Thoughts From The Scottrade Breach

Given the number of breaches that have happened in the last couple of years, many people have probably forgotten about the Scottrade breach.  To refresh your memory, back in 2013 hackers breached the Scottrade customer database and had their way with the credentials of 4 million plus customers.

Between September 2013 and February 2014, the hackers exfiltrated – a fancy word for stole – credentials for 4.6 million Scottrade customers.   While Scottrade has been very cagey as to exactly what was taken, the database breached contained name and address information, social security numbers, passwords and other sensitive data, whatever that means.

Scottrade was unaware of the breach and the only reason they ever found out about it is that the FBI came knocking on their front door one day in August 2015 and said, we’re from the government and…. In this case, they were not exactly there to help them, but rather to be the bearer of bad news.

What is also unclear is what happened between February 2014 when data was no longer being taken and August 2015 when the FBI came knocking on Scottrade’s door.  My guess is that there was no data left to steal.

The FBI asked them not to notify their customers until October of 2015 so they could complete their investigation.  Since, by the time the FBI showed up, the hackers had been in the system for two years, what difference could a couple of months make?

A couple of relevant thoughts.

  • Scottrade is a financial services firm.  The fact that hackers had free roam of their system from September 2013 to August 2015 and they did not know it is a bit disconcerting.  On the other hand, if a hacker was inside your system, would you know it?
  • It appears that Scottrade is not exactly sure what was accessed and what was taken.  That doesn’t inspire confidence either.  Again, if hackers were inside your system, would you know what data they had accessed?
  • The hacker(s) exfiltrated data on 4.6 million customers.  While we do not know where this data was sent and they probably have customers all over the world, Scottrade did not detect their customer data dribbling out of their system.  Would you detect data being exfiltrated by hackers?

So, in summary, Scottrade never knew hackers were in their system for two years (until the FBI told them), does not know what data was taken and did not detect the data being exfiltrated.  For a large financial services firm, this is a concern.  However, if your company was in the same position, would you be in any better position?
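The third bullet asks whether you would notice customer data dribbling out over five months.  As an added example (not from the original post and not anything Scottrade ran), here is one simple check that catches exactly that pattern: an internal host that keeps sending data to the same external address day after day.  The flow records, addresses and thresholds are constructed for the example; a real deployment would read NetFlow/IPFIX exports or firewall logs instead.

```python
"""Spot low-and-slow exfiltration in daily outbound flow summaries.

Added example, not from the original post: flag an internal host that sends
a persistent stream of data to one external destination on many days.
All flow records below are constructed for this example.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed data starts on the day the post says the Scottrade exfiltration began.
START = date(2013, 9, 1)


def build_sample_flows():
    """Return constructed (day, src, dst, bytes_out) summaries for 30 days."""
    flows = []
    for i in range(30):
        day = START + timedelta(days=i)
        # Workstation: modest browsing to a different destination every day.
        flows.append((day, "10.0.1.25", f"203.0.113.{(i * 7) % 50 + 1}",
                      40_000 + (i % 5) * 9_000))
        # Mail server: large but legitimate volume to a known relay on weekdays.
        if day.weekday() < 5:
            flows.append((day, "10.0.2.10", "198.51.100.7", 12_000_000))
        # Customer database host: about 2 MB every night to the same outside address.
        flows.append((day, "10.0.3.40", "192.0.2.99", 2_000_000 + (i % 3) * 50_000))
    return flows


def persistent_outbound(flows, min_days=20, min_total=10_000_000, allowlist=()):
    """Return (src, dst, days_seen, total_bytes) for every src->dst pair seen on
    at least min_days distinct days that moved at least min_total bytes overall.
    Destinations on the allowlist (known relays, backup targets) are skipped."""
    days = defaultdict(set)
    total = defaultdict(int)
    for day, src, dst, nbytes in flows:
        if dst in allowlist:
            continue
        days[(src, dst)].add(day)
        total[(src, dst)] += nbytes
    hits = []
    for (src, dst), seen in days.items():
        if len(seen) >= min_days and total[(src, dst)] >= min_total:
            hits.append((src, dst, len(seen), total[(src, dst)]))
    return sorted(hits)


if __name__ == "__main__":
    for src, dst, n, nbytes in persistent_outbound(build_sample_flows(),
                                                   allowlist={"198.51.100.7"}):
        print(f"ALERT {src} -> {dst}: seen on {n} days, {nbytes / 1e6:.1f} MB total")
```

Run without the allowlist and the mail relay is flagged too, which is the point of maintaining one: the check is only useful if the destinations you already expect are tuned out, so that what remains is worth a human's attention.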

That was all background.  Now on to the reason for the post.

Scottrade, like many companies who have been breached, was sued by their customers.  The customers alleged breach of contract, breach of implied contract, negligence and violations of multiple consumer protection statutes.

The Constitution requires that, in order to sue, you have to prove that you have suffered an injury, that the injury is fairly traceable to the conduct of the defendant and that a judicial decision will provide redress.  This is where most of the breach class action lawsuits get in trouble.  Since the credit card companies give you back your money in the case of fraud and even give you a new card, what, exactly, is your injury?

One creative breached company even went so far as to say “how do you know the credit card fraud was a result of our breach and not some other breach?”  Prove that the hacker who used your card obtained it as a result of the breach we had and not some other breach, possibly one nobody knows about.  This, of course, is impossible.

This forces people to go towards loss of time, purchasing identity protection insurance, and risk of future harm. In this case, it appears that the hackers were interested in account information – so that they could spam Scottrade’s clients or possibly commit identity theft – no credit card data was believed to be taken, so there were no fraudulent credit card charges.

This made the lawyers really stretch.  They said that they didn’t get the full benefit of the Scottrade relationship since, as a result of the breach, their relationship was less valuable than they had bargained for and lastly, and this is a real stretch, as a result of the breach, their information became less valuable since someone else was already selling it and they were less able to monetize their data.

The last one is lawyering at its best.  They are complaining that because someone else is trafficking in their stolen information, they couldn’t traffic in their own data – which they allege was private and they would be harmed if it was used.  That claim makes my head hurt.

A few weeks ago the District Court for the Eastern District of Missouri, granted Scottrade’s motion to dismiss.

What is unclear is whether Scottrade lost customers as a result of the breach.  If I were in the market for an online broker, I would likely pick one that had not been breached over one that allowed hackers free roam of their system for two years and didn’t know.  Just my preference.

The useful lesson here for businesses is to understand how you would answer the questions in the bullets above.

Information for this post came from JDSupra.

Disgruntled Citi Bank Employee Shuts Down The Bank

In 2013 a disgruntled Citibank employee decided to get even.  Lennon Ray Brown, 38, who worked for Citi during 2012 and 2013 in the Dallas area, decided to teach the bank a lesson.

On December 23, 2013, Brown sent a set of commands to 10 of the Citi global core routers.   Those commands erased the running configurations in 9 of those routers.  It is not clear what happened with the 10th core router.

The result of this was to take 90 percent of Citi’s network down two days before Christmas at 6PM.  Right in the prime shopping and dinner hour.

At the time, he sent a text to a coworker that read:

“They was firing me,  I just beat them to the punch.  Nothing personal, the upper management need to see what they guys on the floor is capable of doing when they keep getting mistreated.  I took one for the team.  Sorry if I made my peers look bad, but sometimes it take something like what I did to wake the upper management up.” 

Clearly, this guy was not a happy employee.  Equally clearly, he didn’t show any remorse and didn’t care if he got caught.

And, likely, at most companies, an unhappy IT guy could do this amount of damage or more.

Ricky Joe Mitchell, who was Security Architect at Home Depot at the time of the breach there, pleaded guilty to sabotaging his former employer’s network and causing them a million dollars in damage.  His former employer, EnerVest, spent 30 days recovering from the sabotage.

In the grand scheme of things, the most likely cyber risk that any company has to deal with is the insider threat.  Most of the time it is not as dramatic as shutting down a bank’s network or sabotaging a former employer, but little attacks hurt as well.

I do not mean to single out IT employees;  it is just that they can make a pretty flashy entrance.  It really does not matter what department the employee works in.

When the Chase banker took data on 76 million customers, HE had no plans to post that data on the Internet.  But someone else did.  On top of it, Chase was fined a million dollars for not having the right controls in place to stop him.

Lennon was sentenced to 21 months in prison and $77,000 in restitution, but I suspect that for Citi, two days before Christmas, that penalty, three years later, doesn’t mean much.

So, sometimes, working on the easy stuff is what we should do first.  Monitoring.  Dual controls.  Alerting.  Keeping an ear to the ground.

Nothing is perfect when it comes to security.  We just want to continuously make things incrementally better.
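Monitoring and alerting on the Citi scenario is not hard.  The following is an added example, not from the original post and not Citi’s tooling: it parses router syslog-style “configured by <user>” messages and raises an alert when one account changes the running configuration of more than a couple of core devices within a few minutes.  The log lines, device names and account names are constructed; the message format is loosely modelled on common router syslog output, and the year (which syslog timestamps omit) is assumed to be 2013.

```python
"""Alert when one account reconfigures many core devices within minutes.

Added example, not from the original post: detection logic for a burst of
configuration changes by a single account.  Log lines, host names and user
names are constructed; the year is assumed because syslog omits it.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

ASSUMED_YEAR = 2013
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) .*"
    r"Configured from \S+ by (?P<user>\S+)"
)

# Constructed log: one routine change by jsmith, two by nightops, and a burst
# by lbrown across ten core routers plus one edge switch, just after 6PM.
SAMPLE_LOG = "\n".join(
    ["Dec 23 17:42:10 core-rtr-03 %SYS-5-CONFIG_I: Configured from console by jsmith on vty1 (10.20.30.41)",
     "Dec 23 17:55:00 core-rtr-05 %SYS-5-CONFIG_I: Configured from console by nightops on vty2 (10.20.30.42)",
     "Dec 23 17:58:30 core-rtr-06 %SYS-5-CONFIG_I: Configured from console by nightops on vty2 (10.20.30.42)"]
    + [f"Dec 23 18:00:{i * 5:02d} core-rtr-{i + 1:02d} %SYS-5-CONFIG_I: "
       f"Configured from console by lbrown on vty0 (10.20.30.40)" for i in range(10)]
    + ["Dec 23 18:01:10 edge-sw-07 %SYS-5-CONFIG_I: Configured from console by lbrown on vty0 (10.20.30.40)"]
)


def parse_log(text):
    """Return (time, host, user) tuples for configuration-change lines, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a configuration-change message
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"], m["user"]))
    return sorted(events)


def detect_config_bursts(events, max_devices=2, window=timedelta(minutes=10),
                         is_core=lambda host: host.startswith("core-")):
    """Return one alert per account that changed more than max_devices distinct
    core devices within any span of length `window`.  An alert is
    (user, first_time, last_time, sorted device names); non-core devices are ignored."""
    per_user = defaultdict(list)
    for ts, host, user in events:
        if is_core(host):
            per_user[user].append((ts, host))
    alerts = []
    for user, changes in per_user.items():
        start = 0
        for end in range(len(changes)):
            # Slide the window start forward until the span fits in `window`.
            while changes[end][0] - changes[start][0] > window:
                start += 1
            devices = {host for _, host in changes[start:end + 1]}
            if len(devices) > max_devices:
                t0 = changes[start][0]
                burst = [c for c in changes[start:] if c[0] - t0 <= window]
                alerts.append((user, t0, burst[-1][0], sorted({h for _, h in burst})))
                break
    return alerts


if __name__ == "__main__":
    for user, t0, t1, devices in detect_config_bursts(parse_log(SAMPLE_LOG)):
        print(f"ALERT {user} changed {len(devices)} core devices between "
              f"{t0:%H:%M:%S} and {t1:%H:%M:%S}: {', '.join(devices)}")
```

This is the alerting half.  The dual-control half is a change-management rule, for example that a change touching more than one core device needs a second approver, and the script above is where you would check that the approval exists before the alert is closed.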

Information for this post came from SC Magazine.

Data Breach Incident Response: Questions and New Laws

As more and more breaches happen every month, businesses everywhere need to consider what would happen if their company had a breach.  Here is advice from the national law firm of Perkins Coie.

  1. Is the breach reportable?  The list of data items which, when compromised, triggers a reportable breach keeps growing.  For example, this year Illinois and Nebraska joined a number of other states that dictate that compromised account credentials are now reportable.   This year Tennessee removed language which used to say that if the data was encrypted, the breach is not reportable.  For some states now, if the data was encrypted but the keys were likely compromised, the breach is reportable.  And, remember, what matters is where the owners of the data reside, not where your office is.
  2. How fast should you notify?  That is not a simple question to answer.  While different laws come into play for different groups, caution is advisable.  If the data lost was covered by HIPAA, you have a specific amount of time to notify.  If you are a Defense Contractor, you have a different, VERY SHORT amount of time to notify the Department of Defense.  What we saw earlier this year in the P.F. Chang breach is that they over disclosed and when it was discovered that relatively few customers were impacted and they tried to get lawsuits dismissed, the court said that they told everyone that they were at risk.
  3. What should the notice look like?  Some states, like Rhode Island, specify in significant detail what needs to be in the letter, but this language can get you in trouble later.  Judges are sometimes not real good at understanding the laws of other states.  When Neiman Marcus told customers, after their breach, to check their credit reports, even though the breach did not reveal any information that would allow a hacker to open a new account, the judge discounted Neiman’s claim that the reason they told people to check their credit report was that they were legally required to say that in some states.  Eventually, the courts and the legislatures will get in sync, but not as long as the legislatures keep tinkering with the laws.
  4. Who receives notice?  Well, besides the affected people, in some states, the state Attorney General must be notified.  For HIPAA breaches of over 500 records, the Secretary of Health and Human Services must be notified and for defense contractors, the DoD must be notified.  These are just SOME parties that have to be notified.  And, of course, you must use the approved, state specific form.
  5. Should we offer credit monitoring services? Credit monitoring and credit repair services seem to be the norm these days, at least for big breaches, but even this can come back to haunt you.  In the Neiman’s breach mentioned above, the court said that because they offered credit monitoring there must have been a risk for fraud – even though there wasn’t any, other than someone using your Neiman’s card.

All this says that the landscape is filled with landmines and you MUST have a cyber breach litigation wise attorney in your camp from the VERY FIRST MOMENTS.  As you can tell from the words above, even simple decisions have the possibility to backfire.

So if you do not have a cyber incident response plan written, approved, disseminated and tested, I recommend that it be added to the high-priority to-do list.

Information for this post came from JDSupra.


New Vulnerability May Affect Cell Phones, Cell Towers, Routers and Switches

A bug in a software library used in a wide variety of communications products such as cell towers, routers and switches and even the radio chips inside of cell phones was recently announced.

The library in question implements a standard known as ASN.1 and was developed by Objective Systems.

While we are all used to, for example, patching our iPhones or Android phones, what we are talking about here is patching the chip inside the phone that controls the radio that talks to the cell tower.  THAT is something that we are not used to patching.

If someone were to figure out how to exploit this flaw – and the experts say that this is not easy – then they are in control of the guts of the phone – possibly even bypassing encryption.  This is why this is such a big deal.  The same applies to any of the other affected communications equipment.
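ASN.1 decoders are risky precisely because they take length fields from untrusted input (a cell tower’s signalling message, a certificate) and use them to decide how much memory to read or write.  The post does not describe the flaw itself, and the following is an added example rather than code from Objective Systems’ library: a small DER tag/length/value decoder that shows the checks every length field has to pass before it is trusted.  The sample encodings are constructed.

```python
"""Bounds-checked DER tag/length/value decoding.

Added example, not from the post or from the affected library: it shows the
length validation an ASN.1 decoder must perform on untrusted input.  Only
single-byte tags and the definite-length forms that DER permits are accepted.
"""


class DerError(ValueError):
    """Raised for any malformed or non-DER encoding."""


def read_tlv(buf, pos=0):
    """Decode one DER element at buf[pos]; return (tag, value_bytes, next_pos)."""
    n = len(buf)
    if pos >= n:
        raise DerError("no tag byte")
    tag = buf[pos]
    pos += 1
    if tag & 0x1F == 0x1F:
        raise DerError("multi-byte tags are not supported in this example")
    if pos >= n:
        raise DerError("truncated: no length byte")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        length = first                      # short form
    elif first == 0x80:
        raise DerError("indefinite length is not valid DER")
    else:
        nbytes = first & 0x7F               # long form: number of length bytes
        if nbytes > 4:
            raise DerError("length field too large")
        if pos + nbytes > n:
            raise DerError("truncated length field")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
        # DER requires the minimal encoding: no long form for values below 128
        # and no leading zero bytes in the length.
        if length < 0x80 or length < (1 << (8 * (nbytes - 1))):
            raise DerError("non-minimal length encoding")
    # The critical check: never trust a length that runs past the buffer.
    if length > n - pos:
        raise DerError(f"length {length} exceeds the {n - pos} remaining bytes")
    return tag, buf[pos:pos + length], pos + length


def parse_sequence_of_integers(buf):
    """Parse SEQUENCE { INTEGER, ... } and return the values as Python ints."""
    tag, body, end = read_tlv(buf)
    if tag != 0x30:
        raise DerError("expected SEQUENCE")
    if end != len(buf):
        raise DerError("trailing bytes after SEQUENCE")
    values, pos = [], 0
    while pos < len(body):
        t, v, pos = read_tlv(body, pos)
        if t != 0x02:
            raise DerError("expected INTEGER")
        if not v:
            raise DerError("empty INTEGER")
        values.append(int.from_bytes(v, "big", signed=True))
    return values


def is_rejected(buf):
    """True if the decoder refuses buf (used to exercise the malformed samples)."""
    try:
        parse_sequence_of_integers(buf)
    except DerError:
        return True
    return False


if __name__ == "__main__":
    # Constructed samples: a valid SEQUENCE of two INTEGERs, then malformed inputs.
    print(parse_sequence_of_integers(bytes.fromhex("3007020105020200ff")))   # [5, 255]
    for hexstr in ("300702010502",      # outer length longer than the data
                   "30030210ff",        # inner INTEGER claims 16 bytes, 1 present
                   "308000",            # indefinite length
                   "30820007020105020200ff"):  # non-minimal length encoding
        print(hexstr, "rejected" if is_rejected(bytes.fromhex(hexstr)) else "accepted")
```

The second and third malformed samples are the interesting ones: a decoder that copies `length` bytes without comparing it to what is actually left in the buffer reads (or writes) past the end, and in a baseband or router that memory is whatever happens to sit next to the message.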

Right now we know that Qualcomm chips can be exploited, but researchers are furiously at work testing AT&T, Ericsson, Cisco and other implementations to see if they are also vulnerable.

While Objective Systems has released a patch, it is not likely that all of the equipment that uses the affected code will ever be patched.  Some of the equipment is on telephone poles in the middle of nowhere and other equipment is in old phones that are no longer ‘supported’ by the cell carrier.  It is even possible that for some of the equipment, the manufacturer did not provide a mechanism to field upgrade the firmware in these chips.

What is even worse is that it is unlikely that the owner of the equipment, whether that is you or me when it comes to a cell phone, Verizon when it comes to a cell tower or your IT department when it comes to an Internet router would ever know that the equipment has been compromised because we don’t have any monitoring software that operates at that level.

That is a bit disconcerting.  But not surprising, unfortunately.

Information for this post came from Ars Technica.

For First Time Federal Judge Tosses Evidence Based On Stingray

A Federal judge in New York tossed evidence in a drug bust based on the use of a Stingray cell site simulator.  But the devil is in the details.  To be clear, this is not about getting a warrant to use a Stingray and catching a drug dealer.  This is about lying to or omitting key facts from a Federal judge when asking that judge to sign a warrant.

For those of you who read my blog, you know that I have written about Stingray cell site simulators several times.  Those devices hoover up huge quantities of cell phone and text message traffic and then the agency that collected it is free to go through that data – not just to find that one bad guy, but also to go on a fishing expedition to see what else might be there.  And, they get to keep all that data for as long as they want.

So what happened in New York?

The Feds were looking for a possible drug deal that was going to move large quantities of drugs from South America.  As part of their investigation, they received a wiretap warrant to monitor traffic between two suspected drug traffickers.  Curiously, the traffic that they were going to monitor was done on Blackberrys.  Until recently, we thought that Blackberrys were secure.  Then we found out that Blackberry was secretly intercepting Blackberry traffic without the hassle of pesky warrants and handing that over to anyone who asked (law enforcement agencies only, we assume).

Then the DEA asked for a warrant to get location information for the phone.  What they told the judge was that they were going to ask the cell provider for that information.  So far, so good.

They did, in fact, get that information from the provider, but that only told them that the phone in question was in the area of Broadway and 177th Street in Manhattan.

So what did the DEA do?  They decided, on their own and absent a judge’s approval – which I can guarantee 99% would have been granted – to use a Stingray to get better location information.

Using the Stingray, they located the building and then the apartment where that phone was likely located.  The agents then knocked on the door and the suspect’s father let them in and consented to a search.

Ultimately, they found a kilo of coke and eight cell phones.  Certainly, not a massive amount of drugs, but also, just as certainly, not a personal use amount.

In the past, some courts have ruled that with any data that you give to a third party (such as Microsoft, Google or your cell phone carrier), you revoke your right to privacy because you gave that information to someone else.  In some cases, lawyers have used that third party theory to justify using a Stingray.

This judge, however, said that Stingrays are different.  This is not data that you gave to anyone.  Since there is no third party involved (like Google or Verizon), the third party doctrine does not apply.

The government has not said whether they will appeal the case or not.  Historically, the government has kept a pretty low profile on Stingray cases, even to the extent of dismissing charges rather than explain to a judge what a Stingray does, so it is unclear if they will open their kimono this time.

And this case is not even about drugs.  It is about following the law and not hiding from the courts and the public what, exactly, law enforcement officials are doing.

Curiously, the week after this guy was arrested, the Department of Justice changed their own rules and said, yes, we will ask for a warrant before we use a Stingray.  That decision doesn’t affect this case, however.

However this case ends and whatever happens to this drug dealer, this is another example of the changing rules on using Stingrays as judges begin to read the news and understand what they are, because, it seems, they are not getting that information from prosecutors.

Stay tuned for more details.

Information for this post came from Ars Technica.

Update Your iPhones and Macs to Fix This HUUUGE Bug

About a year ago, Android users were fighting something called the Stagefright bug.  Buried deep in the bowels of the operating system was a series of bugs that would allow an attacker to send you a specially crafted text message and take over your Android phone.  Stagefright affected close to a billion phones in the worst case scenario, but more likely about half that number – still a HUUUGE problem.

This week it is Apple’s turn. Cisco’s security research arm, Talos, discovered what is really a similar problem to Stagefright.  All an attacker needs is your phone number – likely not hard to get.  Then they send a specially crafted iMessage or MMS message.

The bug could also be exploited via Safari by getting the user to visit a malicious web site.

In any case, no user interaction is required.

So what can the attack do for the hacker?

Nothing important.  Just leak your authentication credentials stored in memory to the hacker.  Forbes says this includes any credentials the target is using in the browser such as website credentials or email logins.

Due to other security mechanisms in the iPhone, the attacker can’t completely take over the phone, but this is sufficiently bad.  Apparently, on a Mac, the problem is worse because the Mac sandbox works differently.

And, this even affects WatchOS.

In addition to this bug, the researchers at Talos also found a memory corruption bug.

And a security engineer at Salesforce found a flaw in FaceTime that would allow hackers who were located on the same network as the user (i.e., they came from outside but had already compromised some other PC on your network) to spy on your FaceTime conversations.  Apple says “an attacker in a privileged network position (which they don’t define) may be able to cause a call to continue transmitting audio while appearing as if the call was hung up.”

In total, 43 bugs were fixed in the new version of iOS.

If you are not running iOS 9.3.3, which was released on July 18th, or Mac OS El Capitan 10.11.6, released on the same day, you should update now.

Given the complexity of computers and phones these days, it is not completely surprising that serious bugs are found.  This means we need to make sure that researchers are not hampered by Washington’s lack of understanding of technology – but that is a whole ‘nother post.

Like Stagefright, these bugs affect all versions of iOS before the one that was released 4 days ago.

According to Apple, 14% of iPhones run iOS 8 or earlier.  Likely these are older phones that might not be able to run iOS 9 for some reason.  Those phones will never be patched unless they upgrade to iOS 9.  Talk about a ‘target rich environment’.  That represents close to a hundred million phones that may never be patched – like older Android phones.

How many of the more than 1 billion iPhones are running a version of iOS older than 4 days ago?  Likely a large number.  Probably several hundred million.

This just reinforces the fact that we really need to figure out, with the billions of phones and tablets out there, how to get people to upgrade to the MOST CURRENT version of the OS.  That means that old phones need to be crushed and melted.  I know people don’t want to spend the money to replace phones that still function, but the alternative is to use a phone with bugs that allow attackers to, in this case, steal your passwords.  I guess you could sell your old unsupported phone on eBay and make it someone else’s problem 🙂

Information for this post came from Forbes and Quartz.