AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.


AlertBoot Endpoint Security

  • Hilton To Pay $700,000 Over 2015 Data Breach, Slow Notifications

    The New York attorney general has announced a $700,000 settlement with Hilton Worldwide Holdings over issues related to the two data breaches that occurred in 2014 and 2015. $400,000 will go to New York. The remaining goes to Vermont which collaborated in the investigation.  

    Reported Breaches Late, In November 2015

    Multinational corporations being hacked is old news. It happened to Yahoo, Target, Merck, Equifax, etc. – the list is endless and varied. No industry is exempt, no company is free from the internet renegades who are willing to compromise a network for financial rewards, to make political statements… or just because they're bored and they can.
    When a company is fined hundreds of thousands of dollars in this day and age by the government for a data security breach, it means the victimized companies must have grievously erred somehow. In Hilton's case, they were apparently employing lax security practices and were slow with their data breach notifications.
    The famed hospitality company became aware of a data breach in February 2015 (the actual hack occurred sometime between November and December 2014). Another breach was discovered in July 2015, with the intrusion occurring between April and July of the same year. The notifications were not sent out until late November. If your yardstick starts from the second breach, it's about two months after discovery; if you're measuring from the first data breach, it's nine months.
    Which one to use? Common sense would dictate that it's the first. Especially considering that, while many states' data breach notification laws require a notification no later than 60 calendar days, not all states do. New York, in fact, only states that:
    The disclosure must be made in the most expedient time possible and without unreasonable delay…
    One could argue that 60 days was as expedient as it could get, but nine months?
    In addition, it turned out that Hilton was not compliant with PCI-DSS requirements, a set of security rules meant to minimize the incidence of credit card number theft.  

    Have You Seen HLT's 10-K?

    Seven-hundred thousand dollars is a big chunk of money. However, it's meaningless to a company like Hilton. The holding company had revenues of over $11.6 billion in 2016 with net income of $348 million. That makes $700K a cost of doing business, and a small one at that.
    Look at it this way: In Hilton's case, over 360,000 credit cards were put at risk. That works out to nearly a $2 fine per credit card compromised. Their hotels' profit margins on minibar peanuts are probably higher. I imagine that management is probably more concerned about the cost of towels and robes that go missing each year.
    So, the AG's proclamation that data breaches take top priority can feel a little anticlimactic based on the figures involved. But, it's not his fault. He doesn't make the law; he merely does what he can with the legal tools he's given. People have been calling for greater punitive damages against companies that appear to be less than concerned that their security is compromised (companies which, in turn, have been whining since the early 2000s that they're victims, too). For companies that do this, let's put it this way: it's hard to sympathize with a drunk driver who ran over the neighbor's dog but asks for pity because his car was totaled and his ribs are broken.
    Case in point regarding the legal branch having its hands tied: despite the disaster that is Equifax, the US Congress has voted this week to make it harder for people to sue it.  
     
    Related Articles and Sites:
    https://www.engadget.com/2017/10/31/hilton-data-breaches-700-000-penalty/
    https://ag.ny.gov/press-release/ag-schneiderman-announces-700000-joint-settlement-hilton-after-data-breach-exposed
    http://codes.findlaw.com/ny/general-business-law/gbs-sect-899-aa.html
    https://finance.yahoo.com/quote/HLT/financials?p=HLT
    https://techcrunch.com/2017/10/24/congress-votes-to-disallow-consumers-from-suing-equifax-and-other-companies-with-arbitration-agreements/
     
  • FBI Unable to Access 7000 Encrypted Devices in 2017

    At the International Association of Chiefs of Police conference, held in Philadelphia last week, Federal Bureau of Investigation Director Christopher Wray noted that the FBI has nearly 7,000 encrypted devices it cannot access. Per the phillyvoice.com:
    In the first 11 months of the fiscal year [2017], federal agents were unable to access the content of more than 6,900 mobile devices, Wray said in a speech….
    Considering what Wray's predecessor had to say about the issue in 2016, the problem is growing, fast:
    [Former FBI Director James Comey] said, during the last three months of 2016 the FBI lab received 2,800 electronic devices sent in by local police and federal agents looking for evidence they contain. But analysts were unable to open 1,200 of them, "using any technique."
    Assuming that the influx of inaccessible encrypted devices to the FBI's labs remained relatively constant last year, the implication is that the FBI possessed 4,800 encrypted mobile devices in 2016. In other words, an increase of roughly 50% year-over-year, and that is before annualizing this year's 11-month figure.  

    A Growing Problem

    One can expect the number of inaccessible smartphones to keep growing for a number of reasons.
    First, older devices get replaced with new ones, eventually. That in and of itself doesn't mean anything security-wise, except that encryption was not turned on by default for many older devices. Even if encryption were turned on, a password may not have been required.
    Smartphones and tablets now come with encryption turned on by default and require a form of password; one can assume that nearly 100% of the phones the FBI needs to search in the future will be inaccessible.
    Second, encryption tends to get stronger over time because researchers are constantly trying to find flaws in it. When found, they're patched up. Cracking techniques that may have worked in the past may not be available on newer devices.
    When the FBI filed and then dropped a lawsuit against Apple in 2016, the Bureau revealed that it had obtained a method to gain access to an iPhone 5C (they didn't reveal what it was). Thus, it didn't need to force Apple through the courts. It also noted that this method didn't work on iPhones newer than the 5C, so that's as far as that technique will go. Seeing how OS updates to the iPhone 5C ended this past summer, the FBI's mysterious technique will see limited action in the future.
    This tends to be the general pattern for flaws in security (assuming, of course, that you have bright people working on the problem; sometimes, flaws go undetected for years, possibly decades). Still, the trend in encryption strength points in one direction.
    Third, more people are aware of the power and need for encryption. When the FBI butted heads with Apple (and, indirectly, with the entire tech community) in 2016, many in Congress initially supported the FBI. Calls for encryption backdoors, explicit or otherwise, were in the air. As time went by and these representatives educated themselves on the pros and cons of purposefully hamstringing cryptography, they started backtracking.
    But, it's not just Congress. Ironically, the Apple vs. FBI case caused ripples and worked to educate a lot of people about encryption and its benefits, detriments, and importance. With more people aware of what encryption does and how it works, you can expect encryption to extend to even those devices that don't come with it by default.  

    How to Solve It?

    So, yeah, encryption is problematic for the FBI. And, it will continue to be problematic. Hence, it's not surprising to find that,
    The Justice Department under President Donald Trump has suggested it will be aggressive in seeking access to encrypted information from technology companies. But in a recent speech, Deputy Attorney General Rod Rosenstein stopped short of saying exactly what action it might take. [apnews.com]
    Honestly, short of a backdoor, there isn't a solution here, and a backdoor is not a solution. Still, seeing how strange 2017 has been (and will probably be for the next three years, at least), it wouldn't be surprising if the FBI finally got what they wished for. No matter how ill-advised it might be.
     
    Related Articles and Sites:
    http://www.phillyvoice.com/fbi-couldnt-access-nearly-7k-devices-because-of-en/
    https://gizmodo.com/the-fbi-cant-stop-fearmongering-about-encryption-1819772851
    https://www.nbcnews.com/news/us-news/comey-fbi-couldn-t-access-hundreds-devices-because-encryption-n730646
    https://apnews.com/04791dfbe30a4d3596e8d187b16d837e
     
  • 47.5 GB of PHI Left Exposed on the Cloud. (That's 316,000 PDFs)

    According to gizmodo.com, security researchers at Kromtech Security Center found a wide-open Amazon Web Services (AWS) bucket that contained over 300,000 PDFs, each one a medical file that would fall under the governance of the Health Insurance Portability and Accountability Act (or HIPAA which, arguably, finally jumpstarted the drive towards encrypting sensitive digital files thanks to generous fines levied on hospitals and other legally-covered entities that screwed up their data security).
    There have been (too) many similar cases over the years, although we're beginning to see a transition of sorts: while the past showed incorrectly configured servers at the center of an "accidental" data breach (that is, the blame didn't lie on hackers but on what a company's IT staff decided to do…or not do), today's incidents increasingly tend to involve incorrectly configured cloud services, be it AWS, Microsoft's Azure, Dropbox, or others.
    Technically, they're the same problem – misconfigured settings on boxes connected to the internet – but the former was more complex than what one deals with today: nowadays, you click on a checkbox in a webform, hit the save button, and companies like Amazon take care of the rest.
    (Although, if one were to play Devil's Advocate, it should be pointed out that AWS also supports programmatic, fine-grained read/write permissions via bucket policies and ACLs. Those resemble the server configurations of yore, though they are nowhere near as involved, and they are exactly where the wrong "public" grant ends up.)  
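    To make "the wrong checkbox" concrete, here is an added example that audits the two S3 mechanisms that hand anonymous users read access to a bucket: the bucket ACL (a grant to the AllUsers or AuthenticatedUsers group) and the bucket policy (an Allow statement whose Principal is everyone). It is not code from the original post, from Kromtech, or from AWS. The ACL and policy documents are constructed samples in the shape that the `get-bucket-acl` and `get-bucket-policy` API calls return; the function names, the bucket name and the account ID are hypothetical.

```python
import json

# AWS's canned group URIs that mean "everyone" and "any AWS account" (real values).
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anyone on the internet)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}


def _as_list(value):
    """Policy fields such as Statement and Action may be a scalar or a list."""
    return value if isinstance(value, list) else [value]


def public_acl_grants(acl):
    """Return (group description, permission) for every ACL grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUPS:
            findings.append((PUBLIC_GROUPS[uri], grant.get("Permission")))
    return findings


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (including "*" inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Return (Sid, actions, has_condition) for Allow statements open to everyone.

    Deny statements with Principal "*" (e.g. the common deny-non-TLS rule) are not
    exposures and are skipped. A Condition may narrow access, so it is reported
    rather than assumed safe.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        findings.append((stmt.get("Sid", "<no Sid>"),
                         _as_list(stmt.get("Action", [])),
                         bool(stmt.get("Condition"))))
    return findings


def audit_bucket(acl, policy):
    """Combine both checks into a list of human-readable findings (empty means clean)."""
    out = []
    for who, perm in public_acl_grants(acl):
        out.append(f"ACL grants {perm} to {who}")
    for sid, actions, conditional in public_policy_statements(policy):
        note = " (subject to a Condition; review it)" if conditional else ""
        out.append(f"policy statement {sid} allows {','.join(actions)} to everyone{note}")
    return out


# Constructed sample (hypothetical bucket/account): the "wide-open" state.
OWNER = {"Type": "CanonicalUser", "ID": "0" * 64}
OPEN_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
OPEN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-phi-bucket/*"}]
}""")

# Constructed sample: the corrected state. Only the owner is in the ACL, reads are
# limited to one application role, and the deny-non-TLS rule must not be flagged.
FIXED_ACL = {"Owner": OWNER, "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/records-app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-phi-bucket/*"},
    {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-phi-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}

if __name__ == "__main__":
    for label, acl, pol in (("open", OPEN_ACL, OPEN_POLICY), ("fixed", FIXED_ACL, FIXED_POLICY)):
        findings = audit_bucket(acl, pol)
        print(f"{label}: {'no public access found' if not findings else ''}")
        for f in findings:
            print("  PUBLIC:", f)
```

In practice the two documents would come from `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` (the latter returns the policy as a JSON string, hence the `json.loads`). The check deliberately stays conservative: a public Allow with a Condition is reported for review rather than silently accepted, because conditions such as `aws:SecureTransport` do not restrict who can read.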

    Quick Remediation

    When Kromtech alerted the healthcare company of the error, the situation was corrected the very same day. However, the company appears to have remained incommunicado to the security firm's subsequent follow-ups. Not necessarily the height of gratitude but, hey, it doesn't look like they're ignorantly suing Kromtech "for hacking" them, so that's a plus. The downside: the PDFs contained,
    In addition to names, addresses, and other contact information, many of the records contained dates of birth, diagnoses, as well as the names of physicians overseeing care of the patients…
    No SSNs or credit card details. However, with information like the above, obtaining such data is literally a phone call away. In a world where millions get scammed for computer tech support they don't need, how hard would it be to socially engineer sensitive data by posing as hospital staff that know real details about someone's recent medical history?
    The answer is "not very hard."  

    Prevention

    One easy way to lower the odds of suffering similar data breaches is to use file encryption prior to uploading digital documents to the cloud. This was the case when people set up their own internet-facing databases in the past and still is the case with cloud services. Granted, AWS's security options are more than adequate, at least when it comes to conforming to data security requirements and regulations across the US.
    But that's within the confines of the cloud service (and assuming one doesn't screw it up by unchecking the wrong box). If the internet is used as a cloud-based document repository, then those files will descend from the cloud at some point (which seems pretty likely for PDFs). Will they be downloaded to a laptop or a desktop? Backed up to tape? Copied over to a USB drive? Emailed as an attachment?
    In each case, encrypting a file is basically the only way to secure the data. And if so, if the files are being uploaded and downloaded from the cloud, why not encrypt them before doing anything at all? The risk of something going awry may be small, but the expected ramifications are huge if or when something does go wrong.
     
    Related Articles and Sites:
    https://gizmodo.com/data-breach-exposed-medical-records-including-blood-te-1819322884
     
  • Equifax Data Breach Continues To Bear Poisoned Fruit

    About two weeks ago, when Equifax first revealed their massive data breach, it was noted by many that the company didn't appear to be prepared or equipped to deal with the demands of whatever contingency plans they had prepared for the day they would be hacked. That was on the first day after Equifax had gone public.
    In the two weeks since, those observations have proven to be more than prescient. Because so much has happened, I present you a list. Between then and as of September 19, 2017, the following are true:
    • The price of Equifax's stock has plunged 35% in response to the data breach and all the other news following it.
    • A couple of Equifax honchos "retired" after the breach was made public, including the Chief Security Officer (CSO).
    • It turns out that Equifax's CSO has a bachelor's and master's degree in music.
      • It should be noted, however, that she has worked in security-related positions at other big companies.
      • Plus, plenty of programmers (security or otherwise) are music majors, philosophy majors, art majors… you get the idea. (On the other hand, this is apparently not the case for the ex-CSO, as far as one can tell).
    • More than 30 lawsuits have been filed.
    • The Federal Trade Commission announced an investigation into the data breach.
    • The US DOJ started criminal investigations to see if the three executives who recently sold nearly $2 million in stock violated federal law.
    • Security researchers found that Equifax's Argentinian branch had an employee portal that used "admin" and "admin" for the username and password.
    • Equifax initially blamed a vulnerability in Apache software for the hack. The latter immediately issued a press release pointing out that a security patch had been available since March.
    • Speaking of March, it turns out that there was an initial data breach at Equifax that occurred in that same month.
      • While currently being treated separately, it could possibly be the initial ingress into Equifax, well before the July data breach that was initially proclaimed.
    • Equifax revealed that up to 400,000 in England had been affected by the breach.
      • As well as 10,000 in Canada.
      • And let's not forget the 143 million in the USA.
    • The site Equifax set up to reveal whether a person was affected by the data breach gave inaccurate answers.
      • That site was set up outside of the main Equifax.com site. As certain security researchers noted, it made for easy phishing. One proved it by setting up a fake site, which ended up being passed via Twitter by whoever was managing Equifax's Twitter account.
    • Equifax tried to charge consumers for freezing their credit reports – and then announced that they wouldn't.

    Some of the reactions to the data breach are not unexpected, and yet surprising – like the lawsuits. It was expected, but thirty of them filed in less than a week? Wow.

    Other outcomes, such as charging people for freezing their credit reports, are mind-blowing. It's like no one thought to consult the PR department because… at this point, what's the use?

    The stock market seems to think that the other shoe has fallen. At the beginning of this week, Equifax's stock price stopped its losses and ever so slowly began to rise, although some say that it's nothing but a dead cat bounce, either because the market hasn't effectively priced everything in or because there's more bad news on the horizon.

    Based on the last couple of weeks, it wouldn't be foolhardy to wait and see what other surprises spring up.  

    Related Articles and Sites:
    https://www.databreaches.net/equifax-data-breach-aftermath-lawsuits-and-criticism-mount-stock-prices-plummet/

     
  • Equifax Hack Affects 143 Million SSNs

    Equifax, one of the three largest credit reporting agencies in the US, announced yesterday that they have been hacked. The leaked information includes full names, SSNs, birth dates, and addresses, among other data.
    It's not the biggest hack to date – that dubious honor goes to Yahoo, which claimed 1 billion users and 500 million users (that's right; two data breaches involving over 100 million people each).
    However, the Equifax data breach is more worrisome since it involves truly sensitive information. If Yahoo's data conundrum gave the bad guys a phishing line, Equifax equipped them with an ordnance store full of dynamite.

    Nearly Half the US Population Affected, Took 2 Months to Raise Alert

    Per Equifax's admission, approximately 143 million Americans were affected by this data breach. Taking into consideration that the US population is somewhere around 300 million people, it means that nearly 50% of the entire US has been touched by this latest hack.
    And, when you consider that people are married, live together, etc, it wouldn't be surprising to find that close to 100% of American households are affected.
    Even more shocking: Equifax discovered the hack on July 29 (the intrusion itself began in May). It took them more than a month to go public with the information. And while that's probably within the legal boundaries, Equifax, more than other companies, probably knows that going public with the admission sooner would have been better.
    It is, after all, one of the go-to companies for other businesses when they experience a data breach. One can only assume that Equifax knows all the ins and outs of what to do when data breaches strike; they probably developed marketing and services around it. (Which brings up an interesting question: will Equifax, with a straight face, offer their own credit monitoring and identity protection services to 143 million people, "out of an abundance of caution," as the industry saying goes?)
    There are even reports that credit card numbers (for approximately 200,000 people) were also stolen in the hack. Which is weird because, under PCI-DSS, you're not supposed to be storing such data, at least not without encryption.

    Stock Down 12% After Hours, Insider Trading Accusations

    The news didn't go well. Aside from all the major (and minor) news networks reporting on this latest data incident, people with access to after-hours stock trading managed to push the price down by 12% (and today's pre-market is pushing it further down).
    This probably wasn't helped by reports that three executives sold $1.8 million worth of shares shortly after the data breach was discovered. It could very well have been "innocent" (the sales were not pre-scheduled) but such news incentivizes outsiders to start dumping shares now, ask questions later.
    All in all, these are not the actions of an organization prepared to meet head-on the demands of a data contingency plan.
    Which is surprising.
    Equifax and other similar companies know they are hacking targets for the digital data that they possess. They are the mother lode, so to speak. One would have expected them to plan accordingly, but if you look at tweets and whatnot, it's beginning to look like they were caught with their pants down in every aspect.
    For example, someone managed to reach Equifax's help line, and the person on the other end admitted to being outside contract help with no access to a database for checking whether the caller was affected by the data breach. More than one month after the data breach was discovered.

    The Silver Lining

    Can any good come out of this? When you consider that half of the US is affected, you just know that government officials are going to be swept up in this. Perhaps enough P.O.'ed congresspeople will lead to something (finally).
    But, if the past is the guide to the future, you're best off betting that remarkably little will change.
     
    Related Articles and Sites:
    https://www.bloomberg.com/news/articles/2017-09-07/equifax-says-cyber-intrusion-affected-143-million-customers
    http://digg.com/2017/equifax-hack
    https://arstechnica.com/information-technology/2017/09/why-the-equifax-breach-is-very-possibly-the-worst-leak-of-personal-info-ever/
    https://techcrunch.com/2017/09/08/equifax-breach-disclosure-would-have-failed-europes-tough-new-rules/
     
  • Delaware Updates Data Breach Notification Rules

    Delaware, the second-smallest state but the leader in business incorporations, at least within the USA, has updated its legal framework regarding data breach notifications. Beginning on August 14, 2018, companies that experience a data breach must notify any affected individuals in Delaware within 60 days. In addition, credit monitoring – free of charge, of course – is now a legal requirement, not a "favor" or "show of goodwill" on the part of the companies.

    And there's more, much more.  

    Changes, Long Time Coming

    Delaware is famous for being a pro-business state; there's a reason why over 60% of Fortune 500 businesses are legally incorporated there. Indeed, it's so pro-business that sometimes it seems that Delaware residents take a back seat to their corporate-person brethren. Case in point: the original data breach law Delaware passed in 2005, and all the problems it had.

    Well, in less than one year, real people will see their rights elevated:

    • Reasonable protection of personal information.
      • Includes an update on the definition of "encryption."
      • A change in the language so that, if encryption is compromised in the data breach, encryption as safe harbor doesn't kick in.
    • Updated definition of "personal information."
      • Under the new law, medical information; biometric data; user names and passwords; health insurance policy numbers; passport numbers; financial account routing numbers; and individual taxpayer identification numbers, among others, have been added as personal information.
    • Notification to residents within 60 days of a data breach.
    • Notification to the Attorney General if more than 500 people are affected.
    • Free credit monitoring for one year.
    Obviously, the above doesn't cover everything. The legislature included a handy synopsis in the bill, copied verbatim below. As you read over the list, you'll notice that an effort was made to remove certain things, which is interesting as well.
    This Act revises HB 180 to reflect input from a wide group of stakeholders. This Substitute Act differs from HB 180 as follows:
    • Terminology has been revised to be more accurate and consistent.
    • A definition of "person" is added and includes government, consistent with current law.
    • A definition of “determination of breach of security” is added.
    • Marriage certificates, full birth dates and birth certificates, shared secrets and security tokens, and digital or electronic signatures are removed from the definition of "personal information."
    • An application for health insurance is removed from the definition of personal information because all of the information in an application that is of concern is separately listed in the definition of personal information.
    • Removes the requirement that the Department of Justice develop regulations and a model form of notice.
    • Clarifies how to provide notice if a breach involves login credentials of an email account that is the basis of the breach.
    • Clarifies that notice of a breach can be provided after 60 days from discovery when it is determined at a later time that the breach includes additional residents.
    • Provides examples of federal laws that can be complied with to constitute compliance with this chapter.
    • Removes the private right of action for the failure of a person to provide notice under this chapter. The Common Law cause of action for actual damages as a result of a breach is unaffected by this change.

    Some Controversy

    On providing credit monitoring for free, some have pointed out the potential outsized effect on small and medium sized businesses.

    In this day and age when it's easier than ever to compile extremely large databases, even for the smallest mom-and-pop store, the concerns are more than valid. Indeed, when you think about it, many things work against small businesses, especially when it comes to data security. For example, they ostensibly have less money than a megacorporation, meaning they cannot afford the best digital security on offer. Nor can they afford to upgrade their existing security as often. Nor can they guarantee access to dedicated IT professionals who could potentially lower the risk of a data breach in their day-to-day jobs.

    On the other hand, hackers don't give breaks just because you happen to be an SMB. And, at the end of the day, if 100,000 people (or more!) are affected by a data breach, the damage is the same whether the breached entity is a business operated by two people or twenty-thousand people.

     

    Related Articles and Sites:
    https://www.bna.com/delaware-adds-stringent-n73014463341/
    https://www.lexology.com/library/detail.aspx?g=4a54016c-c241-4327-8127-e35a36bcb6a1
    http://legis.delaware.gov/BillDetail/26009

     