Tag Archives: Data Breaches

Report: Organizations not doing enough to prevent data breaches


Verizon’s annual Data Breach Investigations Report shows which threats — new and old — to watch. 


Just the other day, Verizon released its annual Data Breach Investigations Report, which analyzed more than 2,100 confirmed data breaches and approximately 80,000 reported security incidents. This year’s study offered an in-depth look at the cybersecurity landscape, including a first-time overview of mobile security, Internet of Things (IoT) technologies and the financial impact of intrusions.

150415_DBIR_Graphic_640x400

Upon delving deeper, the report revealed that though cyber attacks are getting a lot more sophisticated, decades-old tactics like phishing and hacking haven’t lost much ground either. According to Verizon, the majority of the cyber attacks (70%) used a combination of these techniques and involved a secondary victim, adding complexity to a breach.

Another troubling area singled out in the analysis is that many existing vulnerabilities remain open, primarily because security patches that have long been available were never implemented. In fact, many of those flaws go back almost eight years.

As in prior reports, this year’s findings again pointed out what Verizon researchers call the “detection deficit,” which refers to the time that elapses between a breach occurring until it’s discovered. Sadly, in 60% of breaches, attackers are able to compromise an organization within minutes. On the bright side, the study does note that a number of cyber attacks could be prevented through a more vigilant approach to security.

“We continue to see sizable gaps in how organizations defend themselves,” explained Mike Denning, VP of Global Security for Verizon Enterprise Solutions. “While there is no guarantee against being breached, organizations can greatly manage their risk by becoming more vigilant in covering their bases. This continues to be a main theme, based on more than 10 years of data from our ‘Data Breach Investigations Report’ series.”

As expected, a hot topic that was added to this year’s report centered around security issues related to the burgeoning IoT. Verizon examined several security incidents in which connected devices were used as entry points to compromise other systems, with some IoT devices were co-opted into botnets that were infected with malicious software for denial-of-service attacks. The findings on connected devices “reaffirms the need for organizations to make security a high priority when rolling out next-generation intelligent devices.”

B290-VES.com_GraphicsDBIR2015-150417-06-01

Verizon security researchers also discovered that nearly all (96%) of the 80,000 security incidents analyzed this year can be traced to one of nine basic attack patterns that vary across industries. As identified in the 2014 report, the nine threat patterns include miscellaneous errors, malware aimed at gaining control of systems, insider/privilege misuse, physical theft or loss, web app attacks, cyber espionage, as well as point-of-sale intrusions and payment card skimmers.

This year’s report found that 83% of security incidents by industry involve the top three threat patterns — up from 76% in 2014. Needless to say, the longer it takes for organizations to discover breaches, the more time attackers have to penetrate defenses and cause damage, the report points out. More than a quarter of all breaches take an organization weeks, and sometimes months, to unearth and contain.

Want to continue reading? You can download Verizon’s entire report here. As if you needed any additional proof, it has becoming increasingly clear that embedded system insecurity affects everyone and every company. What’s worse, the effects of insecurity can be very personal like theft of sensitive financial and medical data. For a company the impact can be quite profound. Products can be cloned, software copied, systems tampered with and spied on, and many other things that can lead to revenue loss, increased liability, and diminished brand equity. Explore the SMARTER choice of embedded hardware-based security into your next design here.

Report: 29 million patient records compromised in healthcare breaches


In 2013, two-thirds of healthcare data breaches involved electronic data, almost 60% theft and nearly 10% hacking.


Amid our latest bout with malicious hackers and network intrusions, even more data has emerged that will certainly put any doubts, if any remained, around the insignificance of proper security to rest — particularly in healthcare. According to a new study published in the Journal of the American Medical Association, researchers have revealed that approximately 29 million health records in the U.S. alone were affected by breaches between 2010 and 2013 — 67% of which were stored electronically.

