Tag Archives: Data Security

What were the worst passwords of 2014?


Watch these people give Jimmy Kimmel their passwords on national TV.


Undoubtedly, cybersecurity stole the headlines of 2014. It seemed every week, there was another high-profile breach, whether the aftermath of Target and Home Depot, attacks against big-box retailers like Michaels and Neiman Marcus, or the massive incidents around JPMorgan Chase and Sony. However, even at its most rudimentary level, we’re finding that a majority of people fail to abide by common login best practices when accessing their personal data.

Worst Passwords of 2014

According to SplashData’s annual list of the worst passwords, compiled from more than 3.3 million leaked credentials found across the web during the past year, many of us aren’t too concerned about our digital security… at least when it comes to sign-in credentials. And apparently, some of us are more than happy to share them on national television. Jimmy Kimmel’s producers recently went around the streets of Los Angeles to assess people’s password security.

Sure enough, the Jimmy Kimmel Live crew was able to get passers-by to reveal their “secret” credentials directly into the mic. Don’t believe us? Watch it below!

So what were some of 2014’s top passwords?

1. 123456
2. password
3. 12345
4. 12345678
5. qwerty
6. 123456789
7. 1234
8. baseball
9. dragon
10. football
11. 1234567
12. monkey
13. letmein
14. abc123
15. 111111
16. mustang
17. access
18. shadow
19. master
20. michael
21. superman
22. 696969
23. 123123
24. batman
25. trustno1


Hackers for hire are on the rise


Mercenary hacker groups are ushering in a new era of Espionage-as-a-Service.


Although recent cyber attacks have been loud and damaging to companies like Sony, JPMorgan Chase and Home Depot, the much larger threat stems from mercenary hacker crews who are stealing billions of dollars of valuable technology secrets every year from U.S. companies on behalf of paying clients, Taia Global warns.


The groups carrying out so-called Espionage-as-a-Service (EaaS) attacks are said to range in size and skill, with operators anywhere from amateurs to ex-spooks. These hackers have no nation-state affiliation and are well paid, available for hire by anyone, whether a Chinese millionaire like Su Bin, a Russian oligarch or a western business competitor of the company being targeted. The aerospace industry is among the hardest hit, but any company that invests in high-value research and development can be a target, the firm explains.

“That they are rarely discovered is due in part to their skill level and in part to being mis-identified as a state actor instead of a non-state actor if they are discovered. The low risk of discovery, frequent misattribution to a nation state, and growing demand of their services ensures that the EaaS threat actor will flourish in the coming 12 to 24 months,” urges Jeffrey Carr, Taia Global President and CEO.

A new website, aptly named Hacker’s List, seeks to match hackers with people looking to gain access to email accounts, take down unflattering photos from a website or gain access to a company’s database. In less than three months of operation, the New York Times reveals, over 500 hacking jobs have been put out to bid on the site, with cyber thieves vying for the right to do the dirty work.


“In just the last few days, offers to hire hackers at prices ranging from $100 to $5,000 have come in from around the globe on Hacker’s List, which opened for business in early November,” NYT’s Matthew Goldstein writes. “The rather matter-of-fact nature of the job postings on Hacker’s List shows just how commonplace low-profile hacking has become and the challenge such activity presents for law enforcement at a time when federal and state authorities are concerned about data security.”

Data breaches are seemingly more common than ever before. The hackers freelancing for the listing service will have varying skill levels, but, as Mashable’s Christina Warren put it, everyone should have the expectation that “our privacy and security are finite and will probably be breached.” In fact, the theft of intellectual property is estimated to cost the U.S. $300 billion per year, according to a report by the IP Commission. It’s becoming increasingly clear that IP and data theft is a growing epidemic, but it can be prevented. In the meantime, you can read all about hackers for hire here.

Breach Brief: Chick-fil-A investigating payment card data breach

A new year, a new wave of breaches. Following an eventful 2014, Chick-fil-A may be the first retailer to face a payment card data breach in 2015.


What happened? Financial institutions alerted Chick-fil-A to unusual transactions involving nearly 9,000 consumer credit and debit cards, with the fast food restaurant being the common connection.

What information was breached? The restaurant chain says it first learned of the possible breach on December 19 after “limited suspicious payment card activity appearing to originate from payment cards used in a few of our restaurants.”

Who was affected? According to Krebs, the possible security breach may be linked to locations in Georgia, Maryland, Pennsylvania, Texas and Virginia.

When did it occur? The report notes that alerts were sent to several U.S. financial institutions about a breach from early December 2013 through September 30, 2014.

What they’re saying: “We want to assure our customers we are working hard to investigate these events and will share additional facts as we are able to do so. If the investigation reveals that a breach has occurred, customers will not be liable for any fraudulent charges to their accounts — any fraudulent charges will be the responsibility of either Chick-fil-A or the bank that issued the card. If our customers are impacted, we will arrange for free identity protection services, including credit monitoring.”

With the number of breaches on the rise, can you ensure that your network is protected? As we kick off 2015, don’t forget to read up on the latest security trends, topics and more from last year here.

Infographic: World’s biggest data breaches

As we turn the page on yet another year, the folks over at Information Is Beautiful have compiled an interactive infographic highlighting the biggest data breaches in recent history. You can scroll around to find out how and when each incident happened, and how large it was.

Whether it was, in fact, the “Year of the Breach” or the “Year of Breach Awareness,” 2014 shed light on IoT insecurities, device vulnerabilities and crippling cyberattacks. Financial institutions, big-box retailers, entertainment corporations and even government agencies all fell victim to an assortment of hackers over the past 12 months. From JPMorgan Chase and Sony Pictures to Home Depot and Staples, we’re taking a look back at some of the most devastating breaches of 2014.


No security? No IoT for you! As we enter an era of constant connectivity, security has never been more paramount. Learn how you can protect your assets and secure your devices with Atmel solutions.

Breach Brief: 800,000 U.S. Postal Service employees victims of data breach

According to The Washington Post, Chinese hackers are suspected of breaching the computer networks of the U.S. Postal Service, compromising the data of more than 800,000 employees.


What information was breached? The breach is believed to have affected not only letter carriers but also employees working in the inspector general’s office, including the postmaster general himself. The stolen customer information includes names, email addresses and phone numbers. In addition, the exposed employee data may include personally identifiable information, such as names, dates of birth, social security numbers, addresses, beginning and end dates of employment, emergency contact information and other information. No customer credit card information from post offices or online purchases at USPS.com was breached.

How did it happen? Sources said that the attack was carried out by “a sophisticated actor” who apparently was not interested in identity theft or credit card fraud.

When did it happen? Unnamed officials note that the attack was discovered back in mid-September. In its statement, the USPS said that, in addition to employee details, information about customers who called or emailed the agency’s Customer Care Center between January 1st and August 16th of this year was accessed.

What are they saying? “It is an unfortunate fact of life these days that every organization connected to the Internet is a constant target for cyber intrusion activity. The United States Postal Service is no different. Fortunately, we have seen no evidence of malicious use of the compromised data and we are taking steps to help our employees protect against any potential misuse of their data,” explained Postmaster General Patrick Donahoe.

With the number of breaches, make sure you know who’s inside your network.

Breach Brief: Hackers also stole 53 million email addresses from Home Depot

Not only were 56 million credit card numbers stolen from Home Depot earlier this year, investigators have now revealed that more than 53 million email addresses were exposed as well.


What information was breached? In addition to the previously disclosed payment card data, Home Depot said in a statement that separate files containing approximately 53 million email addresses were also taken during the breach. These files did not contain passwords, payment card information or other sensitive personal information.

How did it happen? According to the home improvement retailer, the hackers initially accessed its network back in April using a third-party vendor’s username and password. The hackers were able to acquire “elevated rights” that allowed them to navigate parts of Home Depot’s network and to deploy unique, custom-built malware on its self-checkout systems throughout both the United States and Canada.

When did it happen? The malicious software was active on Home Depot’s network between April and September of this year. In the wake of recent incidents, the retailer has added more encryption to its credit card payment systems.

With the number of breaches on the rise and security at our core, learn how Atmel has you covered.

TPM: The heavy artillery of cryptography

Data security is becoming a virtual battleground — evident by the number of major data breaches that have broken out at retailers such as Target, Staples, Dairy Queen, Home Depot and eBay, at major banks such as JP Morgan, and at many other institutions worldwide. The recent spate of security flaws such as Heartbleed, Shellshock, Poodle, and BadUSB (and who knows what’s next) has been creating serious angst and concern. And, rightfully so. The question is what exactly should you bring to the cyber battleground to protect your assets? This question matters because everyone who is using software to store cryptographic keys is vulnerable to losing sensitive personal data, and today that is just about everybody. So, choose your weapons carefully.


Fortunately, there are weapons now available that are very powerful while still being cost-effective. The strongest data protection available comes from hardware key storage, which beats software key storage every time. Keys are what make cryptography possible, and keeping secret keys secret is the secret to cryptography. Atmel’s portfolio contains a range of innovative and robust hardware-based security products, with the heavy artillery being the Trusted Platform Module (TPM).


The TPM is a cryptographic device with heavy cryptographic firepower, such as Platform Configuration Registers, protected user configurable non-volatile storage, an enforced key hierarchy, and the ability to both seal and bind data to a TPM. It doesn’t stop there. Atmel’s TPM has a variety of Federal Information Processing Standards (FIPS) 140-2 certified cryptographic algorithms (such as RSA, SHA1, AES, RNG, and HMAC) and various sophisticated physical security counter-measures. The TPM can be used right out-of-the-box with standards-based commands defined by the Trusted Computing Group, along with a set of Atmel-specific commands, which are tested and ready to counter real world attacks.

The Arsenal

Platform Configuration Registers and Secure Boot

One of the important weapons contained in the TPM is a bank of Platform Configuration Registers (PCRs), which are updated through cryptographic hashing functions. These registers can be used to ensure that only trusted code gets loaded at boot time of the system. This is done by using the existing data in a PCR as one input to a hashing function, with the other input being the new data to be measured. The result of that hashing function becomes the new PCR value, which is in turn used as the input to the next hashing function with the next round of new data. Because the hash is one-way and each new value depends on the previous one, a PCR can only be extended, never set directly, and its final value is determined by the exact content and order of everything measured into it.


As the PCR value gets updated, the updated values can then be compared with known hash values stored in the system. If the reference values previously stored in the TPM compare correctly with the newly generated PCR values, then the inputs to the hashing function (new data in the diagram) are proven to have been exactly the same as the reference inputs whose hash is stored on the TPM. Such matching of the hash values verifies the inputs as being authentic.

The PCR flow just described is very useful when enforcing secure boot of the system. Unless the hashes match, showing that the code is indeed what it is supposed to be, the code will not be loaded. Even if a byte is added, deleted or changed, or if a single bit is modified, the system will not boot. For secure boot, the data input to the hashing function is a piece of the BIOS (or operating system).

User Configurable Non-Volatile Storage

Another weapon is user-configurable, non-volatile storage with multiple configuration options. What this means is that the user is presented with several ways to restrict the access and use of the memory space, such as by password, physical presence of the user, and PCR states. Additionally, the memory space can be set up so that it can be written only once, not read until the next write or startup of the TPM, not written to until the next startup of the TPM, and others.

Enforced Key Hierarchy

The TPM also incorporates an enforced key hierarchy, meaning that the keys must have another key acting as a parent key (i.e. a key higher in a hierarchy) for that key to get loaded into the TPM. The authorization information for the parent key needs to be known before the child key can be used, thereby adding another layer of security.

Binding and Sealing Data

Another part of the TPM’s arsenal is the ability to bind and/or seal data to the TPM. A seal operation keeps the data contained (i.e. “sealed”) so that it can only be accessed if a particular pre-defined configuration of the system has been reached. This pre-defined configuration is held within the PCRs on the TPM. The TPM will not unseal the data until the platform configuration matches the configuration stored within the PCRs.

A bind operation creates encrypted data blobs (i.e. binary large objects) that are bound to a private key that is held within the TPM. The data within the blob can only be decrypted with the private key in the TPM. Thus, the data is said to be “bound” to that key — such keys can be reused for different sets of data.
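The PCR extend chain from the Platform Configuration Registers section and the seal operation described above, modelled together as an added example (not from the original post and not Atmel’s code): SimTPM, measured_boot and the boot-stage strings are constructed stand-ins, and the toy stream cipher stands in for the encryption a real TPM performs internally under its storage key.

```python
import hashlib
import hmac


class SimTPM:
    """Toy model: 8 SHA-1 PCRs plus seal/unseal gated by PCR state (constructed)."""
    def __init__(self):
        self._srk = hashlib.sha256(b"constructed storage root key").digest()  # never leaves the chip
        self.reset()
    def reset(self):
        """Power-on: every PCR starts at 20 zero bytes."""
        self.pcrs = [bytes(20)] * 8
    def extend(self, index, data):
        """PCR[i] = SHA1(PCR[i] || SHA1(data)): one-way, so order and content both matter."""
        self.pcrs[index] = hashlib.sha1(self.pcrs[index] + hashlib.sha1(data).digest()).digest()
        return self.pcrs[index]
    def _policy_key(self, indices):
        # Key exists only while the selected PCRs hold the values seen at seal time.
        composite = b"".join(self.pcrs[i] for i in indices)
        return hmac.new(self._srk, composite, hashlib.sha256).digest()
    def seal(self, secret, indices):
        """Encrypt `secret` (<= 32 bytes) to the current values of the chosen PCRs."""
        key = self._policy_key(indices)
        stream = hashlib.sha256(key + b"keystream").digest()
        ct = bytes(a ^ b for a, b in zip(secret, stream))  # toy one-block stream cipher
        return {"pcrs": indices, "ct": ct, "tag": hmac.new(key, ct, hashlib.sha256).digest()}
    def unseal(self, blob):
        """Return the secret only if the PCRs reproduce the sealing policy, else None."""
        key = self._policy_key(blob["pcrs"])
        if not hmac.compare_digest(hmac.new(key, blob["ct"], hashlib.sha256).digest(), blob["tag"]):
            return None  # platform configuration differs: refuse to release the data
        stream = hashlib.sha256(key + b"keystream").digest()
        return bytes(a ^ b for a, b in zip(blob["ct"], stream))


def measured_boot(tpm, stages, pcr=0):
    """Hash each boot stage into PCR[pcr] in load order; returns the final PCR value."""
    for stage in stages:
        tpm.extend(pcr, stage)
    return tpm.pcrs[pcr]


GOOD_STAGES = [b"bios-v1.0", b"bootloader-v2.3", b"kernel-4.1"]  # constructed stand-ins for firmware images


def demo():
    tpm = SimTPM()
    expected = measured_boot(tpm, GOOD_STAGES)          # reference value recorded by the owner
    blob = tpm.seal(b"disk-encryption-key", [0])        # secret tied to that configuration
    tampered = [GOOD_STAGES[0], b"bootloader-v2.4", GOOD_STAGES[2]]  # one byte of the bootloader changed
    results = {}
    for name, stages in [("good", GOOD_STAGES), ("tampered", tampered), ("reordered", GOOD_STAGES[::-1])]:
        tpm.reset()                                     # simulate a reboot: PCRs back to zero
        matches = measured_boot(tpm, stages) == expected
        results[name] = (matches, tpm.unseal(blob))     # (PCR matched reference?, unsealed secret or None)
    return results
```

Only the untouched boot sequence reproduces the reference PCR and gets the secret back; a one-byte change or the same stages in a different order both leave the data sealed.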

The Armor

So the Atmel TPM has some pretty cool weapons in its arsenal, but does it have any armor? The answer is yes it does!

FIPS 140-2 Certified

Atmel has dozens of FIPS 140-2 full module-level certified devices with various I/O interfaces, including LPC, SPI, and I2C. The TPM uses a number of FIPS-certified algorithms to perform its operations. These standards were developed, tested, and certified by the United States federal government for use in computer systems. The TPM’s FIPS-certified algorithms include RSA, SHA1, HMAC, AES, RNG and CVL (find out more details on Atmel’s TPM FIPS certifications here).


Active Metal Shield

The TPM has built-in physical armor of its own. A serpentine active metal shield with tamper detection covers the entire device. If someone attempts to penetrate this shield to see the structures beneath it, the TPM can detect this and go into a fault condition that prevents further actions on the TPM.

Why TPM?

You might be asking, “Why can’t all those functions just be done in software?” While some of the protections can be provided in software, software alone is not nearly as robust as a hardware-based system. That is because software has bugs, despite how hard the developers try to eliminate them, and hackers can exploit those bugs to gain access to supposedly secure systems. The TPM, on the other hand, stores secret keys in protected hardware that hackers cannot get access to, and they cannot attack what they cannot see.

The TPM embeds intelligence via an on-board microcontroller to manage and process cryptographic functions. The commands used by the Atmel TPM have been defined and vetted by the Trusted Computing Group (TCG), which is a global consortium of companies established to define robust standards for hardware security. Furthermore, the Atmel TPM has been successfully tested against TCG’s Compliance Test Suite to ensure conformance. Security is also enhanced because secrets never leave the TPM unless they have been encrypted.

With the battle for your data being an on-going reality, it simply makes sense to fight back with the heaviest artillery available. Combining all the weaponry and armor in one small, strong, cost-effective, standards-based and certified package makes the Atmel TPM the ideal cryptographic choice for your arsenal.

This blog was contributed by Tom Moulton, Atmel Firmware Validation Engineer.