Data Theft and Fraud


April 3, 2012 9:46 AM | Posted by Roy Hadley | Permalink

This from Wall Street Journal:

“Concerns about credit-card security heightened Friday after a little-known Atlanta company disclosed it had been hit by hackers, potentially exposing hundreds of thousands of account holders to fraud.

The breach at Global Payments, Inc. is the latest in a wave of data attacks that have heightened consumer concerns about identity theft. The card industry has been particularly vulnerable to those concerns amid a slew of big breaches in recent years as more Americans choose to pay with plastic rather than cash.”

The Wall Street Journal went on to say that “Global Payments didn't disclose what type of data had been accessed, but said it had notified ‘appropriate industry parties to allow them to minimize potential cardholder impact.’”

As these types of hacks continue to escalate, every company should ask, “How safe is our data?”

You can read the Wall Street Journal article here (subscription required).

read more
January 16, 2012 10:56 AM | Posted by Roy Hadley | Permalink

Shawn Henry, the FBI's executive assistant director and top cyber official, recently stated in an interview that despite the growing prevalence of cyber crime against companies, most business owners and executives don't think that it will happen to their company. Henry went on to tell of a company that went out of business after $5 million was looted from its bank accounts, and of another business that had decades' worth of research and development, valued at over $1 billion, stolen "virtually overnight".

Henry stated that most hackers fit into three broad categories, "namely nation states targeting research and development, intellectual property and corporate strategies of American companies, terrorists who have shown a growing interest in using cyber attacks against critical infrastructure, and organized criminals wielding botnets (or networks of zombie computers) to attack corporate computer networks."

Cyber crime is here and is rapidly growing. What have you done to protect your company? 

You can read more about the interview with Assistant Director Henry here.

read more
January 5, 2012 2:44 PM | Posted by John Watkins | Permalink

As 2011 has come to a close, it may be remembered as the “year of the hack.” Last week, we learned of an attack on Christmas Day that compromised an information security firm, supposedly putting at risk information from the Department of Defense and allegedly exposing 90,000 credit card numbers. This is only the latest in a year that has seen one high-profile attack after another. In addition to hacking and data breaches, 2011 also saw a large-scale outage at a well-known cloud services provider, disrupting businesses using the service. We have reported on similar incidents since the inception of this blog.

If you think your business is not at risk, think again. Reflect on how central computers and IT have become even to “old fashioned” businesses. I can remember practicing law without a computer in my office. In those days, you relied on a dictaphone or even a legal pad to compose letters and write legal briefs, and, although our assistants had computer terminals for the mainframe, the good old IBM Selectric typewriter was there in case of a computer failure. Lawyers just a few years older than me can remember when there were no computers, and copies of letters were actually produced on carbon paper.

Read the rest of this post, after the jump.

read more
October 25, 2011 11:03 AM | Posted by Roy Hadley | Permalink

FastCompany.com is reporting that the biometric data of almost every Israeli citizen has been compromised and is now available on the Internet. According to FastCompany.com:

"Authorities in the Middle Eastern country announced the arrest on Monday of a suspect responsible for the massive data theft. He's a contract worker at the Israeli Welfare Ministry who was allegedly engaged in small-scale white collar crimes after-hours and who is accused of stealing Israel's primary national biometric database in 2006. He had access to the database, which is part of the country's population registry, through his office."

The FastCompany.com article went on to say that "[T]he stolen database contained the name, date of birth, national identification number, and family members of 9 million Israelis, living and dead. More alarmingly, the database contained information on the birth parents of hundreds of thousands of adopted Israelis--including children--and detailed health information on individual citizens."

Clearly, as more governments, such as India and Germany, collect more biometric data on their citizens, the security of such information will continue to be an issue. For corporate America, this breach underscores the need to keep security at the forefront as you collect and use more and more personal information about customers and employees.

You can read the FastCompany.com article by clicking here.

read more
October 24, 2011 3:27 PM | Posted by Jeffrey Peabody | Permalink

As the eighth annual National Cyber Security Awareness month winds down, a new survey highlights the dangerous disconnect between perception and reality among small business owners about their cyber security efforts. The survey, sponsored by Symantec and the National Cyber Security Alliance, found that more than 80 percent of small business owners believed they were safe from cyber attacks, yet relatively few took steps to eliminate the risks of such attacks by, for example, formalizing an internet security policy or preparing a contingency plan in the event of a data breach. 

Perhaps more troubling, the survey demonstrated that the ill-preparedness of small businesses is not due to a lack of awareness of such risks, or an underestimation of the harm cyber attacks pose to their day-to-day operations. Indeed, two-thirds of the surveyed companies say their company is dependent on the Internet, and many of the companies indicated they deal with sensitive information such as financial records, private customer data and intellectual property. 

Because the media often focuses its attention on the large, sophisticated cyber attacks that disrupt large corporations and result in massive data and privacy breaches, it is easy for small businesses to believe that they are simply not an attractive target for cyber thieves. Yet in many respects smaller businesses represent the “low hanging fruit” for such attacks, since they still deal with sensitive and valuable information. Moreover, given their smaller size, small businesses may stand to lose more from cyber attacks.

Given the ease with which cyber attacks can be launched, and the increased frequency of such attacks, small business owners would do well to re-evaluate their efforts to keep their data safe and secure.

read more
September 1, 2011 11:09 AM | Posted by Roy Hadley | Permalink

According to a recent article that appeared on the “Krebs on Security” blog, a Florida-based financial institution recently fell victim to a $13 million heist perpetrated by an international cybercrime gang. The cybercriminals in question used ATMs located around the world to cash out stolen pre-paid debit cards.

This crime is proof that cyber security and cyber crime are becoming increasingly sophisticated endeavors. As cyber criminals get smarter, cyber security professionals must work diligently to stay one step ahead of the game.

The entire “Krebs on Security” article can be accessed at the following location: http://krebsonsecurity.com/2011/08/coordinated-atm-heist-nets-thieves-13m/

read more
July 25, 2011 3:02 PM | Posted by Roy Hadley | Permalink

More and more clients are beginning to inquire about cyber-insurance policies to guard against data breaches and other cyber-related losses. However, companies that don’t have specialized coverage have to rely on their general liability coverage in the event of a loss.

For these companies, Reuters is reporting a potentially troubling set of events. Specifically, Reuters is reporting that:

Zurich American Insurance Co asked a New York state court in documents filed late on Wednesday to rule it does not have to defend or indemnify Sony against any claims "asserted in the class-action lawsuits, miscellaneous claims, or potential future actions instituted by any state attorney general."

Zurich American, a unit of Zurich Financial Services, also sued units of Mitsui Sumitomo Insurance, AIG and ACE Ltd, asking the court to clarify their responsibilities under various insurance policies they had written for Sony.

"Zurich doesn't think there's coverage, but to the extent there may be a duty to defend it wants to make sure all of the insurers with a potential duty to defend are contributing," said Richard Bortnick, an attorney at Cozen O'Connor and publisher of the digital law blog CyberInquirer.

Bortnick, who is not involved in the case, said that while Sony may be able to claim there was property damage as a result of the data breach, Zurich is likely to argue that the sort of general liability insurance it wrote for Sony was never intended to cover digital attacks.

What type of coverage do you have and what do your policies say? 

You can read the article here:

http://www.reuters.com/article/2011/07/21/us-insurance-sony-idUSTRE76K3PY20110721

read more
June 7, 2011 2:47 PM | Posted by Roy Hadley | Permalink

SecurID from RSA has been widely considered to be one of the most secure forms of user authentication available to corporate America. After the well-publicized hack of the platform earlier this year and subsequent breaches, this is apparently no longer the case.

This from Peter Bright at arstechnica.com:

“RSA Security is to replace virtually every one of the 40 million SecurID tokens currently in use as a result of the hacking attack the company disclosed back in March. The EMC subsidiary issued a letter to customers acknowledging that SecurID failed to protect defense contractor Lockheed Martin, which last month reported a hack attempt.

SecurID tokens are used in two-factor authentication systems. Each user account is linked to a token, and each token generates a pseudo-random number that changes periodically, typically every 30 or 60 seconds. To log in, the user enters a username, password, and the number shown on their token. The authentication server knows what number a particular token should be showing, and so uses this number to prove that the user is in possession of their token.

The exact sequence of numbers that a token generates is determined by a secret RSA-developed algorithm, and a seed value used to initialize the token. Each token has a different seed, and it's this seed that is linked to each user account. If the algorithm and seed are disclosed, the token itself becomes worthless; the numbers can be calculated in just the same way that the authentication server calculates them.

This admission puts paid to RSA's initial claims that the hack would not allow any "direct attack" on SecurID tokens; wholesale replacement of the tokens can only mean that the tokens currently in the wild do not offer the security that they are supposed to. Sources close to RSA tell Ars that the March breach did indeed result in seeds being compromised. The algorithm is already public knowledge.”

You can read the rest of the arstechnica.com article here: http://arstechnica.com/security/news/2011/06/rsa-finally-comes-clean-securid-is-compromised.ars   

read more
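To make the seed/server relationship described in the quoted Ars Technica passage concrete, here is an added example (not part of the original post or of RSA's product) of a time-stepped token built from a shared seed. It uses the public HMAC-SHA1 TOTP construction of RFC 6238 as a stand-in for RSA's proprietary SecurID algorithm; the `AuthServer` class, the user name and the sample seed are constructed for the demonstration. It shows why a copy of the seed reproduces the token's codes exactly, and why re-seeding (token replacement) is the only fix.

```python
"""Time-stepped one-time code from a shared seed (RFC 6238 TOTP, HMAC-SHA1).

Added example. The construction is the public TOTP algorithm, not RSA's
proprietary SecurID algorithm; AuthServer and the sample seed are constructed.
"""
import hashlib
import hmac
import secrets
import struct


def token_code(seed: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """Code shown by the token (and computed by the server) for the window holding unix_time."""
    counter = unix_time // step                     # index of the current time window
    msg = struct.pack(">Q", counter)                # 8-byte big-endian counter
    mac = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                         # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class AuthServer:
    """Holds the seed registered to each account and verifies submitted codes."""

    def __init__(self) -> None:
        self.seeds: dict[str, bytes] = {}

    def enroll(self, username: str, seed: bytes) -> None:
        self.seeds[username] = seed

    def reseed(self, username: str) -> bytes:
        """Issue a fresh seed, i.e. replace the token after a seed compromise."""
        new_seed = secrets.token_bytes(20)
        self.seeds[username] = new_seed
        return new_seed

    def verify(self, username: str, code: str, unix_time: int,
               step: int = 60, skew: int = 1) -> bool:
        """Accept the code for the current window or +/- skew windows (clock drift)."""
        seed = self.seeds.get(username)
        if seed is None:
            return False
        for w in range(-skew, skew + 1):
            expected = token_code(seed, unix_time + w * step, step)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                return True
        return False


def demo() -> dict:
    """Enrollment, a normal login, a copied seed, and recovery by re-seeding."""
    server = AuthServer()
    seed = b"12345678901234567890"   # constructed sample seed (RFC 6238 test seed)
    server.enroll("alice", seed)
    now = 1_300_000_000              # fixed timestamp so the run is reproducible

    code = token_code(seed, now)                     # what Alice's token displays
    legit = server.verify("alice", code, now)        # server agrees: same seed, same window

    # Any party holding a copy of the seed computes exactly the same code,
    # which is why a seed disclosure makes the token worthless.
    copy_matches = token_code(seed, now) == code

    # Replacing the token (new seed) is the remedy: codes from the old seed fail.
    server.reseed("alice")
    old_seed_rejected = not server.verify("alice", code, now)

    return {"legit": legit, "copy_matches": copy_matches,
            "old_seed_rejected": old_seed_rejected}


if __name__ == "__main__":
    print(demo())
```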
May 16, 2011 1:41 PM | Posted by Jeffrey Peabody | Permalink

Last Thursday the White House announced that the Obama Administration has transmitted a cybersecurity legislative proposal to the Congress. Citing the approximately 50 cyber-related bills introduced in the last session of Congress, the Fact Sheet for the proposed legislation describes it as “focused on improving cybersecurity for the American people, our Nation’s critical infrastructure, and the Federal Government’s own networks and computers.” The proposal contains the following items:

National Data Breach Reporting – The legislation would simplify and standardize state law requirements regarding notification to customers when a breach has occurred.
Penalties for Computer Criminals – The legislation would clarify penalties for computer crimes and set mandatory minimums for cyber intrusions into critical infrastructure.
Voluntary Government Assistance and Information Sharing with Industry, States and Local Government – Clarifies the authority of the Department of Homeland Security (DHS) to assist organizations that suffer a cyber intrusion and provides immunity to businesses, states and local governments that provide cybersecurity information to DHS.
Critical Infrastructure Cybersecurity Plans – The proposed legislation would require DHS to work with operators of critical infrastructure (i.e. those assets whose disruption “would have a debilitating impact on national security, national economic security, national public health or safety”) to develop frameworks for addressing core cyber-threats.
Federal Cybersecurity – The legislation contains a number of measures designed to strengthen the cybersecurity of federal government computers, including measures related to the increased use of cloud computing by the federal government.
Privacy and Civil Liberty – The proposed legislation requires DHS and all other federal agencies to follow privacy and civil liberties procedures in implementing the proposed cybersecurity measures.

Initial reactions to the White House’s proposal appear mixed--see, for example, here and here. Companies should pay close attention to the proposed data breach reporting rules to determine what impact the rules could have on their operations. Operators of critical infrastructure, in particular public utilities, internet service providers and telecommunications providers, should examine the proposed framework for addressing cyber-threats to their assets.

The complete text of the legislative proposal is available here.

read more
April 29, 2011 11:50 AM | Posted by Roy Hadley | Permalink

As you probably know by now, the Sony PlayStation platform was breached and a lot of personal information was compromised. According to reports, names, birthdates, physical addresses, email addresses, passwords and credit card numbers were stolen.

While most businesses do not operate multi-user gaming platforms such as Sony’s PlayStation, this episode, along with recent others, does underscore the need for companies to understand and protect their data before a breach occurs.

From what I understand, Sony is having to rebuild the PlayStation platform from the ground up and is physically moving the facility to another location. Along with that expense and the expense of notifying affected consumers, companies must also add damage to their reputation and brand, which can be many times more harmful than direct remediation costs.

The PlayStation platform has been down for over 2 weeks. Can your business afford to be down that long?

Time.com has a good article on the PlayStation breach which can be found here.

read more
April 28, 2011 3:01 PM | Posted by Roy Hadley | Permalink

According to a recent article on zdnetasia.com, small and medium-size businesses in the United States lost more than $11 million over the past year in online scams in which stolen banking credentials were used in fraudulent wire transfers to companies in China.

According to the article, “In most cases the criminals managed to compromise the computer of someone within a target company who could initiate funds transfers, according to a fraud alert issued by the FBI this week. The victim either receives a phishing e-mail designed to trick the recipient into revealing online banking credentials or into visiting a Web site hosting malware that steals the information from the computer.”

This is just another in a long list of scams and underscores that businesses are increasingly becoming targets and that everyone must remain vigilant.

You can read the article here.

read more
April 18, 2011 4:58 PM | Posted by Roy Hadley | Permalink

I read a report yesterday that said that the European Space Agency (ESA) website was hacked, resulting in the disclosure of sensitive project logs and exposing hundreds of email addresses and passwords associated with some of Europe’s top science institutes.

The hacker, known by the alias TinKode, posted a full disclosure of the attack. According to the hacker, he was able to gain access to FTP accounts, database users, hashed passwords as well as SHA1-hashed server root passwords.

The hacker was also able to gain access to some of the ESA's satellite activities and calibration sources.

I think we will see more and more of this type of attack going forward. I was recently with a group of general counsel in the manufacturing space, and one main point that was stressed was that espionage-type activities will continue to rise for the foreseeable future. I also advised them that they need to make certain not only that their IT systems are protected but that their IT governance and compliance models are current and relevant to the threats and to their organizations. In short, information security will be tougher to execute and will be a subject for corporate boards and C-suites.

You can read more about the situation at ESA here: http://www.zdnet.com.au/european-space-agency-hacked-339313416.htm

read more
March 16, 2011 10:47 AM | Posted by Roy Hadley | Permalink

I recently read highlights of a very interesting survey put out by the Ponemon Institute regarding data security. The survey, entitled “What Auditors Think of Crypto Technology,” was conducted by the Ponemon Institute and commissioned by Thales, a firm that specializes in encryption software and Host Security Modules (HSMs). According to the survey, 43% of the auditors queried selected encryption for protecting data at the point of capture, such as point-of-sale terminals, websites, cost centers, and email gateways. The survey found that tokenization came in second to encryption for protecting this type of sensitive information.

The results of the survey were interesting in that encryption was the favorite method of protecting data even though a lot of organizations have problems with key management systems. However, the survey noted that tokenization is an up and coming technology and that tokenization will become a solid alternative to encryption.

It was also interesting that most auditors suggested that they used encryption primarily for compliance reasons and, in fact, use these types of tools only as required to achieve compliance. The auditors specifically noted that HIPAA and PCI were the biggest drivers of encryption followed by state data protection requirements and data breach notification laws.

In our information security practice, however, we are seeing more and more security technologies being implemented by companies not only from a compliance standpoint but also from a best practices standpoint. Notably, the question is beginning to be asked of C-suite executives and boards of directors as to the inquiries they have made regarding information security for their companies. This awareness and potential exposure at the C-Suite and board levels will continue to drive better practices with respect to information security. What questions are you asking?

read more
February 11, 2011 10:51 AM | Posted by Roy Hadley | Permalink

In today’s environment where cyber attacks are often launched to disrupt businesses or for political purposes, most C-level executives don’t realize that cyber attacks are happening every day and that the primary target of most of these attacks are their companies’ trade secrets.

According to a recent report by the security firm McAfee, the oil and gas industries have been the victims of repeated attempts to steal sensitive company information. According to the McAfee report, many if not most of these attacks are believed to originate from hackers in China. McAfee has given these attacks a name, “Night Dragon,” and outlines in its report how the attackers penetrate a company’s networks through compromised desktop computers and web servers, often bypassing safeguards by misusing company administrative credentials and other remote administration tools.

More on this topic, after the jump.

read more
January 19, 2011 11:26 AM | Posted by Roy Hadley | Permalink

This is taken from the European Network and Information Security Agency (ENISA) website:

“The EU’s ‘cyber security’ Agency ENISA, (the European Network and Information Security Agency) has today issued a report on Data Breach Notifications. The EU data breach notification (DBN) requirement for the electronic communications sector in the ePrivacy Directive (2002/58/EC) is vital to increase in the long term the level of data security in Europe. The Agency has reviewed the current situation and identified the key concerns of both the telecom operators and the Data Protection Authorities (DPA)s in its new report.”

You can view the new report here: http://www.enisa.europa.eu/act/it/library/deliverables/dbn

read more
December 9, 2010 4:50 PM | Posted by John Watkins | Permalink

According to news reports, Google's new Chrome operating system will rely on cloud-based storage rather than hard drives. Microsoft's Windows 8, currently under development, is rumored to take a similar approach, although combined with hard drive support.

The Chrome operating system is reported to boot up in only seven seconds, to avoid the potential loss of data inherent in possible hard drive failure, and to make the amount of storage needed essentially irrelevant. Presumably, such solutions would also cut down on the size and cost of PCs, tablets, and other devices.

read more
December 9, 2010 4:02 PM | Posted by Roy Hadley | Permalink

The online edition of CNET has a very interesting article that once again underscores the importance of having an enterprise-wide IT governance plan that addresses, among other things, data privacy and security.

Apparently, NASA sold some computers to the public but failed to wipe the hard drives before they sold them. According to the CNET article, the "NASA Office of the Inspector General (OIG) found security breaches at four NASA facilities: the Kennedy and Johnson Space Centers and the Ames and Langley Research Centers."

read more
December 8, 2010 9:05 AM | Posted by John Watkins | Permalink

Much has been written in the past few days in the blogosphere regarding Amazon's termination of cloud based services for WikiLeaks. The suggestion has been made that this should be a matter of considerable concern to those using cloud-based services. There is no doubt that users of cloud-based services should understand that the provider typically establishes both an acceptable use policy and reserves considerable (if not absolute) discretion to terminate services it deems potentially illegal or inappropriate.

Although termination of services (and how a user retrieves data upon termination) is a risk that should not be taken lightly, it probably will not come into play for the vast majority of users. Why? Because the vast majority of users of cloud-based services are engaged in ordinary business enterprises that raise no controversy. A cloud provider has every economic incentive not only to keep such users, but to keep them happy.

What are the real lessons of WikiLeaks? The real lessons - which should raise considerable concern for every business with confidential information - are listed after the jump.

read more
November 4, 2010 9:48 AM | Posted by John Watkins | Permalink

In a recent press release, the FBI warned that green technology, such as the technology behind hybrid vehicles, is "an increasingly attractive target to would-be information thieves looking to make a fast buck."

The FBI's warning should serve as a reminder to all technology companies to take proactive steps to safeguard trade secrets and other valuable confidential and proprietary information. This includes companies in the green energy space, other green technologies, and other technologies.

Technology companies are not the only ones at risk. Many traditional businesses also maintain their competitive edge through confidential and proprietary software, formulas and processes. Other important proprietary information may include customer lists, supplier lists, and financial information.

read more
November 3, 2010 11:31 AM | Posted by Roy Hadley | Permalink

The Association of Certified Fraud Examiners just released their 2010 Report on Occupational Fraud and Abuse. You can find a copy of the report here.

The Report underscores the need for all organizations, regardless of size, to have policies and procedures in place to prevent and detect fraud. Fraud encompasses not only monetary losses but also the loss of sensitive information such as trade secrets, customer lists and business plans.

As we move to more and more information being accessible through electronic means, education and training on information security and fraud prevention are becoming necessary and critical parts of corporate business strategies.

Some of the findings from the report are highlighted after the jump.

read more