Welcome to IdentityWeek’s Threat Thread page. This page, together with the Twitter hashtag #ThreatThread, examines the key IT security topics making headlines each week. Every Thursday we post a blog looking at a particular topic (hacking, data breaches, privileged identity management, phishing, infosecurity, and various types of cybercrime). News and opinion items relating to that topic are tweeted throughout the day on the Lieberman Software Twitter handle (@liebsoft.com) with the #ThreatThread hashtag. We encourage those of you who track the IT security space to retweet our tweets and post your own tweets relating to the topic, while also using the #ThreatThread hashtag.
_____________________________________________________________
The real costs of Privileged Identity/Data Breaches (4/5/12)
Earlier this week, credit card processing company Global Payments reported that it had been hacked and 1.5 million credit card numbers were stolen. Since the news broke, there has been much speculation over what the eventual fallout will be. Identity Week also posted its thoughts earlier this week on the incident and on how human error and privileged identity played roles in the data breach.
Fallout from the announcement continues to trickle down. Visa cut ties with Global Payments over the incident and various industry watchers have predicted fines coming in the near future, as well as big payouts to those affected by the breach.
But what will those big payouts actually mean to Global Payments? Eric Goldman, an associate law professor at Santa Clara University School of Law, recently posted a blog on a similar case involving Heartland Payment Systems. According to Goldman’s blog, after Heartland suffered a data breach in 2007 it agreed to set aside $1 million to settle victim complaints. But the company wound up paying less than $2,000 each to 11 people who had actual verified claims. However, Heartland spent just under $1.5 million advertising the settlement.
While Global Payments is certainly getting a PR black eye this week and may suffer monetary losses due to dipping earnings and stock price, the Heartland example shows that it may dodge a bullet in terms of victim payouts when the time comes.
What are you seeing out there this week regarding the Global Payments data breach? Do you think this will be a significant financial and identity management issue for the victims? Follow #ThreatThread on Twitter @liebsoft to learn more about this topic and tell us what you are seeing as well. Be sure to include the #ThreatThread tag in your tweets.
_____________________________________________________________
Privileged Identities and Data Breaches: The Human Error (3/29/12)
Two news articles this week illustrate the fact that human error can result in massive data breaches.
According to this article from The Inquirer, social gaming outfit Rockyou was fined $250,000 by the Federal Trade Commission (FTC) for failing to protect the personal data of its users. The result was that hackers stole personal information from 32 million Rockyou users, including nearly 200,000 minors.
The FTC also alleged in its complaint that the gaming developer violated the Children’s Online Privacy Protection Act Rule (COPPA Rule) by collecting information from children. Part of the FTC ruling requires Rockyou to delete all personal information collected from children 13 years old or younger.
According to this article from The Economist, 8,400 British students about to enroll at a university received an e-mail from the Student Loans Company (SLC), a government body, reminding them to complete their application forms. It came with an attachment that listed all 8,400 e-mail addresses. The loan company quickly issued an apology, but the damage was already done. While no legal punishments have been issued yet, hefty fines for the SLC are expected.
Both of these examples continue to reinforce that data privacy needs to remain top of mind with those who are in charge of privileged identity information. Simple mistakes in data protection, or just human blunders, can lead to significant fines. They can also lead to the loss of consumer trust and massive customer exodus.
What are you seeing out there this week regarding privileged identity errors that result in data breaches? Follow #ThreatThread on Twitter @liebsoft to learn more about this topic and tell us what you are seeing. Be sure to include the #ThreatThread tag in your tweets.
_____________________________________________________________
Identity Theft through Mobile Devices (3/22/12)
Historically, data breaches and identity theft have mainly been launched from computers. That is, until now. Two articles that appeared this week prove that hacking and identity theft through mobile devices are a reality.
In this article from Infosecurity, Matrix Shell – an Indian tech company – demonstrated at an India technology conference that it’s possible to hack into Global System for Mobile Communications (GSM) phones and manipulate the user’s International Mobile Subscriber Identity (IMSI).
According to the Hindu Business Line, “They showed it is possible… to use a subscriber’s IMSI and make calls; to illegally intercept calls; to draw up large bills against a post-paid subscriber’s accounts; and to deplete a prepaid subscriber’s balance…”
The vulnerability seems to lie within the phone network’s GSM encryption networks, which have been proven to be crackable. This type of security hole is especially troubling because it can lead to identity theft and significant monetary damages.
