Report: Cyber breaches put 18.5 million Californians’ data at risk

The recent string of major data breaches — including the likes of Target, Home Depot, P.F. Chang’s and Nieman Marcus — have spurred a 600% increase in the number of California residents’ records compromised by cyber criminals over the last year, the latest California Data Breach Report revealed.

According to the study, a total of 167 breaches were reported in 2013 – where 18.5 million personal records were compromised – an increase of 28% from 2012 where just 2.5 million records were stolen. To put things in perspective, that’s nearly half of the state’s population (38 million).

These figures experienced a large uptick following recent incidents involving Target and LivingSocial, which together accounted for 7.5 million of the breached records. Out of the incidents reported in 2013, over half (53%) of them are attributed to malware and hacking.

“Malware and hacking breaches made up 93% of all compromised records (over 17 million records). The LivingSocial and Target breaches accounted for the bulk of those records . In April, the online marketplace LivingSocial reported a cyber attack on their systems that compromised the names, email addresses, some birth dates and passwords of over 50 million customers, including 7.5 million Californians. In December, Target reported a hacking and malware insertion into its network that resulted in the theft of the names and payment card data of 41 million customers, including 7.5 million Californians,” the report noted.

Even by factoring out both Target and LivingSocial, the amount of Californian records illegally accessed last year rose 35% to 3.5 million.

“Data breaches pose a serious threat to the privacy, finances and personal security of California consumers. The fight against these kind of cyber crimes requires the use of innovative strategies by government and the private sector to protect our state’s consumers and businesses,” California Attorney General Kamala Harris said in a statement.

While California residents aren’t any more susceptible to data hijacking than others, the state law requires businesses and agencies to notify customers of any breach involving more than 500 accounts. This law led to the creation of the California Data Breach Report.

The last 12 months weren’t a fluke either. In fact, “These data breaches are going to continue and will probably get worse with the short term,” emphasized Jim Penrose, former chief of the Operational Discovery Center at the National Security Agency.

Aside from payment cards, which the Attorney General urged companies to adopter stronger encrypting and safeguard technologies, one of the most vulnerable sectors is the healthcare industry. Not only are a number of medical devices coming under siege by hackers, stolen health records are also plaguing the industry. Moreover, cyber thieves accessing unprivileged information can even be more harmful than other stolen data as it can be used for identity theft and fraud over a longer duration.

In 2012-2013, the majority of breaches in the healthcare sector (70%) were caused by lost or stolen hardware or portable media containing unencrypted data, in contrast to just 19% of such breaches in other sectors.

“By now, the problem should be obvious to anyone who is paying attention — data of any kind is vulnerable to attack by a wide variety of antagonists from hacker groups and cyber-criminals to electronic armies, techno-vandals and other unscrupulous organizations and people. The reason is simple. Yes, you guessed it: It is because data = money. To make it worse, because of the web of interconnections between people, companies, things, institutions and everything else, everyone and everything digital is exposed,” explained Bill Boldt, Atmel’s resident security expert.

To safeguard information and devices, authentication is increasingly coming paramount. As the latest incidents highlight, thinking about forgoing security in a design simply because that device isn’t connected to a network or possesses a wireless interface? Think again. The days of truly isolated systems are long gone and every design requires security. As a result, the first step in implementing a secure system is to store the system secret keys in a place that malware and bugs can’t get to them – a hardware security device like CryptoAuthentication. If a secret key is not secret, then there is no such thing as security.

Want to read more? Download the entire report here.

You can’t spell “cryptography” without a “why”

When considering adding cryptography to an embedded system (or any other information system) manufacturers always ask: “Why do I need cryptography?” That is, unless they have already been burned by a security breach. The answer is quite simple: “Because you have a lot to lose and the dangers are multiplying every day.”

Perhaps some of the closest analogies are driving without auto insurance, owning a house without fire and casualty insurance, living without health insurance…well, you get the picture. The point is, intentionally leaving an embedded system exposed to hacking, malware and cloning to save cost is simply not prudent from a financial perspective. Of course, safety, liability and brand equity also matter – a lot.

