All posts by mitch tanenbaum

Sony – How Do You Deal With The Personal Threat

The Sony attack is breaking new ground (unfortunately).  Part of what the hacker group GOP is doing is creating fear, uncertainty and doubt.  They sent an email to all Sony employees that read, in part (from The Verge):

I am the head of GOP who made you worry.
Removing Sony Pictures on earth is a very tiny work for our group which is a worldwide organization. And what we have done so far is only a small part of our further plan. It’s your false if you if you think this crisis will be over after some time. All hope will leave you and Sony Pictures will collapse. This situation is only due to Sony Pictures. Sony Pictures is responsible for whatever the result is. Sony Pictures clings to what is good to nobody from the beginning. It’s silly to expect in Sony Pictures to take off us. Sony Pictures makes only useless efforts. One beside you can be our member.
Many things beyond imagination will happen at many places of the world. Our agents find themselves act in necessary places. Please sign your name to object the false of the company at the email address below if you don’t want to suffer damage. If you don’t, not only you but your family will be in danger.

Sony is working with the FBI on this, but if I were an employee I would be concerned about what these hackers will do to make Sony employees suffer.

Michael Lynton, the CEO of Sony Pictures, sent an email to employees saying that they are working with the FBI.  But neither Sony nor the FBI was able to stop the attack in the first place, neither has found the attackers since, and the attackers gave no clue how they intend to make employees suffer, so Mr. Lynton’s email does not give me the warm fuzzies that I should feel safe.

This is a whole new level of attack – if you can panic a company’s employees, some will leave and many will be distracted.  That kind of situation can put a company in a downward spiral.

Also, there have been reports that Sony executives received threatening emails prior to the attack starting.

Given that for many executives their assistants read their email, this situation raises the question of how well trained the executive team (and the staff around it) is to deal with this type of threat.  I have no idea what happened at Sony.  The response could have been anywhere from printing the email out and putting it on the executive’s reading stack to mashing the big red 911 button and rolling down the steel storm shutters.  How a company deals with this situation is up to the company, but there should be a plan in place that everyone – from the executive team to legal to security to whoever else needs to be in the loop – knows about in advance.  No different than having a plan for dealing with someone phoning in a bomb threat in the physical world.

For all we know, the initial threat could have come in with a link that someone clicked on that launched the attack.  Scary, but possible.

The company also needs a plan for how it is going to deal with employee concerns.  I don’t know if Sony had one (remember, this is somewhat old hat to them, what with previous attacks and bomb threats), but what became public (the CEO saying that they are working with the FBI and thanking people for sticking it out) is kind of weak.

The longer this goes on, the more stressful it becomes for employees – which is how the attackers wear down the company.


Factory Reset On Your Android Phone – What Does It Really Do?

I suspect that many of you have performed a factory reset on your phone thinking that all your data was gone and then either gave away or sold your phone.  I have.

Tech Times wrote an interesting article on the subject and it is not all sunshine in Android land.

Avast, the computer security software firm, purchased 20 second-hand Android phones on eBay and ran a standard forensics tool (FTK Imager) against these 20 supposedly factory-reset phones.

The results?  They recovered more than 40,000 pictures, some with kids in them and some “personal” selfies, along with a bunch of other things like a loan application.  Remember, these 40,000 pictures came from only 20 phones.

The issue is that, just like deleting a file in DOS (or Windows), all the factory reset does is throw away the file system’s index entries that point at the data, so the files are no longer visible.  The data itself is still sitting in the flash until something happens to overwrite it, and a forensics tool that scans the raw storage for file signatures does not need the index at all.

Before you panic too much (sorry, you can’t change history – that phone you sold last year – just forget it), there is an answer.

Google says that if you enable encryption before you do that factory reset, you should be in good shape.  Remember that you have to enable encryption on the external SD card separately from the built-in storage (or remove the card from the phone and keep it).

Once you have turned on encryption, THEN perform the factory reset.

The reset still does not overwrite any of the files, but it DOES destroy the encryption key, so when someone carves the deleted files out of the flash, all they get is ciphertext with no key to decrypt it.  Not perfect, but a whole lot better than before.
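To make the mechanism concrete, here is an added toy model (my example, not code from the Avast or Tech Times write-ups): a flat “flash” with an index, a factory reset that only clears the index and the key, and a carver that hunts for JPEG markers the way a forensics tool does instead of trusting the index.  The SHA-256 keystream cipher, the sample “photo” and the sample document are constructed stand-ins for the device’s real disk encryption and real files.

```python
import hashlib
import os
import re

# JPEG files begin with the SOI marker and end with the EOI marker; a carver
# looks for these in the raw bytes, not for directory entries.
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"

# Constructed sample data, not taken from any real phone.
SAMPLE_PHOTO = JPEG_SOI + b"\xe0JFIF..pretend selfie.." + JPEG_EOI
SAMPLE_DOC = b"Loan application (constructed sample text)"


class ToyFlash:
    """A flat byte array plus an index (name -> offset, length).

    Like a real filesystem, a "factory reset" here only throws away the
    index and (if enabled) the encryption key; no data block is overwritten.
    """

    def __init__(self, size=4096):
        self.blocks = bytearray(size)
        self.index = {}
        self.cursor = 0
        self.key = None  # set only when encryption is enabled

    def enable_encryption(self, key=None):
        # A real device derives this from the user's PIN/passphrase plus
        # hardware-bound secrets; here it is just 32 random bytes.
        self.key = key if key is not None else os.urandom(32)

    def _keystream(self, nonce, length):
        # Toy counter-mode keystream from SHA-256, purely to show that losing
        # the key leaves unreadable bytes behind; do not copy this as a cipher.
        out = bytearray()
        counter = 0
        while len(out) < length:
            out += hashlib.sha256(self.key + nonce + counter.to_bytes(8, "big")).digest()
            counter += 1
        return bytes(out[:length])

    def write(self, name, data):
        if self.key is not None:
            stream = self._keystream(name.encode(), len(data))
            data = bytes(p ^ k for p, k in zip(data, stream))
        start = self.cursor
        self.blocks[start:start + len(data)] = data
        self.index[name] = (start, len(data))
        self.cursor += len(data)

    def read(self, name):
        start, length = self.index[name]
        data = bytes(self.blocks[start:start + length])
        if self.key is not None:
            stream = self._keystream(name.encode(), length)
            data = bytes(c ^ k for c, k in zip(data, stream))
        return data

    def factory_reset(self):
        self.index.clear()  # the files no longer "exist"...
        self.key = None     # ...and the key is gone too...
        # ...but self.blocks is untouched, exactly as the post describes.


def carve_jpegs(raw):
    """Recover JPEGs from raw bytes by scanning for SOI...EOI, ignoring any index."""
    pattern = re.escape(JPEG_SOI) + b".*?" + re.escape(JPEG_EOI)
    return [m.group(0) for m in re.finditer(pattern, bytes(raw), re.DOTALL)]


def sell_phone(encrypt_first):
    """Write a photo and a document, factory reset, then carve like a buyer would.

    Returns the list of JPEGs the buyer recovers from the raw flash.
    """
    flash = ToyFlash()
    if encrypt_first:
        flash.enable_encryption()
    flash.write("DCIM/IMG_0001.jpg", SAMPLE_PHOTO)
    flash.write("Download/loan.txt", SAMPLE_DOC)
    assert flash.read("DCIM/IMG_0001.jpg") == SAMPLE_PHOTO  # the owner can still read it
    flash.factory_reset()
    assert flash.index == {}  # the phone's own file browser now shows nothing
    return carve_jpegs(flash.blocks)


if __name__ == "__main__":
    print("plain reset, photos carved:       ", len(sell_phone(False)))
    print("encrypt-then-reset, photos carved:", len(sell_phone(True)))
```

With a plain reset the carver pulls the whole photo back out of the “wiped” flash; with encryption turned on before the reset the same bytes are still there, but without the key they no longer look like a JPEG (or anything else), which is the whole point of Google’s advice.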

Avast (of course) does offer a freemium product called Avast Anti-Theft that they claim will overwrite deleted files, but unless you are very paranoid, you should not need to do that.

I guess it is what you DON’T know that can bite you.


Sony – The “Nuclear” Option

USA Today is reporting a few more details about the Sony hack-attack.  This is very scary and businesses need to consider if this could happen to them (the answer is yes) and if it does, how would they handle it.  This is the kind of attack that would put many businesses out of business.  Businesses need to review what their business continuity and disaster preparedness plan would do in a case like this.

Because of the sheer destruction these hackers have caused, the security community is referring to this as the nuclear option.  Total destruction.  Destroy as much as you can.  Steal whatever you can.  Make the company sweat.

The details:

  • This is different from the Home Depot or Target attacks where the attackers were after credit cards to use or sell.
  • AS FAR AS WE KNOW, the attackers in the Sony case have not asked for a ransom and other than the vague comments about treating people well, they have made no demands.
  • The attackers did not launch a denial of service attack to try and make Sony’s web site unavailable to customers.

These three facts make this very different than most attacks.

What we do know about the Sony hack/attack:

  • The malware was not detectable by normal anti-virus software, according to a statement released by the FBI.  In fact, the FBI issued a FLASH bulletin to businesses to be alert for some of the symptoms of the attack.
  • Kevin Mandia, CEO of the Mandiant security firm, said that it was “an unparalleled and well planned crime, carried out by an organized group, for which neither SPE [Sony] nor other companies could have been fully prepared”.
  • The attackers stole a huge amount of data (different reports say hundreds of gigabytes to terabytes).
  • In my opinion, the only way to really know that you have the attackers out of there is to rebuild your entire infrastructure from scratch.  For a company the size of Sony, this is a HUGE undertaking.  Then you have to figure out how to keep the bad guys out.
  • The attackers have been dribbling out (if that is the right word for releasing gigabytes of data every day) embarrassing private data belonging to Sony and other companies (Deloitte).  The result of this leaking will likely be a number of lawsuits that will cost Sony a lot of time and likely, a lot of money.
  • The attackers crippled and erased hard drives of computers at Sony.  Even now, two weeks into this, employees are being told not to open their laptops for fear of the data on them being destroyed.
  • The GOP, the hacker group behind the attack said “the data to be released next week will excite you more.”  What the bleep are they going to release next?  If they have terabytes of data, this could go on for a while.
  • The attackers are also directly threatening employees and their families.  They told employees to “make your company behave wisely” and that if they did not, “not only you but your family will be in danger.”  What exactly this means is unclear, but if I were an employee, I would be nervous.

All in all, this is a huge leap from what attackers have traditionally been doing and unfortunately, this means that companies will have to up their game – including, probably, spending more money – as well.   Most companies do not have the financial resources of a Sony and if they were the victim of an attack like this, they would have to shut the doors.

This saga is far from over.



Today’s Breach News

Too many breaches … too little time 🙂

First a new breach – Bebe Stores confirmed that they had been breached, but not much else.  They said it covered the US, Puerto Rico and the Virgin Islands. They did say that it did not affect their online store (no POS terminal to compromise, I suspect), nor did it impact Canada or R.O.W. (the rest of the world).  The store is offering free credit monitoring, although, as Brian Krebs pointed out, that has zero effect on your existing credit cards being used by miscreants.

There is one bit of good news – and maybe a sign that the retail industry is improving its detection capability.  They said the breach period was only 18 days.  Given that many of these breaches have gone on for months and a few for years, this is an improvement.

Hopefully, they will release more details soon.

On to Target.  Ars Technica and other sources are reporting that the judge in the Target lawsuit told Target that their creative legal maneuver didn’t work and the lawsuit by the banks can move forward.  For those of you who did not see my earlier post, Target’s lawyers tried to claim that because Target and the banks suing them did not have a “special relationship”, the banks could not sue them.  The judge said yes, they can.  This has the potential to push more of the cost of breaches onto the retailers, which would tend to move security up the priority chain (if you had to reimburse the banks for tens or hundreds of millions of dollars for fraudulent purchases, I suspect you would begin to pay more attention too).

Next, Sony.  Apparently an HR employee at Sony pilfered some data from his or her former employer, Deloitte, and that data got outed in the Sony hack-attack.  The data that got published because of this was payroll data on thousands of Deloitte employees.  Besides the fact that it showed a huge pay gap between male and female Deloitte employees, which could wind up as the basis of a lawsuit for Deloitte, I would assume that this employee signed an agreement not to steal proprietary information.  If I were Deloitte, I would be at least considering whether I should sue this ex-employee who is now at Sony.  It is possible that Deloitte gave this ex-employee or Sony their payroll data, in which case, the employee is in the clear, but I doubt it.  Can this thing get any weirder?

It can.  The NY Times is reporting that the GOP dumped “tens of terabytes” of hacked Sony data, including passwords, social security numbers, salaries and performance reviews, onto Pastebin.  That is way more than the 100 gigabytes that was reported earlier.  From a sheer bandwidth standpoint, either the hackers walked out the door with disk drives in hand or they were streaming the hacked data out for quite a while.

And lastly, for today, according to the LA Times, the payroll company that processes payments for SAG (Screen Actors Guild) members was breached.  The company says that the hacker only had access to the system for two hours, but they also said  “The information accessed included Social Security numbers, private accounts and addresses”.


Home Depot Breach Update

Home Depot reported today that it spent $43 million in its third quarter dealing with the fallout of its security breach earlier this year.  Of the $43 million, $15 million will be paid for out of its $100 million cyber liability policy.

From the press release:

  • The retailer warned that it expects “to incur significant legal and other professional services expenses associated with the data breach in future periods.”
  • Home Depot is also facing 44 actions filed in courts in the U.S. and Canada. It expects more claims may be filed on behalf of customers, payment card brands, payment card issuing banks and shareholders.
  • Payment card networks may make claims seeking to recover incremental counterfeit fraud losses and costs for reissuing cards, Home Depot wrote. Its liability will depend on whether it was noncompliant with data security standards, which contributed to the breach.
  • Home Depot did pass a PCI audit in the fall of 2013 and was working on its 2014 audit at the time of the breach.
  • “The forensic investigator working on behalf of the payment card networks may claim the company was not in compliance with those standards at the time of the data breach,”

This last bullet is the bombshell in this release.  What have they discovered that would lead them to believe they were not compliant at the time of the breach?  If this turns out to be true, it could subject the company to fines from the card networks and give the folks suing them some powerful ammunition in their lawsuits.  They must have found something very significant to be releasing that statement at this time.





Why Medical Identity Theft Is Such A Big Deal

The insurance trade rag Property And Casualty 360 wrote about medical identity theft and the impact is staggering.

First just one example breach – A physician office’s server, which contained unencrypted information on 2,500 patients, was hacked and encrypted. The hackers demanded $50,000 to unencrypt the information and return control of the server.

That, obviously, is pretty traumatic for the physician’s group, but why is medical ID theft important to you?  Here are a couple of reasons the article pointed out:

  • Your credit rating can be damaged
  • Your health insurance policy could be cancelled
  • Your health insurance premiums could go up
  • Your health could be at risk

According to PhishLabs, a cybercrime protection services vendor, medical ID information is worth 10 to 20 times what credit card information is worth.

Why is that?  The answer is simple.  If your credit card is stolen, you get a new one and they shut off the old one.

How do you shut off your medical ID information and get new information?  Like a new social security number?  You don’t!  Which means the life expectancy of the stolen information is very long, and a thief could perpetrate ongoing crimes with it for years.

And, unlike credit card fraud where you are likely to review your bank or credit card statement when it comes in the mail, that is much less likely for medical ID fraud.  And the fraudsters could hide in the weeds for a year and then pop up, go into hiding again and rinse and repeat.

One question many people ask is where is the value in medical ID fraud.  One value is bogus insurance claims which translates to dollars.  An example might be that the bad guys say you now have diabetes.  Then they submit claims for all kinds of care.  Care you never knew about or got, but your insurance company will pay for.  Done cleverly, it would not throw up any flags.

But now, according to your insurance company, you have diabetes, and your electronic medical record says so (so it MUST be right).  If Congress repeals Obamacare next year like they have tried to do 40+ times so far, your insurance gets cancelled or your premiums go up.  Now you have to PROVE you don’t have diabetes.  And with all the interchange of electronic medical records, you are playing the whack-a-mole game.  You get your diabetes removed from one database, but now provider A (where it still says you are a diabetic) sends an update to Insurance Company B (where you are not) and bam!, you are a diabetic again.

Worse yet, you have no way of knowing every place where your medical information lives (unlike credit, where if you correct the 3 main credit databases, you are pretty well covered).  Under federal law, the 3 credit reporting companies have to talk to each other if you even whisper fraud.  Not true for insurance and provider databases.  No particular laws cover this and that is not likely to happen any time soon.

For the consumer who gets sucked into this, it is a real mess.  How do you clean up a mess that you can’t even see (tell me every place your medical info lives – I dare you).