As we turn the page on yet another year, the folks over at Information Is Beautiful have compiled an interactive infographic highlighting the biggest data breaches in recent history. You can scroll around to find out how, when and the magnitude of the each incident.
Whether it was, in fact, the “Year of the Breach” or the “Year of Breach Awareness,” 2014 shed light on IoT insecurities, device vulnerabilities and crippling cyberattacks. Financial institutions, big-box retailers, entertainment corporations and even government agencies all fell victim to an assortment of hackers over the past 12 months. From JPMorgan Chase and Sony Pictures to Home Depot and Staples, we’re taking a look back at some of the most devastating breaches of 2014.
According to The Washington Post, Chinese hackers are suspected of breaching the computer networks of the U.S. Postal Service, compromising the data of more than 800,000 employees.
What information was breached? The breach is believed to have affected not only letter carriers and employees working in the inspector general’s office including the postmaster general himself. The stolen customer information includes names, email addresses and phone numbers. In addition, the exposed employee data may include personally identifiable information, such as names, dates of birth, social security numbers, addresses, beginning and end dates of employment, emergency contact information and other information. No customer credit card information from post offices or online purchases at USPS.com were breached.
How did it happen? Sources said that the attack was carried out by “a sophisticated actor” who apparently was not interested in identity theft or credit card fraud.
When did it happen? Unnamed officials note that the attack was discovered back in mid-September. In its statement, the USPS said that other than employee details, information about customers who called or emailed the agency’s Customer Care Center between January 1st and August 16th of this year were accessed.
What are they saying? “It is an unfortunate fact of life these days that every organization connected to the Internet is a constant target for cyber intrusion activity. The United States Postal Service is no different. Fortunately, we have seen no evidence of malicious use of the compromised data and we are taking steps to help our employees protect against any potential misuse of their data,” explained Postmaster General Patrick Donahoe.
Not only were 56 million credit card numbers stolen from Home Depot earlier this year, investigators have now revealed that more than 53 million email addresses were exposed as well.
What information was breached? In addition to the previously disclosed payment card data, Home Depot has issued in a statement that separate files containing approximately 53 million email addresses were also taken during the breach. These files did not contain passwords, payment card information or other sensitive personal information.
How did it happen? According to the home improvement retailer, the hackers initially accessed its network back in April using a third-party vendor’s username and password. The hackers were able to acquire “elevated rights” that allowed them to navigate parts of Home Depot’s network and to deploy unique, custom-built malware on its self-checkout systems throughout both the United States and Canada.
When did it happen? The malicious software was active on Home Depot’s network between April and September of this year. In the wake of recent incidents, the retailer has added more encryption to its credit card payment systems.
Data security is becoming a virtual battleground — evident by the number of major data breaches that have broken out at retailers such as Target, Staples, Dairy Queen, Home Depot and EBay, at major banks such as JP Morgan, and at many other institutions worldwide. The recent spate of security viruses such as Heartbleed, Shellshock, Poodle, and BadUSB (and who knows what’s next) have been creating serious angst and concern. And, rightfully so. The question is what exactly should you bring to the cyber battleground to protect your assets? This question matters because everyone who is using software to store cryptographic keys is vulnerable to losing sensitive personal data, and today that is just about everybody. So, choose your weapons carefully.
Fortunately, there are weapons now available that are very powerful while still being cost-effective. The strongest data protection available comes from hardware key storage, which beats software key storage every time. Keys are what make cryptography possible, and keeping secret keys secret is the secret to cryptography. Atmel’s portfolio contains a range of innovative and robust hardware-based security products, with the heavy artillery being the Trusted Platform Module (TPM).
TPM
The TPM is a cryptographic device with heavy cryptographic firepower, such as Platform Configuration Registers, protected user configurable non-volatile storage, an enforced key hierarchy, and the ability to both seal and bind data to a TPM. It doesn’t stop there. Atmel’s TPM has a variety of Federal Information Processing Standards (FIPS) 140-2 certified cryptographic algorithms (such as RSA, SHA1, AES, RNG, and HMAC) and various sophisticated physical security counter-measures. The TPM can be used right out-of-the-box with standards-based commands defined by the Trusted Computing Group, along with a set of Atmel-specific commands, which are tested and ready to counter real world attacks.
