Recently in Data Breaches Category

This entire response has been comically bad to watch unfold. The type of data and scope of breach were bad enough but add in the bumbling response that reinforced a message of "these guys don't get it" across the industry and press...and it quickly became epic. But I'm inside the industry and have an understanding of how bad it is. What about those friends and family we have outside of industry, who might only find out about this through some apocalyptic local news story? 

I spend a lot of professional time communicating risks to a non-technical audiences (C-suite, boards, etc). I felt it important to do the same for friends and family with this breach. Below is an email I have tapped out and sent to a number of people proactively and after fielding some phone calls. Feel free to copy and use yourself.

---
Hi All,

I assume you've seen the news regarding the Equifax breach, but I wanted to emphasize that this is a big deal in terms of the amount and type of information lost. It is very likely that your personal information has been compromised including: name, date of birth, social security number, drivers license number, and potentially more. This is all the critical information people need for identity theft and fraud. Below are some of my recommendations for preventative and detective controls you can put in place to help protect yourself or get alerted quickly when (not if) something bad happens.


There are three things you should do immediately:
  • Check if your information was compromised at https://www.equifaxsecurity2017.com/
    • Do not enroll in Equifax's credit monitoring program until you read below
  • Enable Two Factor Authentication (2FA) on all financial account websites that offer it
    • 2FA generally involves receiving a unique code (via SMS/email/phone call) that is used as part of a login process for added security
  • Place a 90-day fraud alert on your credit report at one of the four credit reporting agencies: Equifax, Experian, Trans Union, and Innovis. They will communicate it to the others on your behalf. This should be relatively painless and give you some time to implement some of the actions below, which may take more time.


PREVENT:
If your information has been compromised, I would recommend lacing a freeze on your credit reports at Equifax, Experian, Trans Union, and Innovis.

A freeze locks your credit report and will block any inquiry/pull attempts unless you unfreeze the report. This is the strongest preventative control you can put in place to protect your credit and identity. There is a $0 - $15 max cost for placing a freeze on your credit reports depending on state laws. You can find state specific fees here: http://consumersunion.org/research/consumers-unions-guide-to-security-freeze-protection

Before placing a freeze on your file I highly recommend reading the following article to understand the ins-and-outs: https://krebsonsecurity.com/2015/06/how-i-learned-to-stop-worrying-and-embrace-the-security-freeze/

DETECT:
In addition to the freeze, you can put detective controls in place. Detective controls mean you will be alerted if something suspicious happens. These include:
  • Establishing alerts on your bank accounts and credit cards for transactions over a certain threshold. These alerts can be email or SMS.
  • Credit Monitoring*
*I am not a strong believer in credit monitoring based on the cost to subscribe over the course of many years especially if you have a credit freeze in effect and it does not prevent anything.

GENERAL TIPS:
Lastly, some general tips for good security hygiene:
  • Update/patch your computers, mobile phones, and apps as soon as you are notified of updates.
  • Use strong and unique passwords for each website you sign up for
    • Consider using a password manager like KeePass (professional edition, http://keepass.info/download.html) - Happy to give people a tutorial of the software if needed.
    • Never store your usernames and passwords in a file on your computer (exception for managers above, which are encrypted)
    • Writing them down is perfectly fine for home use...just keep in a safe place
  • Vary the usernames you use on websites - if you can see a pattern in your usage so can an attacker

Please don't hesitate to reach out with questions and please feel free to forward this along to family/friends.

Stay Safe,
...

---

Comments on the site are disabled. If you have any edits or concerns drop me an email or contact me on twitter!


UPDATE: 2017-09-14

It appears TransUnion is purposefully obfuscating their process for freezing your credit on their service and instead promoting their own ID Protection service. Reddit user equisux posted a thread detailing changes to the website using Archive.org's Wayback Machine to show changes made aroiund Sept. 11th that bury the freeze option.The post details the new click throughs on the TransUnion website that you need to do and can be found here: https://www.reddit.com/r/personalfinance/comments/6zur5h/transunion_burying_their_credit_freeze_to_sell

Direct phone numbers for all credit institutions are below. Expect massive hold times:
TransUnion Freeze hotline 888.909.8872
Equifax: 800.685.1111 (NY residents 1-800-349-9960 / Canadians 1-800-465-7166) 
Experian: 888.397.3742

Breach response for the jaded

I heard about the breach at [$COMPANY_NAME$] and the [$BREACH_QUANTITY$] [$DATA_TYPE$ one of "credit card", "patient record", "social security number", "user login", "hashed passwords", "national security secrets", "Hollywood star's 'selfies'"] compromised. Of course this is a serious matter and is the largest since [$YESTERDAY_DATE$]

The people at [$COMPANY_NAME$] have not yet released details, which is appropriate given an incident response of this magnitude. I understand that they have the [$RESPONDER_NAME$ multiple of "FBI", "NSA", "CIA", "Mandiant", "army of consultants", "Keystone Kops"] involved and have issued a press release.

