Call to Confession: Companies Who Have Been Hacked, But Aren’t Telling

Data breaches are happening every day. Companies worldwide are losing large amounts of sensitive data to hackers, who can turn a pretty penny selling credit card numbers and healthcare information on the black market.

The problem here is, many of these companies are trying to keep their hacks out of the evening news, and this comes with major negative consequences for consumers.

When a company reports on a hack, the gears of remediation begin to turn. Associating banks will reissue credit cards to all those affected, and breach victims will be sent letters warning them to watch for any unusual activity on their accounts.

By not reporting on hacks, companies are basically denying their customers the right to defend themselves from credit card fraud.

Many companies are afraid to report on hacks, because they believe that what comes next is a drop in reputation, and a potential spending millions of dollars in remediation.

On the other hand, though, if they get caught not reporting a breach, it spells even more trouble. The media will drag their names through the mud and shame them publicly. And on top of the usual remediation costs, those companies will have to fork out even more moolah to cover the inevitable onslaught of lawsuits and fines.

Now, you might be thinking that you simply have to avoid getting caught, but staying off the radar isn’t as easy as you might think. Once the banks are able to determine your company was a common denominator for hack victims, a thorough investigation will be conducted, and your mismanagement will be brought to light.

"And I would have gotten away with it too, if it hadn't been for all those meddling banks and individuals noticing unusual activity on credit card spends!

“And I would have gotten away with it too, if it hadn’t been for all those meddling banks and individuals noticing unusual activity on credit card spends!

Simply put: the best solution for everyone involved is for you to notify the authorities as soon as you discover a breach.

Somehow, unfortunately, all of this is not enough to convince many organisations to come clean once they’re hacked, which has lead the US to introduce strict data breach notification laws, stricter than anywhere else in the world.

The US accounts for the most reported data breaches in the entire world.

Coincidence? I think not.

While many countries like Australia and Singapore have guidelines for data breach notifications, they don’t have any concrete laws making it compulsory to do so.

This makes it hard to get a read on just how bad the state of cybersecurity is in those countries. The situation might seem good on the surface, but for all we know, data breaches may be a rampant problem that needs to be addressed urgently.

Don’t Wait, Call Now

One way to think about the whole issue is that getting hacked is just one half of a problem. Many cybersecurity experts believe that all companies are at risk of getting breached, and it’s just a matter of time till yours is too.

The second half of the problem starts when you don’t report on a breach. You’re basically aiding the hackers in selling the data they steal, which will be used by other criminals to commit easy credit card fraud.

Don’t be the person who fails to report a breach. On top of the multitude of business-related reasons listed to report a breach, you owe it to your customers that they be given a head start in securing their sensitive data, before the threat of fraud comes around.

(Image sources: 1, 2)

 

Get Thee Behind Me, Hackers: 6 Consumer Technologies to Keep You Hack Free

It’s no secret that paying with a credit card now comes with the risk of having your card details compromised, but the good ol’ piece of plastic is still a key piece of technology that makes paying for things, and collecting revenue safe and easy. It’s not something we can expect to ever disappear. If there was an easier way to send our cold hard cash through the internet to make payments for online transactions, we would all already be doing so.

So how is an honest every day person supposed to avoid losing their personal information? A large number of consumer technologies have been developed to help you keep your credit card’s magic sixteen digits a secret. How safe are they, though? And are they more trouble than they are worth?

Chip and Pin (EMV)

If you’re doing a “Card Present” transaction which usually means shopping in a retail store, when paying always make sure the transaction is performed using the chip on your card (and if your card doesn’t have a chip – call your bank and demand one!). Chip transactions are secured at the source before any transmission occurs, so even if hacker have broken into the retailers computer network and are listening to every byte of network traffic within the retailers network, your card details will remain safe as only the bank can decrypt the details of the transaction and process it. Never let the retailer swipe your magnetic stripe. This can quickly lead to your details being stored somewhere that’s easy for hackers to steal, as proven countless times by the large number of US retailer hacks that have occurred over the last several years.

Apple Pay (and Other NFC Payment Methods)

NFC (near-field communication) is not a very new technology, but Apple is investing serious effort into trying to make it mainstream. Paying with NFC is as simple as placing an NFC-enabled device near a terminal to make a purchase, and it’s supposedly more secure than paying with a credit card.