Cutting to the chase, dangerous exposure is directly linked to how exposed the cryptography key is to being accessed by unintended parties such as hackers and cyber-criminals. This has to do with how the key is stored. However, before we explore this topic, let’s look at the bigger picture.

The answer to “why” for product manufacturers? They need to protect their development investment, brand image and revenue in an increasingly hostile cyber-world replete with bad actors. As we noted in a previous article, the number of active Internet threat groups being tracked has risen to over 300, which is more than 400% higher than in 2011.  Nation-states have become hyper-active in cyber-espionage and cyber-attacks. This is because it is now possible to literally upload damage to a target, which is kind of a science fiction scenario come true.

In the same vein, secret information is easily downloaded. More than 95% of networks have become compromised in some way, and directed attacks will only get worse as mobile platforms continue to expand worldwide.

Vulnerable systems placed on the Internet are currently being compromised in less than 15 minutes. Frankly, these statistics aren’t really a surprise given the wildly disproportionate cost / ”benefit” of cyber meddling, which is devilishly tempting to malicious operators.

It is clear from the above statistics that hostilities have already broken out and cryptography is the best available shield—perhaps the only one.

Now that we have looked at the “why” in cryptography, what about the “what?” What is cryptography? Let’s focus on the two pillars of cryptography, which are described below:

      1. Authentication  

•   Making sure the data source is what it is supposed to be.

      2.  Encryption/decryption

•   Scrambling and descrambling data so only an intended receiver can see it.

Both encryption and authentication are contingent upon keeping secret keys secret. This is the key point.

However, there are many different encryption algorithms, types of authentication schemes, architectures and applications. There is also the choice of how to store the encryption keys. The last point – key storage – is probably the most significant consideration manufacturers can make regarding security.

In essence, cryptographic security is a function of three critical factors:

1. The length of the key used by the cryptographic algorithms,
2. The mathematical operations of the cryptographic algorithms, and
3. How securely the keys are stored (i.e. how vulnerable the keys are to attack).

Since the strength of security depends upon the key size and the specific mathematical properties of the algorithms, various combinations of key sizes and algorithms can potentially be stronger or weaker than any other combination. Meaning, manufacturers have to select one and the other according to their requirements. However, if the keys are not securely stored, well, then none of it matters all that much.

If the keys are not kept secret, then the information can be obtained by unintended outside parties, which defeats the entire purpose. Right? As such, the memory where the key is stored must be able to withstand attacks that try to read the key(s). Such attacks are always underway somewhere, which is a sad but true fact. Fortunately, hardware security devices, like Atmel CryptoAuthentication products, offer a proven method of protecting secret keys that not only restricts access, but also provides key generation and management.

Similarly, storing keys in general purpose (i.e. unsecured) memory in any system leaves the keys open to theft or authorized use via multiple paths. By definition, any system’s software must have access to memory, so any type of bug in the software can inadvertently reveal the key. Just look at the Heartbleed bug as an example. Specialty hardware devices, like CryptoAutentication products are designed for the express purpose of securely storing hardware keys. They do this by utilizing special defense mechanisms that only hardware can provide to repel attacks of various types.

As we’ve previously discussed on Bits & Pieces, secure storage in hardware beats general purpose storage every time. So, the “why” and “what” of cryptography boils down to this: Adding secure key storage is an inexpensive, easy, and ultra-secure way to protect firmware, software and hardware products from cloning, counterfeiting, hacking and other malicious threats.

The key to security is protecting the key. Plus, hard protection beats soft protection. It is that simple. This is precisely why Atmel’s ATSHA204A, ATECC108A and ATAES132 are all designed for secure authentication by providing a hardware-based storage location with a range of proven physical defense mechanisms, as well as secure cryptographic algorithms and processes. They represent over three generation of hardware security know-how, and experience matters when dealing with real world attacks.

Future Bits & Pieces posts will examine authentication schemes such as asymmetric and symmetric, and how Atmel key storage devices operate in the real world.