Category Archives: What the Hack!

Infographic: World’s biggest data breaches

As we turn the page on yet another year, the folks over at Information Is Beautiful have compiled an interactive infographic highlighting the biggest data breaches in recent history. You can scroll around to find out how and when each incident happened, as well as its magnitude.

Whether it was, in fact, the “Year of the Breach” or the “Year of Breach Awareness,” 2014 shed light on IoT insecurities, device vulnerabilities and crippling cyberattacks. Financial institutions, big-box retailers, entertainment corporations and even government agencies all fell victim to an assortment of hackers over the past 12 months. From JPMorgan Chase and Sony Pictures to Home Depot and Staples, we’re taking a look back at some of the most devastating breaches of 2014.

No security? No IoT for you! As we enter an era of constant connectivity, security has never been more paramount. Learn how you can protect your assets and secure your devices with Atmel solutions.

Breach Brief: Staples confirms data breach affected 1.16M payment cards

Staples has revealed that 1.16 million payment cards may have been affected in a series of data breaches that occurred over the summer. The office supply chain joins a growing list of retailers — which includes Target, Home Depot, Kmart and Neiman Marcus — that have had their payment systems breached by hackers in recent months.

What happened? An in-house investigation has detected malware at some point-of-sale systems throughout 115 locations, the company said in a press release. Staples has more than 1,400 U.S. retail stores.

What information was breached? From August 10 through September 16, 2014, the malware allowed access to cardholder names, payment card numbers, expiration dates and card verification codes at the infected stores, the retailer noted. It also enabled the cyber criminals to obtain data from purchases at a pair of stores dating back to July 20.

What they’re saying: Staples is currently offering free identity protection services and a free credit report to customers who used a payment card at any of the affected stores during the relevant time periods.

With the number of breaches on the rise, can you ensure that your network is protected? In the meantime, don’t forget to read up on the latest security trends, topics and more here.

Hardware security is the only real security

I just came across the epic hack that Wired’s Matt Honan had perpetrated on him. A hacker added a credit card number to his Amazon account. The next day they called Amazon and said they lost the password. “What is the number of the credit card on the account?” asked the helpful Amazon employee. Once they were in the Amazon account they got into his Google accounts, all helpfully linked by Matt himself, and then the Apple accounts. The hacker was some sociopath kid. He was not interested in money; he just wanted to hurt someone, so he wiped out all the pictures and data on Honan’s phone, computer, and yes, the precious precious cloud. Yes, my precious, one cloud to rule them all.

Just like the Ring in The Lord of the Rings, the cloud can be your worst enemy in the hands of a bad person.

Now initially Honan lamented that he lost all the pictures of his new baby and a bunch of other stuff. The next article showed how he got it all back in a couple days. He says he believes in the cloud even more now. Beats me why he thinks that. If he had not inadvertently left his 1Password account password in his Dropbox on his wife’s computer it might have been much more difficult to recover control of his accounts.

As to all the wiped data, well it was lost forever on the precious cloud, but the nice folks at DriveSavers got the SSD (solid-state drive) in his Mac mostly recovered at a cost of $1,690. So since the whole thing gave him half a dozen popular articles to write up, you could argue getting hacked was the best thing that ever happened to his career. It reminds me of when King Louis XIV’s minister Colbert asked a bunch of writers “What can France do for you?” One shouted back—“Throw us in prison.” It would give them something to write about and the time and solitude needed to write it.

DriveSavers have a full cleanroom to save hacked, damaged, or corrupted hard drives. They can also do forensic hardware analysis on solid state drives (SSDs) as in Matt Honan’s case.

What astonishes me is that this hack happened to a technically astute denizen of San Francisco. Maybe he should move to Silicon Valley; we know a lot about security here, and Atmel’s group in Colorado knows even more. Not only did Honan misplace his trust in online accounts and the precious cloud, he kept no secure data backup. He courageously accepts the blame, but also tries to deflect some blame onto Apple and Google. Sorry, your data is your responsibility. Apple and Google quickly closed the social-manipulation hacks the sociopath used, but it is not their job to accept responsibility for your data. That is your responsibility.

This is what we keep harping on here at Atmel. Security is a key pillar in the Internet of Things, and the best security, the only real security, is hardware security. You don’t want these malicious hackers changing your thermostat, or running up your electric bill, or stealing your security camera feeds. Atmel has inexpensive tiny chips you can use to secure these gizmos. Some of our chips use symmetrical authentication. The security chip is programmed with your secret key, and you know the secret key. The microcontroller (and it doesn’t have to be an Atmel microcontroller; it can be anyone’s) sends a random number to the Atmel security chip. The Atmel chip does a mathematical operation on the random number using the secret key, and sends that result back to the microcontroller. The host microcontroller has a local Atmel security chip to do the same mathematical operation on the same random number and then it compares the two results. If they don’t match, the code stops executing. That way no one can put in bogus code and take over your gizmo. It gives you secure boot and secure downloads and upgrades. You can also use Atmel security chips to verify a battery or accessory is genuine and not some knock-off product.

Atmel’s CryptoAuthentication™ system uses hardware and extreme security to protect your system.

Now, since the microcontroller is connected to the Atmel security chips by way of a common SPI port, you might fear a hacker could snoop on the communication and learn the random number sent to the Atmel chips or the mathematical result sent from it to the micro. That’s the beautiful part of this. The micro generates a new random number every time. If the host micro is too small and simple to generate a reliable random number, the tiny Atmel security chip has its own true random number generator (TRNG). So the micro can query the Atmel chip for the number, then query for the result, then do the same operation using the same secret key. So snooping on the serial port will only give you the last random number and the result. You will have no idea of what the operation was that produced the result. It’s like snooping and seeing the number 12 transmitted, but you still don’t know if that was based on 2 times 6 or 3 times 4. Now imagine that problem with numbers hundreds of bits long, and you can see how secure this makes your system.
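The challenge-response exchange described in the two paragraphs above, sketched as an added example; it is not Atmel's code and not part of the original post. HMAC-SHA256 stands in for the unnamed "mathematical operation", the class and function names are hypothetical, and the keys are constructed sample values.

```python
import hashlib
import hmac
import secrets


class SecurityChip:
    """Stand-in for a security chip: the key goes in and never comes out."""

    def __init__(self, secret_key: bytes):
        self._key = secret_key

    def random_challenge(self) -> bytes:
        # Plays the role of the chip's TRNG: a fresh 256-bit number per query.
        return secrets.token_bytes(32)

    def respond(self, challenge: bytes) -> bytes:
        # Assumption: HMAC-SHA256 stands in for the page's unnamed
        # "mathematical operation" on the random number and the secret key.
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class ReplayingClone:
    """Knock-off part with no key: it can only repeat a response seen on the bus."""

    def __init__(self, sniffed_response: bytes):
        self._sniffed = sniffed_response

    def respond(self, challenge: bytes) -> bytes:
        return self._sniffed


def authenticate(host_chip, accessory, bus_log, challenge=None) -> bool:
    """Host side: challenge the accessory, recompute locally, compare."""
    if challenge is None:
        challenge = host_chip.random_challenge()
    response = accessory.respond(challenge)
    bus_log.append((challenge, response))  # everything a bus snooper sees
    expected = host_chip.respond(challenge)
    return hmac.compare_digest(expected, response)  # constant-time compare


def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed sample key
    host = SecurityChip(key)
    bus = []
    results = {"genuine": authenticate(host, SecurityChip(key), bus)}
    other = SecurityChip(secrets.token_bytes(32))
    results["wrong_key"] = authenticate(host, other, bus)
    sniffed_challenge, sniffed_response = bus[0]
    clone = ReplayingClone(sniffed_response)
    # Fresh challenge each time: the recorded response no longer matches.
    results["replay_fresh"] = authenticate(host, clone, bus)
    # Failure mode: a host that reuses a challenge accepts the replay.
    results["replay_reused"] = authenticate(host, clone, bus, sniffed_challenge)
    return results


if __name__ == "__main__":
    print(demo())
```

The last case is the one to check in a design review: the scheme only resists bus snooping while every challenge is fresh and unpredictable.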

This USB memory stick has a keypad to unlock it. You can store all your passwords or love letters on it and no one can get in without the code.

So it’s great to have services like 1Password, which is a browser extension combined with a remote server that generates and stores different passwords for all your needs. If, however, you need to use two computers, and who doesn’t, now you get to involve Dropbox so that you can store the master password there so you can get your 1Password even if you are at a Kinkos computer. Thing is, I just feel better with hardware security. In this case, it would be using a USB stick with hardware keypad or fingerprint sensor. Those are great since you don’t need a program on the computer or Surface Pro tablet to run it. You swipe your finger or type in a code and the stick unlocks and you can cut-and-paste passwords as you need to. Thing is, there I worry about Windows saving some temporary file. I looked into this a few years ago, and sure enough, even a text file seemed to get cloned somewhere once you opened it off a stick. So the real hardware security is two-factor authentication like you get with an RSA dongle or a YubiKey. Once again, the essential element is a real physical piece of hardware that makes the system secure. I love the YubiKey since it emulates a keyboard, so unless someone infected your computer with a keylogger, there is no record that you used it. And, like the RSA SecurID, even if they do keylog it, the same code never works twice. They are just like that Atmel security chip and just as uncrackable.

The YubiKey is a two-factor authentication system accepted by more and more sites for login. The Nano model is as small as the USB contact pins. Pressing a little button on the device makes it send the one-time log-on code as though it was a USB keyboard.

Breach Brief: Iran hackers targeting energy, transport and infrastructure firms

In what seems to be a year of relentless breaches, a new report from cybersecurity firm Cylance has revealed that Iranian hackers have infiltrated some of the world’s top energy, transport and infrastructure firms over the past two years in an effort that could eventually cause physical damage.

What information was breached? The hackers have stolen “highly sensitive materials” from at least 50 firms worldwide, including 10 U.S. companies. Besides the U.S., the intruders have hit other companies and agencies throughout Canada, China, England, France, Germany, India, Israel, Kuwait, Mexico, Pakistan, Qatar, Saudi Arabia, South Korea, Turkey and the United Arab Emirates.

How did it happen? Dubbed Operation Cleaver, the 87-page report claims that the effort has “successfully leveraged both publicly available and customized tools to attack and compromise targets around the globe.”

What are they saying? “As Iran’s cyber warfare capabilities continue to morph, the probability of an attack that could impact the physical world at a national or global level is rapidly increasing.”

With the number of breaches continuing to rise, how can we stay secure in our connected world?

FBI warns that ‘destructive’ malware attacks could hit the U.S.

In the wake of the recent Sony Pictures hack, the FBI has issued a confidential report urging businesses to remain vigilant against new malicious software that can be used to launch “destructive” cyberattacks.

According to Reuters, the five-page confidential warning doesn’t specifically list the Sony incident. It does, however, name an attack that cybersecurity experts tell the news agency is a large-scale hack that took down the Hollywood company. While similar attacks have occurred in South Korea and throughout the Middle East, the latest is believed to “mark [the] first major destructive cyber attack waged against a company on U.S. soil.”

The “flash” FBI warning issued to businesses shared some insight and technical details around how the malware works, as well as how to respond to it, encouraging businesses to reach out to the FBI if they identified similar software.

“The FBI routinely advises private industry of various cyber threat indicators observed during the course of our investigations. This data is provided in order to help systems administrators guard against the actions of persistent cyber criminals,” explained FBI spokesman Joshua Campbell.

Re/code has reported that Sony is probing the incident to see whether those responsible for carrying out the hack are working on behalf of North Korea, and perhaps operating in China.

It is evident now more than ever that hardware-based solutions are necessary to protect every system and embedded design. As you can see from recent headlines, like BadUSB, hardware protection beats software protection every time. That’s because software is always subject to bugs, tampering and malware, just as the latest report warns. The protection provided by CryptoAuthentication is built directly into a device, and it is secured in tested hardware. Start safeguarding today!

Breach Brief: Sony Pictures’ computer system hacked

According to reports, the computer system belonging to Sony Pictures has been hacked after a thread surfaced on Reddit claiming all computers at the company were offline due to a breach. The Reddit thread says that an image appeared on all employees’ computers reading “Hacked by #GOP” and demanding their “requests be met” along with links to leaked data.

What information was breached? The Next Web reveals that the ZIP files mentioned in the images contain a list of file names of a number of documents, including financial records along with private keys for access to servers. The “Hacked by #GOP” message warned that the data supposedly obtained from Sony’s systems would be divulged on Monday, November 24 at 11 pm GMT.

What are they saying? Variety reports that Sony employees have been warned not to connect to the company’s corporate networks or access their emails. The incident is still being investigated…

With the number of malicious breaches on the rise, how can you ensure that your networks are protected?

Breach Brief: Security camera footage from homes and businesses leaked online

The UK Information Commissioner’s Office is warning the general public about a website containing thousands of live feeds from stand-alone webcams and CCTV systems to baby monitors.

What information was breached? A Russian website is sneaking a peek into the homes, gyms and offices of innocent people throughout the globe. Not only does the website show these unfiltered images, CBS News reveals that it also provides the exact coordinates of the location, complete with zip codes and links to a map. The hackers note that their site has been created in an effort to highlight the significance of security, urging those with remote-access cameras to change their manufacturer’s default passwords.

How many are affected? At the moment, there are more than 4,000 cameras listed in the United States, 600 from the UK and over 10,000 others from 152 countries worldwide. Furthermore, exposed footage ranges from unmade children’s beds and kids watching television in the comfort of their own homes to living rooms and workplace lounges. Heck, snapshots from places like car insurance sales offices and candy stores to tattoo parlors and backyards have been released to the public. With an estimated 350,000 remote-access cameras sold in the UK last year alone, the ICO warned that those without password protection or with weak passwords could be vulnerable to hackers. This doesn’t include those from the 150-plus other countries as well.

What are they saying? “This is a threat that all of us need to be aware of and be taking action to protect against. Remember, if you can access your video footage over the Internet, then what is stopping someone else from doing the same? You may think that having to type in an obscure web address to access the footage provides some level of protection. However, this will not protect you from the remote software that hackers often use to scan the internet for vulnerable devices,” explained Simon Rice, ICO’s Technology Group Manager for the .

This incident represents a perfect model as to why the Internet of Things requires strong security, including encryption and authentication. In fact, we could not have created a demo any better than this to exemplify that point. “The cameras are IoT nodes by default. The website is a hacker. The data is intercepted and misused. Perhaps this notion of hackers posting your data to the net could be called the inadvertent IoT. We are all vulnerable which should drive the realization that built in security is paramount,” explained Atmel’s resident security expert Bill Boldt. “Anyways, this really brings it all home… literally.”

Is someone spying on you through your webcam? It is becoming increasingly clear that embedded system insecurity affects everyone and every company, so how can you ensure that you are indeed protected?

Breach Brief: Hackers breach U.S. weather systems and satellite network

Hackers from China were recently able to breach the government computer network at the agency that oversees the National Weather Service, officials revealed.

What information was breached? According to The Washington Post, NOAA officials also would not say whether the attack removed material or inserted malicious software in its system, which is used by civilian and military forecasters in the United States and also feeds weather models at the main centers for Europe and Canada. NOAA operates a network of weather satellites and websites that distribute crucial information to public and private organizations, including forecasts for airlines and other transportation companies.

When did it happen? The intrusion occurred in late September but officials gave no indication of the problem until October 20, three people familiar with the hack explained.

What are they saying? NOAA spokesman Scott Smullen confirmed in a statement that four websites were “compromised by an Internet-sourced attack,” forcing the agency to perform unscheduled maintenance in recent weeks.

With the number of breaches on the rise, can you be sure you know who’s inside your network?

Breach Brief: 800,000 U.S. Postal Service employees victims of data breach

According to The Washington Post, Chinese hackers are suspected of breaching the computer networks of the U.S. Postal Service, compromising the data of more than 800,000 employees.

What information was breached? The breach is believed to have affected not only letter carriers and employees working in the inspector general’s office, but also the postmaster general himself. The stolen customer information includes names, email addresses and phone numbers. In addition, the exposed employee data may include personally identifiable information, such as names, dates of birth, social security numbers, addresses, beginning and end dates of employment, emergency contact information and other information. No customer credit card information from post offices or online purchases at USPS.com was breached.

How did it happen? Sources said that the attack was carried out by “a sophisticated actor” who apparently was not interested in identity theft or credit card fraud.

When did it happen? Unnamed officials note that the attack was discovered back in mid-September. In its statement, the USPS said that other than employee details, information about customers who called or emailed the agency’s Customer Care Center between January 1st and August 16th of this year was accessed.

What are they saying? “It is an unfortunate fact of life these days that every organization connected to the Internet is a constant target for cyber intrusion activity. The United States Postal Service is no different. Fortunately, we have seen no evidence of malicious use of the compromised data and we are taking steps to help our employees protect against any potential misuse of their data,” explained Postmaster General Patrick Donahoe.

With the number of breaches on the rise, make sure you know who’s inside your network.

Breach Brief: Hackers also stole 53 million email addresses from Home Depot

Not only were 56 million credit card numbers stolen from Home Depot earlier this year, investigators have now revealed that more than 53 million email addresses were exposed as well.

What information was breached? In addition to the previously disclosed payment card data, Home Depot has said in a statement that separate files containing approximately 53 million email addresses were also taken during the breach. These files did not contain passwords, payment card information or other sensitive personal information.

How did it happen? According to the home improvement retailer, the hackers initially accessed its network back in April using a third-party vendor’s username and password. The hackers were able to acquire “elevated rights” that allowed them to navigate parts of Home Depot’s network and to deploy unique, custom-built malware on its self-checkout systems throughout both the United States and Canada.

When did it happen? The malicious software was active on Home Depot’s network between April and September of this year. In the wake of recent incidents, the retailer has added more encryption to its credit card payment systems.

With the number of breaches on the rise and security at our core, learn how Atmel has you covered.