Breaches

In order to conduct their investigation, the researchers sifted through a government database containing information about data breaches involving unencrypted health information reported by clinicians and health plans. What they found was that a majority of incidents (58%) were exposed through theft, while the rest came as a combination of hacks and carelessness, such as loss or improper disposal of data and unauthorized access of information. And, most of the time, these breaches were connected to laptops and mobile devices.

In 2013, the frequency of breaches that occurred through hacking, unauthorized access or unprivileged disclosure increased to 27%, up from 12% just three years prior. The researchers warn that this number will only continue to rise.

“Given the rapid expansion in electronic health record deployment since 2012, as well as the expected increase in cloud-based services… the frequency and scope of electronic healthcare data breaches are likely to increase,” the researchers note. “These security breaches could involve everything from health sensors and gene sequencing technology, to predictive analytics and personal health records.”

Want to delve deeper into the topic? You can find the entire report here. Meanwhile, as attack platforms increase in size and threats become more sophisticated in nature, how can you ensure that your network and its connected devices are indeed protected? Fortunately, you can take comfort in knowing that there are solutions already available to keep those digital systems not only smart, but robustly secured all at the same time.

Breach Brief: Mandarin Oriental hotels hit with massive data breach


Credit card hackers are at it again, this time stealing information from Mandarin Oriental hotel guests.


Luxury hotel chain Mandarin Oriental has confirmed that a number of its hotels were subject to a major security breach, and hackers have made off with guests’ credit card information.

singapore-lobby-1

What happened? A number of fraudulent charges began appearing on credit card accounts, and cybersecurity blog Krebs on Security reported that banking industry sources said the hotel was the common factor for many. The cybersecurity news website revealed that point-of-sale terminals were infected with malware capable of stealing card details from restaurants and other businesses located within the hospitality establishments, not so much the front desk.

Who was affected? A majority of Mandarin Oriental’s 24 locations worldwide, ranging from Shanghai to Barcelona, may have been subject to the cyberattack, but the report claims most, if not all, of the chain’s U.S. establishments — including New York, Washington, D.C., Boston and Las Vegas — were likely impacted.

When did it occur? The company didn’t say which locations were affected exactly, or when cybercriminals made off with the data. However, sources told the blog that the attack may have started sometime around December 2014.

What they’re saying: “Mandarin Oriental can confirm that the credit card systems in an isolated number of our hotels in the US and Europe have been accessed without authorization and in violation of both civil and criminal law. The Group has identified and removed the malware and is coordinating with credit card agencies, law enforcement authorities and forensic specialists to ensure that all necessary steps are taken to fully protect our guests and our systems across our portfolio.Unfortunately incidents of this nature are increasingly becoming an industry-wide concern,” the company told Krebs.

Given the chain’s upscale clientele, it wouldn’t be too surprising for the credit card numbers fetch a couple of big bucks if they end up on the black market. With the number of breaches on the rise and no apparent end in sight, how can you ensure that your network and its devices are protected?

Hackers for hire are on the rise


Mercenary hacker groups are ushering in a new era of Espionage-as-a-Service.


Although recent cyber attacks have been loud and damaging to companies like Sony, JPMorgan Chase and Home Depot, the much larger threat stems from mercenary hacker crews who are stealing billions of dollars of valuable technology secrets every year from U.S. companies on behalf of paying clients, Taia Global warns.

cyber-espionage

The groups carrying out so-called Espionage-as-a-Service (EaaS) attacks are said to range in size and skill, and can be carried out by anybody from an amateur to an ex-spook. In addition, these hackers have no nation-state affiliation and are well-paid, available for hire whether it’s a Chinese millionaire like Su Bin, a Russian oligarch or a western business competitor of the company being targeted. The aerospace industry is among the hardest hit, but any company who is investing in high value research and development can be a target, the firm explains.

“They are rarely discovered is due in part to their skill level and in part to being mis-identified as a state actor instead of a non-state actor if they are discovered. The low risk of discovery, frequent misattribution to a nation state, and growing demand of their services ensures that the EaaS threat actor will flourish in the coming 12 to 24 months,” urges Jeffrey Carr, Taia Global President and CEO.