Bjoern Rupp, CEO of GSMK CryptoPhone, said he believes the only way to secure these networks is with end-to-end encryption. But that appears to be no easy solution as it would require the one company that develops the encryption to be seen by all parties as “trustworthy”.
GSM mobile phones aren’t the only portable devices to suffer a crack in their security armor this week. This report from Simple Security says that Apple mobile devices, such as the hugely popular iPhone and iPad, are “data privacy minefields”. In the article the writer claims that developer Arun Thampi discovered that photo-sharing application Path was uploading the full contents of his iPhone’s address book to its servers without requesting user permission to do so.
Venture Beat writer Jennifer Van Grove described this potentially illegal practice as nothing new and said it has become an unspoken industry standard. Van Grove writes that uploading of user contacts is frequently done by other famous social media platforms such as Facebook, Twitter, Instagram, Foursquare and Yelp. Both these reports highlight the fact that mobile device users must remain vigilant about data privacy and should not just rely on preset default settings.
Follow #ThreatThread on Twitter @liebsoft to learn more about mobile device security issues and get involved by telling us what you are seeing out there as well. Be sure to include the #ThreatThread tag in your tweets.
_____________________________________________________________
The Importance of Protecting Healthcare Data (3/15/12)
Data breaches in any industry are difficult to manage if you are the unfortunate organization that suffered the breach. Data breaches can occur in several ways, from a full-on hack attack to a careless worker who left a laptop on a train, and organizations are being asked or even forced to take more responsibility when they fail to protect their data.
The healthcare industry is a frequent victim of data breaches and the data most often stolen is sensitive patient information. According to this article from FierceHealthFinance, the costs of those breaches are adding up. The article describes just how much a data breach can cost a healthcare provider.
Factored in to the costs are loss of patients, the estimated average revenue loss for each patient, determination of how many would switch to a competitor and a “viral factor” – which looks at how word-of-mouth would affect other patient defections. Also included is the estimated loss of potential new customers, new business partners and staff as well as the costs of stock price drops, productivity loss and even the cost of a public relations campaign to repair the healthcare organization’s reputation.
Larry Ponemon, founder of the Ponemon Institute, said healthcare organizations today don’t currently have sufficient security and privacy budgets, including adequate processes and resources to protect sensitive patient data. In order to tackle this problem effectively, healthcare providers must learn to look at data protection as an enterprise-wide issue, not just a departmental issue. Due to the potentially huge costs associated with breaches and the resulting potential for identity theft, executive management needs to take a more active role in supporting the organization’s IT staff so that they can deploy stronger data security measures.
Follow #ThreatThread on Twitter @liebsoft to learn more about data breaches impacting the healthcare industry and get involved by telling us what you’re seeing out there. Be sure to include the #ThreatThread tag in your tweets.
_____________________________________________________________
The War Against Anonymous (3/8/12)
Anonymous, the global hacker group that has been making headlines nearly daily by launching cyber-attacks against corporate, government and law enforcement agencies, seems to be on the defensive of late.
This week, Lulz Security (LulzSec for short), an offshoot of Anonymous, was reportedly dealt a major blow when one of its leaders, a hacker that goes by the name Sabu, turned informant, leading to the arrest of five fellow hackers involved in several high profile cyber-attacks.
One of those arrested, Jeremy Hammond, aka “Anarchaos” of Chicago, is believed to be the main culprit behind the hacking of Stratfor in December that resulted in the breach of more than 5 million company e-mails, customer credit card numbers and other confidential information. The stolen credit card data was reportedly used to make at least $700,000 worth of unauthorized charges that Anonymous said were donated to charity.
The LulzSec arrests come on the heels of the arrests of 25 alleged Anonymous members in a number of Latin American countries and Spain as part of an Interpol sting called “Operation Unmask”.
In response to these arrests, Anonymous launched a cyber-attack against two dozen web sites owned by Panda Security, and a Vatican web site. Despite these retaliatory strikes, the Wall Street Journal reported that comments in online Anonymous chat rooms speculated that other members of their group could also be FBI informants. It all begs the question: who is winning this battle between Anonymous and law enforcement? At this stage, it doesn’t appear either side will give up.
