attacks that scare cybersecurity experts. It’s silence. In the escalating battle against cyber attackers, the focus has been on new security software and cyber hygiene, but one of the greatest tools against “the adversary,” as cyber attackers are called in industry parlance, is the relatively low-tech approach of sharing information about attacks. Federal Times, August 20, 2011
The Dangers of Supercookies: Browser cookies have been around almost as long as the web. Invented by an engineer at Netscape in 1994, the method for keeping track of people’s browsing activity started out as a way for e-commerce sites to store your purchases in a shopping cart and are now widely used. But researchers and regulators now think that the evolution of a more advanced type of cookie known, appropriately, as a “supercookie” poses some serious privacy concerns. Used on websites like Hulu and MSN, invasive new tracking techniques like supercookies track users every move, steal your browser history and feed the data to advertisers, largely undetected. And whereas regular cookies are easy to find and delete, supercookies and history-stealing software are almost impossible to get rid of. The Atlantic, August 18, 2011
New documents undermine Murdoch phone-hacking defense: Phone hacking was “widely discussed” at News of the World, the royal correspondent jailed and sacked for the practice wrote in 2007, according to documents released Tuesday by a Parliament committee investigating the scandal. CNN, August 16, 2011
Administration issues far-reaching plan for building cyber workforce: The Obama administration on Friday released the first-ever roadmap for building a U.S. cybersecurity workforce and testing the government’s success at raising public awareness of computer threats. Nextgov, August 12, 2011
Security Summit Cautions Against Increasing Cybercrime: The Information Systems Security Association held the third annual Information Security Summit at Los Angeles. Hacking the cloud and cloud security were topics that figured prominently. Appropriately, the theme of the 2011 summit was The Growing Cyber Threat: Protect Your Business. infoTech Spotlight, June 29, 2011. Dr. Eugene Schultz, who spoke on cloud security at the Summit, and Dr. Stahl are both quoted in this story.
Human Errors Fuel Hacking as Test Shows Nothing Stops Idiocy: The U.S. Department of Homeland Security ran a test this year to see how hard it was for hackers to corrupt workers and gain access to computer systems. Not very, it turned out. Bloomberg, June 27, 2011
The Cop on the Cyber Beat: Bruce McConnell, a senior cybersecurity official with the Department of Homeland Security, sat down with The Wall Street Journal’s John Bussey to discuss what role the government should play in this effort and why he’s especially concerned about the theft of intellectual property. The Wall Street Journal, June 27, 2011
Regulators Issue Updated eBanking Security Guidelines: Federal banking regulators today released a long-awaited supplement to the 2005 guidelines that describe what banks should be doing to protect e-banking customers from hackers and account takeovers. Experts called the updated guidance a step forward, but were divided over whether it would be adequate to protect small to mid-sized businesses against today’s sophisticated online attackers. KrebsOnSecurity, June 29, 2011
FFIEC Guidance: What Banks Should Know: More than six months after a draft of expected updates to the Federal Financial Institutions Examination Council 2005 “Authentication in an Internet Banking Environment” guidance inadvertently appeared briefly on the National Credit Union Administration’s website, the formal supplement has finally been issued. BankInfoSecurity, July 1, 2011
Internet Security Experts Say Potentially Big Holes In Cloud: In the light of a recent disclosure that “cloud” storage provider Dropbox failed to properly secure their customers’ documents, hacking the cloud and cloud security were timely topics covered at the Los Angeles Chapter of the Information Systems Security Association (ISSA-LA) third annual Information Security Summit. The theme of this year’s summit was The Growing Cyber Threat: Protect Your Business. widePR.com, June 27, 2011. Dr. Eugene Schultz, who spoke on cloud security at the Summit, and Dr. Stahl are both quoted in this story.
Massive botnet ‘indestructible,’ say researchers: A new and improved botnet that has infected more than four million PCs is “practically indestructible,” security researchers say. “TDL-4,” the name for both the bot Trojan that infects machines and the ensuing collection of compromised computers, is “the most sophisticated threat today,” said Kaspersky Labs researcher Sergey Golovanov in a detailed analysis Monday. Computerworld, June 29, 2011
Security Researchers Discover the Mother of All Botnets: A new strain of the TDSS malware has been pegged as “the most sophisticated threat” to computer security in the world today by a Kaspersky Labs researcher and is being used to slave more than 4.5 million PCs in a massive botnet that’s equipped with an “anti-virus” to prevent other bot-creating viruses from taking it over. PC Magazine, June 30, 2011
Al Qaeda web forum hacked, but why?: A popular jihadist Internet forum has been knocked off the Internet, and counterterrorism experts say it appears it was hacked. CBS News, June 30, 2011
Cisco Study Shows Mass Phishing Attacks Down, Targeted Attacks Up: New research released by Cisco Systems shows a steep decline in the number of mass spam or phishing attacks by cyber criminals, but a disturbing rise in the use of targeted phishing attacks that are more sophisticated and, for the criminals, more profitable. Network Computing, July 1, 2011
Former YouSendIt CEO pleads guilty to Web attack on his old company: The former chief executive of YouSendIt, a website where users can post files too large to send over email, has admitted to launching an online attack against the company he once ran. Los Angeles Times, June 27
Two recent news items should serve to get every financial institution in America asking how it might better protect its e-bank account holders from online bank fraud.
