Russian Hacker Caught

Alleged Russian hacker Vladimir Drinkman, 34, was arraigned yesterday on charges of hacking into 16 companies, including the NASDAQ stock exchange, 7-Eleven, J.C. Penney, Dow Jones, Heartland Payment Systems and others, and stealing 160 million credit card numbers (see article).  The attacks go back as far as 2005.  Brian Krebs provides an inventory of some of the companies he is charged with attacking (see article).

The attacks occurred several years ago, and some of these companies have been attacked again since, but what is interesting is that Drinkman is sitting in a cell in New Jersey.

He, along with four co-conspirators, was indicted in the U.S. in 2009.  The indictment was unsealed in 2013.  He and one of his co-conspirators were arrested in the Netherlands; Drinkman was extradited just last week, and the conspirator arrested with him is already in federal custody.

So how did they catch him, and how did they get him to New Jersey?  Forbes had a piece that said he used encryption.  If you ask the police, encryption makes their job impossible.  Apparently not always: investigators have chat logs of him bragging to his friends.

Bragging usually gets you in trouble.

His bigger mistake was setting foot on Dutch soil.  None of the articles I found explained why he was there, but the U.S. and the Netherlands are on friendly terms, so getting him charged, arrested and extradited from there was bureaucratic but relatively simple.  If he had stayed in Moscow, he would still be a free man.

While capturing these guys is still the exception, there have been a few high-profile wins for the feds lately, which suggests to me that they are putting more resources into going after them.  Much as in the early 20th century, when the U.S. Marshals Service and later the FBI started going after bank robbers and more of them were apprehended, the feds are finally going after hackers.  Hopefully this is the start of a good trend.

He is scheduled to go on trial this spring, assuming there are no delays.  He says he is innocent and wants to go home to Moscow.  I wouldn’t bet on that happening any time soon.  If convicted, he faces up to 70 years in the pokey.  Stay tuned.




Why Cybersecurity Is An Imperative

I often quote the statistic, promoted by Experian, that 60 percent of small and medium businesses that suffer a cyber security breach go out of business within six months.  That is a pretty sobering number.

However, First Data reports two even more striking statistics:

First, that 90 percent of data breaches hit small merchants, and second, that 70 percent of small business owners who suffer a breach go out of business within six months (see article).  The quote, from a report on a convention for independent grocery stores, goes on to say that these businesses need to take action now.

Whether either number is exact or not, the rate is very high, and so is the risk to the business owner and investors.

The first step to addressing the problem is to do a risk assessment and see where the biggest exposure is.  It is likely you will need to hire a professional to deal with the situation.




10 States Going After Anthem After Data Breach

Reuters is reporting that 10 states, led by Connecticut, have sent a letter to Anthem complaining that the company is moving too slowly in notifying consumers of the data breach that affected up to 80 million customers and employees (see article).  The states are assuming that Anthem knows precisely whose data was taken, and it may not know that yet.

I hadn’t really thought about it, but this breach is quite different from having your credit card stolen in the Target breach.

In the Target case, under federal law your maximum liability for fraudulent credit card charges is $50, and many card issuers waive even that.

It is a bit of a pain: you call the credit card company, maybe you sign a form, they close the card, issue you a new one, remove the charge and you are done.

One advantage of using credit cards over debit cards, if you can, is that with a credit card you are arguing over a bill.  With a debit card, the money is already gone from your bank account while you argue, and the legal cap on your loss depends on how quickly you report the fraud, rising from $50 to $500 or more the longer you wait.

In the case of Anthem, however, you may have a right to sue Anthem if that data is used to, say, open a fake account in your name, but you would have to prove that you were damaged and that it was Anthem’s fault.  Even if you succeed, it could take years to go through the courts.

The states are saying that Anthem must commit to reimbursing people for any losses associated with the breach between the time of the breach and the time the company provides access to credit monitoring services.

Set aside that those services are far from bulletproof, and that there is a delay between when the service is made available to you and when you actually sign up and it becomes active.  Notice what the states are not saying: that Anthem should assume responsibility for what happens to you after you sign up for credit monitoring.

And, as I said before, since the effects of this kind of fraud can last for years, unlike credit card fraud, which can be shut off by issuing a new card, people will be dealing with this for years.

And, apparently, Anthem may legally have to pay a fine, but if you are damaged, you are going to have to sue them to try to be made whole.

That means that if you are a current or former Anthem customer or employee, you should be checking your credit report frequently for any bogus accounts that might be set up, and consider placing a fraud alert or a credit freeze with the credit bureaus so that new accounts cannot be opened in your name without your involvement.




Verizon Customers Hit With Bogus Phone Orders

A Denver TV station is reporting that it has received over 70 reports from Verizon customers who have been targeted by hackers who masqueraded as them and ordered new iPhones shipped to out-of-state addresses.

Verizon claims that it has not been breached, and that could be true.  It could be as simple as attackers guessing these customers’ passwords, or resetting them through the account recovery process, and then ordering phones.

For the customers, undoing the damage is very time consuming, and some reported that their phone plans were changed and that they are having trouble getting their old plans restored because those plans were grandfathered in.

If you are a Verizon customer, I recommend you watch your account for unauthorized changes and make sure it has a strong password that you do not use anywhere else.



NSA Hacking Of Disk Drives Revealed

It has not been a great year for the NSA.  First Snowden, and all the press they have gotten as a result of the leaked documents, which seem to come out every month.

Now Kaspersky Lab, the Russian security firm founded by Eugene Kaspersky that I wrote about recently (see post), has revealed that it detected malware in the firmware of disk drives from Seagate, Western Digital, Toshiba and other top manufacturers (see article).

Kaspersky found the malware on PCs in 30 countries, including Iran, Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria.

The targets, they say, include banks, energy companies, nuclear research, media and activists.

Whether other hackers are aware of this malware and taking advantage of it is also unknown.

While Kaspersky did not name the U.S. as the source, they said it was closely related to Stuxnet, and a former NSA employee confirmed to Reuters that Kaspersky’s analysis was correct.

Because this runs in the firmware of the disk drive, below the operating system, it is difficult to see, difficult to remove, and it survives a reformat or a fresh install.  It is active every time the drive powers up, and since any check you run from the host relies on the drive’s own firmware to answer honestly, defeating it is effectively impossible short of replacing the drive.  Whether it defeats disk encryption depends on where the encryption happens: with software full-disk encryption the drive only ever sees ciphertext, but the firmware could still tamper with the unencrypted boot code that asks for the passphrase, and a self-encrypting drive that does the encryption in that same firmware offers no protection at all.
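One host-side check you can still run, as an added example that is not from this post or from Kaspersky’s report: record the firmware revision each drive reports (here in the output format of `smartctl -i`) and alert when it drifts from a recorded baseline, shows up on an unrecorded drive, or a recorded drive stops answering.  The drive models, serial numbers and revision strings below are constructed for the example, and the function names are mine.  The caveat is built into the comments: the revision string is supplied by the very firmware you are auditing, so an implant that preserves it is invisible to this check.  It catches sloppy reflashes and swapped drives, not a careful adversary.

```python
"""Drive firmware-revision drift check.

Added example for this post; not code from Kaspersky or any drive vendor.
Parses the identification block that `smartctl -i` prints for ATA drives,
records model / serial / firmware revision, and compares the result with a
baseline taken earlier.  All drive data below is constructed for the example.

Caveat: the revision string is reported by the drive's own firmware.  An
implant that keeps the original string passes this check unchanged; the
check catches careless reflashes, swapped drives and unrecorded drives.
"""
import re
from typing import Dict, List, Tuple

# `smartctl -i` label -> key used in the inventory (ATA drives).
_FIELDS = {
    "Device Model": "model",
    "Serial Number": "serial",
    "Firmware Version": "firmware",
}

# "Label:   value" lines; the label is letters and spaces only.
_LINE = re.compile(r"^([A-Za-z ]+):\s+(.*\S)\s*$")


def parse_smartctl_info(text: str) -> Dict[str, str]:
    """Return {model, serial, firmware} found in `smartctl -i` output."""
    info: Dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and m.group(1).strip() in _FIELDS:
            info[_FIELDS[m.group(1).strip()]] = m.group(2)
    return info


def audit_firmware(baseline: Dict[str, Dict[str, str]],
                   reports: List[str]) -> List[Tuple[str, str, str]]:
    """Compare fresh reports with the baseline, keyed by serial number.

    Each finding is (kind, serial, detail) with kind one of:
      changed    firmware revision differs from the recorded one
      unknown    serial not in the baseline (new or swapped drive)
      missing    a baseline drive produced no report
      unparsable report had no serial number line
    """
    findings: List[Tuple[str, str, str]] = []
    seen = set()
    for text in reports:
        info = parse_smartctl_info(text)
        serial = info.get("serial")
        if not serial:
            findings.append(("unparsable", "", text.strip()[:40]))
            continue
        seen.add(serial)
        known = baseline.get(serial)
        fw = info.get("firmware", "?")
        if known is None:
            findings.append(("unknown", serial, fw))
        elif known["firmware"] != fw:
            findings.append(("changed", serial, f"{known['firmware']} -> {fw}"))
    for serial, known in baseline.items():
        if serial not in seen:
            findings.append(("missing", serial, known["firmware"]))
    return sorted(findings)


# Constructed baseline: what the drives reported when first inventoried.
BASELINE = {
    "Z1E0AAAA": {"model": "ST2000DM001-1CH164", "firmware": "CC27"},
    "WD-WMC1T0BBBB": {"model": "WDC WD20EZRX-00D8PB0", "firmware": "80.00A80"},
    "X3CCCC": {"model": "TOSHIBA DT01ACA200", "firmware": "MX4OABB0"},
}

# Constructed `smartctl -i` output from a later inventory run.
REPORTS = [
    """=== START OF INFORMATION SECTION ===
Model Family:     Seagate Barracuda 7200.14 (AF)
Device Model:     ST2000DM001-1CH164
Serial Number:    Z1E0AAAA
Firmware Version: CC27
User Capacity:    2,000,398,934,016 bytes [2.00 TB]
""",
    """=== START OF INFORMATION SECTION ===
Device Model:     WDC WD20EZRX-00D8PB0
Serial Number:    WD-WMC1T0BBBB
Firmware Version: 80.00A81
SMART support is: Enabled
""",
    """=== START OF INFORMATION SECTION ===
Device Model:     ST2000DM001-1CH164
Serial Number:    Z1E0DDDD
Firmware Version: CC29
""",
]


def run_example() -> List[Tuple[str, str, str]]:
    """Audit the constructed reports against the constructed baseline."""
    return audit_firmware(BASELINE, REPORTS)


if __name__ == "__main__":
    for kind, serial, detail in run_example():
        print(f"{kind:<10} {serial:<14} {detail}")
```

In practice the baseline should be stored off the host being audited, and a "changed" finding on a drive nobody deliberately updated is a reason to pull the drive, not to re-run the script.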

Like some other spying programs, the NSA, assuming it actually was the NSA, used it judiciously, activating it only on high-value targets.

Kaspersky said it would have been almost impossible to engineer this malware without access to the manufacturers’ firmware source code, which all of the manufacturers say they did not provide to the NSA.

All of the manufacturers said that they have really good security. Since the malware is there and has been there since around 2000, either the manufacturers are fooling themselves or ……, you decide.

Sometimes the government asks to review source code for products it plans to buy, to look for security bugs.  If that happened here, it is a very small step for the code to reach the NSA.  Alternatively, someone could get hired as a developer and steal the code.

These are exactly the kinds of risks that an enterprise risk assessment engagement would identify, after which the company would need to make some decisions about mitigation.

Assuming this is all accurate, I am sure that the NSA is not very happy tonight, although the Russians, Chinese and others are likely very happy.

Here is likely another problem for U.S. tech vendors.  China is rapidly discarding Cisco networking gear because it fears U.S. spying.  Now countries will work to remove U.S.-made computers and disk drives for the same reason.  Between cloud services, network equipment and now PCs, this could potentially cost U.S. tech companies tens of billions of dollars a year.  Of course, it would be foolish to think that other countries are not doing the same thing, which is why China, for example, is manufacturing its own network equipment to replace the Cisco gear it is throwing away.



Lawmaker says assume the bad guys are going to get in and focus on detection, mitigation and damage control

Representative Will Hurd (R-TX) chairs the House Information Technology Subcommittee and is a former CIA officer who spent nine years in Afghanistan, Pakistan and India working on counterterrorism and cyber security before joining the cyber security firm FusionX.

He has a somewhat depressing but very accurate view of cyber security.

In an interview with Baseline (see here), Rep. Hurd said that it is almost impossible to keep people out.  It is possible to protect systems and data, but it requires a higher level of vigilance.

Hurd says you should start with the presumption of a breach and focus on three things:

  • How quickly can you detect a breach
  • How effectively can you box in the attacker (to mitigate the damage)
  • How quickly can you figure out what the hackers got access to.

If you think that keeping the bad guys out is hard, handling the three bullets above is a whole lot harder.

He makes several recommendations for companies –

  • Conduct an enterprise risk assessment.  Figure out what is most valuable and most vulnerable.  (Note: this should be done at least annually; things change, a lot!)
  • For BYOD and computers outside your control, make sure that you have the right controls in place.
  • The C-suite needs to be more engaged in cyber security.
  • Your network needs to be examined frequently by a qualified third party; they bring a different perspective.
  • Finally, if you are using cloud services (email, web services, file storage, etc.), you really need to understand where the data goes, where it is being stored and how it is being managed.

None of his suggestions are simple, but they are all valid and worthy of consideration.



Privacy, Security and Cyber Risk Mitigation in the Digital Age