The Arsenal
Platform Configuration Registers and Secure Boot
One of the important weapons contained in the TPM is a bank of Platform Configuration Registers (PCRs), which use cryptographic hashing functions. These registers can be used to ensure that only trusted code gets loaded at boot time of the system. This is done by using the existing data in a PCR as one input to a hashing function with the other input being new data. The result of that hashing function becomes the new PCR value that will be used as the input to the next hashing function with the next round of new data. This process provides security by continuously changing the value of the PCR.
As the PCR value gets updated, the updated values can then be compared with known hash values stored in the system. If the reference values previously stored in the TPM compare correctly with the newly generated PCR values, then the inputs to the hashing function (new data in the diagram) are proven to have been exactly the same as the reference inputs whose hash is stored on the TPM. Such matching of the hash values verifies the inputs as being authentic.
The PCR flow just described is very useful when enforcing secure boot of the system. Unless the hashes match showing that the code is, indeed, what it is supposed to be, the code will not be loaded. Even if a byte is added, deleted, changed, or if a bit is modified, the system will not boot. For secure boot, the data input to the hashing function is a piece of the BIOS (or operating system).
User Configurable Non-Volatile Storage
Another weapon is user-configurable, non-volatile storage with multiple configuration options. What this means is that the user is presented with several ways to restrict the access and use of the memory space, such as by password, physical presence of the user, and PCR states. Additionally, the memory space can be set up so that it can be written only once, not read until the next write or startup of the TPM, not written to until the next startup of the TPM, and others.
Enforced Key Hierarchy
The TPM also incorporates an enforced key hierarchy, meaning that the keys must have another key acting as a parent key (i.e. a key higher in a hierarchy) for that key to get loaded into the TPM. The authorization information for the parent key needs to be known before the child key can be used, thereby adding another layer of security.
Binding and Sealing Data
Another part of the TPM’s arsenal is the ability to bind and/or seal data to the TPM. A seal operation keeps the data contained (i.e. “sealed”) so that it can only be accessed if a particular pre-defined configuration of the system has been reached. This pre-defined configuration is held within the PCRs on the TPM. The TPM will not unseal the data until the platform configuration matches the configuration stored within the PCRs.
A bind operation creates encrypted data blobs (i.e. binary large objects) that are bound to a private key that is held within the TPM. The data within the blob can only be decrypted with the private key in the TPM. Thus, the data is said to be “bound” to that key — such keys can be reused for different sets of data.
The Armor
So the Atmel TPM has some pretty cool weapons in its arsenal, but does it have any armor? The answer is yes it does!
FIPS 140-2 Certified
Atmel has dozens of FIPS 140-2 full module-level certified devices with various I/O’s including LPC, SPI, and I2C. The TPM uses a number of FIPS certified algorithms to perform its operations. These standards were developed, tested, and certified by the United States federal government for use in computer systems. The TPM’s FIPS certified algorithms include RSA, SHA1, HMAC, AES, RNG and CVL (find out more details on Atmel’s TPM FIPS certifications here).
Active Metal Shield
The TPM has built-in physical armor of its own. A serpentine active metal shield with tamper detection covers the entire device. If someone attempts to penetrate this shield to see the structures beneath it, the TPM can detect this and go into a fault condition that prevents further actions on the TPM.
Why TPM?
You might be asking, “Why can’t all those functions just be done in software?” While some of the protections can be provided in software, software alone is not nearly as robust as a hardware-based system. That is because software has bugs, despite how hard the developers try to eliminate them, and hackers can exploit those bugs to gain access to supposedly secure systems. TPM, on the other hand,stores secret keys in protected hardware that hackers cannot get access to, and they cannot attack what they cannot see.
The TPM embeds intelligence via an on-board microcontroller to manage and process cryptographic functions. The commands used by the Atmel TPM have been defined and vetted by the Trusted Computing Group (TCG), which is a global consortium of companies established to define robust standards for hardware security. Furthermore, the Atmel TPM has been successfully tested against TCG’s Compliance Test Suite to ensure conformance. Security is also enhanced because secrets never leave the TPM unless they have been encrypted.
With the battle for your data being an on-going reality, it simply makes sense to fight back with the heaviest artillery available. Combining all the weaponry and armor in one small, strong, cost effective, standards-based and certified package makes the Atmel TPM cryptographic the ideal choice for your arsenal.
