Translate

Monday, 29 December 2014

Corporate Hacks, After The Massive Security Breaches in 2013, was 2014 any better?





Corporate Hacks, after all the disasters in 2013 why are they still happening?

2013 was an eye watering smorgasbord of cyber villainy, led perhaps by the monster sized Adobe hack. 152 million user’s details including credit cards, expiration dates and personal details where lifted from the Adobe servers.  The Target hack was a close second when 70 Million user’s credit card details were stolen directly from point of sale equipment.
So!  Did the corporate world learn from the 2013 tsunami of digital criminality?  Have companies rushed to install BlackBerry BES Servers to secure emails; were cyber risk assessments commissioned on legacy software? Were password protocols updated to include double authentication and monthly password changes? Was the practice of allowing personal, unmanaged computer equipment access to Company servers abolished?  Was third party access to corporate servers risk assessed? Has there been a widespread adaption of staff cyber security training Etc. etc…
Judging by the increasing level of reported cybercrime, NO it wasn’t. We have to ask why the hell not!
(Warning Anecdote)I recently had a conversation with a friend while helping her connect her new shiny consumer smart phone to a work email account.  I mentioned while doing the small amount of work necessary that the email server was unsecured.  She was unconcerned and asked why anyone would be interested in reading her emails.  It is a fair question I suppose.  I asked her if she sends (multi million pound) contracts by email, she said yes, of course.  I asked what would happen if she lost her phone.  She said that could never happen.  Unfortunately it happens quite a lot, there were 15,000 phones reported lost on the UK London underground alone last year, some from theft but most just left lying on seats.  I suggested that if she lost her phone then the finder/thief could put the financial stability of her company at risk, it’s a very simple fact!
The above anecdote is just that, an anecdote, but it helps paints a rather clear picture of the attitude of senior management in the corporate world.  The stock answer of “Who Knew” when the next big hack arrives is getting tedious.  The evidence seems to imply that senior managers appear to believe that data theft is an inconvenient truth to be covered up rather that a business threat

Is there a cost to cybercrime?

What is the cost of cybercrime? Is security important or is it just about a hygiene challenged kid in a basement getting his thrills by tweaking “The Man”? 
The actual figure is hard to pin down.  The purveyors of digital security would say over a trillion dollars per year.  I never believe people who judge their own case so I turned to the boring but diligent UK Government for an answer.  Apparently in the UK the cost of cybercrime is around £27Bn or $42Bn per year in the UK ALONE! The 2013 Target hack in the US will cost the company $127 Million and that’s before the court cases begin.
Since data moved from paper ledgers in the office to digital connected storage it has become far less secure.  Twenty five years ago we would put paperwork in a safe or a locked office and know that unless a guy with a crowbar broke in to the building information was safe.  No one except senior management was allowed to sign out paperwork (read data).  Now everyone with a smartphone or a laptop is a risk to business data.  The entire customer list of a business can be held on a smartphone.  Supply agreements can be held on a device, location history is stored so who went where to do business is easily found.  The loss of one smartphone containing a list of customers could destroy a company


What Is the Cybercrime State of Play 2014

So! What have businesses learned from 2013?  It appears nothing.  Below, in no particular order is a list of some of the bigger hacks that featured this year.

1.    SONY PICTURES

The attack on the film studio was so severe employees switched to pen and paper.  Sony also re-activated legacy BlackBerry BES and phones in order to send and receive emails through their own servers.

What was leaked?

Hackers obtained over 100 terabytes of data ranging from movies, employee passwords and credit card details to medical histories and executive salary details.

Who did it and how?

A group known as ‘Guardians of Peace’ or ‘GOP’ claimed responsibility for the attack. Fingers bizarrely have been pointed at North Korea, Sam Glines, who runs the cybersecurity company Norse. Said "It's clear to us, based on both forensic and other evidence we've collected, that unequivocally they (North Korea) are not responsible for orchestrating or initiating the attack on Sony.  Experts now say the likely attackers were helped by a Sony insider.  Alternate theories say the attack originated in the Russian federation.

The fallout

Ongoing

2.    APPLE iCLOUD

This one gained a lot of attention due to the sensitivity of the content that was released at the end of August.

What was leaked?

Hundreds of nude images of female celebrities obtained from Apple’s iCloud service and released on 4Chan.