My guess is that the attackers were able to initially breach the target using a [$ATTACK_TYPE$ one of "phishing attack", "brilliantly clever targeted phishing attack", "piece of custom malware", "cat with a WiFi interface implanted in its head", "SQL injection attack", "basic website vulnerability", "army of ninjas", "variant of Stuxnet"] which is [$UNEXPECTED$ one of "totally unexpected", "the way it usually happens", "innovative", "obscure as hell", "bloody typical"] form of attack that is often used by [$USUAL_SUSPECTS$ multiple of "China", "North Korea", "CIA", "NSA", "Anonymous", "brotherhood of blades", "Bavarian Illuminati", "Trilateral commission", "hackers who have read 'Hacking Exposed'", "any complete newbie"]  Until I know more about it, I can't really guess about the details.

However, this illustrates the basic issues in information security, which is that organizations don't appear to have effective responses to basic malware and/or phishing attacks, and have aggregated critical data into central locations on their networks where it is accessible. Once an attacker gets inside, it is pretty easy for them to escalate privileges, find out where the data is, and exfiltrate it. Organizations with critical data should segregate it off their network, perform regular vulnerability audits and remediation, maintain detailed system logs, and use two factor authentication for administrator access. If it's a large organization, Big Data also helps, but I am not sure how.

Sony hack commentary

Vice has a great interview with Peter Singer. Singer makes some excellent points, especially when it comes to applying the word terrorism to the Sony pictures hack.

The FBI's definition of terrorism is as follows:
18 U.S.C. ยง 2331 defines "international terrorism" and "domestic terrorism" for purposes of Chapter 113B of the Code, entitled "Terrorism":

"International terrorism" means activities with the following three characteristics:

  • Involve violent acts or acts dangerous to human life that violate federal or state law;
  • Appear to be intended (i) to intimidate or coerce a civilian population; (ii) to influence the policy of a government by intimidation or coercion; or (iii) to affect the conduct of a government by mass destruction, assassination, or kidnapping; and
  • Occur primarily outside the territorial jurisdiction of the U.S., or transcend national boundaries in terms of the means by which they are accomplished, the persons they appear intended to intimidate or coerce, or the locale in which their perpetrators operate or seek asylum.*

Calling what happened to Sony terrorism cheapens the idea of terrorism for those who have suffered violence. The 132 children who were recently killed by the Taliban in Pakistan were victims of terrorism. Their families were victims of terrorism. What Sony is suffering from is embarrassment.

NB: Above, I am speaking solely of The Hack. Ensuing threats of violence from the Guardians of Peace certainly fall into the definition. But again, as Singer points out: is there capability to follow through with said threat?

Sony's label of "cyber terrorism" is being echoed by organizations like the MPAA who sent out this gem of a Press Release:
"The FBI's announcement that North Korea is responsible for the attack on Sony Pictures is confirmation of what we suspected to be the case: that cyber terrorists, bent on wreaking havoc, have violated a major company to steal personal information, company secrets and threaten the American public. It is a despicable, criminal act.

Disappointingly, that fact has been lost in a lot of the media coverage of this over the past few weeks. This situation is larger than a movie's release or the contents of someone's private emails. This is about the fact that criminals were able to hack in and steal what has now been identified as many times the volume of all of the printed material in the Library of Congress and threaten the livelihoods of thousands of Americans who work in the film and television industry, as well as the millions who simply choose to go to the movies. The Internet is a powerful force for good and it is deplorable that it is being used as a weapon not just by common criminals, but also, sophisticated cyber terrorists. We cannot allow that front to be opened again on American corporations or the American people" [emphasis added].
 
Which is it? Terrorists or criminals? These are dangerous waters being waded into in describing the hack. 

Was Sony at fault for this?
An acquaintance recently summed up some philosophical nuances: "...there is an important moral difference between 'creating a situation with a predictable effect they should have foreseen' and 'asking for it' or 'inviting it.' The latter phrases mitigate the immorality of the attackers, as if it makes it less wrong to do something predictably wrong. If you 'invite' or 'ask for' something you are condoning it. If you just stupidly leave yourself open to it, you are responsible for being stupid, but not for the wrong act that results."