This blog was contributed by Tom Moulton, Atmel Firmware Validation Engineer.
The recent string of major data breaches — including the likes of Target, Home Depot, P.F. Chang’s and Nieman Marcus — have spurred a 600% increase in the number of California residents’ records compromised by cyber criminals over the last year, the latest California Data Breach Report revealed.
According to the study, a total of 167 breaches were reported in 2013 – where 18.5 million personal records were compromised – an increase of 28% from 2012 where just 2.5 million records were stolen. To put things in perspective, that’s nearly half of the state’s population (38 million).
These figures experienced a large uptick following recent incidents involving Target and LivingSocial, which together accounted for 7.5 million of the breached records. Out of the incidents reported in 2013, over half (53%) of them are attributed to malware and hacking.
“Malware and hacking breaches made up 93% of all compromised records (over 17 million records). The LivingSocial and Target breaches accounted for the bulk of those records . In April, the online marketplace LivingSocial reported a cyber attack on their systems that compromised the names, email addresses, some birth dates and passwords of over 50 million customers, including 7.5 million Californians. In December, Target reported a hacking and malware insertion into its network that resulted in the theft of the names and payment card data of 41 million customers, including 7.5 million Californians,” the report noted.
Even by factoring out both Target and LivingSocial, the amount of Californian records illegally accessed last year rose 35% to 3.5 million.
“Data breaches pose a serious threat to the privacy, finances and personal security of California consumers. The fight against these kind of cyber crimes requires the use of innovative strategies by government and the private sector to protect our state’s consumers and businesses,” California Attorney General Kamala Harris said in a statement.
While California residents aren’t any more susceptible to data hijacking than others, the state law requires businesses and agencies to notify customers of any breach involving more than 500 accounts. This law led to the creation of the California Data Breach Report.
The last 12 months weren’t a fluke either. In fact, “These data breaches are going to continue and will probably get worse with the short term,” emphasized Jim Penrose, former chief of the Operational Discovery Center at the National Security Agency.
Aside from payment cards, which the Attorney General urged companies to adopter stronger encrypting and safeguard technologies, one of the most vulnerable sectors is the healthcare industry. Not only are a number of medical devices coming under siege by hackers, stolen health records are also plaguing the industry. Moreover, cyber thieves accessing unprivileged information can even be more harmful than other stolen data as it can be used for identity theft and fraud over a longer duration.
In 2012-2013, the majority of breaches in the healthcare sector (70%) were caused by lost or stolen hardware or portable media containing unencrypted data, in contrast to just 19% of such breaches in other sectors.
“By now, the problem should be obvious to anyone who is paying attention — data of any kind is vulnerable to attack by a wide variety of antagonists from hacker groups and cyber-criminals to electronic armies, techno-vandals and other unscrupulous organizations and people. The reason is simple. Yes, you guessed it: It is because data = money. To make it worse, because of the web of interconnections between people, companies, things, institutions and everything else, everyone and everything digital is exposed,” explained Bill Boldt, Atmel’s resident security expert.
To safeguard information and devices, authentication is increasingly coming paramount. As the latest incidents highlight, thinking about forgoing security in a design simply because that device isn’t connected to a network or possesses a wireless interface? Think again. The days of truly isolated systems are long gone and every design requires security. As a result, the first step in implementing a secure system is to store the system secret keys in a place that malware and bugs can’t get to them – a hardware security device like CryptoAuthentication. If a secret key is not secret, then there is no such thing as security.
Dating back to last December, a string of major data breaches have affected nearly every sector, including a number of today’s most notable brands. This infographic from DataBreachToday highlights some of the most significant breaches, based on what each publicly disclosed around the incident.
Evident by the surge in cyber crime, the world has become a serious hackathon with real consequences; and, unfortunately, it is likely that it’ll only get worse with the rise of mobile communications, cloud computing, and the growth of autonomous computing devices and the Internet of Things.
And, it appears that the general public is now cognizant of these threats, casting its doubts on the security of their data. With the growing number of breaches and vulnerabilities, a recent Gallup poll has revealed that Americans are more likely to worry about hackers accessing and stealing their personal information than any other crime, including burglary and murder. Specifically, 69% of these respondents claimed they frequently or occasionally fret over the notion of having their credit card information stolen by cyber criminals. These worries are justified, too. Over 25% of all Americans have experienced some form of card information theft, making it the most frequently cited crime on the infographic from Forbes below.