After tapping your device on the credit card terminal, you will have to scan your finger or enter a passcode to approve the transaction. NFC payments are designed to be tamper-proof and protected by a unique digital signature.

So how secure is NFC payment? One mobile payment system known as CurrentC, which is backed by a large number of retailers like K-mart, Walmart and Target, was hacked while still in the beta testing phase. While Apple Pay and Google Wallet haven’t had any vulnerability issues to date, they’re not exactly seeing frequent use. But if history has taught us anything, hackers see terms like “tamper-proof” as more of a challenge than a restriction, and they aren’t the type to give up easily.

UPDATE: Fraud is already rampant on Apple Pay, although it’s technically not Apple’s fault. Still: not foolproof.

eWallets

What of online payments? How are we to stay breach-free when purchasing pants two sizes too small on the internet?

Just like how the only way to bend a spoon in the Matrix is to realize that there is no spoon, perhaps the only way to avoid your credit card being hacked is to have no credit card.

One solution is eWallets like Ecopayz and Matchmove which allows you to purchase prepaid pseudo-credit cards you can use to buy stuff online. All you have to do is sign up for a virtual card, top it up via online banking or at an ATM machine, and you’re good to go.

The downsides are that you don’t earn any perks or reward points for using these cards, and that they are pretty much limited to making purchases online. While you only stand to lose the amount you have topped up inside your prepaid card, we figure that these cards are more likely to be used by youths without credit cards looking to make online purchases than paranoid adults in tinfoil hats trying to stave off getting hacked.

Wallets with Data Safe Lining

As mentioned in this previous blog post, a very specific scenario was published where hackers could trick your chip-n-PIN card into approving transactions amounting to a million dollars, and the best part is your card never has to leave your wallet. Now, cards with RFID (Radio Frequency IDentification) can be scanned by hackers in a similar manner, where they can procure your personal information.

To combat this threat, wallets with Data Safe lining have been developed, one example being this stylish Dolcevita classic wallet. The lining blocks radio waves, much like how Magneto’s helmet protects him from all forms of psychic attacks.

Another alternative is using an Altoids mints tin, which accomplishes the same thing but at a fraction of the price. The downside is, well, you’re using a mints tin as a wallet- all the obvious drawbacks apply, like the sound of metal jingling with every step you take, or looking like you might be homeless.

Virtual Credit Card Numbers

Some banks, including CitiBank and the Bank of America, are offering virtual credit card number services for their customers. How this works is that you generate a new virtual credit card number which is tied to your actual credit card account, which you may use to shop online as-per-normal. You can even set a spending limit on the dummy card, which means that even if hackers manage to get your details they won’t be able to make any purchases that go beyond your spending limit.

However, this technology has not caught on. While it does sound like an ideal solution, there are some drawbacks. The biggest one is that you can’t use your virtual card for purchases like hotel room bookings or rental cars, because those companies will request to see your credit card upon arrival, and if the virtual number you used doesn’t match your real credit card number, it’s not going to end well for you.

Another problem with virtual card numbers is that using them makes returning purchases difficult, and when you top that off with the hassle of having to generate a new number every time you buy something online, it’s easy to see why many consider using this service a royal pain in the behind.

Pre-paid cards


Pre-paid cards are built along a similar concept to virtual credit cards and eWallet solutions. You may set up a rechargeable pre-paid card and charge it up periodically with just enough of a limit to cover your regular online spending activities. In a worst case scenario, you’ll be losing only a limited amount of capital. No need to worry about the adverse effects of having a large credit card limit.


The same limitations and hassles apply- No points/rewards system, and the frequent need to continuously top-up your card.

Many newfangled security methods seem to be catered for the data security equivalent of hypochondriacs. Research has shown that consumers are becoming increasingly jaded regarding data breaches (as shown in this blog post), leading us to believe that the average person probably isn’t all too worried about being the victim of a hack. Since your associated bank will (hopefully) pay you back for whatever you lose in a data breach, it almost seems like more hassle to stay secure than it is to simply lose your personal information and deal with the aftermath as it comes. In short, in this case, cure seems to be easier than prevention. Although, why not both?