A new website, aptly named Hacker’s List, seeks to match hackers with people looking to gain access to email accounts, take down unflattering photos from a website or gain access to a company’s database. In less than three months of operation, the New York Times reveals that over 500 hacking jobs have been put out to bid on the site, with cyber thieves vying for the right to do the dirty work.

16HACKERS-blog480

“In just the last few days, offers to hire hackers at prices ranging from $100 to $5,000 have come in from around the globe on Hacker’s List, which opened for business in early November,” NYT’s Matthew Goldstein writes. “The rather matter-of-fact nature of the job postings on Hacker’s List shows just how commonplace low-profile hacking has become and the challenge such activity presents for law enforcement at a time when federal and state authorities are concerned about data security.”

Data breaches are seemingly more common than ever before. The hackers freelancing for the listing service will have varying skill levels, but, as Mashable‘s Christina Warren put it, everyone should have the expectation that “our privacy and security are finite and will probably be breached.” In fact, the theft of intellectual property is estimated to cost the U.S. $300 billion per year, according to a report by the IP Commission. It’s becoming increasingly clear that IP and data theft is a growing epidemic, but it can be prevented. In the meantime, you can read all about hackers for hire here.

Infographic: World’s biggest data breaches

As we turn the page on yet another year, the folks over at Information Is Beautiful have compiled an interactive infographic highlighting the biggest data breaches in recent history. You can scroll around to find out how, when and the magnitude of the each incident.

Whether it was, in fact, the “Year of the Breach” or the “Year of Breach Awareness,” 2014 shed light on IoT insecurities, device vulnerabilities and crippling cyberattacks. Financial institutions, big-box retailers, entertainment corporations and even government agencies all fell victim to an assortment of hackers over the past 12 months. From JPMorgan Chase and Sony Pictures to Home Depot and Staples, we’re taking a look back at some of the most devastating breaches of 2014.

1276_worlds-biggest-data-breaches_Jun143

No security? No IoT for you! As we enter an era of constant connectivity, security has never been more paramount. Learn how you can protect your assets and secure your devices with Atmel solutions.

TPM: The heavy artillery of cryptography

Data security is becoming a virtual battleground — evident by the number of major data breaches that have broken out at retailers such as Target, Staples, Dairy Queen, Home Depot and EBay, at major banks such as JP Morgan, and at many other institutions worldwide. The recent spate of security viruses such as Heartbleed, Shellshock, Poodle, and BadUSB (and who knows what’s next) have been creating serious angst and concern. And, rightfully so. The question is what exactly should you bring to the cyber battleground to protect your assets? This question matters because everyone who is using software to store cryptographic keys is vulnerable to losing sensitive personal data, and today that is just about everybody. So, choose your weapons carefully.

Artilerry

Fortunately, there are weapons now available that are very powerful while still being cost-effective. The strongest data protection available comes from hardware key storage, which beats software key storage every time. Keys are what make cryptography possible, and keeping secret keys secret is the secret to cryptography. Atmel’s portfolio contains a range of innovative and robust hardware-based security products, with the heavy artillery being the Trusted Platform Module (TPM).

TPM

The TPM is a cryptographic device with heavy cryptographic firepower, such as Platform Configuration Registers, protected user configurable non-volatile storage, an enforced key hierarchy, and the ability to both seal and bind data to a TPM. It doesn’t stop there. Atmel’s TPM has a variety of Federal Information Processing Standards (FIPS) 140-2 certified cryptographic algorithms (such as RSA, SHA1, AES, RNG, and HMAC) and various sophisticated physical security counter-measures. The TPM can be used right out-of-the-box with standards-based commands defined by the Trusted Computing Group, along with a set of Atmel-specific commands, which are tested and ready to counter real world attacks.

