What Will The Next Yahoo Revelation Be?

As if things weren’t bad enough for Marissa Mayer and Yahoo after the announcement of losing 500 million user records and the very negative article in the NY Times last week about how they treated security, now there is a new revelation.  Supposedly, Yahoo wrote custom software to search all emails in real time for specific search terms and feed that data to the NSA.

When the government came to Yahoo, unlike the very public fight that Apple fought with the FBI, Yahoo – specifically Mayer – decided to agree to do it.  She did not tell her head of security, who discovered the software within a couple of weeks of its being installed and quit over the incident.  He is currently working for Facebook.

It is likely that Yahoo was served with a secret FISA court order compelling them to do that, but as in the Apple case, Yahoo could have fought it.  Whether they would have been successful or not is unclear.  Courts have sided both for and against Apple in their battles with the feds.  Yahoo has only said that it is a law-abiding US company that complies with US laws.  I would read between the lines to say that they were served with a FISA order and prohibited from telling anyone about it.

Both Google and Microsoft have said that they have never been served with a similar warrant.  Whether this is true or not is unclear.

What appears to have really riled some folks up at Yahoo was that Mayer didn’t fight.  She just rolled over.

Based on an earlier New York Times article it doesn’t appear that Mayer had much concern about security or privacy, so she may have decided that it wasn’t worth spending the money to fight.

What is clear is that right now, on the eve of selling the company to Verizon, this is one more headache that Yahoo does not need.  Of course, Verizon could say that this is just the way it is – after all, they were outed as having fed all of their call records to the NSA for years.  However, it could cause more customers to flee from Yahoo, making the property worth even less.  It is unlikely that Verizon could have a clause in the purchase agreement that says that if it is discovered that Yahoo complied with legal US court orders, Verizon can change the terms of the deal, but losing customers is certainly not something that Verizon wants to happen.

This is not even something that you could reasonably say could or should be discovered during due diligence.  You could ask certain negative questions, like “is it accurate that you have never been served with a FISA warrant for x?”, but even answering that is dicey, and it seems like most people at Yahoo would not have known about it, so they might have answered the question incorrectly.  Dealing with the blowback from FISA warrants might give some buyers pause if they thought the facts might come out after the purchase.

From a user’s standpoint, this is just one more nail in the coffin of the expectation of privacy.  For users of cloud-based services, it is clear that you should not expect your data to be private – either from law enforcement or from vendor employees.  You also should not expect to be told when your information is viewed by or given to third parties.

IF that is a concern, then the only workable option is to encrypt the data yourself in a way where only you or your company control the encryption keys.  Some of the large cloud providers such as Amazon offer such services for enterprises.  For other users, there may be add-on products that allow you to do that.  For example, BoxCryptor is an add-on for Dropbox and other cloud file sharing services that allows you to encrypt your data before it is stored in Dropbox or the other services.  It is your responsibility to manage and distribute the encryption keys for products like this.  Security.  Convenience.  Pick one.

May you live in interesting times.  Yes we do.

Information for this post came from Reuters.


What Do Hackers Do With Stolen Healthcare Data?

Why do hackers steal medical and health insurance information and what do they do with it?  Why does your personal health information sell for 25 to 50 times what credit card information sells for?

The first answer?  Your credit card information is typically toast within 30 days of the first use, sometimes sooner.  And of course, credit cards expire on their own, even if the owner doesn’t suspect fraud.  What this means is that the useful life of a stolen credit card is relatively short.

On the other hand, healthcare information is likely to be useful for years.  After all, your blood type doesn’t change very often!  For many people, their health insurance policy only changes when they change jobs.

What do they do with your information?  One thing is to apply for durable medical equipment, home health care or hospice care – services that are never delivered but which are billed to the insurance company and paid to cooperating medical practices and ultimately, the hackers.

Another use is to provide medical care to people who don’t have insurance.  When that happens, the healthcare records of the person whose identity was used to pay for the treatment and of the person who was treated are inextricably merged.  The only way the person whose medical identity was stolen would ever know about it would be if they saw the insurance explanation, or if they went to the doctor and found that they now had a different blood type.

Unlike credit cards, there is no central repository for all your healthcare information, and no requirement for everyone to report information to such a repository.  There are efforts to build central medical information databases, but there is nothing like Experian.  This makes it even more difficult for people to find out about fraudulent usage.

And since the healthcare information is good for a long time, the hackers can wait until the useless but free credit monitoring service that companies offer after a breach expires.  Then they might even be able to use that information to mess with people’s credit.

On top of this, it is often the case that the health care provider doesn’t even know that they have been hacked.  After all, they still have all the information – and so does the hacker.

All in all, this favors the attacker.  In fact, the healthcare industry is operating at a serious disadvantage.  For decades, healthcare information was stored in paper files in your doctor’s office.  A hacker had to be in the same city and break into your doctor’s office to steal them.  Now they can be halfway around the globe.  It is way easier for the hacker.  And healthcare providers, operating on shrinking margins and in new territory, are losing the battle.

And who pays for this – you do – in higher insurance rates, healthcare fraud and problems caused by all of that.  Score one for the hackers.


Information for this post came from Health Data Management.


Learning About Ransomware – The Hard Way

A small New England retailer learned about ransomware the hard way.  After an employee clicked on a link, that system was infected with Cryptowall.

The malware encrypted, among other files, the company’s accounting software.

The accounting software did not live on that user’s computer; it lived on the network, but since that user had access to that network drive, the malware was able to encrypt the accounting files.  This is a very common situation with ransomware.  It will attempt to encrypt any files that it can get write access to.

The attackers asked for $500 in bitcoin, which is pretty typical.  It is a number which is low enough that many people will decide it is easier to pay up than to deal with it.

The best protection against ransomware is good backups: more than one copy, and not directly accessible from the system under attack, otherwise the ransomware could encrypt the backups too.

Unfortunately for this company, their backup software had not worked for over two years – and they did not know it.

Believe it or not, we see this a lot.  Either backups don’t work, they do not back up all of the critical data, or they are out of date.  In many cases, no one has EVER tried to restore from the backup, so the first time they find out that the backups don’t work is when they try to restore from them.  If systems are backed up individually, then each and every backup needs to be tested.
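As an added example (not the post’s or the retailer’s code), here is a Python script that records a SHA-256 manifest when a backup is taken and later proves the backup works by restoring it into a scratch directory and comparing: it flags archives older than expected, files that are missing, and files whose contents no longer match, as they would if ransomware with write access had reached the backup share.  The accounting files and archive names are constructed for the demo.

```python
import hashlib
import os
import tarfile
import tempfile
import time
from pathlib import Path

def manifest_of(root):
    """Map every regular file under root (relative path) to its SHA-256."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def create_backup(src_root, archive_path):
    """Tar src_root and return its manifest; keep the manifest off the share."""
    with tarfile.open(str(archive_path), "w:gz") as tar:
        tar.add(str(src_root), arcname=".")
    return manifest_of(src_root)

def verify_backup(archive_path, expected, max_age_days=1):
    """Test-restore into a scratch dir; {} means usable, else the problems."""
    problems = {}
    age = (time.time() - os.path.getmtime(archive_path)) / 86400
    if age > max_age_days:            # has the backup job silently stopped?
        problems["stale_days"] = round(age, 1)
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive_path), "r:gz") as tar:
            # use the hardened extraction filter where this Python has it
            opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **opts)
        restored = manifest_of(scratch)
    problems["missing"] = sorted(set(expected) - set(restored))
    problems["mismatch"] = sorted(k for k in expected
                                  if k in restored and restored[k] != expected[k])
    return {k: v for k, v in problems.items() if v}

def demo():
    """Constructed: a healthy backup, then one taken after the share was trashed."""
    with tempfile.TemporaryDirectory() as work:
        data = Path(work, "accounting")
        data.mkdir()
        (data / "ledger.csv").write_text("2016-10,sales,1200\n")
        (data / "payroll.csv").write_text("2016-10,wages,800\n")
        expected = create_backup(data, Path(work, "backup.tgz"))
        healthy = verify_backup(Path(work, "backup.tgz"), expected)
        (data / "ledger.csv").write_bytes(os.urandom(64))  # now encrypted junk
        (data / "payroll.csv").unlink()                    # file deleted
        create_backup(data, Path(work, "later.tgz"))
        broken = verify_backup(Path(work, "later.tgz"), expected)
    return healthy, broken
```

Run this on a schedule against every real archive, with the manifest stored somewhere the backed-up machines cannot write, and the two-years-of-silent-failure case above is caught the first day it happens.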

So in this case, the business owner paid the ransom.

Unfortunately, ransomware, like most software, has bugs in it so when they attempted to decrypt the files after the ransom was paid, the decryption did not work.

The hackers, concerned that their business model would fail if the victims paid the ransom and did not get their data back, even offered to try and decrypt the files – if the business owner sent the files to the hacker.  The owner declined.

At this point the business owner doesn’t think he can trust his systems, but he doesn’t want to spend $10,00 to rebuild them.

And all because an employee clicked on the wrong link.

Information for this post came from True Viral News.


DarkOverlord Moves From Healthcare To Financial Services

The DarkOverlord is a hacking group that came to light midyear when it announced it was selling 9+ million patient records on the dark web for around half a million dollars in Bitcoin.   That data apparently includes Social Security numbers, dates of birth and other information.

Now they have moved on to financial services with a slight modification of their strategy.

Their mark this time is a relatively small investment bank, Westpark Capital.   Westpark says they are a full service investment banking and securities brokerage firm with offices in California, New York, Florida, Arizona and several international locations.

The hackers claim to have stolen documents from Westpark and attempted to extort their CEO, Richard Rappaport.  After Mr. Rappaport apparently declined their “offer” to keep the documents secret, they posted a handful of them on Pastebin.  Those documents included NDAs, contracts, stock offerings and presentations, and included a handful of customer Social Security Numbers.

Whether they have more documents or not is unclear.  If they do, and the company does not pay the ransom, the hackers may choose to release more documents.  Whether that is 10 documents or a thousand documents is unknown.

For you geeks in the crowd, it appears that the attack vector was a publicly exposed RDP (remote desktop protocol) connection.  We have told clients that public RDP is really dangerous and this is just an example of that.  If your company publicly exposes RDP, we recommend that you change that immediately, because it sounds like there is an unknown vulnerability that they are exploiting.

The challenge for Westpark now is first to attempt to determine what the hackers actually have.  If it is their entire document store, and it may be, then the next question is whether they pay them off and HOPE they don’t release the rest of them, or call the hackers’ bluff and see what happens.

For Westpark, this kind of seems like a lose-lose scenario.  No matter what they do, some documents are out there and clients should be very nervous about any other documents that they have shared with Westpark.  They could pay the ransom and the documents still get published or not pay the ransom and the documents get published.

For the hackers, this seems like a win-win scenario.  If Westpark pays up, they get the money.  If Westpark doesn’t and they release more documents, the next financial services company that they go after will likely be less likely to blow them off.

For smaller organizations in the financial services industry – and that means anyone smaller than, say, Chase – this should be a shot across the bow to get their security in order.  You may remember that Jamie Dimon of Chase said, after they got hacked last year, that they currently spend $250 million on cyber security and after the hack they plan to raise that to $500 million.  Per year.  Even I have to admit that this is a lot of money.

While no solution is bulletproof, what you do want to do is make yourself bullet resistant.  That way, if the hackers don’t have a grudge against you, they will likely move on to an easier target.  I don’t know, but I suspect that the hackers were not specifically targeting Westpark – they were just an easy mark for the hackers.

In looking at Westpark’s web site, there is no notice of a breach that I can find, so the news media is spreading the word for them.  This may indicate a weakness in their incident response plan, because you never want the LA Times to be telling your customers that you have been hacked before you tell them.

Westpark’s web site can be found here.

Information for this post came from Info-Security and Hackread.