Good consumer data security habits will never let you down. Keeping a vigilant eye on your credit card statements is something everyone should be doing, regardless of whether your wallet blocks radio waves or not.

Consumers aren’t the only ones with brand new tools to play with- keep an eye out for a follow-up blog post on what new toys hackers are playing with coming soon.

(Image sources: 1, 2, 3, 4, 5)

Cold-Blooded Hackers Take On Malaysian Airlines

Cold-blooded being a reference not only to the cruel nature of the attack, but the fact that the hacking group responsible for the attack go by the moniker ‘Lizard Squad’.

Jetsetters looking to buy tickets on the Malaysian Airlines website today won’t notice anything out of the ordinary, this is what the website looked like just 2 days ago:

The hacking group involved, Lizard Squad, has been responsible for other notable hacks of late, including taking down the XBox Live and Playstation Network online gaming platforms.

Most recently, they have even used their reptilian claws to compromise the 4th largest Twitter account in the world, belonging to Taylor Swift.

The attack on Malaysia Airlines is the textbook definition of what it means to kick someone when he’s down- the ‘404- Plane Not Found’ message being a very painful salt rub into the fresh wound that is the recent MH17 & MH370 tragedies.

While Malaysia Airlines claims that no data has been compromised, and BBC News reporting that the hack was nothing more than a simple DNS-switcheroo, Lizard Squad says otherwise, posting the following messages on their Twitter:

Why Malaysia Airlines?

Lizard Squad has claimed in the past that their hacks were done in order to spotlight security weaknesses in the XBox Live and Playstation Network platforms. Was the attack on Malaysia Airlines carried out with the same noble goal? Or was the attack orchestrated to garner attention for the group, attention they need to help sell their DDOS service ‘Lizard Stresser’? Or was it done simply, as the kids say, “for the lulz”?

Perhaps the only reason that matters is this- because they could. In a previous interview, a Lizard Squad member spoke out against companies which fell prey to their attacks, saying: “Not having people take down your business-critical systems like this should be one of your top security priorities. Which it clearly isn’t.”

There is a lot of evidence that supports the statement that many companies do not place data security as a priority. A Ponemon Institute study shows that only 22 percent of IT practitioners and end users believe their companies are placing a very high priority on data security.

And even companies that do attain certification for data security are quick to backslide- a separate study by Verizon shows that less than one-third of organizations had remained fully PCI compliant less than a year after being validated. Its a stark reminder that compliance does not equal security.

Hackers are renowned for going after low-hanging fruit, and will not hesitate to exploit security vulnerabilities in unsecured networks. It often matters very little who you are- if they can find an easy way in, they’re going to take it, and look around for anything worth taking.

Malaysia Airlines is just one of many companies to have fallen prey to one of many hacker groups out there, and they most certainly won’t be the last. But this breach serves as a grim reminder that no one is off limits to hackers, and that every company should make data security a top priority. Because in cases like these, you stand to lose a lot more than just money- your reputation is just as much at stake.

(Image sources: 1, 2, 3)

3 New Year Resolutions for Security You Can Actually Keep

New year resolutions are infamous for being hard to stick to, but that’s because people usually pick things that require changes way too drastic. Here’s 3 new year’s resolutions for Data security that you all can easily follow (and more importantly, stick to) that will immediately put you in a stronger posture to defend against a wide range of attack methods.

1. Lets fix passwords once and for all.

It’s an old movie and yet so easy to fix. Stop making excuses and download a password manager immediately.

Your master password doesn’t h@v3 t0 b3 s0 d1Ff1cU1t that you need to write it down. Simply take 4 random words you can remember and put them in sequence, e.g. “cupboard beagle pathway painting”. Why? Let this simple comic explain:

2. Lets actually install those software patches!

Zero day threats are real, but they aren’t the main reason why data breaches happen. Often it’s much older vulnerabilities going unpatched for months (or longer!) that contributed to a breach occurring.

Malware is one of the most common ways being used right now to steal data. Malware preys on unpatched software. Yet, many of us continue to use software that’s several patches behind. No wonder Malware is so effective.

So, when you’re asked to install a security update from a reputable vendor, do it straight away.