DPRK (official according to FBI) is 100% at fault for the morality of their actions, i.e. that they were wrong. Sony is the victim. 

Now, let's talk about the responsibility Sony had.

Sony had a responsibility to their employees and shareholders to protect their personal and intellectual property. They had a responsibility to identify, understand, and operate within their threat environment. Sony failed to uphold that responsibility in an epic and very public fashion. Sony has not acknowledged this failure. "Being a victim is more palatable than having to recognize the intrinsic contradictions of one's own governing philosophy." ? Tom Clancy, The Hunt for Red October

Sony has chosen a response I certainly would not have advised had I been standing in their incident response room. Singer calls this the 'lose our shit' mentality, "[t]he reality is we can either choose a 'lose our shit' mentality, or we can choose a mentality that is far more successful, which is focusing on resilience." 

Perhaps Sony can stop losing their shit and focus on resilience.





RSA Postmortem: 5 months later

Great post from F-Secure Labs on how one dedicated employee, Timo Hirvonen, found the actual attack e-mail and 0-day exploit payload used in compromising RSA (the security division of EMC) back in March, 2011.

While the attack vector (phishing) was not advanced, the exploit code was. As the F-Secure article points out, RSA could not have defended against this brand new threat via antivirus or other network/system defense. However, proper training of employees on opening suspicious attachments could have prevented the whole thing.

My favorite detail in the post is that an RSA employee uploaded the e-mail to VirusTotal. This is speculation, but I can imagine the additional virus scanning occurred immediately after opening the file and seeing the actions (see video on F-Secure post). I can further imagine the "oh, crap" reaction of the person who watched, on their screen, as one of the leading security product providers got owned.

Building an organizational culture of security and privacy can go a very long way. Training and awareness is a critical complement to any enterprise defense strategy. You can deploy millions of dollars worth of defense systems and still be compromised by the actions of a dedicated and resourceful adversary and the actions of one, untrained, employee.

A closing note: In the beginning of August the RSA breach was revealed, through an EMC earnings calling, to have cost $66 million to investigate, mitigate, and help customers.
Do you know who all of your social networking connections really are?  Can you vouch for each of them personally?  Do you trust each of those connections to keep your information safe? 

Earlier this summer, Thomas Ryan, Co-Founder & Managing Partner of Provide Security, LLC., began an experiment he dubbed Robin Sage with the intent of exploiting the trust that seems to be inherent in social media.  The trust that what a person's profile says is true.  The trust that, if my friends are friends with someone, that person must be legit.  In his 28-day experiment, Thomas built an identity simply by joining mailing lists, Twitter, LinkedIn, and Facebook and by choosing credentials that invoked a notion of status within the INFOSEC community.

In Thomas' words, "Given the vast number of security breaches via the internet, The Robin Sage Experiment seeks to exploit the fundamental levels of information leakage--the outflow of information as a result of people's haphazard and unquestioned trust. The experiment was conducted by creating a blatantly false identity and enrolling on various social networking websites. By joining networks, registering on mailing lists, and listing false credentials, the conditions were then set to research people's decisions to trust and share information with the false identity. The main factors observed were: the ability to exploit other individuals' level of trust based on gender, occupation, education/credentials, and friends (connections)."

For some reason the normal amount of security we take into real life interactions falls away online.  In real life, we very rarely talk to strangers about our jobs, especially if those jobs are of importance to national security.  Yet in the online world, the Robin Sage identity received job offers from government and corporate sectors and options to speak at a variety of security conferences, with no verification that this person was, in fact, real or even a true expert.  However, there were individuals who called Robin out as a fraudster.  Omachonu Ogali, security researcher and (full disclosure) good friend, was one of those individuals.  I wanted to pick his brain as to how he identified Robin Sage as a fraudster and what happened soon after.  Below is an interview I conducted with Omachonu over e-mail after discussing the topic in person:

Facebook Insecurity and Privacy

The ever growing facebook saga has reached a new chapter and a new low.

Facebook has been receiving the ire of the privacy and security community for all of 2010.  Yesterday, security researcher Ron Bowes of SkullSecurity found a new vulnerability and this one is huge.

Facebook's Directory page - https://www.facebook.com/directory - you can get a list of every searchable user on facebook.

Ron put together a Ruby script that harvested over 171 million names, usernames, and profile URLs.  You could easily add a picture and location information to this dataset and have a nice data-mining project on your hands. 

With this dataset as a baseline we could start crawling other social networking and media sites for similar user names, location information, and attempt to make social media profiles of individuals.  This would be a gold mine data set for advertising, law enforcement, intel gathering, etc.