The Arsenal

Platform Configuration Registers and Secure Boot

One of the important weapons contained in the TPM is a bank of Platform Configuration Registers (PCRs), which use cryptographic hashing functions. These registers can be used to ensure that only trusted code gets loaded at boot time of the system. This is done by using the existing data in a PCR as one input to a hashing function with the other input being new data. The result of that hashing function becomes the new PCR value that will be used as the input to the next hashing function with the next round of new data. This process provides security by continuously changing the value of the PCR.

Flor

As the PCR value gets updated, the updated values can then be compared with known hash values stored in the system. If the reference values previously stored in the TPM compare correctly with the newly generated PCR values, then the inputs to the hashing function (new data in the diagram) are proven to have been exactly the same as the reference inputs whose hash is stored on the TPM. Such matching of the hash values verifies the inputs as being authentic.

The PCR flow just described is very useful when enforcing secure boot of the system. Unless the hashes match showing that the code is, indeed, what it is supposed to be, the code will not be loaded. Even if a byte is added, deleted, changed, or if a bit is modified, the system will not boot. For secure boot, the data input to the hashing function is a piece of the BIOS (or operating system).

User Configurable Non-Volatile Storage

Another weapon is user-configurable, non-volatile storage with multiple configuration options. What this means is that the user is presented with several ways to restrict the access and use of the memory space, such as by password, physical presence of the user, and PCR states. Additionally, the memory space can be set up so that it can be written only once, not read until the next write or startup of the TPM, not written to until the next startup of the TPM, and others.

Enforced Key Hierarchy

The TPM also incorporates an enforced key hierarchy, meaning that the keys must have another key acting as a parent key (i.e. a key higher in a hierarchy) for that key to get loaded into the TPM. The authorization information for the parent key needs to be known before the child key can be used, thereby adding another layer of security.

Binding and Sealing Data

Another part of the TPM’s arsenal is the ability to bind and/or seal data to the TPM. A seal operation keeps the data contained (i.e. “sealed”) so that it can only be accessed if a particular pre-defined configuration of the system has been reached. This pre-defined configuration is held within the PCRs on the TPM. The TPM will not unseal the data until the platform configuration matches the configuration stored within the PCRs.

A bind operation creates encrypted data blobs (i.e. binary large objects) that are bound to a private key that is held within the TPM. The data within the blob can only be decrypted with the private key in the TPM. Thus, the data is said to be “bound” to that key — such keys can be reused for different sets of data.

The Armor 

So the Atmel TPM has some pretty cool weapons in its arsenal, but does it have any armor? The answer is yes it does!

FIPS 140-2 Certified 

Atmel has dozens of FIPS 140-2 full module-level certified devices with various I/O’s including LPC, SPI, and I2C. The TPM uses a number of FIPS certified algorithms to perform its operations. These standards were developed, tested, and certified by the United States federal government for use in computer systems. The TPM’s FIPS certified algorithms include RSA, SHA1, HMAC, AES, RNG and CVL (find out more details on Atmel’s TPM FIPS certifications here).

1024px-MET_Armures

Active Metal Shield

The TPM has built-in physical armor of its own. A serpentine active metal shield with tamper detection covers the entire device. If someone attempts to penetrate this shield to see the structures beneath it, the TPM can detect this and go into a fault condition that prevents further actions on the TPM.

Why TPM?

You might be asking, “Why can’t all those functions just be done in software?” While some of the protections can be provided in software, software alone is not nearly as robust as a hardware-based system. That is because software has bugs, despite how hard the developers try to eliminate them, and hackers can exploit those bugs to gain access to supposedly secure systems. TPM, on the other hand,stores secret keys in protected hardware that hackers cannot get access to, and they cannot attack what they cannot see.

The TPM embeds intelligence via an on-board microcontroller to manage and process cryptographic functions. The commands used by the Atmel TPM have been defined and vetted by the Trusted Computing Group (TCG), which is a global consortium of companies established to define robust standards for hardware security. Furthermore, the Atmel TPM has been successfully tested against TCG’s Compliance Test Suite to ensure conformance. Security is also enhanced because secrets never leave the TPM unless they have been encrypted.