Who did it and how?

A 4Chan user who referred to himself as “a collector” tried to sell the images privately before they were released.  Reddit became a primary source of distribution through the ‘TheFappening’ sub-reddit, which was subsequently banned by admins. Images were also shared on Twitter. Celebrity iCloud accounts are believed to have been accessed by using a combination of simple brute force password attacks and by answering basic security questions.

The fallout

Although Apple has tried to reinvent the word Hack (unauthorised access to a computer system) and steadfastly maintained it wasn’t hacked, there is no denying that the private content was obtained from its iCloud service. After the leaks, the firm did increase security.  So, we can take from Apples response that the iCloud is safe, but the content isn’t… hum! Okay
Apple now sends out notifications when requests are made to access the iCloud through a web browser or restore data to a device.

3.    JP MORGAN CHASE & CO.

America’s biggest bank was hacked.

What was leaked?

Details of 76 million US households and 7 million SMBs were compromised. Stolen data included names, addresses, phone numbers and email addresses.

Who did it and how?

Sources told Bloomberg that the origins of the hack could be traced back to cybercriminals located in Russia, and even pointed to a possible state co-ordinated attack. However, the perpetrators remain unknown.
The hackers are believed to have accessed an employee’s account and used flaws in one of the bank’s servers to use zero-day malware and gain access to the network and manipulate records.

The fallout

Ongoing

4.    THE GREAT CREEPY WEBCAM HACK
One of the creepiest hacks of 2014 came to light last month when it was revealed that live feeds from ordinary people’s webcams were being broadcast online.

What was leaked?

A Russian website called Insecam was found to be streaming live video from thousands of webcams (excluding laptops) in a huge invasion of privacy.
In the UK, around 584 webcams were originally available to view, (135 as of writing) including feeds from offices, factories and even a pub in Egham. At one point, children and babies could be seen sleeping.

Who did it and how?

According to Technical analyst Jaime Pepper "This hack was against webcams primarily from a company called Foscam that makes IP-based video cameras and there are several knockoff brands as well. The hack was from people not changing the default password of this and other major brands of IP cameras."

The fallout

The website is still up and running and provides a warning about networked cameras. Users of such devices are urged to make sure they use a secure password.

5.    EBAY

Ebay had one of the biggest breaches of all time, when data of all its users was stolen.

What was leaked?

Personal details including addresses, phone number and dates of birth belonging to all 145 million customers were stolen.

Who did it and how?

Cyber criminals are believed to have compromised a small number of employee log-in credentials. These were then used to gain unauthorised access to eBay's corporate network.

The fallout

eBay was criticised for telling users about the hack two weeks after it found out. However, despite sitting on news of the breach, the firm claiming there was no evidence of increased fraudulent activity.
All users were advised to change their passwords after the breach was made public.
The US states of Connecticut, Florida and Illinois joined forces to investigate the company’s security policies, along with the country’s Federal Trade Commission.
The UK data protection watchdog, the Information Commissioner’s Office (ICO), initially said it would launch a probe into the breach. However, after establishing eBay was registered as a data controller in Luxembourg, it told IT Pro no further action would be taken.
In other words possibly the biggest hack of all time had a fallout for eBay that is equal to NOTHING! 

6.    HOME DEPOT

The biggest retail breach to-date.

What was leaked?

The DIY super store group had 53 million email addresses and 56 million payment details stolen from its servers.

Who did it and how?

Unknown
The cybercriminals are believed to have one of Home Depot’s supplier’s credentials to access Home Depot’s network.  This was the same Modus Operandi used in the Target Breach last year.
Zero-day malware was then deployed on Home Depot's self-checkout systems in the US and Canada, which gathered customer payment details.

The fallout

Since the hack, Home Depot enhanced encryption of payment data in all US stores and pushed out EMV chip-and-PIN technology, which has been used in the UK since 2004.

What is the answer?

Businesses are being hacked daily, it’s a fact.  What should we do?
1.    Install BES12, the EMM gold standard to manage emails and devices.
2.    Train employees to recognise security issues, create appropriate sanctions for non-compliance. (Take control)
3.    Risk assess all systems rigorously, assume they will be hacked and take action to PREVENT.
4.    Spend money doing the above. 

  It's not pretty but it has the advantage of being relatively simple