And if you’re a larger environment, setup a central notification mailbox for all vendor security alerts (or purchase a specialised platform to filter what’s relevant to your business) and assign responsibility to review vendor notifications every day with deployment follow-through and signoff. The key is for a skilled team member to take responsibility for each escalation to ensure it gets done right.

3. Let’s finally understand our data.

Most hackers don’t care who you are or what you do. What they’re interested in is what you’re storing and how they can profit from it.

It’s a quote we heard at every data security conference we attend, whether its Visa, Mastercard or the PCI Councils own events – Find out what you have that could pose a risk, where it all is, and who wants it.

A list of American credit card details up for sale on the black market

Are you inadvertently storing your customer’s credit card information? Is one of your employees storing unencrypted company passwords in a plain text file on his/her computer? Or maybe you have emails going back and forth with sensitive information that hackers might be interested in acquiring.

A simple risk assessment is not as difficult as you might imagine. Once you’ve found the problem, only then can you actually decide what action to take – delete it, encrypt it or redact it and start minimizing your risk.


While of course the deluxe suite of security requires a lot more effort and resources to ensure you’re as safe as you possibly can get, laying down the basic groundwork with these 3 steps should provide you with a good foundation on which to remove your organisation from the top 50% of likely victims.

As far as new years resolutions go, these are well within reach, and well worth the effort. In fact, why don’t you start right now?

This is by no means a definitive guide to data security – for clearer guidance on securing sensitive data, read the PCI DSS 3.0 and treat it as the minimum baseline.

2014 the Year of the Data Breach? Buckle up for 2015!

When 2013 came to a close, many referred to it as the ‘Year of the Data Breach’, a title which has since been passed down to 2014, in recognition of the even greater number of data loss incidents and records lost this past year.

For a quick summary, here are some of the largest and most noteworthy hacks of 2014:

Home Depot

A hack that went unnoticed for over five months cost Home Depot 56 million payment card numbers and 53 million email addresses. The hack played out in almost the exact same fashion as 2013’s infamous Target breach, whereby malware was installed on POS terminals to steal data when a payment card was swiped.

While consumer backlash has been significantly less than with Target (See: Another Major Retailer Hit By Data Breach: Does Anyone Care?), it has recently been reported that the DIY retailer now has to face down 44 lawsuits relating to the hack.

JPMorgan Chase

In September, one of the largest banks in America revealed to the public that the personal information of 76 million households and 7 million businesses had been compromised . The hack, which affected more than 50% of all households in the United States, was reportedly made possible due to lack of two-factor authentication on a server.

You may read more about the compromise here.

iCloud

Jennifer Lawrence, the most Googled celebrity of 2014, was one of the celebrities affected by the leak.

While not one of the biggest hacks of 2014, it was one of the most sensational. In August, hackers leaked nude images of many famous celebrities on the popular image board 4chan. Some of the celebrities affected include Jennifer Lawrence and Kate Upton, and the images have been circulating the internet since.

The images were taken from Apple’s iCloud storage, and further investigation revealed that the images were not taken due to a vulnerability in Apple’s systems, but rather that hackers conducted brute force attacks on the celebrity accounts to gain access to their private data.

The hack highlighted the risk of storing sensitive data on cloud storage sites, which many did not consider to be an issue prior to the hack. You may find out more about the hack here, or read more about the real-life dangers of cloud storage here.

Sony Pictures

This hack is still making waves as we speak, with nations and heads of state getting involved. Hackers stole unreleased movies, emails and personal information from the computer network of Sony Pictures Entertainment. GOP, the hacking group behind the attacks, seems more focussed on wreaking havoc within Sony than turning a profit. They have released sensitive email conversations between employees, put unreleased movies up for viewing on Bittorrent, and made threats to public safety if The Interview, a movie depicting an assassination attempt on Kim Jong Un, were to be screened in America. That didn’t stop the Canadians or 300 independent cinemas however.

A promotional image for The Interview, a movie which seems to have garnered even more attention for getting pulled from cinemas.