What’s your opinion on the current news involving Anonymous’ fight with law enforcement? Let us know and post your own Anonymous news using the #ThreatThread hash tag in your response.
_____________________________________________________________
Hot Topics from RSA Conference 2012 (3/1/12)
Hello, and welcome again to the Threat Thread blog. This week, we continue our coverage of the RSA Conference, taking place this week in San Francisco.
Some of the biggest themes and news coming out of the RSA event involve supply chain security, IT security and network security, default password protection, and the greatest Internet security dangers.
Art Coviello, executive vice president of RSA, presented a keynote speech on the need for intelligence-driven security. He prescribed a multi-source, intelligence-driven security system. This system, according to Coviello, would be based on an infrastructure that analyzes security data and is enhanced by information sharing and cooperation within the security industry. That system must be risk-based, agile and contextual.
Perhaps it is poetic justice that during the conference this week Interpol has arrested 25 alleged Anonymous members in Argentina, Chile, Colombia and Spain as a result of a sting operation known as “Operation Unmask.” The members were targeted after they launched denial of service attacks on the Colombian Ministry of Defense, presidential Web sites and an electric company in Chile, as well as an attack on the Web site of Chile’s National Library.
If you are attending RSA Conference, what are the most important and interesting things you learned from the event? Let us know on Twitter by using the #ThreatThread hash tag in your response.
_____________________________________________________________
The RSA Conference 2012: Learn How to Win Passes to the Show (2/23/12)
The annual RSA Conference is finally here. Starting Monday, February 27 the conference will get underway in San Francisco where attendees will learn about the latest technology, insights, techniques and trends in the information security industry. Many top technology companies will attend, with executives from EMC, Microsoft, Symantec, Cisco, Intel, McAfee and HP all presenting, as well as government agencies, such as the FBI and even a speech from former British Prime Minister, Tony Blair.
RSA Conference 2012 will feature 220 expert-led sessions across 17 tracks that promote its four themes: Knowledge, Strength, Collaboration and Triumph.
Lieberman Software (@liebsoft) will be at the event (booth 341) showing off its latest product offerings and will be giving away free passes to the event.
- The free pass allows attendees to access keynote addresses and technical demonstrations from the world’s foremost security professionals.
- To obtain a free pass just send a tweet or direct message to @liebsoft requesting a pass and using the #ThreatThread hash tag.
Over the next several days @liebsoft will be tweeting out news about the event. If you are attending and would like to share news and views, tweet at us and be sure to use the #ThreatThread hashtag.
_____________________________________________________________
Hackers and Protecting Your Data (2/16/12)
Governments and business institutions are keepers of vast amounts of personal information of individuals. Being the keepers of this information can be a terrific burden, especially (and most likely) if that information is kept electronically. A quick scan of daily news headlines will turn up a number of data breach articles attributed to hackers. While some hackers might publicly reveal their data security attacks to gain notoriety and point out their victims’ security flaws, others have more sinister plans to use the stolen data to steal money directly from the individuals, or to use their information to defraud businesses out of goods and services or prevent them from conducting business.
Governments, businesses and individuals need to be ever vigilant to protect their private information from falling into the wrong hands.
For the latest hacking news, follow #ThreatThread on Twitter @liebsoft and tell us what you are seeing out there as well. Be sure to include the #ThreatThread tag in your tweets.
_____________________________________________________________
Data Breaches (2/9/12)
With this being the inaugural Thursday, we’d like to kick off with the topic of data breaches. Data breaches seem to happen daily to a number of different companies and organizations, ranging from large conglomerates to healthcare companies and government agencies. The reasons for data breaches can vary widely as well. While most headline grabbers are coordinated attacks by criminals and hacker groups, such as Anonymous, a great many data breaches occur due to accidental incidents involving privileged users releasing information online. The latter are commonly referred to as data leaks. The end result is that companies need to look at multiple sources for potential data breaches and develop defensive strategies to prevent the breaches, both internally and externally, as well as contingency plans to mitigate the damage once a breach has happened. Please check out @liebsoft for more news on this topic and let us know what you are finding out there as well.