The privacy issue is pretty clear cut here.  Facebook, in its continued march toward wide-open, unrestricted, and identifiable social networking has exposed the name, username, and picture of every searchable user to the public.  A smart hacker got wise and downloaded all of this information to prove a point.  He also released the 2.8GB of data through a torrent.  A smart advertising agency or foreign government can do the same thing to targeting individuals for profit or something worse.

171 Million names, usernames, and profile URLs exposed.  Keep repeating that until the gravity of it all sets in.

"August 4, 2006, the personal search queries of 650,000 AOL (America Online) users accidentally ended up on the Internet, for all to see. These search queries were entered in AOL's search engine over a three-month period. After three days AOL realized their blunder and removed the data from their site, but the sensitive private data had already leaked to several other sites.

I love Alaska tells the story of one of those AOL users. We get to know a religious middle-aged woman from Houston, Texas, who spends her days at home behind her TV and computer. Her unique style of phrasing combined with her putting her ideas, convictions and obsessions into AOL's search engine,  turn her personal story into a disconcerting novel of sorts.

Over a period of three months, a portrait of a woman emerges who is diligently searching for likeminded souls. The list of her search queries read aloud by a voice-over reads like a revealing character study of a somewhat obese middle-aged lady in her menopause, who is looking for a way to rejuvenate her sex life. In the end, when she cheats on her husband with a man she met online, her life seems to crumble around her. She regrets her deceit, admits to her Internet addiction and dreams of a new life in Alaska." ~http://www.minimovies.org/documentaires/view/ilovealaska

The few policies that have come out addressing Government 2.0 (social media, networking, etc) have been fairly weak on the privacy front, barely addressing the multitude of risks these technologies bring to a government agency.  This dearth of policy has lead to addressing issues on an ad hoc basis and trying to fit those answers into the current frame work of policy and legislation.  I have been trying to proactively come up with and address those ad hoc inquiries in advance of actually being asked.  The first situation I came up with was government's role in breaches; specifically with inbound (public to an agency) sharing.  If a person compromises their own information on a government run web 2.0 site, what role does the government play?  This is situation is expanded below.

I will be presenting these situations, questions, and observations as a series here on PrivacyWonk.  I invite your feedback through the comments section or by e-mail.  Please add to the discussion! 
 
---

A distraught individual, who has experienced the proverbial run-around with a government agency, begins posting messages to an agency's facebook page containing very sensitive information in the hopes of reaching someone who will help. The information includes a name (as detailed by facebook user account), a case number, and a description of a medical condition.

Background: The government agency elected to begin using social networking sites to increase public interaction with the agency.  It has chosen to use facebook, allows public viewing of the page, and allows search engines to index the page. The agency has developed a social media policy that states all comments will be published but may be moderated after the fact if they contain improper language, are off topic, or contain personal information. Due to resource limitations, the agency has elected to only review the site once a week.
 
Impact: The individual has compromised their own information. The government run facebook page is now displaying Personally Identifiable Information (PII) and Protected Health Information (PHI) to the world, further compromising the information every time a new visitor lands on the page.
 
Resulting Questions:
  1. While there is no question who is at fault for the original compromise, does the government agency share responsibility for allowing further compromise of the information?
  2. Does the agency have a legal responsibility to report it as a breach*?
  3. Does the agency have a moral/ethical responsibility to report it as a breach?
  4. Would tracking situations of public/government interaction via social media sites that result in a compromise of PII be useful for making decisions on directing training, notification, and design of social media presence? If so, would they result in a more restrictive approach or simply a better design?
 
Definitions:
(1) OMB Memorandum (M) 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information defines a breach as (verbatim copy): "For the purposes of this policy, the term "breach" is used to include the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to personally identifiable information, whether physical or electronic."
 
(2) HIPAA HITECH's defines a breach as (verbatim copy):
"SEC. 13400. DEFINITIONS. In this subtitle, except as specified otherwise:
 
(1) BREACH."
 
(A) IN GENERAL."The term "breach" means the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.
 
(B) EXCEPTIONS."The term "breach" does not include"
 
(i) any unintentional acquisition, access, or use of protected health information by an employee or individual acting under the authority of a covered entity or business associate if"
(I) such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship of such employee or individual, respectively, with the covered entity or business associate; and
(II) such information is not further acquired, accessed, used, or disclosed by any person; or
(ii) any inadvertent disclosure from an individual who is otherwise authorized to access protected health information at a facility operated by a covered entity or business associate to another similarly situated individual at same facility; and
(iii) any such information received as a result of such disclosure is not further acquired, accessed, used, or disclosed without authorization by any person."