Data breaches will continue to increase

There was a 42% increase in targeted attacks from 2011 to 2012, and a 62% increase the following year. While there is not yet any data available on the increase in attacks over the past year, given the large number of hacks and the magnitude of records lost, it’s not going to be good news. While new technologies like the US adoption of EMV chip-and-pin may be positive steps towards better security for card-present retail transactions, many experts warn that no single technology is a silver bullet to stopping data breaches.

Plus, just as new data security solutions are created, new vulnerabilities are also being discovered; it’s an endless cat and mouse game between data security experts and hackers (See: Bash Exploit “Shellshock” Puts the Entire World at Risk).

Will it ever end?

Is it conceivable that every individual and business having personal information stolen from them is as likely as the common cold?

How many people actually think about the potential repercussions of downloading an app on the Google Play store? We’re not delusionally running around in tinfoil hats- the repercussions are real. Snoopwall recently revealed that all of the top 10 Android Flashlight Apps available on the Google Play Store contain some form of malware, allowing the creators to do anything from taking your pictures and videos to tracking your location.

The seemingly harmless Google Play listing for one of the flashlight apps alleged to contain malware.

In a corporate network environment, phishing email attacks will continue to be a very real threat in 2015, achieving a high success rate for harvesting data from inside a seemingly secure network. According to many of our partners who offer penetration testing services, a common victim during a pen test is a CEO or CFO clicking on malicious links within a test phishing email. (and these are people with privileged access to data)

And on a entirely different level, just think of the dangers many new wearable technologies pose- Google Glass. Smart contacts. Microchip implants. And perhaps scariest of all, Nick Percoco gave a great TED talk 2 years ago about the idea of hacking people’s thoughts using EEG devices. Hackers might soon be able to literally get under our skin and into our heads.

But back to the data security challenges of 2015, technology will continue to evolve and hackers are constantly finding ways to find and exploit vulnerabilities whilst the good guys continue to lag behind. Unless this changes (and we’re not holding our breath), 2015 is going to be another windfall year for the hacking community.

We’re only 5 days into the new year, and there’s a high likelihood that 2015’s early data compromises have already happened over the weekend just past. Unfortunately the victims probably don’t know it yet and will only come to find out weeks or months from now.

Your new years resolution: Do something – It’s better than nothing.

Your biggest IT security threat: Not doing anything.

So what needs to be done to cancel the data apocalypse? The solution is not a groundbreaking one- it all boils down to developers incorporating security into their software design from day #1, system administrators having a real understanding what sensitive data is stored or handled, and consumers being aware of potential risks, and taking necessary precautions.

If you’re interested in finding out more about what you can do to avoid contributing to the next data breach of 2015, check out this other blog post on 3 new year resolutions for security you can actually keep.

Have a secure 2015!

UK Retailers Clueless About Cybersecurity

UK retailers, you’ve all been misbehaving and should be placed on Santas naughty list this year.

According to a survey by Sophos, while 87 percent of retailers are confident that they have adequate security in place to protect customer data, 72 percent have failed to implement even the most fundamental of data security measures.

Here is a the whole list of statistics, which we’re sure some hackers are looking at while rubbing their hands and laughing maniacally:

  • 87 per cent of UK retailers are confident that they have adequate cyber security in place to prevent malicious data breaches

  • 72 per cent of UK retailers admit they have not implemented basic encryption security to safeguard business and consumer data

  • 14 per cent of UK retailers admit to not having the expertise necessary to implement basic cyber security measures

  • 40 per cent of UK retailers acknowledge they don’t know why they haven’t implemented basic cyber security measures

  • Only 2 per cent have a comprehensive unified threat management capability in place

  • 77 per cent rely only on perimeter-based protection such as firewalls and 33 per cent on anti-virus

  • Only 67 per cent of those who have fallen victim in the past have plans in place to further secure their IT system in the future

Some of you may be thinking along these lines: if everyone is equally insecure, then obviously hackers are going to go for bigger companies than mine. I’m not even on their radar.

There are two problems with that line of thinking. The first being, hackers do not always operate with a specific target in mind. Often they are simply scanning for vulnerabilities, looking for companies with weak defenses. If they find your network has an open door into it, they’re going to walk through and take a closer look for any sensitive data that’s easy to steal.

There are programs available that allow hackers to scan for systems vulnerable to the heartbleed exploit.

