Tag Archive for Security

| February 19, 2015
Comments Off on Anthem Data Breach Allows Phish of US Cyber Forces

Anthem Data Breach Allows Phish of US Cyber Forces

Anthem Data Breach Allows Phish of US Cyber Forces– Updated 10/25/2018 – Anthem, Inc. has agreed to pay a $16 million HIPAA fine to the U.S. Department of Health and Human Service, Office for Civil Rights. The OCR found that the data breach between December 2, 2014, and January 27, 2015, cyber-attackers stole the electronic protected health information of almost 79 million people. The stolen information in the data breach included names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.

The $16 million settlement is the largest HIPAA settlement.

Anthem Breach Allows Phish of US Cyber ForcesMany online believe that the Anthem (ANTM) hack was a strategic cyber-war strike by China. Stu Sjouwerman at CyberheistNews writes that PII thefts would normally be a Russian operation. However, the Anthem data breach appears to be a Chinese attack. CNN reports that Chinese hackers tend to target trade, economic, and national security secrets that could help the Chinese economy. Mr. Sjouwerman says he received an insider tip that most of the three-letter U.S. Government agencies have their employees insured through Anthem’s Blue Cross Blue Shield. Anthem also provided health insurance defense contractors Northrop Grumman and Boeing.

Anthem Bluse Cross logoKnowbe4’s Sjouwerman speculates that the Chinese now own the identities of all the people fighting them. The stolen data can now be used in a multitude of social engineering scenarios. Dmitri Alperovitch, co-founder of security firm CrowdStrike told CNN that the attack fit the profile of a hacking group believed to be Chinese government spies called “Deep Panda.”

The objective of the “Deep Panda” data breach according to the CrowdStrike CTO is to amass a large collection of Americans’ personal information to find citizens willing to spy for the Chinese and find potential U.S. spies operating in China. Mr. Alperovitch told CNN that’s why Chinese hackers broke into U.S. federal employee network last year. They also broke at least three hospital chains and two insurance providers the public hasn’t yet heard about.

PhishingKnowbe4 speculates that many people in the Government have steam coming out of their ears about the Anthem hack. Cyberwar has suddenly become very personal to them. This may be why President Obama recently signed an executive order that will nudge private companies to share data about cybersecurity threats between each other and with the federal government.

Apart from the cost of the Anthem data breach are likely to smash $100 million barrier, it’s surprising that Anthem did not encrypt SSN’s which allowed wholesale identity theft of thousands of American cyber-warriors.

Deep Panda is amassimg a large collection of Americans' personal informationCEO Sjouwerman explains that hackers are going after healthcare records because they are much more valuable. He points out that healthcare records stay active for several months after a hack, as opposed to credit card numbers which quickly get nixed after a few days. Since Anthem is a healthcare company, you would expect them to take HIPAA compliance to the max and even top the required controls with higher standards. As we all know, compliance does not equal security, but it establishes a baseline at the very least.

rb-

There is enough blame to go around.

Time to go back to a cash society and barter.

Say, Doc Johnson, I’ll trade you two chickens for measles vaccination.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , ,
| February 17, 2015
Comments Off on Scary PII Numbers

Scary PII Numbers

Scary PII NumbersAs you may have heard by now, the second-largest health insurer Anthem gave away at least 80 million of their customers’ PII records to hackers. I say at least because these always grow as the experts dig through the wreckage. The WSJ reports the Indianapolis-based insured did not encrypt this data (I covered encryption here and here). That means customers’ social security numbers, phone numbers, and other PII were easy targets for Chinese hackers according to CNBC.

did not encrypt data

Anthem is just the latest. There are even larger targets out there. The Business Insider published some pretty scary numbers. BI reports that somehow the biggest tech companies have done a great job at convincing people that their services for sending/receiving payments and purchasing goods are trustworthy and worthwhile. The article estimates that Apple has somewhere around a billion iTunes accounts (with plenty of PII and credit cards) on file.

This chart from BI IntelligenceApple (AAPL) is nearing a billion iTunes accounts on file, and that number is likely to surge immensely. Customers in China can now link their UnionPay payment cards to their Apple IDs: For context, UnionPay is the largest card network in the world with more cards in circulation than Visa and MasterCard combined.

Amazon (AMZN) has approx. 300 million payment cards on file while PayPal has around 200 million payment cards on record.

Apple, Amazon, PayPal Payment Cards on File - Business Insider

A second BI article indicates that based on leaked Uber data charted analyzed by BI Intelligence, the ride-sharing firm has well over 12 million payment cards on file. Their closest competitor Hailo has 4.4 million payment cards on file.

