
40 year impact from OPM breach

Source: FedScoop

Interesting article stating that the impact of the OPM breach could last for the next 40 years.

I’m just going to say that, after some conversations I’ve had with some people over this past weekend, I think the breach could last a whole lot longer than 40 years. In fact, I would go so far as to say that the damage caused by the breach will never be repaired. Think of the long-lasting impact this will have on family members of those affected by the breach. If someone was able to pull up all the information on, say, your Grandpa, and was able to give you any and all information you could ever want to know about him, wouldn’t that affect your trust in that person, and wouldn’t you be slightly more likely to release other information to them, as you see they already have a bunch of information? For an intelligence-gathering operation, the amount of information contained in the SF-86 form is crazy; there is so much information in the SF-86 that it literally took me 3 days to fill out that form.

From the Article at FedScoop:

The theft of background investigation data on millions of federal employees and contractors has created a massive threat to U.S. national security that will last for decades and cost billions of dollars to monitor, current and former intelligence officials said.

The Office of Personnel Management announced last week that personal data on 21.5 million individuals was compromised by the hack of the agency’s background investigation database. That includes 19.7 million individuals that applied for a security clearance, and 1.8 million non-applicants, predominantly spouses or co-habitants of applicants.

But while the focus continues to be on OPM’s efforts to fix vulnerabilities in the system used to manage background investigation data, known as Electronic Questionnaires for Investigations Processing (e-QIP), as well as the 30 day cybersecurity sprint ordered by the Office of Management and Budget, intelligence experts say there is little the agency can do to reverse the damage that has already been done.

Scary new healthcare breach statistics

Source: DarkReading

Some scary new healthcare breach statistics are out today. It has now been determined that breaches are responsible for more damage than employee error.

So, while I understand that many might laugh at this statistic, in all actuality it is a very scary one. All things being said, people make mistakes; in fact, they make a lot of mistakes. Now there are so many breaches, so many attacks against the healthcare system, that they are more costly than the number of daily mistakes potentially made by employees.

Now, of all times, the healthcare industry should be bulking up on all security measures, inside and out.

From the article:

Cybercriminals and nation-state actors are indeed targeting healthcare organizations for their valuable data:  cyberattacks and physical criminal activity now have officially surpassed insider negligence as the main cause of a data breach in healthcare organizations.

The Ponemon Institute’s new Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, published today, found that close to 45% of all data breaches in healthcare are due to criminal activity such as cybercriminal and nation-state hacks, malicious insiders, and physical theft, a 125% increase in such activity over the past five years. That’s a first, since employee or insider negligence — user errors, lost laptops and thumb drives, etc. — accounted for the majority of breaches last year and in years past, according to Ponemon.

More than 90% of healthcare organizations surveyed by Ponemon in its report have suffered at least one data breach exposing patient data over the past two years, while 39% had been hit by two to five breaches, and 40% had suffered more than five breaches during that timeframe. Security incidents (without an actual data breach) occurred at 78% of healthcare organizations.

About 45% of those breaches came via criminal attacks; 43% by lost or stolen computing devices; 40% via employee mistakes; and 12% via a malicious insider.

The cost of all of this healthcare breach-mania? Some $6 billion per year, with an average cost of $2.1 million per healthcare organization, according to the report, which was commissioned by ID Experts.

“For the first time, criminal attacks constitute the number one root cause [of data breaches], versus user negligence/incompetence or system glitches,” says Larry Ponemon, chairman and founder of Ponemon Institute. “Ninety-one percent had one or more breach in the last two years, and some of these are tiny, less than 100 records, but they are still not trivial.”

Healthcare organizations also are regularly battling security incidents, such as malware infections. Some 65% say they were hit with cyberattacks in the past two years, and half suffered incidents involving paper-based security incidents. They’re not confident in their incident response capabilities, either, with more than half saying their IR isn’t adequately funded or manned. And one-third don’t have an IR plan at all.

Lost and stolen devices were a problem at 96% of healthcare organizations in the study, as was spear phishing (88%).

Healthcare Industry Struck Again – St. Mary’s Hacked

Source: Healthcare IT News

I don’t usually do this, but I’ll start off this post with a quote from Healthcare IT News:

Think healthcare is not a target for cyberattacks? Think again. Following a pattern of increasing attack frequency, one Indiana-based hospital is the newest target, after hackers swiped the personal data of thousands.

 

So, if you look past the sensationalism associated with this article, you know, the “Think healthcare is not a target for cyberattacks” portion, it really makes you wonder about the state of security in the healthcare industry. Why is the healthcare industry being struck again and again?

Having come from that field of work, I know the answer; in fact, I can 99% guarantee you that I know the cause of the recent hacking of St. Mary’s Medical Center. Not because I have insider knowledge into the incident that occurred, but because I know the industry, I know where the weaknesses are, and I know that nobody is doing anything to combat these problems.

I’m not a betting man, but I would be willing to take a wager that I know exactly what happened with this incident. Here we go:

Hackers/Crackers/Attackers probably got St. Mary’s Medical Center on their radar from another hacked hospital/healthcare organization. Probably by scouring email from the attacked organization. I would wager that St. Mary’s did nothing to provoke the attack.

Once attackers got St. Mary’s Medical Center’s domain name, and maybe a doctor or staff member’s name and email address, a little bit of simple recon occurred, scouring for more doctors’ and more administrators’ names and email addresses. Also, a little bit of scouting probably occurred on the website, with bad guys looking for VPN services, remote email, or something similar that they could log into with the proper credentials.

Once a decent list of names and emails was collected, that is when the phishing attempts began. Maybe a phishing email about how to reset your password, or a phishing email offering a raise, where you need to enter your email information. They don’t need many submissions; they only need a couple, and with that, they can leverage more and more information.

Once they have working credentials for a user or two, the attacker is then able to leverage an attack into the infrastructure by sending out emails as a “trusted source”, requesting that users visit a page to dish up their credentials, which leads to an avalanche effect, where they are able to gain more and more credentials.

The next revelation will be a little bit shocking to most, but the Personal Health Information (PHI) data that was stolen was most likely a “secondary” target of the breach. From my experience, I have seen that attackers are motivated by more substantial, quicker, and easier ways of getting money, rather than selling PHI data. I believe the primary goal of the attackers was to see if they could access the doctors’ HR files and modify the doctors’ direct deposit information to point to a known bank account, where the attackers could take the money and run. PHI will provide some potential money for the attackers; however, the primary source could come from the doctors’ paychecks.

So, there you have it. There is my guess on what occurred at St. Mary’s. We may see, in the upcoming months what really happened, but that is my bet on what happened.

The only other option is that St. Mary’s could hire some big name company to help them assess the damage, and they could flip it around to say it was a nation-state actor who was trying to get their hands on super-secret formularies for a new breakthrough cure-all drug that St. Mary’s, a 585-bed hospital, is producing; but in the end, we all know that would be a lie.
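
If payroll diversion is the goal, as guessed above, one defensive check is to correlate direct-deposit changes with logins from a source address never before seen for that account. This is an added example, not part of the original post; the event tuples, field names, user names and the 24-hour window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data, not taken from any real system.
# Auth events: (timestamp, user, source_ip)
AUTH_EVENTS = [
    ("2015-06-01T08:02:00", "dr.adams", "10.20.1.15"),
    ("2015-06-02T08:05:00", "dr.adams", "10.20.1.15"),
    ("2015-06-03T02:41:00", "dr.adams", "203.0.113.77"),  # never seen before
    ("2015-06-01T09:00:00", "dr.baker", "10.20.4.9"),
    ("2015-06-03T09:10:00", "dr.baker", "10.20.4.9"),
]
# HR self-service audit events: (timestamp, user, action)
HR_EVENTS = [
    ("2015-06-03T02:55:00", "dr.adams", "direct_deposit_change"),
    ("2015-06-03T09:30:00", "dr.baker", "direct_deposit_change"),
    ("2015-06-03T09:35:00", "dr.baker", "address_change"),
]

WINDOW = timedelta(hours=24)  # assumed correlation window


def first_seen_logins(auth_events):
    """Map user -> [(time, ip)] for logins from an IP new to that user.

    A user's very first recorded login only builds the baseline and is
    not flagged, so accounts with no history need separate handling.
    """
    seen = {}
    novel = {}
    for ts, user, ip in sorted(auth_events):
        known = seen.setdefault(user, set())
        if known and ip not in known:
            novel.setdefault(user, []).append((datetime.fromisoformat(ts), ip))
        known.add(ip)
    return novel


def suspicious_deposit_changes(auth_events, hr_events, window=WINDOW):
    """Flag direct-deposit changes made within `window` after a login
    from a source address not previously seen for the same user."""
    novel = first_seen_logins(auth_events)
    alerts = []
    for ts, user, action in sorted(hr_events):
        if action != "direct_deposit_change":
            continue
        changed = datetime.fromisoformat(ts)
        for login_time, ip in novel.get(user, []):
            if timedelta(0) <= changed - login_time <= window:
                alerts.append({"user": user, "changed_at": ts, "new_ip": ip})
                break
    return alerts


if __name__ == "__main__":
    for alert in suspicious_deposit_changes(AUTH_EVENTS, HR_EVENTS):
        print("REVIEW:", alert)
```

An alert here is a prompt to confirm the change with the employee out of band before the next payroll run, not proof of compromise.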

Anthem (Blue Cross Blue Shield) hacked

Like so many other people, I woke up yesterday morning to find myself reading another breach notification (see: here), only to find news about the Anthem hack.

This time, it was a letter from Anthem, notifying me that my health information may have been compromised. Also, in reading the letter, I saw that Mandiant and the FBI had been retained for the purpose of investigating the breach.

I usually come to the same conclusion every time I hear certain things together. When I hear about a breach affecting a HIPAA agency, I usually start thinking about a phishing/spear-phishing campaign that occurred, which usually results in someone giving up the details of their account/VPN, followed by the immediate breach and scouring of their website for information and data.

The other thing I always think of when Mandiant comes rushing to the scene is the immediate blame placed on a state-run actor. Of course, China, whose population is 1.35B, is going to find the SSN of impacted customers useful; oh wait, what value is there in the SSN of people of a foreign land? Or better yet, with the joke I make about the hack of CHS. Again, the problem I see is, what is the value of a SSN to a foreign country? Some claims went on to say they were after formularies associated with drugs and medicine, which several news agencies ran with. But consider this: hospitals don’t have the same sort of pharmaceutical horsepower that huge drug manufacturers have; I would go so far as to say that they aren’t even comparable.

So once again, I will ask, what value does a SSN have to a nation-state?

UPDATE: First posts about this being a state-sponsored attack are now emerging.

Report: NSA Hacked North Korea Before Sony Breach

Source: PCMag

More details are being released regarding North Korea and the breach that occurred at Sony.

What is now being reported is that the NSA has had access to North Korea’s computers (read: hacked) since 2010. Some are now reporting that the hack at Sony was in retaliation for the hacking that the NSA had done against North Korea.

I’m still very hesitant to call the Sony breach a hack perpetrated by North Korea, even with the additional evidence/details about the NSA being inside North Korea’s computers.

From the article:

As it turns out, the U.S. had some inside information. According to reports from Der Spiegel and The New York Times, the U.S. knew that North Korea hacked Sony because the U.S. had hacked North Korea.

The National Security Agency (NSA), in fact, has had access to North Korean networks and computers since 2010, the Times said. Officials wanted to keep tabs on the country’s nuclear program, its high-ranking officials, and any plans to attack South Korea, according to a document published by Der Spiegel.

North Korea did attack South Korea in 2013, crippling several of the nation’s leading financial and media organizations. At one point, however, the hackers revealed their IP addresses – the same IP addresses that popped up again in the Sony hack.

 

Chick-Fil-A Investigating Possible Data Breach

Source: Dark Reading and Krebs On Security

Another day, another company, and another breach.

The latest news is the supposed breach from Chick-Fil-A. I happen to know that the wife and I are frequent customers of Chick-Fil-A, partly for their pretty good food, but for their kids’ play area as well. We go to Chick-Fil-A probably several times a week (this is important, I promise).

We are heading into week two (at least) after a supposed breach, which compromised customer credit cards. We are now looking at another breach where customers’ cards were compromised, and the company will pay a minimal amount for each of the customers affected (if they can even reasonably determine the customers affected). Chick-Fil-A will be yet another company that gets off extremely light in this; their company won’t be impacted negatively (at least beyond a couple of weeks, a quarter at the absolute most). Banks and consumers will be the ones left footing the bill for the cost of this breach. The big question I’m going to ask you (and myself): will this affect my family’s patronage of Chick-Fil-A? From my wife’s perspective, I can definitely tell you that it will have absolutely no consequences on her spending habits at Chick-Fil-A.

So, you may be asking yourself, what is your point. . .

My point is that Chick-Fil-A/Target/Home Depot and countless other companies are going to get their slap on the hand, pay their minimal fines, and continue day-to-day business without any sort of consequences after losing all our credit card/payment information.

Until regulating bodies, and probably a combination of them, like PCI, banks, OCR (for HIPAA violations), FTC, and other organizations start holding companies responsible for the breaches that occur, they will keep occurring, and the consumer will be the one getting hit.

From the article:

Fast food restaurant chain Chick-Fil-A says it’s working with law enforcement, the payment industry, and security firms to determine whether reports of suspicious activity with payment cards used at some of its restaurants were due to a data breach.

“Chick-Fil-A recently received reports of potential unusual activity involving payment cards used at a few of our restaurants,” the company said in a statement. “We want to assure our customers we are working hard to investigate these events and will share additional facts as we are able to do so.”

If It Can Happen to Sony, It Can Happen to You

Source:  Re/Code

Following up on the recent breach at Sony, this article states that 2014 was labelled “The Year of the Breach”. The other thing that this article points out is that you don’t have to be a mega-corporation to get breached; you can be a small business, you can be a small start-up, it doesn’t matter. You can be targeted whether or not your company contains information that is valued by the attacker.

Security experts are now saying there are only two types of companies left in the U.S.: Those that have been hacked, and those that don’t yet know they’ve been hacked. And although cybersecurity is being forced to the forefront of national consciousness, we still are not seeing the urgency needed to make a difference.

There is no more time to wait on the issue of cybersecurity. Government agencies and corporations alike must become both educated and absolutely determined to stop cybercrime now. Neither can afford mediocre approaches to security and customers (whether citizens, in the case of government; or paying clients, in the case of corporations) must demand better. Organizations must have the right plans and the right technologies in place to deal with the threats we’ve seen do so much damage in 2014, and the threats we know are on the way in 2015.

It is important to keep your guard up, maintain safe systems, and keep your organization secure. Remember that 556 Forensics can assist you in keeping you and your organization safe.

JPMorgan Chase Details Breadth of Earlier Cyber Attack

Source: Re/Code and CNBC

JPMorgan Chase said it was fully cooperating with U.S. law officials to determine the scope of a previously disclosed security breach that compromised internal information and its clients’ contact info.

On Thursday, the company disclosed that the breach impacted about 76 million households and 7 million small businesses, but it did not find evidence of unusual fraud activity related to the incident.

“[T]here is no evidence that account information for such affected customers—account numbers, passwords, user IDs, dates of birth or Social Security numbers—was compromised during this attack,” the bank said in an SEC filing. “User contact information—name, address, phone number and email address—and internal JPMorgan Chase information relating to such users have been compromised.”

The company moved to reassure customers that they would not be responsible for any fraudulent charges and said it was continuing to investigate the matter.

Earlier Thursday, JPMorgan Chase told CNBC it was not aware of a new cyberattack on its computer network, striking down a New York Times report that said it was battling its second security breach in the last three months. The Times later corrected its coverage.

The banking giant plans to spend $250 million annually to protect itself from cyberattacks and data protection. JPMorgan CEO Jamie Dimon said in his annual report that he plans to appoint 1,000 people to focus on the effort.

“In our existing environment and at our company, cybersecurity attacks are becoming increasingly complex and more dangerous,” Dimon said. “The threats are coming in not just from computer hackers … but also from highly coordinated external attacks both directly and via third-party systems.”

CORRECTION: JPMorgan Chase’s cyberattack reportedly started in June and was discovered in July. A headline on an earlier version of this article incorrectly stated the month of the attack.

What to Do If You’ve Been Hacked (And How to Prevent It)

Source: Re/Code

The recent celebrity hacking incident and Home Depot data breach may have you worried about your online security, and rightly so. As we bring more aspects of our lives online — social, shopping, banking, storage — the risks of cyber crime increase. But there are ways you can better protect yourself.

In this guide, I’ll outline some steps you can take to safeguard your various Web accounts and devices. The recommendations come from several Internet security experts I spoke with, including Laura Iwan, senior vice president of programs at the Center for Internet Security; Sean Sullivan, security adviser at F-Secure (an antivirus and online security solution provider); and Timo Hiroven, senior researcher at F-Secure. There are also tips on how to detect if you’ve been hacked and what to do about it.

De-fense! De-fense!

There are numerous precautions that you can take in order to protect yourself from hackers. One of the easiest and most simple ways is to create strong, unique passwords for every one of your accounts. Yet most people don’t.

While it’s tempting to use something like your child’s name and birthday because it’s easier to remember, creating a password with a random mix of uppercase and lowercase letters, numbers and characters will be harder to crack.

There are password apps like LastPass and 1Password that can help you with this by generating strong passcodes for each of your accounts. Plus, they’ll keep track of them all. When choosing such a program, Iwan recommends that you look for one that uses an industry-accepted standard for encryption like Advanced Encryption Standard, or AES, and one that stores your passwords locally on your computer, rather than in the cloud.

Another safety measure you should take is to enable two-factor authentication when available. Two-factor authentication requires a user to provide an extra form of identification beyond just your login ID and password. This may be a special PIN code that’s sent to your phone, a physical token like a key fob, or your fingerprint.

Two-factor authentication isn’t impervious to attacks, but it does add an extra layer of protection. Many popular Web services, including Gmail, Microsoft, Apple, Twitter, Facebook and Dropbox offer two-factor authentication, so take the extra few minutes to turn it on.

Be suspicious of emails asking for personal information. A lot of hackers use a method called “phishing” that aims to gather sensitive data from you by sending an email that looks like it’s from a legitimate entity like your bank or credit card company. Some signs of a scam might be requests for immediate action, spelling and grammar mistakes, and suspicious links. Do not respond to these. Instead, call up the institution that supposedly sent the email and confirm if it’s legit or alert them to the issue.

Also, it should go without saying, but in general, don’t click on suspicious links or browse unsafe websites. Only install applications that come from trusted, well-known sources. And be sure that the operating system and apps on your computers and mobile devices are updated with the latest versions and patches.

Here are some more specific tips for different Internet activities:

Email and social accounts

  • Think twice about what you post to your social networks, and monitor what others are posting about you. There’s a chance that hackers might use your social profile pages to gather personal information about you, and try to guess your password or answers to your secret question.
  • Related to that, check your account’s privacy settings to make sure you’re only sharing information with your friends, and not with the public.
  • Sullivan also recommends creating separate email addresses for your personal communication and everything else. For example, you might use a throwaway email address for news websites that make you register with a user name and password, or for retailers who want to send you coupons.

Cloud accounts

  • If you back up your files to the cloud, remember that even though you delete them on your computer or mobile device, they’re still stored in your cloud account. To completely delete the file, you’ll also need to remove it from your backup cloud account.

Online transactions

  • Don’t use public computers or public Wi-Fi networks to make any transactions. The machines might contain malicious software that can collect your credit card information, and criminals could also be monitoring public Wi-Fi networks for similar information.

Web browsing

  • Don’t respond to pop-up windows.
  • Secure your home Wi-Fi network using WPA-2 with AES encryption settings. There’s a good tutorial on how to do that here.
  • Set your Web browser to auto-update to ensure that you’re running the most current version.

Know the signs

How do you know if you’ve been hacked? There may be some obvious signs. For example, you may start getting emails from your friends saying they received a strange message from your email address. Or your bank or credit card company might call you about some suspicious activity on your account. If you installed a mobile app with malware on your smartphone, you might find some unauthorized charges on your phone bill.

There are other, more subtle indicators. You may find new toolbars installed on your Web browser, or new software on your computer. Your computer may also start behaving strangely or slow to a crawl.

These are all signs that you might have been hacked.

I’ve been hacked. Now what?

If you have been hacked, the first thing you should do is reset your passwords. Iwan recommends starting with your email account, followed by your financial and other critical accounts. This is because password resets for all your other accounts are typically sent to your email.

If you’re locked out of your account or blocked from accessing it, many Web services have steps in place so you can get back in. For example, Facebook has a system where you can use a trusted source like a friend to take back your account. Search each service’s help section for specific instructions.

Speaking of friends, you should let your contacts know that you’ve been hacked, and report the issue to the site. Also, run a scan of your computer or mobile device using a trusted and up-to-date antivirus program.

In the case of identity theft, order a copy of your credit reports, and file an initial fraud alert with the three major credit bureaus: Equifax, Experian and TransUnion. Contact your local police and report the identity theft, and request new cards from your bank and credit card companies. You should also continue to monitor your monthly statements for any more unusual activity.

Unfortunately, there’s no way to completely eliminate the risk of hack attacks and other cyber crimes. But by taking some safeguards and arming yourself with the knowledge of what actions to take in the event of an attack, you can help better protect yourself and minimize damage.

Say It’s Not So Home Depot!

NEW YORK (CNNMoney)

Home Depot is investigating a hack that possibly exposed its customer payment information.

The company on Tuesday confirmed it has partnered with banks and law enforcement to look into “some unusual activity” relating to customers.

Independent cybersecurity journalist Brian Krebs was the first to report this, saying “a massive new batch of stolen credit and debit cards” went for sale Tuesday in the black market online.

Krebs said hackers were possibly in Home Depot’s computer systems from May until now. If that’s true, this might be even larger than the three-week long Target breach that affected 40 million debit and credit cards late last year, he noted.

In a statement, Home Depot spokeswoman Paula Drake said: “Protecting our customers’ information is something we take extremely seriously, and we are aggressively gathering facts at this point while working to protect customers.”

The company promised to alert customers as soon as it can ascertain a data breach has occurred.

This could turn out to be another giant hack like the ones that hit several brand name U.S. stores. Since late 2013, the list has gotten extensive: Albertson’s, Target, Michaels, Neiman Marcus, P.F. Chang’s and SuperValu.

So many companies have been hit, CNNMoney developed its own tool: What hackers know about you. Check it out.

For perspective, consider that Target (TGT) is still reeling from its brush with hackers. The company’s latest figures estimate the damage so far at $148 million — and that number continues to rise. The value of its stock has fallen nearly 5% this year, and the company’s CEO resigned.

Meanwhile, Target customers haven’t felt any direct impact — that they can attribute to the hack, anyway. But that’s partly because banks won’t let customers know what big hack forced them to temporarily freeze accounts, nix fraudulent expenses and reissue debit and credit cards.

CNN’s Devon Sayers contributed to this report.