All posts by Buster5252

“Smart Cities” Need to be Secure Cities Too

For hundreds of years, government has been the domain of the quill pen and parchment or whatever followed on from that.

But now, cities want to join the digital revolution to make life easier for their citizens and save money.

However, as we have seen, that has not always worked out so well.

Atlanta was recently hit by a ransomware attack, just one example out of hundreds.  It appears the attack was made easier by the city's choice not to spend money on IT and IT security.  Now it plans to spend about $18 million to fix the mess.  Atlanta can afford that; smaller towns cannot.

We are hearing of hundreds of towns and cities getting hit by hackers – encrypting data, shutting down services and causing mayhem.  In Atlanta, for example, the buying and selling of homes and businesses was shut down for weeks because the recorder could not reliably tell lenders how much was owed on a property being sold or record liens on property being purchased.

But what if, instead of not being able to pay your water bill, not having any telephones working in city hall or not being able to use the city's web site, the city-owned water delivery system stopped working because its control system was hacked and the water was contaminated?  Or what if all of the traffic lights went green in all directions?  Or red?  What if the police lost access to all of the digital evidence for crimes and everyone being charged had to be set free?  You get the general idea.

As cities and towns, big and small, go digital, they will need to upgrade their security capabilities or run the risk of being attacked.  Asking a vendor to fill out a questionnaire about its security and then checking the box that says it's secure does not cut it.  Not testing software for security bugs, both before the city buys it and periodically after, doesn't work either.  We are already seeing that problem with city web sites that collect credit cards being hacked, costing customers (residents) millions.  Not understanding how to configure systems for security and privacy doesn't cut it either.

Of course the vendors don't care, because cities are not requiring vendors to warrant that their systems are secure or to provide service level agreements for downtime.  I promise that if the vendor is required to sign a contract saying that if its software is hacked and it costs the city $X million to deal with it, the vendor pays for that, vendors will change their tune.  Or buy a lot of insurance.  In either case, the city's taxpayers aren't left to foot the bill, although the other issues are still a problem.  We have already seen information permanently lost.  Depending on what that information is, that could get expensive for the city.

In most states, governments have some level of immunity, but that immunity isn't complete, and even if you can't sue the government you can vote it out of office, something politicians are not fond of.

As hackers become more experienced at hacking cities, they will likely do more damage, escalating the spiral.

For cities, the answer is simple but not free.  The price of entering the digital age includes the cost of ensuring the security AND PRIVACY of the data that their citizens entrust to them as well as the security and safety of those same citizens.

When people die because a city did not do appropriate security testing, lawsuits will happen, people will get fired and politicians will lose their jobs.   Hopefully it won't take that to get a city's attention.

Source: Helpnet Security


Not a Great Day for One Law Firm, Its Vendor and its Clients

I wrote a while back about hackers who had compromised a law firm and its client, Hiscox insurance, or, said differently, Hiscox and its vendor.  The law firm was handling claims related to 9/11 (almost 20 years later and still litigating!).

A lot of law firms (certainly not all) have not figured out that they are a high value target for hackers because of all of the customer data that they have.

The hackers broke into the law firm and stole tens of thousands of claims documents and emails.  Stuff that Hiscox’s clients probably did not want to be public.

Then the hackers tried to extort Hiscox and the law firm.

Apparently that didn’t work.

The hackers had distributed three encrypted blobs after the extortion became public a couple of months ago.

Now the hackers have released another encryption key.  This time it exposed about 8,000 emails – about 5 gigabytes of stuff.  That means a lot of attachments, otherwise 8,000 emails would be a lot smaller.

Since the hackers are dribbling out these encryption keys, they may still be trying to extort the law firm and Hiscox, but each one of these data dumps makes things worse for both companies.

Hiscox's story was "it wasn't us", meaning that the hackers didn't break into the insurance carrier.  But, you know what, when it comes to lawsuits, Hiscox's customers are going to say that they gave the documents to Hiscox; if Hiscox gave them to someone else, that is Hiscox's problem, not theirs.  And, I think, the courts are likely to agree.

And, Hiscox added, once they learned about the breach, they informed the policy holders.

I’m guessing that the insureds are going to say that Hiscox had a fiduciary responsibility to protect the data that they shared and that responsibility can’t be waived.

Given that this is 18 years after 9/11, those suits still being litigated are probably big dollar claims.  I hope Hiscox has a lot of insurance because I can’t imagine they are not going to be sued.

Okay, so what is the implication to you?

At every level here, we are talking about vendor cyber risk management (VCRM): between Hiscox's clients and Hiscox, and between Hiscox and its vendors.  There will be lawsuits over that.

The second issue is the security at the law firm.  Apparently not so good.  How good is the security at the law firm that you use?  Even though you might be able to sue them after a breach, that doesn't really solve the problem.

Now there is a big mess.  Who gets to pay for the cleanup?  Look at the agreements that everyone signed.  My guess is that the law firm wrote something in the contract that said they were not responsible.  Assuming Hiscox accepted such language. 

Did the law firm have cyber risk insurance?  If not, can it write a check for $10 or $100 million out of its checking account?  If not, it files for bankruptcy and walks away, leaving the customer holding the bag.

YOU, as the customer, need to make sure that everyone has their ducks in a row.  To quote a sign I saw yesterday:

    I don't have ducks
    I don't have a row
    I have squirrels
    And they are drunk


Information for this post came from Motherboard.




The Cost of Cyber Breaches

In case you were one of those who thought that there was no real cost to cyber breaches, you might want to ask Yahoo CEO Marissa Mayer and General Counsel Ron Bell about that.

The Yahoo Board has decided not to award Mayer, CEO of Yahoo during all of the recent breaches and the renegotiated Verizon deal, any cash bonus at all.  Exactly how much that would have been was not disclosed, but surely it was in the millions.

In addition to that, the Board voted not to give her an equity bonus (stock or options).  The minimum value of that, according to CNN, was $12 million.

Granted, Mayer's net worth is estimated at around $300 million according to Google, but no one wants to walk away from $10-$20 million.

In addition, Yahoo General Counsel Ron Bell has “resigned”.   According to the company, Yahoo did not make any “payments” to him in exchange for his leaving.

Yahoo’s Board said that the GC had sufficient information to warrant substantial further inquiry in 2014 – two years before the breaches were publicly announced.

In other Yahoo news, Yahoo released its 10-K and said that it recorded a charge of $16 million in 2016 related to the breach.  Given that the announcement of the breaches came late in the year (mid December for the big breach), maybe a number that small makes sense.  It will be much more interesting to hear how much they spend in 2017, 2018 and 2019.

In addition, in that same 10-K, Yahoo said that it did not have any cyber breach insurance.  Seriously?  You’ve GOT to be kidding.

In many breaches, the stock price dives and then mostly rebounds, so investors are not hurt.  In this case, the investors, too, were hurt.

First, the sale price was reduced by $350 million and the sale was delayed by a year.  Second, Yahoo gets to pay 50% of most of the breach costs.  Lastly, Yahoo gets to foot the entire bill for the SEC investigation and fines and any shareholder suits.

How many other people at Yahoo were also sacrificial lambs will likely never be known.

Information for this post came from Venture Beat and  Variety.


Expect Dramatic Fraud Increase This Year in Virtual World

If the US follows Europe, where the move to chip cards pushed fraudsters online, you can expect that "Card Not Present" or CNP fraud will increase significantly in 2016.

We will have to wait and see, but some things are likely.

  1. Chip and signature, the alternative to chip and PIN that most US banks and almost no international banks chose, will do nothing to protect against physically stolen credit cards: the chip stops the card from being cloned, but without a PIN nothing verifies that the person holding it is the cardholder.  Of course, you cannot steal a physical card from halfway around the world, so this type of attack only works if you are near the victim.  AND the victim is much more likely to notice that their wallet has been stolen and cancel the card, so my guess is that this is not going to be a significant source of fraud in 2016.
  2. Service providers who match buyers and sellers (anything from Uber to Etsy to Amazon) are likely to see a significant rise in fraud.  Online marketplaces such as Uber never see the customer, and the representative (like the Uber driver) never sees the credit card.  Even service providers like AirBnB, where someone may talk to you, don't have any information about the credit card used and likely do not ask you for ID.  Even if they do, that ID could easily be fake.
  3. Even online product sellers like Amazon are likely to see increases in attempted fraud.  The fraudsters hire mules to provide their addresses and then get the products from the mules some other way, including via reshipping.  If a mule gets caught, they don't know very much about the fraudster's operation.

Merchants not only lose the amount of the fraudulent transaction, but also the cost of dealing with the fraud.  According to Lexis-Nexis, merchants spend over $3.00 for every $1.00 in fraudulent transactions.

According to Lexis-Nexis, fraud as a percentage of revenue for all merchants increased from 0.51% to 0.68% between 2013 and 2014.  For merchants accepting payments via mobile (phones) the fraud rate went up from 0.8% to 1.36%, a 70% increase.  I guess we know one place where fraudsters are going.

A couple more interesting stats from Lexis-Nexis.  Merchants say that the number of prevented fraudulent transactions is up by more than 60%, meaning that the card services are doing a good job of detecting fraud, but the number of successful fraudulent transactions is also up, by around 45%.  Merchants say that the dollar value of fraudulent transactions that are caught is equal to the dollar value of fraudulent transactions that succeed.  Said a different way, by dollar value, only 50% of credit card fraud is caught.

What is clear to me is that getting solid data is very hard.  For example, the Lexis-Nexis report says that merchants report credit card fraud is down, but Lexis-Nexis says this is because merchants are accepting more payment types, so it is not a real decline: the fraud is just spread across more channels.

This means that merchants need to continue to up their game in fraud detection.  The Dark Reading article has several suggestions of things that merchants can do.  The goal, of course, is to do as much as you can without scaring off the consumer.  Jumio uses the camera in your phone to compare ID documents against a live image of the buyer to reduce fraud.  While this is NOT an example of something that happens behind the scenes, companies like AirBnB are using it with minimal customer pushback.  This is likely because the average AirBnB customer only does a couple of transactions a year.   But, I am sure, the crooks will also improve their techniques.  For example, if you compare a buyer's actual face to a driver's license, how do you know that the picture on the driver's license is real?  Still, you do have a picture of the fraudster, and that can't be all bad.

Businesses that accept credit cards will be fighting a cat and mouse game with fraudsters for the foreseeable future – they just need to make sure they don’t let their guard down.

Information for this post came from Dark Reading and Lexis-Nexis.


The Law Of Expected Consequences – China Reacts To CISA

In the last weeks of the year, Congress did what Congress does: it took a controversial bill, CISA, which experts say expands government spying on citizens in the name of protecting them, and stuck it inside a must-pass bill, in this case the omnibus spending bill, at the last minute.

Since Congress has been unable to muster the votes to pass this bill as a standalone bill for several years, this seemed like an expedient way for Congress to get it passed.  And, while it worked, as many people predicted, it has already had unintended consequences.

China has announced that since it is now OK for the U.S. government to increase the level of spying on Internet traffic, China will do the same.

China's draft legislation would require companies to install "back doors" or hand over encryption keys to the Chinese government.  Not only that, but they would be required to hand over user information to the Chinese government as well.  In the name of countering terrorism.

This includes financial institutions and manufacturing companies.

China actually said that they looked at U.S. law, along with other countries, when drafting this legislation.

Of course the recent announcement that the NSA may have been bugging Juniper routers for years likely did not make the Chinese any happier.

Apparently, things move a little quicker in China than in the U.S.  On the same day that the draft legislation was proposed, China passed it into law.  Among other things, that law requires that ISPs and telecom providers "shall provide technical interfaces, decryption and other technical support and assistance to public security and state security agencies".

Now we have to see what China actually demands.

The challenge is that for many companies, China is a significant market, and walking away from China will cost them money.  On the other hand, if they do not turn over their encryption keys, they could see their sites blocked by the Great Firewall.

It looks like the Cold War is heating up, this time in cyberspace.  Other countries, such as France and the UK, are considering similar laws.  Will every country now demand the encryption keys from every company?

If so, I give it about a week before those keys are leaked to the hacker community.

Companies will be forced to make hard decisions.  Do we allow governments across the globe to paw through our users' traffic, or do we stop doing business in certain countries?

And, from the user's standpoint, they now have total plausible deniability for any cyber crime that they are charged with.  "Your Honor, as you already know, the French, British, Chinese, U.S. and other governments all have my encryption keys.  Given that, and the fact that at least the U.S. Government has a bad track record for keeping keys secret (we only have to look as far as the TSA and OPM to see that), it is likely that hackers have my keys as well.  Since I have no ability to control who has my keys, it is just as likely that a hacker in China committed this crime.  While I don't have the resources to prove this, you cannot deny it is possible.  I submit that the government cannot prove beyond a reasonable doubt that it was me who did this.  I request that the charges against me be dropped."  This may seem far-fetched, but it isn't.

This has certainly NOT played out yet – stay tuned.

Information for this post came from SC Magazine .

There is another article in SC Magazine with an update.


Senate Passes Information Sharing Bill

The Senate, on Tuesday, passed its version of CISA, the Cybersecurity Information Sharing Act.  The House passed its own version months ago.

The stated purpose of the act is to allow private companies to share “threat” information with the government and have immunity from being sued by their users for doing this.

Because of the poorly defined terms (like what "threat information" is), the broad array of government agencies the information can be shared with (like the FBI and NSA), and the pretty weak protections against using this information against American citizens, many cyber security experts are calling this bill an intelligence gathering bill disguised as a bill to improve security.

In reality, this bill, in whatever form the House and Senate conference committee gives it, will do almost nothing to improve either the average citizen's security or the government's security.   It would, for example, have done nothing to stop the OPM breach, because that was a unique attack: there were no indicators of it in the wild, because the only place it existed was at OPM.  Same for Anthem.  Same for Home Depot.

Beyond that, post-Snowden, tech companies are extremely wary of sharing anything with the government; it is, to be honest, not good for business.  Being seen to voluntarily share your and my data with the government is the kiss of death from a reputation standpoint.

In fact, Microsoft and the Justice Department are locked in mortal combat.  The FBI wants Microsoft to bring data from Ireland back to the United States and hand it over.  Microsoft says that doing that absent an Irish court order would subject it to criminal charges in Ireland, so if you want the data, get an Irish court to tell us to produce it.  In Ireland.  They have been fighting over this for almost two years (see article).   Microsoft is fighting this because (a) it is good for PR and (b) it does not want to set a precedent that would likely get it sued in Europe.  And, given the sentiment inside the EU after the Max Schrems/ECJ Safe Harbor decision, I don't blame Microsoft.

More importantly, this will do little to nothing to improve security.

There has been an FBI-private industry relationship for over 10 years now called InfraGard.  This is a very simple way to share information with the government.  Sharing data is not the problem.

There are dozens of ISACs (Information Sharing and Analysis Centers) and ISAOs (Information Sharing and Analysis Organizations).  There really isn't much difference between the two: ISACs were originally focused on critical infrastructure, but many of them now allow anyone in their particular vertical, like finance, to join.  Companies that want to share data with their ISAC or ISAO can already do that.

At least for industry leaders, they are already sharing all the data they need.  Sometimes informally, sometimes formally.  They do not need CISA to do that because threat indicators rarely require the sharing of personally identifiable information.
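To make the point above concrete (that the indicators worth sharing are attacker-side artifacts, not the identities of the people who got hit), here is an added example that is not from the original post.  It builds a shareable indicator set from a constructed three-line incident log and checks that none of the victim-side fields leaked into it.  The log format, the field names, the hash value and the choice of which fields count as indicators versus PII are my assumptions for illustration, not anything the post or any ISAC specifies.

```python
"""Added example (not from the original post): derive shareable threat
indicators from an incident log while dropping victim-side PII.

Assumptions (mine, for illustration): a key=value log format, the field
names below, RFC 1918 space as "internal", and a made-up SHA-256 value.
"""
import ipaddress
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed (fake) file hash so the test can refer to it by name.
SAMPLE_SHA256 = "3b5e1d0a8c2f4e6b9d1c7a5f0e2b4d6c8a9f1e3d5b7c9a0f2e4d6b8a1c3e5f7a"

# Constructed sample log: a phishing mail delivers a payload that then
# beacons to a command-and-control host.  Employee email, internal IP,
# hostname and username are victim-side data an ISAC does not need.
SAMPLE_LOG = f"""\
2015-10-20T09:14:02Z mailgw from=invoice@billing-secure-update.com to=jane.doe@example.gov subject="Overdue invoice" attach=invoice.exe sha256={SAMPLE_SHA256}
2015-10-20T09:15:11Z proxy src=10.20.30.44 host=WS-JDOE dst=203.0.113.57 url=http://billing-secure-update.com/gate.php action=allow
2015-10-20T09:15:12Z edr host=WS-JDOE user=jane.doe process=invoice.exe sha256={SAMPLE_SHA256} net=203.0.113.57:443
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PII_KEYS = {"to", "src", "host", "user"}  # victim-side fields, never shared
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line: str) -> Dict[str, str]:
    """Split a log line into key=value fields; quoted values keep spaces."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_external(ip_text: str) -> bool:
    """True for a syntactically valid IP that is outside our assumed internal ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def extract_indicators(log_text: str) -> Dict[str, List[str]]:
    """Collect attacker domains, external IPs and file hashes.

    Fields listed in PII_KEYS are deliberately never read, so victim
    identities cannot end up in the shared record by accident.
    """
    domains, ips, hashes = set(), set(), set()
    for line in log_text.splitlines():
        f = parse_line(line)
        if re.fullmatch(r"[0-9a-fA-F]{64}", f.get("sha256", "")):
            hashes.add(f["sha256"].lower())
        if "@" in f.get("from", ""):          # sender domain of the phish
            domains.add(f["from"].split("@", 1)[1].lower())
        if "url" in f:                         # C2 host from the proxy log
            host = urlparse(f["url"]).hostname
            if host:
                domains.add(host.lower())
        for key in ("dst", "net"):             # strip a trailing :port
            if key in f and is_external(f[key].rsplit(":", 1)[0]):
                ips.add(f[key].rsplit(":", 1)[0])
    return {"domains": sorted(domains), "ips": sorted(ips), "sha256": sorted(hashes)}


def leaks_victim_data(indicators: Dict[str, List[str]], log_text: str) -> bool:
    """Final check before sharing: does any victim-side value appear in the set?"""
    victim_values = set()
    for line in log_text.splitlines():
        f = parse_line(line)
        victim_values.update(f[k] for k in PII_KEYS if k in f)
    shared = {v for values in indicators.values() for v in values}
    return bool(victim_values & shared)


if __name__ == "__main__":
    record = extract_indicators(SAMPLE_LOG)
    print(record)
    print("victim data leaked:", leaks_victim_data(record, SAMPLE_LOG))
```

The resulting record carries one sender/C2 domain, one external IP and one hash; nothing in it identifies who at the victim organization clicked.  That is the whole of what an ISAC peer needs to look for the same attacker, which is why the liability shield CISA offers for sharing "personal" data is beside the point for ordinary indicator sharing.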

So why is Congress pushing so hard for this new law?

Two reasons, in my opinion – other people may not want to be quite as cynical as me – but they might be.

Voter approval of Congress is in the single digits.  It is worse than the approval rating of used car salespeople or debt collectors.  With presidential, House and Senate elections coming up next year, incumbents want to be able to pretend that they did something useful to reduce the number of cyber breaches when they go out and campaign.  They are counting on people being too ill-informed to know that this law is next to useless.

More useful would be to provide oversight (which is their job) and provide funding.  Just this week Congress refused to give OPM $38 million toward its hundreds of millions of dollars in budget shortfall for improving its computer systems' security.  This is the agency that is still running at least one core system built in the 1960s.

The people who built that system have likely all died of old age by now, but the system is still running.  Do you think that some threat information shared by, say, Facebook will help OPM protect a mainframe-based COBOL system written in the 1960s?  (Facebook appears to be the only tech company in favor of CISA: unlike Google, Microsoft and others, it refuses to say that it opposes CISA, even though that is political suicide.)  I didn't think so.

Will sharing threat information solve the problem of tech executives who say they won't spend $10 million to avoid a possible $1 million loss, and will accept the risk instead?  (That would be Jason Spaltro, SVP of Information Security at Sony.)  Sony accepted the risk, and look what happened to them.  The problem, of course, is that while you may guess that the $10 million number is right, you have no idea whether the $1 million number is correct or is really $100 million, as Sony found out.

Will sharing some threat information stop 25% of a government agency's employees from clicking on phishing emails, with almost none of them reporting it to their security team (7% reported it)?  That would be the USPS, by the way.  I don't think so.

So, as is often the case, Congress is taking the easy way out with CISA, rather than actually dealing with the real problem inside government – which is their responsibility to fix.  Private industry is way ahead of the government, for the most part, even though private industry knows that they have a lot more work to do.

Sorry, I know this is mostly a rant, but it is important for people to understand that CISA will not make a difference no matter what some politician tells you in a sound bite.

Read the article below for more experts' takes on the issue.


Information for this post came from Net-Security.