Ride-Sharing Payment Cards on File - Business Insider

rb-

You have been warned. The next mega data breach could come from a tech firm like Apple or Amazon.

Data theftThe WSJ article argues that companies can use many techniques to secure their data, but those things slow companies down, sometimes to a degree they find unacceptable.

I think most victims of identity theft or credit fraud find that unacceptable.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , ,
| February 12, 2015
Comments Off on 25% of Employees Access Past Employers Work Docs

25% of Employees Access Past Employers Work Docs

25% of Employees Access Past Employers Work Doc'sMore than 25% of file-sharing service users report still having access to work documents from their previous employer, according to a “Rogue Cloud in Business” survey of 2,000 U.S. adults by Harris Interactive for Egnyte, an enterprise file-sharing platform provider.

uncontrolled file-sharingAccording to FierceITSecurity, the survey highlights the security risks uncontrolled file-sharing practices pose to the work place from these practices are obvious. An Egnyte presser claims The survey results illustrate a major exposure for today’s businesses when it comes to the transfer and storage of data through unapproved and insecure cloud-only file-sharing services.

The new survey uncovers deep issues around the rogue usage of consumer-based cloud services and illustrates the need for IT to deploy a secure enterprise-grade solution that meets the file-sharing needs of employees while protecting sensitive business data from the risks associated with insecure file sharing through the cloud

The survey found that:

  • easy to take sensitive business documents51% agree that collaborating on file-sharing services (such as Dropbox and YouSendIt) is secure for work documents;
  • 46% agree that it would be easy to take sensitive business documents to another employer;
  • 41% agree that they could easily transfer business-sensitive data outside the company using a file-sharing service;
  • 38% have used file-sharing services have transferred sensitive files on an unapproved file-sharing service to someone else at least once; 10% have done it 6 or more times;
  • 31% agree that they would share large documents that are too big for email through a file-sharing service without checking with their IT departments;
  • 27% of file-share service users report still having access to documents from that previous employer.

mobile users are willing to bypass IT policiesAnother report from Workshare paints a grimmer picture for those of us tasked with protecting a firm’s intellectual property. The report titled “Workforce Mobilization” shows the true extent to which mobile users are willing to bypass IT policies and use unsanctioned applications to share large files and collaborate on documents outside of the office.

  • 72% of workers are using free file-sharing services without authorization from their IT departments.
  • 62% of knowledge workers use their personal devices for work.
  • 69% of these workers also use free file sharing services to collaborate and access shared documents.
  • At companies with fewer than 500 employees only 24% of employees using authorized file sharing solutions.

Robert Hamilton, director of information risk management at Symantec (SYMC) in Mountain View, CA also told FierceCIO a continued threat to the company’s data comes from employees who feel like they live in a “finder’s keepers” environment.

Not encouraging

The results of the survey report, entitled “What’s Yours Is Mine,” were not encouraging to IT security professionals and IT management. According to the Symantec survey of employees:

  • "finder's keepers" environment68% of their company doesn’t take proper steps to protect sensitive work information;
  • 56% do not believe it is a crime to use a competitor’s trade secrets;
  • 40% download work files to personal devices;
  • 40% plan to use old company information in a new job role.

Symantec’s Hamilton told FierceCIO:

Employees are taking increasing amounts of data outside the company, and most people do not believe using corporate data for themselves is wrong … The attitude is that ownership lies with the person that created it, not with the company that employs them.

rb-

All three of these firms sell products they claim that can stop a firm’s intellectual property from leaking out through public file-sharing services. But before you engage any firm, some basic steps should be taken.

  1. Develop a technology acceptable use policy.
  2. Include public file-sharing services in the AUP.
  3. Incorporate the AUP in the staff handbook, and make sure staff sign it before they are given network access.
  4. Train staff on the risks associated with using public file sharing services for sharing corporate documents. Risks include HIPAA violations, PII release, Malware, PCI-DSS violations, and Government “Snooping.” Only then –
  5. Engage a service provider to implement an enterprise-approved alternative to the free file-sharing services.
What's Your is Mine

Symantec Infographic

Related articles

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , , ,
| February 5, 2015
Comments Off on Spies Say Encryption Best to Protect Data

Spies Say Encryption Best to Protect Data

Updated August 01, 2019 – Trump’s top cop U.S. Attorney General William Barr rehashed the time-worn government demands for private firms to break encryption. AG Barr closed his July 23, 2019 speech at the International Conference on Cyber Security, by saying that U.S. citizens should accept encryption backdoors because backdoors are essential to our security.

