Tuesday, January 13, 2015

Obama proposal: Hacked companies have 30 days to fess up

By Jose Pagliery 
January 12 2015

In a State of the Union preview, President Obama on Monday demanded quicker confessions from companies that lose your data as well as better privacy for students.

One proposed law would give a company 30 days to let you know if your personal information--such as your address or Social Security number--has been exposed by hackers or careless employees.

The Personal Data Notification & Protection Act is an attempt at a nationwide, uniform rule. Right now, there are 47 different state laws that govern data breaches. Depending on the situation, people in some states get notified, while others are left in the dark. It's a mess.

Data breaches are increasingly common. Last year, hackers broke into Home Depot, Albertson's and so many others that CNN developed its own tool: What hackers know about you

The president's other proposed law, the Student Digital Privacy Act, is meant to stop the sale of sensitive student data for non-education purposes. Now that students routinely use laptops, tablets, and computer programs at school, lots of that data is being collected--and sometimes sold to advertisers and financial companies.

The fear? That information might be used by money lenders to prey on students--or by colleges or future employers to judge students unfairly. 

"Parents have a legitimate concern about these kinds of practices," Obama said at a midday speech Monday before the Federal Trade Commission. "Our children are growing up in cyberspace."

The president also endorsed the "student privacy pledge", already signed by 75 firms including Apple and Microsoft. It's a promise by companies to only use student data collected at school for education purposes, not observe behavior to target advertisements and not keep data for long. 

Obama said any companies that provide school services and don't sign the pledge will be singled out and censured. 

The president also called for a "consumer privacy bill of rights" that gives consumers the ability to decide what personal data is collected and how it's used. He tried this in 2012, but the idea failed to take off. 

"This should not be a partisan issue. It's one of those new challenges in our modern society that crosses our old divides," he said. "We pioneered the Internet, but we also pioneered the Bill of Rights and the sense that each of us as individuals have a sphere of privacy around us that should not be breached."

The administration cited a recent poll that showed 91% of Americans feel they've lost control of their personal information. Last year was so riddled with cyber break-ins that, early on, half of American adults had their personal information exposed.

"The more we protect consumer data, the harder it is for hackers to damage our businesses and hurt our economy," Obama said.

Other privacy and security bills

The national consciousness for cybersecurity peaked with the Sony hack over the holidays.

As a result, expect to hear a lot more about privacy and cybersecurity from politicians in 2015. Some in Congress are trying to revive a controversial cybersecurity bill that increases information sharing between companies and government to stop hackers.

The nameless bill, H.R. 234, was introduced to the House of Representatives on Friday by C. A. Dutch Ruppersberger, a Democrat from Maryland.

It's essentially another go at the Cyber Intelligence Sharing and Protection Act (CISPA), which passed the House in 2012, but got knocked down in the Senate.

The idea is to provide basic rules to develop closer bonds between law enforcement and all types of companies: banks, energy providers, retailers, etc.

When hackers attack an industry, companies already share some information. But they often hold back data, afraid to give competitors an edge or admit they were hacked. Also, the tips they get from the FBI and Department of Homeland Security are late and vague, because few companies have permission to know "classified" government secrets.

This proposed law would protect firms from lawsuits related to this kind of data sharing and make them government insiders. But these ideas scare privacy advocates, because they could be used as a blanket excuse for snooping on your personal life. That's why President Obama threatened to veto it the first time around.

Tuesday, December 30, 2014

What caused Sony hack: What we now know

By Jose Pagliery
December 29, 2014

What we now know about the Sony Pictures hack shows this cybermystery isn't over yet.

The FBI presented evidence that North Korea was behind the hack. Upon closer examination, security experts, hackers, and people familiar with Sony's computer networks are uniting around this disheartening reality: Anyone could have pulled this off.

It could have been a disgruntled Sony employee, profit-seeking hackers, North Korea--or a combination of the three.

Here are the facts about the hack that we do know:

  • Hackers used computer servers in Bolivia, Cyprus, Italy, Poland, Singapore, Thailand and the United States to attack Sony. 
  • The IP addresses associated with those servers have "previously [been] linked to North Korea" by the FBI.
  • The malware used against Sony had what the FBI calls "lines of code" and "data deletion" methods similar to malware "North Korean actors previously developed."
  • The computer-wiping software used against Sony was also used in a 2013 attack against South Korean banks and news outlets, which the FBI attributed to North Korea. 
  • The malware was built on computers set to the Korean language--unusual in the hacking world. 
  • Hackers demanded Sony Pictures pull "The Interview" to avoid starting a war over a movie.

These facts are why the Obama administration has accused North Korea of hacking Sony Pictures and has vowed to retaliate.

But security experts aren't 100% ready to point their fingers at North Korea--not yet, anyway.

Technical evidence shows anyone can tap servers for hacking and spamming. Hackers routinely borrow and share computer code. Computer wiping software can be bought legally by anyone. A computer's language settings can be changed on a whim. And this hack actually started as an extortion attempt on Nov. 21 when Sony executives got emails saying "The compensation for it, monetary compensation we want."

Robert Graham, a researcher with Errata Security, stresses that anyone can hire hackers on the black market. These cybersoldiers of fortune might work on behalf of a country or an ex-Sony employee--and not even know it. 

He's also wary of how quickly the US government blamed North Korea. Hacking investigations typically take months, including the FBI's takedown of online drug bazaar Silk Road and hunting down members of LulzSec. 

"Even if it's true that it was North Korea, I don't think the FBI would do it in three weeks," Graham said. "Maybe six months."

This year's major hacks are a perfect example. Law enforcement still hasn't publicly identified--or arrested--those who broke into Target, Home Depot, and JPMorgan and stole millions of credit cards and lots of personal data. 

Robert M. Lee, co-founder of consulting and software firm Dragos Security, puts it this way: There might be evidence against North Korea, but what the FBI presented doesn't cut it. 

Lee, until recently a U.S. Air Force intelligence officer specializing in cyber warfare, also worries about how quickly North Korea was blamed. Lee said intelligence agencies and law enforcement don't typically work together at this kind of breakneck speed--and when they do, they often rely on outdated or inaccurate information, because there are so many conflicting intelligence reports. 

For its part, North Korea's government says it was framed. Take that for what you will.

Adding to the fog: Lots of Sony employees with critical access to the computer network were laid off by the company earlier this year, according to ex-employees. And early on, the hackers talked about seeking "equality" at Sony.

A simple explanation points to North Korea. But those who understand hacking worry it's just too simple. 


Tuesday, December 9, 2014

Scam of the Week: "Shipping Problem"

Posted by Stu Sjouwerman

We have Black Friday and Cyber Monday behind us. After losing ground to online competitors, brick-and-mortar retailers have struck back with incredible online deals. Wal-Mart said Thanksgiving was its second biggest day ever for online sales and Target's online buying was up 40% over last year.

This is the time of year that people buy new smartphones, TVs, and new game consoles because they are able to get killer deals and they are dying to get their hands on these new goodies.

What you may not know is that similar to a magazine's editorial calendar, hackers have a "scam calendar" which focuses on events exactly like this. They have them planned and ready to roll starting TODAY for the rest of the month.

These malware campaigns do not discriminate between the home and the office, and use social engineering to trick users. A billion of these criminal emails are sent each day. So, I strongly recommend you send this to your users today. Feel free to edit it in any way you like:

"Scammers are preying on people that have just made a lot of online purchases on Black Friday and Cyber Monday. There are several scam campaigns being sent right now.

1) Be on the lookout for "Shipping Problem" emails from FedEx, UPS, or the US Mail, where the email claims they tried to deliver a package (from Apple Computer, for instance) but could not deliver due to an incomplete address. "Please click on the link to correct your address and you will get your package." If you do, your computer is likely to get infected with malware. Warn everyone in the family, especially teenagers.

2) Watch out for alerts via a TEXT to your smartphone that "confirm delivery" from FedEx, UPS, or the US Mail, and then ask you for some personal information. Do not enter anything. Think before you click!

3) And to reiterate a warning we sent out a few weeks ago, there is a fake refund scam going on that could come from a big retailer. It claims there was a "wrong transaction" and wants you to "click for a refund" but instead, your device may be infected with ransomware.


Monday, December 1, 2014

Sony pictures computer system hacked in online attack

25 November 2014

Sony Pictures Entertainment has been targeted by computer hackers in an attack which reports say forced it to shut down its systems on Monday.

A skull appeared on computer screens along with a message threatening to release data "secrets" if undisclosed demands were not met, reports said.

The message showed "#GOP" indicating a group called Guardians of Peace was behind the attack.

Sony has issued a statement saying the firm is investigating the "IT matter".

The tech firm has reportedly shut down its computer network as a precaution and advised employees that resolving the situation could take anywhere from one day to three weeks.

Meanwhile, an anonymous user on the Reddit news website posted an image allegedly from a Sony computer screen, which said "Warning: We've already warned you, and this is just the beginning...We have obtained all your internal data including secrets and top secrets".

News of the online attack comes just months after Sony's Playstation network was forced offline by a cyber attack in August.

Wee Teck Loo, head of consumer electronics research at Euromonitor said any negative news for Sony just "piles" pressure on the company that has been struggling financially in both its TV and mobile business.

"Three years ago, the hack on PlayStation network was massive, expensive and absolutely embarrassing. This time round, I don't believe that there will be massive damage, save for Sony's ego, even if the hack is real," Mr. Loo said.

Charles Lim, senior industry analyst at ICT, Frost & Sullivan Asia Pacific, however, said that the attack has put into question what "multi-layers of prevention" Sony has to detect and handle such risks.

"In this breach, GOP claimed to have accessed private keys, source codes, password files and even their production schedule and notes, and that will raise questions," Mr Lim said.

High profile companies like Sony can be targeted and hacked every day, according to Naveen Menon, partner at consulting firm AT Kearney.

In its latest research, the firm said that experts estimate that at least 25% of all companies have already suffered financial loss through some form of cyber attack.

Sony is understandably keen to downplay this latest hacking threat. "We are investigating the matter" is the kind of benign language more commonly used for routine technological issues, not chilling messages threatening to unleash reams of data to the world.

The demands are opaque so it is unclear how much damage could be wrought should Sony fail to resolve the situation before the deadline. Sony Pictures has at least reclaimed its compromised Twitter accounts.

Nevertheless, this internal corporate attack does not yet appear to be of the magnitude of previous public breaches that Sony has suffered.

But the fact that hackers have again apparently infiltrated Sony's systems will do nothing to restore public faith that the Japanese technology giant has its security affairs in order.

And it is somewhat ironic that Sony has only just dismissed the allegation made by hackers that they had succeeded in breaching the Playstation network earlier this year. This latest attack cannot be so easily dismissed.


Friday, November 14, 2014

How health history is more valuable to hackers than your credit card information

By Kelly Yee

A recent article stated that medical records could be sold for up to 20 times more than credit card information on the black market. There are various factors as to why consumers' medical information has become so valuable. This article considers those factors as well as some precautions medical providers can take to better protect themselves against malicious threats.

The first thing that needs to be addressed is why hackers prefer to buy and sell medical records versus credit card information.

If we start with credit card information, we need to ask how much a thief can actually profit from stealing a credit card. Sometimes zero, maybe a few thousand dollars if he or she is lucky. The fraud detection software that credit card companies deploy is so sophisticated that any attempt to purchase, say, a TV in a state the victim has never been to is flagged and rejected immediately. There are whole departments dedicated to tracking the thief, so that any loss in revenue by the credit card company is minimized. In other words, when it comes to stolen credit card information, there is a low reward for a moderate risk.

Now, take medical records. Most of us probably don't understand why our medical history is valuable. Why does it matter who knows our medical history?

But, in reality, in a thief's mind the real question is "who would be interested in paying the most for the medical information I have?" The answer lies with medical providers.

The advent of electronic records management has created a landscape where a thief could steal batches (tens of thousands) of patient records in one fell swoop. One of the original goals of electronic records management was to provide seamless access to an individual's medical records to many. This way, multiple departments and specialties could all have access to a single account of a patient's medical history. This is great for a hospital where different departments need to communicate with one another. From a security standpoint, however, there are now multiple access points too. Electronic records are very useful in one sense, as they help with efficiency, document management and overall accountability, but as with anything that has multiple points of entry, there is now more exposure to malicious use.

HIPAA compliance is another area of consideration, as it also contributes in some way to the increased value of medical records on the black market. HIPAA is a federal protection act that medical providers must adhere to. HIPAA protects a patient's information and requires security safeguards around it. Any violation by medical providers or their employees could be pursued in a court of law, criminally and civilly. Simply put, under HIPAA, medical providers are federally required to keep patients' information safe.

Finally, reputation must also be taken into account when considering the value of health records. In the medical community, medical providers get the majority of their business from referral and reputation. A breach in security or any unprofessional act by a medical provider could cost them several patients and therefore business.

Now let's look at all of the factors together. Electronic records allow thieves the ability to extract thousands of patients' records in one attack. Medical providers are federally required to keep patients' information safe through HIPAA. Any violation of HIPAA alone could cost the medical provider millions. Any known breach of patients' information would negatively affect the provider's reputation, at both a patient and a partner level. This means that millions of dollars and perhaps the medical provider's existence could be at stake. In other words, when taking into consideration factors like the storage of electronic records, HIPAA compliance and a medical provider's reputation, medical health data offers hackers a high reward for a moderate risk.

Fortunately, security has become a main topic for medical providers and the electronic records management vendors that support them. Security features like the ones Penango offers, where email is encrypted and authenticated, are beginning to be the norm. Two-factor authentication is also becoming the norm. This is when the user needs to know a password and have access to the token that generates the time-varying code. While it is easy to figure out or skim passwords for most user accounts, getting access to the token is much harder, and an attacker would have to steal the user's phone or physical key fob. All these options can help reduce the risk of an attack. 


Friday, November 7, 2014

Online ads are attacking you

By Jose Pagliery
October 15, 2014: 3:37 PM ET

An especially sneaky type of hack is on the rise. Hackers can infect your computer by piggybacking on Web ads--even on trusted websites.

Hackers are slipping malware into legitimate-looking online advertisements. When you visit sites that serve those ads, you're automatically and unknowingly downloading computer viruses. 

"Malvertising" has hit Amazon, Answers.com, Dictionary.com, Examiner.com, The Jerusalem Post, Last.fm, The Pirate Bay, The Times of Israel, Yahoo, and YouTube this year. 

And it's blowing up. The number of malicious ads has nearly doubled every year since 2011, according to data from security firm RiskIQ. Its researchers have discovered 432,374 of them so far this year. 

"The ad tech industry recognizes this is a serious problem," said Geir Magnusson, CTO of online ad platform AppNexus.

Malvertising makes up a microscopic fraction of the 5 trillion online ads displayed each year in the US alone, according to trackers at comScore. But that's still half a million times our computers could get infected. 

Hackers have used malvertising to steal bank account information and lock up files to hold them for ransom.

A major concern now is that hackers are getting smarter at launching attacks that slip past security scanners -- and are customized to specifically attack you.

Online ad networks allow advertisers to know your physical location, Web history, and what kind of browser, device or operating system you use. Hackers are leveraging this to make ads that only deliver malware under specific circumstances.

If the malware exploits a bug in Windows XP, it won't appear if you use Windows 7. It might only target retirees in Florida on weekdays. That's why malvertisements don't always raise alarms. They won't appear for every scanner.

Hackers also take advantage of a vulnerability in the way online ads are bought and sold. When you navigate to a website, a complex negotiation between advertisers occurs in a matter of milliseconds. The highest-bidding advertiser can show you an ad -- or go back to the market and see if there's an even higher bidder somewhere out there -- all in half a second.

The box reserved for advertising on a website might redirect you to a dozen different computer servers before it finally loads the ad. That's how hackers go unnoticed: The first package of data they send seems fine, but they eventually redirect you to a server that spits out malware. They set up deceptive servers to trick ad networks and consumers alike.
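The two evasion tricks described above, profile-specific delivery and long redirect chains, suggest a straightforward defensive check for an ad-operations team: fetch the same ad slot under several client profiles, record the chain each one is sent down, and flag any profile that ends somewhere different from the rest, any chain that bounces through too many servers, and any host the team has not vetted. The code below is an added example written for this page; it is not RiskIQ's, AppNexus's or Sherlock's code. The scan results, hostnames and the `max_hops` threshold are all constructed placeholders.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed scan log: the same ad slot fetched under several client profiles
# (browser, OS, location), recording the redirect chain each profile was sent
# down. All hostnames are placeholders, not real ad networks or malware hosts.
SCAN_RESULTS = {
    "chrome-win7-us": [
        "https://exchange.example/bid",
        "https://cdn.example/creative.js",
    ],
    "firefox-mac-us": [
        "https://exchange.example/bid",
        "https://cdn.example/creative.js",
    ],
    "scanner-linux-datacenter": [
        "https://exchange.example/bid",
        "https://cdn.example/creative.js",
    ],
    # The profile the ad is cloaked for gets a different, longer chain.
    "ie8-winxp-fl": [
        "https://exchange.example/bid",
        "https://agency.example/r",
        "https://resell.example/r",
        "https://resell.example/r2",
        "https://landing.example/x",
    ],
}

# Hosts the ad-operations team has vetted (placeholder names).
TRUSTED_HOSTS = {"exchange.example", "agency.example", "cdn.example"}


def host_of(url: str) -> str:
    """Hostname part of a URL, or an empty string if it has none."""
    return urlsplit(url).hostname or ""


def cloaked_profiles(results):
    """Profiles whose final landing host differs from the majority outcome.
    Cloaking shows up as the same ad tag resolving differently for one kind
    of client (the targeted one) than for everyone else, scanner included."""
    finals = {p: host_of(chain[-1]) for p, chain in results.items() if chain}
    if not finals:
        return []
    consensus, _ = Counter(finals.values()).most_common(1)[0]
    return sorted(p for p, h in finals.items() if h != consensus)


def long_chains(results, max_hops=3):
    """Profiles bounced through more than `max_hops` servers before the creative loaded."""
    return sorted(p for p, chain in results.items() if len(chain) > max_hops)


def unvetted_hosts(results, trusted):
    """Every host seen in any chain that is not on the vetted list."""
    seen = {host_of(u) for chain in results.values() for u in chain}
    return sorted(seen - set(trusted))


def assess_ad_slot(results, trusted, max_hops=3):
    """Combine the three checks into one findings report for an ad slot."""
    return {
        "cloaked": cloaked_profiles(results),
        "long_chains": long_chains(results, max_hops),
        "unvetted_hosts": unvetted_hosts(results, trusted),
    }


if __name__ == "__main__":
    for finding, value in assess_ad_slot(SCAN_RESULTS, TRUSTED_HOSTS).items():
        print(f"{finding}: {value}")
```

The majority-vote comparison is what catches the "won't appear for every scanner" problem: a single scanning profile can be cloaked against, but a tag that resolves one way for most profiles and another way for a specific browser, OS and region stands out regardless of which profile the attacker was hiding from.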
"The ecosystem is optimized to get the right ad displayed at the right time at the highest price," said RiskIQ CEO Elias Manousos. "It was never built to stop fraud."

The system's complexity makes it harder to crack down. When The Times of Israel was hit with malvertising in September, it took 14 hours to figure out what ad agency was unwittingly passing along the bad ads, according to Jess Dolgin, whose J Media firm serves as the news website's advertising department.

The advertising industry does take steps to protect the public. For example, AppNexus pays dozens of its staff in New York and India to monitor actual ads all day long. And a special software program, dubbed Sherlock, spots those that violate company policy.

Sherlock catches 35 malicious ads a week. But AppNexus serves 30 billion ads a day. Sherlock can't scan them all -- that would delay display time by minutes. Cybersecurity provider Bromium recently concluded the most thorough solution -- rigorous approval of 100% of ads -- is just not possible for the ad industry.

"There are limits to what you can do in milliseconds," said John Clyman, senior director of security at The Rubicon Project (RUBI), an ad exchange.

So how can you avoid malvertising?

The bare minimum: Don't click on ads, especially if they say something like, "Danger! You need to upgrade your antivirus!" And malware-laced ads can look like authentic car or movie commercials.

Minimize exposure: Always update your operating system, apps and Web browser (including plugins, like Java). Up-to-date antivirus programs will catch some malware -- but not all.

Go all the way: Use something like AdBlock, which stops all advertisements from appearing. But pages designed to look good with ads suddenly look horrendous. And worst of all, this chokes off the main revenue stream for publishers, like CNNMoney or your favorite blog.

Ad companies are also clamping down on each other. AppNexus has a three-strike policy before it suspends business with an ad agency. Security researchers suggest an ad industry honor system that universally revokes privileges. You spew malware, you're out. But the problem is so widespread that sounds untenable too.

"It would be interesting to see if anyone would be left standing," Dolgin said.

Wednesday, October 22, 2014

2014 October Shred Event!

Don't forget! Technology Services and New World Recycling will be holding our second annual October Shred Event next Monday, October 27th from 1:00-3:00pm. This is the perfect opportunity to celebrate National Cyber Security Awareness Month by shredding all the sensitive documents that have been taking up space in your home! The Kona Ice truck will be joining us as well!

See you there!