In a lawsuit filed by a customer, Experi-Metal, against its bank, Comerica, over responsibility for an online bank fraud that cost Experi-Metal more than $500,000, United States District Court Judge Patrick Duggan held that Comerica failed to act “in good faith” in protecting Experi-Metal from online bank fraud. (For an overview of the decision see KrebsOnSecurity.com. The judge’s decision is available here as a downloadable PDF.)
The Judge, characterizing Comerica’s conduct as a case of “pure heart, empty head,” found that (i) Comerica did show that it intended to protect Experi-Metal, so its heart was in the right place, but (ii) Comerica failed to rebut the plaintiff’s claim that the specific actions the bank took to protect Experi-Metal fell short of “reasonable commercial standards of fair dealing.” That second prong, the “head” component, is also required for a successful “good faith” defense, and Comerica did not satisfy it.
The ruling suggests that, in a dispute over responsibility for online bank fraud, a financial institution’s account holder can be expected to argue that the institution failed to act in “good faith,” i.e., commensurate with “reasonable commercial standards of fair dealing.” Good intentions alone will not carry that argument; the institution will have to show what it actually did.
The second piece of important financial cyber security news is that regulators have released a long-awaited update to their 2005 guidelines describing what financial institutions should be doing to protect e-banking customers from hackers and account takeovers. (Good overviews of the guidance are available at BankInfoSecurity and KrebsOnSecurity.com. The new guidelines are available here as a downloadable PDF.)
The updated guidelines call on financial institutions to
Based on our firm’s experience, the specifics of Experi-Metal v. Comerica that led the Judge to conclude that Comerica failed to act in good faith, and the new guidelines for protecting customers against online bank fraud, we expect that a significant percentage of community banks, as well as a significant number of larger banks, fail to meet the “good faith” standard of “reasonable commercial standards of fair dealing.” (See our White Paper, The Commercial Reasonableness of Bank Security Procedures.)
Forward-looking financial institutions will see in these two news items an opportunity to review how they currently protect e-customers from online bank fraud. They will want to carefully review the new guidelines, identify any gaps between the guidelines and their current protections, and put in place Action Plans to close those gaps. Documenting that review and the resulting controls matters as much as implementing them: by meeting the new guidelines and being able to show it, a financial institution in a dispute with an account holder will be better able to demonstrate that it acted in “good faith,” commensurate with “reasonable commercial standards of fair dealing.”
By doing more to educate account holders about the risks involved in online banking, these forward-looking financial institutions will also reap the competitive advantage that comes whenever a business and its customer collaborate to solve the customer’s problem. As account holders become more concerned about the risk of online bank fraud, financial institutions with a reputation for working closely with their account holders to manage that risk will be positioned to take advantage of this market differentiator.
A cyber security breach at the marketing firm Epsilon has exposed the names and email addresses of millions of customers of some of America’s largest companies, including JP Morgan Chase, Citibank, Barclays Bank, U.S. Bancorp, Walt Disney, Marriott, Best Buy, Target, Kroger and Walgreen’s.
As a result of this breach, customers of these companies are at increased risk of several kinds of cyber crime. This includes bank fraud, identity theft, and credit card theft. More subtly, victimized customers may find that cyber criminals have taken control of their computer, covertly using it to send spam or participate in other illegal activities such as distributed denial of service attacks.
A Warning for Consumers: Consumers need to be very suspicious of emails appearing to come from financial institutions or companies with whom they do business. Cyber criminals are expected to use these stolen email addresses to spear-phish customers, and because the thieves know which company each address belongs to, the phony emails will look convincing. Customers will receive a phony email designed to look like it came from a legitimate company. The email may have a link in it. It may have an attachment. Or it may ask for sensitive information. Consumers need to delete these emails, since following a link or opening an attachment can expose their computer to attack. If a message seems to require action, go to the company’s site by typing its address or using a saved bookmark rather than clicking the link. And never put sensitive information in an email.
Consumers also need to keep their workstations current with the latest security patches in case a spear-phishing attack gets through. Our Weekend Patch and Vulnerability Report can be used to help keep computer programs up to date. Consumers also want to make sure they use an antivirus program or, even better, a host-based intrusion prevention solution.
A Lesson for Organizations Sharing Information with 3rd Parties: Organizations that share information with third parties can learn an important lesson from the embarrassment suffered by Epsilon’s customers. Cyber security management is a challenge that is not to be taken for granted. Organizations that give third parties access to consumer or other sensitive information have a responsibility to be diligent in ensuring that those third parties are properly protecting it, both before the data is shared and on an ongoing basis afterward. (See the papers in our CEO-Library for examples of what to expect of a third party before sharing sensitive information.) This includes not only third-party marketing companies like Epsilon but also third parties that have access to sensitive information or that write the programs which manage access to sensitive information:
A Lesson for All: All organizations holding consumer or other sensitive information can draw a lesson from Epsilon’s travails: You never get a second chance to make a good first impression. Epsilon’s brand will forever be tainted by this exposure. Solid cyber security management is a lot less costly than a breach.