With the battle for your data being an on-going reality, it simply makes sense to fight back with the heaviest artillery available. Combining all the weaponry and armor in one small, strong, cost effective, standards-based and certified package makes the Atmel TPM cryptographic the ideal choice for your arsenal.

This blog was contributed by Tom Moulton, Atmel Firmware Validation Engineer.

Report: Cyber breaches put 18.5 million Californians’ data at risk

The recent string of major data breaches — including the likes of Target, Home Depot, P.F. Chang’s and Nieman Marcus — have spurred a 600% increase in the number of California residents’ records compromised by cyber criminals over the last year, the latest California Data Breach Report revealed.

Breach

According to the study, a total of 167 breaches were reported in 2013 – where 18.5 million personal records were compromised – an increase of 28% from 2012 where just 2.5 million records were stolen. To put things in perspective, that’s nearly half of the state’s population (38 million).

These figures experienced a large uptick following recent incidents involving Target and LivingSocial, which together accounted for 7.5 million of the breached records. Out of the incidents reported in 2013, over half (53%) of them are attributed to malware and hacking.

“Malware and hacking breaches made up 93% of all compromised records (over 17 million records). The LivingSocial and Target breaches accounted for the bulk of those records . In April, the online marketplace LivingSocial reported a cyber attack on their systems that compromised the names, email addresses, some birth dates and passwords of over 50 million customers, including 7.5 million Californians. In December, Target reported a hacking and malware insertion into its network that resulted in the theft of the names and payment card data of 41 million customers, including 7.5 million Californians,” the report noted.

BReach

Even by factoring out both Target and LivingSocial, the amount of Californian records illegally accessed last year rose 35% to 3.5 million.

“Data breaches pose a serious threat to the privacy, finances and personal security of California consumers. The fight against these kind of cyber crimes requires the use of innovative strategies by government and the private sector to protect our state’s consumers and businesses,” California Attorney General Kamala Harris said in a statement.

While California residents aren’t any more susceptible to data hijacking than others, the state law requires businesses and agencies to notify customers of any breach involving more than 500 accounts. This law led to the creation of the California Data Breach Report.

The last 12 months weren’t a fluke either. In fact, “These data breaches are going to continue and will probably get worse with the short term,” emphasized Jim Penrose, former chief of the Operational Discovery Center at the National Security Agency.

Aside from payment cards, which the Attorney General urged companies to adopter stronger encrypting and safeguard technologies, one of the most vulnerable sectors is the healthcare industry. Not only are a number of medical devices coming under siege by hackers, stolen health records are also plaguing the industry. Moreover, cyber thieves accessing unprivileged information can even be more harmful than other stolen data as it can be used for identity theft and fraud over a longer duration.

In 2012-2013, the majority of breaches in the healthcare sector (70%) were caused by lost or stolen hardware or portable media containing unencrypted data, in contrast to just 19% of such breaches in other sectors.

1573355_the-illuminati_jpeg890495712403ec5fef85b53b0a65a1ab

“By now, the problem should be obvious to anyone who is paying attention — data of any kind is vulnerable to attack by a wide variety of antagonists from hacker groups and cyber-criminals to electronic armies, techno-vandals and other unscrupulous organizations and people. The reason is simple. Yes, you guessed it: It is because data = money. To make it worse, because of the web of interconnections between people, companies, things, institutions and everything else, everyone and everything digital is exposed,” explained Bill Boldt, Atmel’s resident security expert.

To safeguard information and devices, authentication is increasingly coming paramount. As the latest incidents highlight, thinking about forgoing security in a design simply because that device isn’t connected to a network or possesses a wireless interface? Think again. The days of truly isolated systems are long gone and every design requires security. As a result, the first step in implementing a secure system is to store the system secret keys in a place that malware and bugs can’t get to them – a hardware security device like CryptoAuthentication. If a secret key is not secret, then there is no such thing as security.

Want to read more? Download the entire report here.