Spies Say Encryption Best to Protect DataDespite what current US policy appears to be, a newly leaked document courtesy of Edward Snowden revealed that some U.S. officials are encouraging the use of encryption to protect data. GigaOm points out a 2009 document penned by the U.S. National Intelligence Council, which explained that companies and the government are prone to attacks by nation-states and criminal syndicates “due to the slower than expected adoption…of encryption and other technologies.” The report detailed a five-year prognosis on the “global cyber threat to the US information infrastructure” and stated that encryption technology is the “[b]est defense to protect data.”

750 major data breaches exposing more than 81 million private records.Seems that these spooks were right. FierceITSecurity reports there were 750 major data breaches in the U.S. last year, exposing more than 81 million private records. FierceITSecurity cites data from SysCloud, a provider of security and data backup for enterprises which provided the following infographic about data breaches.

 

SysCloud infographic

U.S.’s second-biggest health insurer Anthem Inc., lost personal information for about 80 million of its customers2015 will be worse. The WSJ reports a single data breach at the U.S.’s second-biggest health insurer Anthem Inc., lost personal information for about 80 million of its customers when attackers broke into a database. According to the WSJ, the breach exposed names, birthdays, addresses, and Social Security numbers. Anthem said in a statement that the affected (plan/brands) include Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink, and DeCare. Anthem did not encrypt the stolen PII according to reports.

GigaOm explains that encryption makes it possible for documents and messages to be unreadable to people who don’t have the proper cryptographic key.

encryption

A cryptographic key is the core part of cryptographic operations which scramble information. Cryptographic systems include pairs of operations, such as encryption and decryption. A key is a part of the variable data that is provided as input to a cryptographic algorithm to execute this sort of operation. The security of the scheme is dependent on the security of the keys used.

The spooks also encouraged multi-factor authentication, which adds another step to the security process beyond simply entering a password.

vocal opponent of encryption technologyDespite the totally porous nature of online security, GigaOm points out that the Obama administration is a vocal opponent of encryption technology. According to Bruce Schneier the gooberments opposition to encryption on phones is all bluster and sound bites.

Encryption is no doubt a hot topic in the security space. GigaOm says there’s been a wave of security start-ups focusing on encryption scoring millions of dollars in investment in recent months. Security start-ups VeradocsCipherCloud, and Ionic Security have recently landed over $100 million in investments.

Despite political pushback, it’s clear that companies won’t slow down on implementing encryption any time soon, so long as large-scale data breaches continue to occur on a seemingly weekly basis.

rb-

Is it time to go back to a cash economy?

 

Related articles
  • Crypto-Wars Escalate: Congress Plans Bill To Force Companies To Comply With Decryption Orders (thenewsdoctors.com)

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , ,
| January 13, 2015
Comments Off on 2014’s Major Web Vulnerabilities

2014’s Major Web Vulnerabilities

2014's Major Web Vulnerabilities2014 was the year of cyber-security mega-vulnerabilities. What makes mega vulnerabilities unique are they strike at the core of the Internet infrastructure and can impact nearly every connected device and every Internet user on the globe. 2014 saw the emergence of three mega-vulnerabilities Hearbleed, Shellshock, and POODLE.

Heartbleed, Shellshock, and POODLE were the top three major web vulnerabilities uncovered in 2014 according to Fred Donovan at FierceITSecurity. In case you have not heard of this trio of troublemakers, Web security firm Incapsula produced the following infographic.

The Incapsula infographic looks at each of these vulnerabilities and layout when they were discovered, what type of vulnerability they are, what systems and the number that are affected, the risks posed by the vulnerabilities, their severity, how easy they are to exploit, and the difficulty of fixing. Tim Matthews, vice president of marketing for Incapsula wrote in their blog:

What makes these mega vulnerabilities special is that unlike most vulnerabilities that are specific to a particular OS, browser or software application, these three relate to the core Internet infrastructure (e.g., SSL and Linux devices) and, in essence, affect just about every connected device owner and every Internet user on the globe.

Incapsula 2014 Mega Vulnetabilities

rb-

In their blog, Incapsula warns this is the tip of the iceberg of mega-vuln‘s that exploit other structural core functions of the Intertubes. Wired reports that after 8 months, 300,000 machines remain unpatched against Heartbleed.

Related articles
  • Web Freedom Is Seen as a Growing Global Issue (cacm.acm.org)

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , ,
« Older Entries   Recent Entries »