Security matters now more than ever, so why isn’t security a standard feature in all digital systems? Luckily, there is a standard for security and it is literally standards-based. It is called TPM. TPM, which stands for Trusted Platform Module, can be thought of as a microcontroller that can take a punch, and come back for more.
“You guys give up, or are you thirsty for more?”
The TPM is a small integrated circuit with an on-board microcontroller, secure hardware-based private key generation and storage, and other cryptographic functions (e.g. digital signatures, key exchange, etc.), and is a superb way to secure email, secure web access, and protect local data. It is becoming very clear just how damaging loss of personal data can be. Just ask Target stores, Home Depot, Brazilian banks, Healthcare.gov, JP Morgan, and the estimated billions of victims of the Russian “CyberVor” gang of hackers. (What the hack! You can also follow along with the latest breaches here.) The world has become a serious hackathon with real consequences; and, unfortunately, it will just get worse with the increase of mobile communications, cloud computing, and the growth of autonomous computing devices and the Internet of Things.
What can be done about growing threats against secure data?
The TPM is a perfect fit for overall security. So, just how does the TPM increase security? There are four main capabilities:
Furnish platform integrity
Perform authentication (asymmetric)
Implement secure communication
Ensure IP protection
These capabilities have been designed into TPM devices according to the guidance of an industry consortium called the Trusted Computing Group (TCG), whose members include many of the 800-pound gorillas of the computing, networking, software, semiconductor, security, automotive, and consumer industries. These companies include Intel, Dell, Microsoft, among many others. The heft of these entities is one of the vectors that is driving the strength of TPM’s protections, creation of TPM devices, and ultimately accelerating TPM’s adoption. The TPM provides security in hardware, which beats software based security every time. And that matters, a lot.
TPM Functions
Atmel TPM devices come complete with cryptographic algorithms for RSA (with 512, 1024, and 2048 bit keys), SHA-1, HMAC, AES, and Random Number Generator (RNG). We won’t go into the mathematical details here, but note that Atmel’s TPM has been Federal Information Processing Standards (FIPS) 140-2 certified, which attests to its high level of robustness. And, that is a big deal. These algorithms are built right into Atmel TPMs together with supporting software serve to accomplish multiple security functions in a single device.
Each TPM comes with a unique key called an endorsement key that can also be used as part of a certificate chain to prevent counterfeiting. With over 100 commands, the Atmel TPM can execute a variety of actions such as key generation and authorization checks. It also provides data encryption, storage, signing, and binding just to name a few.
An important way that TPMs protect against physical attacks is by a shielded area that securely stores private keys and data, and is not vulnerable to the types of attacks to which software key storage is subjected.
But the question really is, “What can the TPM do for you?” The TPM is instrumental in systems that implement “Root of Trust” (i.e. data integrity and authentication) schemes.
Root of trust schemes use hashing functions as the BIOS boots to ensure that there have been no unwanted changes to the BIOS code since the previous boot. The hashing can continue up the chain into the OS. If the hash (i.e. digest) does not match the expected result, then the system can limit access, or even shut down to prevent malicious code from executing. This is the method used in Microsoft’s Bitlocker approach on PCs, for example. The TPM can help to easily encrypt an entire hard drive and that can only be unlocked for decryption by the key that is present on the TPM or a backup key held in a secure location.
Additionally, the TPM is a great resource in the embedded world where home automation, access points, consumer, medical, and automotive systems are required. As technology continues to grow to a wide spectrum of powerful and varying platforms, the TPM’s role will also increase to provide the necessary security to protect these applications.
Dairy Queen is the latest company to get hit by a security breach, confirming that nearly 400 locations (and one Orange Julius location) were compromised by Backoff malware in August.
How many victims? The credit and debit card systems of 395 Dairy Queen locations were infected with the infamous Backoff malware that has targeted retailers around the country, Dairy Queen said in a news release.
What information was breached? The affected systems contained payment card customer names, numbers and expiration dates. The company has no evidence that other customer personal information, such as Social Security numbers, PINs or email addresses, was compromised as a result of this malware infection.
When did it happen? While the time period for each store affected varies by location, some breaches began as early as August 1, 2014 and ended as late as October 6, 2014.
Atmel | Bits & Pieces 