Anthem Agrees To Pay $115 Million To Settle Lawsuits From Breach

Anthem Blue Cross, you likely remember, was one of the first “Blues” to admit that they had lost control of the data on their subscribers to the tune of around 79 million people.  After Anthem admitted that, a number of other insurance companies – both Blues and others – admitted that they, too, had been hacked.

Judge Lucy Koh


Judge Lucy Koh, a U.S. District Court Judge who has presided over a number of very famous breach cases (Yahoo, for example), consolidated over 100 lawsuits into one in her court.

If approved by Judge Koh, it would be the largest single settlement for a breach.

The money will be used to pay for an additional two years of credit monitoring.  Alternatively, victims can get fifty bucks instead.

That is not much consolation, if you ask me.

Still, for Anthem, it is a large check for them and/or their insurance company to write.  It is likely that they have used up most or all of their breach insurance coverage already, so my speculation is that the cost is coming out of their pocket.

Compared to Target’s $18 million settlement and Home Depot’s $19 million settlement, this is a big number.

Anthem will have to allocate a certain amount of money to security enhancements and make certain specific changes to its security program – on top of writing that rather large check.

It is important to understand that for victims of medical information theft, credit monitoring is about as useful as a screen door on a submarine.   Usually the stolen information is used for insurance fraud (AKA medical care fraud) and to a lesser extent to compromise existing credit accounts using the stolen information.  Neither of these will show up on a credit report.

It is not clear how that money will be split up between lawyers, victims and credit monitoring, but that will likely come out after the settlement is approved.

Information for this post came from NBC and MedCityNews.

An Actual IoT Horror Story

I have been standing on my IoT soapbox for a while, saying that IoT is dangerous and people don’t know it.  As a result, people aren’t doing anything about it.

Well, today I received a dose of reality.

We recently completed a vulnerability scan for a client of ours and one of the findings was a “HIGH” vulnerability.  The client called me to discuss this and as I dug into it, I went, oh, #$%^.

Without giving away too much, this IoT device is a security device.

As is the case with many IoT devices, this device, of which the client has more than one in different offices, has an embedded web server that allows you to manage the device.

What are the manufacturer’s requirements for this embedded web server?

Number one requirement is that it is cheap.  Free is best, but if you can’t get to free, maybe then a royalty of a buck or two per unit.

Number two requirement is that it is small and “light weight”.  Light weight means it doesn’t use much memory or CPU since IoT devices are generally underpowered from a memory and CPU standpoint.  An underpowered processor – one that barely gets the job done – costs less per unit (do you detect a theme here?).

Getting back to this client, what did this manufacturer do?  They selected an open source web server.  Open source, for the most part means free.

With respect to this “HIGH” vulnerability, the client wants to eliminate the risk, of course, so I do some research.

It turns out this open source project was abandoned in 2005.  That is not unusual with open source.  Often a developer will build something for a project and put it out there.  When they get reassigned or the company decides to use a different solution, the open source project gets abandoned.

What is annoying here, of course, is when the client bought this IoT device the vendor didn’t say “by the way, we used this open source web server and we have no idea if it will be maintained”.

In addition, the vendor could have replaced the web server sometime in the last 12 years, but that would have cost the vendor money.

At this point, besides taking these devices out in the parking lot, running them over with my truck and making the client buy new ones (which is not going to happen, of course), the best we can do is work to mitigate the risk.  ARGH!

There are a couple of takeaways from this –

  1. Before you buy an IoT device, ask the vendor about support.  Do they plan to patch it?  Do they have a history of patching their IoT devices?  FOR HOW LONG?  IoT devices might have a useful life of 10 years or more.  If the vendor commits to patching it for one year, that is not too helpful.
  2. Always isolate IoT devices, both from any trusted network and also, if possible, from other IoT devices.  That will help mitigate risk.  It won’t eliminate it, but it will mitigate it for sure.
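The second takeaway, isolation, is easy to state and easy to get wrong once a firewall has a few hundred rules in it. The following is an added example, not code from the original post: a small policy-as-code check that treats the two takeaways as invariants (an IoT zone may reach only the internet, never a trusted zone and never the other IoT zone) and flags any rule list that breaks them. The zone names, interface names and rule lists are constructed for illustration.

```python
"""Policy-as-code check for IoT network isolation.

Added example, not code from the original post. Zone names, interface
names and the rule list are constructed for illustration; map them to
your own VLANs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str     # zone that initiates the connection
    dst: str     # destination zone
    action: str  # "allow" or "deny"


IOT_ZONES = {"iot_office_a", "iot_office_b"}   # constructed
TRUSTED_ZONES = {"corp_lan", "mgmt"}            # constructed
IOT_EGRESS_ALLOWED = {"internet"}               # vendor updates only
ALL_ZONES = IOT_ZONES | TRUSTED_ZONES | IOT_EGRESS_ALLOWED


def baseline_rules():
    """Rules implementing the takeaways: each IoT zone may reach the internet
    and nothing else it can initiate to, including the other IoT zone.
    Trusted zones are not restricted by this list."""
    rules = []
    for z in sorted(IOT_ZONES):
        rules.append(Rule(z, "internet", "allow"))
        for other in sorted(ALL_ZONES - {z, "internet"}):
            rules.append(Rule(z, other, "deny"))
    return rules


def find_violations(rules):
    """Describe IoT-initiated paths the rule list permits but the policy forbids.
    Evaluation is first-match per (src, dst), so an 'allow' placed before a
    'deny' wins, exactly as it would on the firewall."""
    violations, seen = [], set()
    for r in rules:
        key = (r.src, r.dst)
        if key in seen:
            continue
        seen.add(key)
        if r.action != "allow" or r.src not in IOT_ZONES or r.dst == r.src:
            continue
        if r.dst in TRUSTED_ZONES:
            violations.append(f"{r.src} -> {r.dst}: IoT zone may reach a trusted zone")
        elif r.dst in IOT_ZONES:
            violations.append(f"{r.src} -> {r.dst}: IoT zone may reach another IoT zone")
        elif r.dst not in IOT_EGRESS_ALLOWED:
            violations.append(f"{r.src} -> {r.dst}: IoT egress outside the allow-list")
    return violations


def render_iptables(rules, ifaces):
    """Render zone rules as FORWARD-chain iptables commands (strings only,
    nothing is executed). `ifaces` maps zone name to interface name."""
    target = {"allow": "ACCEPT", "deny": "DROP"}
    return [
        f"iptables -A FORWARD -i {ifaces[r.src]} -o {ifaces[r.dst]} -j {target[r.action]}"
        for r in rules
    ]


if __name__ == "__main__":
    ifaces = {"iot_office_a": "vlan10", "iot_office_b": "vlan11",
              "corp_lan": "vlan1", "mgmt": "vlan2", "internet": "eth0"}  # constructed
    good = baseline_rules()
    print("baseline violations:", find_violations(good))
    sloppy = [Rule("iot_office_a", "corp_lan", "allow")] + good
    print("sloppy violations:", find_violations(sloppy))
    print("\n".join(render_iptables(good, ifaces)))
```

The check is deliberately order-aware: the same "allow" rule that is a violation when it sits above the deny is harmless when it sits below it, which is the mistake that usually slips into a rule base over time. Run it over the rule list before every firewall change rather than after the vulnerability scan.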

Users – both consumers and businesses – need to increase their understanding of the risks and their demands of their vendors to make secure products and support those products.  We saw the risk in real time a couple of months ago when the Mirai botnet, using hijacked IoT devices, took out parts of Amazon, Netflix, Twitter and other high profile web services.  Hopefully, it won’t take an incident that takes down the power grid, for example, to get people’s attention.



How the CIA – Or Others – Can Hack Your Internet Router

When was the last time you patched your Internet router?  Probably never.  That is what the CIA is counting on.  As well as foreign governments and just plain hackers.

But when it comes to the CIA, they are probably not interested in you.  That may not be the case when it comes to the other categories of folks mentioned above.  Hackers want valuables;  foreign governments may want your intellectual property.

In this case Wikileaks continued its steady flow of stolen CIA documents called Vault 7.  The documents talk about vulnerabilities in certain brands of routers and WiFi access points.

Apparently the CIA likes hacking routers because it is highly unlikely that you would detect it since there are no indications that it has been compromised.  After all, other than a couple of blinking lights, most routers have no user interface at all.

According to the leak, the CIA tool is called Claymore and it figures out what model router you have and then runs a suite of attacks against it – tailored to that router.  If it succeeds, it now owns your router and can make it do whatever they want.

For example, once the CIA hacks the router it can install its own software which might route all of your traffic through one of their monitoring points.  If they are replacing the software in the router, they could do anything they want.

I hear you – I don’t have anything the CIA wants.

That could be true.  Likely it is.

But do you have anything that an average-bear hacker might be interested in?  Does your business?

While the CIA folks are sharp, this attack ain’t rocket science.  In fact it is sort of junior high.  The particular tools that they are using might be sophisticated, but they are leveraging the fact that most people do not patch their routers.  Ever!

So what should you do?

  1. Change the default password.  PLEASE!  That is the first thing that hackers are going to try and do.
  2. Find out how to upgrade your router and do that monthly, if not more often.
  3. Better yet, pick a router that automatically looks for and installs its patches.  Then you don’t have to deal with it.

While this is not going to stop everyone, at least the hacker will have to be out of elementary school to break in.

Information for this post came from Wired.

GOP Contractor Exposes Profiles of 198 Million Voters

In what has to be one of the largest disclosures of personal data ever, it appears that a Republican National Committee vendor exposed their collection of data on 198 million U.S. voters in the cloud for anyone to trip over.

Unlike other cases where hackers broke in or used zero day exploits to compromise systems, in this case the Republican contractor didn’t bother to put a password on the data.

Granted there is a huge amount of data stored in the Amazon cloud, but that didn’t stop researchers from Upguard from finding it.  And maybe other people too.
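The way this kind of exposure is found, by researchers or by anyone else, is by reading the bucket's own access documents. Below is an added example, not code from the original post or from UpGuard, that does the defender's version of that check: it takes an S3 bucket policy and bucket ACL in the JSON shapes the AWS API returns and reports whether they make objects readable by the world. The policy, ACL and bucket name are constructed samples.

```python
"""Detect world-readable S3 buckets from their policy and ACL documents.

Added example, not code from the original post or from UpGuard. The
policy and ACL below are constructed samples in the shapes the AWS API
returns; the bucket name and account id are placeholders.
"""
import json

# Grantee URIs AWS uses for anonymous users and for any authenticated AWS user.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _principal_is_public(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_read_statements(policy):
    """Return the Sids of statements that let anyone read objects: Effect
    Allow, wildcard Principal, a read action and no Condition. A wildcard
    statement that carries a Condition is skipped here and should be
    reviewed by hand, since the condition may still be too loose."""
    if isinstance(policy, str):          # `aws s3api get-bucket-policy` returns a JSON string
        policy = json.loads(policy)
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if not any(a.lower() in READ_ACTIONS for a in _as_list(stmt.get("Action", []))):
            continue
        if stmt.get("Condition"):
            continue
        hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def acl_is_public(acl):
    """True if the bucket ACL grants READ or FULL_CONTROL to a public group."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_GRANTEE_URIS
                and grant.get("Permission") in ("READ", "FULL_CONTROL")):
            return True
    return False


# Constructed samples (placeholder bucket name and account id).
EXPOSED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-voter-data-bucket/*",
    }],
}
LOCKED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AnalystsOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/analyst"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-voter-data-bucket/*",
    }],
}
PUBLIC_ACL = {"Grants": [{"Grantee": {"Type": "Group",
                                       "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                          "Permission": "READ"}]}
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "0000example"},
                           "Permission": "FULL_CONTROL"}]}

if __name__ == "__main__":
    print("exposed policy:", public_read_statements(EXPOSED_POLICY))
    print("locked policy:", public_read_statements(LOCKED_POLICY))
    print("public acl:", acl_is_public(PUBLIC_ACL), "private acl:", acl_is_public(PRIVATE_ACL))
```

On a real account the inputs come from `aws s3api get-bucket-policy --bucket NAME --query Policy --output text` and `aws s3api get-bucket-acl --bucket NAME`, run for every bucket the vendor operates on your behalf, not just the ones you think hold the sensitive data. Both documents matter: a bucket with no policy at all can still be public through its ACL, and a vendor who "didn't bother to put a password on the data" will usually have done it through one of these two.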

The primary vendor, Deep Root Analytics, made a statement taking responsibility for the screw up.

The data, about 1.1 terabytes of it, gives a very detailed picture of almost all of America’s 200 million voters.

The data includes

  • Name
  • Date of birth
  • Home address
  • Phone number
  • Voter registration details
  • ‘Modeled’ ethnicity
  • ‘Modeled’ religion
  • and hundreds of other fields

In addition to the 1 terabyte of data that was exposed, there was another 24 terabytes of data that was password protected.  The data in the unprotected database alone represents about 10 billion pages of text.

It took 2 days just to download the data.

More than likely there is nothing remotely illegal about amassing this type of data.  Depending on who downloaded it while it was exposed, it would certainly be extremely helpful to other politicians who might want to replicate this data for the next election.  The data goes back to the 2008 election, which is very useful in predicting future outcomes.  The RNC spent about a million dollars amassing this data.  Now, potentially, it is in the wild – or up for sale.  Given that it was not protected in any way, it is questionable whether downloading and using it is even illegal.

The Hill says that the data was exposed between June 1 and June 14.  While that is a short time, it was certainly long enough to download the data.

We also don’t know if the data is or was stored elsewhere in the cloud, but I suspect RNC – and probably the DNC – are looking far and wide to make sure.

As more and more data moves to the cloud, the risk of that data being accidentally left exposed grows with it.

This is just another example of the risk of outsourcing.  That doesn’t mean that if the RNC collected the data themselves that it would not have been exposed.

It is a pretty painful reminder that you have to manage the data protection practices of all of your vendors.  In this case, for the Republicans, it could be a million dollar reminder if someone else uses the data that they paid to collect – possibly against them.

Also remember that this technically is not a breach.  Since it was not protected by even a password – never mind being encrypted – it was kind of like putting your stuff out by the curb for people to pick through.

I suspect that the RNC and its vendors will be more careful next time.

Information for this post came from  The Hill and Upguard.



Yet Another Outsourcer Hacked

Aptos, an outsource point of sale vendor for many businesses, announced that they were breached.  Sort of announced, but not really.

The breach was active from February 2016 thru November 2016, but they didn’t notify their merchants until February of this year.  Now the vendors are slowly notifying their customers.  Potentially, customers are not going to be notified for a year after their card was compromised.  Aptos is not notifying the compromised customers at all – they are leaving that up to their customers.

If you are being proactive and watching the activity on your cards, you would have been aware of the fraud long before you found out about it from them.

When contacted, Aptos said that they were not going to say who was breached and leave it up to the vendors.  According to a blurb of a WSJ article, Aptos apparently told at least some of their merchants that they didn’t have to disclose the breach, but attorneys are disagreeing with that.  Some of the merchants affected are:

  • Abbott
  • Liberty
  • Mrs
  • Affy
  • Alpha
  • Atlantic
  • Blue
  • Movie
  • Pegasus
  • Plow and
  • Vapor
  • West
  • Percussion
  • and a number of others

For an updated list of affected vendors, visit the Data Breaches link below.

Information taken includes name, address, email, phone number and credit card information.

Some of the merchants are offering credit monitoring.  Hopefully if you bought anything from these merchants, they have already reached out to you.

Besides the hassle if your card was compromised, this is yet another example of outsourcing things that are not core to your business to make your life easier and it winding up making your life harder and costing you money.

Most of these merchants are small, which means that they are less able to deal with the reputation hit.  Remember that cyber insurance will not pay for your damaged reputation – to deal with that, you would have to sue the outsource vendor.

Some thoughts –

  • Make sure that you do your due diligence before you sign up with an outsourcer to run your point of sale system.
  • Make sure that you have cyber risk insurance and it covers that kind of situation.
  • Make sure that your agreement with the outsource vendor specifies who is liable, exactly WHAT they are liable for and how you are going to get paid for the damage.
  • Make sure that the outsource vendor has cyber risk insurance as well.

So while you can’t eliminate risk, at least you can work on reducing that risk.  The due diligence and insurance are critical.

Information for this post came from Data Breaches and The Register.

‘Crash Override’ Might Take Down US Power Grid

What if the attack on the Kiev power station last Christmas, which killed power to a goodly chunk of the city, was just a dry run?  For what?

Security researchers at ESET and Dragos analyzed the malware used in the attack and say it represents a dangerous advancement in attacks on critical infrastructure.

Like Stuxnet before it, it was purpose built to damage industrial control systems.

The system, called Crash Override or Industroyer, is modular with the ability to swap in and out modules, depending on the particulars of the system they are attacking.

This version of the software knows how to directly talk to the hardware that controls the power grid, rather than attacking the workstations that manage the grid.  Given that it is modular, the attackers could configure it with particular attacks based on the control systems a particular plant uses.

By damaging the hardware, the attack would be much more difficult to recover from.  If the controls don’t respond, then engineers would need to go directly to the substations to try and recover.  Assuming there is a way to do that.  At some stations, there are no manual overrides, just automation.  Damage could mean that you have to reboot the hardware.  OR, it might mean that you have to replace the hardware.  That is what we saw in Ukraine.  Depending on how much damage it does it could take time to recover.

The North American Electric Reliability Corporation or NERC has been working very actively with the utility industry to make it more resilient to attacks, but as the industry gets better, so do the attackers, so it is not a simple problem to solve.

This malware is also more automated than the software used in the 2015 Ukraine attack.  That attack took 20 people to attack 3 companies.  Experts say that with this new software that same team could attack ten or fifteen targets – or more.

Unlike Stuxnet, which is believed to be the work of Israel and the United States, this malware is thought to have come from Russian hackers.

The researchers note that this does not spell the end of humanity – although grid operators should be concerned.  They say that the malware is very “noisy”, meaning that it is not subtle as it tries to map out the network it is attacking.  If operators are watching their network, they will see the attack early, hopefully before it can do much damage.  Stay tuned.   Could Russia attempt to launch an attack in the U.S.?  Sure, it’s possible.  Could they try to attack more than one part of the grid at once?  Also possible.  Would they succeed?  That is the real question.  One that we don’t know the answer to.
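"Noisy" is only useful if someone is listening. As an added example, not from the ESET or Dragos analyses, here is the simplest form of the monitoring the researchers are pointing at: a fan-out detector run over flow records from a control network. A real HMI polls a short, fixed list of devices; something mapping the network touches many peers in a short time. The flow records, host addresses, ports and the threshold are constructed assumptions, not values from the page.

```python
"""Flag hosts that sweep many peers inside a control network.

Added example, not from the ESET/Dragos analyses of the Ukraine malware.
The flow records are constructed; the field layout, addresses, ports and
the threshold are assumptions to adapt to your own network.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
FANOUT_THRESHOLD = 10   # assumption: a real HMI polls a fixed, short peer list


def constructed_flows():
    """Constructed flow log, one record per line: 'timestamp src dst dport proto'."""
    base = datetime(2017, 6, 12, 1, 0, 0)
    lines = []
    # Normal: an HMI polling three known devices every 10 s for an hour.
    for i in range(360):
        ts = base + timedelta(seconds=10 * i)
        lines.append(f"{ts.isoformat()} 10.10.5.7 10.10.5.{1 + i % 3} 2404 tcp")
    # Suspicious: one workstation touching 30 different peers within a minute.
    for i in range(30):
        ts = base + timedelta(minutes=20, seconds=2 * i)
        lines.append(f"{ts.isoformat()} 10.10.5.20 10.10.5.{1 + i} 102 tcp")
    return lines


def parse_flow(line):
    ts, src, dst, dport, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), proto


def fanout_alerts(lines, window=WINDOW, threshold=FANOUT_THRESHOLD):
    """Return {src: peak distinct destinations} for every source that talks to
    at least `threshold` distinct hosts inside any sliding `window`."""
    by_src = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, _dport, _proto = parse_flow(line)
        by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        peak, left = 0, 0
        for right in range(len(events)):
            # Slide the left edge until the window fits.
            while events[right][0] - events[left][0] > window:
                left += 1
            distinct = len({dst for _, dst in events[left:right + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, peak in fanout_alerts(constructed_flows()).items():
        print(f"ALERT {src}: {peak} distinct peers within {WINDOW}")
```

The HMI never trips the detector because its peer set is small no matter how long you watch it; the sweeping host trips it within a minute of starting. A fixed threshold is a starting point only. In practice you baseline each source's normal peer count for a week and alert on a jump from that baseline, which catches the same behaviour without hand-tuning the number per site.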

Information for this post came from Wired.