Secondly, are you really willing to gamble on that chance you won’t get hacked? What we I told you that, in the UK, the average cost you’ll have to pay when hacked is about £100 per record stolen?

While the costs for building and maintaining a secure network aren’t pennies, they are a fraction of what you’ll have to foot out in the event you suffer a data breach. A small business suffering a data compromise probably can’t afford the £50,000 – 100,000 in costs and fines for a small amount of data loss, and would struggle to stay in business. Add that with the loss of reputation you’ll suffer if the public ever finds out, and it’s easy to see how a larger data breach can easily cripple or destroy a company entirely.

We’re not really surprised to hear that UK retailers are nowhere near as safe as they think they are, though- we’ve seen the exact same behavior through our many years working in the data security industry and dealing with a wide range of clients of all sizes.

Often times, a client will almost dare us to find sensitive data on their systems, confident that we’ll find nothing that a hacker would want to steal. Unfortunately, it always ends the same way- we find hoards of data on their systems, and the IT manager or business owner is at a loss to explain how or why the data is there in the first place.

Ground Labs’ software has found 100 million records of cardholder data such clients before (multiple times actually), and often these are clients who were previously declared themselves PCI compliant.

The point is, it’s very possible that you are storing large amounts of sensitive data that would be a goldmine for hackers to find. Hackers can install malware very quickly, with experts now seeing 50,000 servers becoming infected in just a matter of hours. If you have no way of detecting them, they can simply take their time to find the jackpot they’re looking for. Alternatively, their malware could reside on your servers undetected for months, waiting for something more interesting and valuable appear.

Data discovery tools help greatly in this respect, because they not only give you a detailed report on what sensitive data you’re storing and where the data can be found, but also allow you to remove or safeguard the data to prevent hackers from having anything to steal. (If you’re interested to find out more, check out groundlabs.com for more information on our data discovery solutions.)

Don’t be one of the many unfortunate companies who think they are secure, but are actually far from it. Understand how safe you really are, and then start taking simple steps to increasing your security level. Don’t wait to get hacked before taking data security seriously, because by then it’ll already be too late.

What can we Learn from Sony’s Repeated Data Breaches?

By now, anyone with an internet connection or access to a newspaper knows that hackers are bringing the rain down on Sony. Multiple hacker groups are making wild threats to Sony’s management, and they have the bargaining chips to back up their demands.

The details aren’t important here- there are a million other articles out there which give very detailed play-by-plays of this data breach. What we are going to cover in this post is ways you can ensure that your company doesn’t have to suffer the way Sony is now.

One common saying in regards to data security is that getting hacked is inevitable- it’s going to happen to every organisation eventually, it’s simply a matter of when. What you do have control over is whether you can fix the vulnerabilities you had to prevent future hacks, and how much data you lose in the breach. Sony has suffered on both counts, and have found themselves falling victim to hacking multiple times.

A big IT security budget isn’t the solution.

Executives apologising publicly for the data breaches

Gizmodo reports that Sony was hacked repeatedly with the exact same attack methods in different divisions and network sectors. Hackers love going for easy targets, and as demonstrated multiple times, if the same organisation has multiple entry points, Hackers will gladly take a second and third bite of the apple if there is more to gain. However the alarming issue to consider here is, if Sony – a large global company with over 60 billion USD in annual revenue, 40,000 employees and a sizable IT security budget still suffered a breach: what does that mean for the rest of us?

The common theme were seeing across all breaches whether publicly reported or those known only within closed forensics industry circles is that spending large sums of budget on the latest and greatest technologies doesn’t prevent a data breach. Far more can be gained by getting the basics right first.

Its a case of understanding where to focus your efforts, and where you’re simply wasting your time, and you’re (often limited) budget.

Reducing Data Loss

nothing to steal

Breaking into a system is only half of a hacker’s job- they still need to be able to find the data they are looking to steal, assuming there is any. The Sony breach was reported to be incredibly easy for hackers to find the sensitive data they were looking for – apparently thousands of passwords were kept in a folder named “password”.

So what can we all learn from this? Well for starters, having an inventory of all the data you have that hackers might want to get their hands on is a big step in the right direction. This includes employee data, credit card numbers, and any other kind of sensitive data. After which, take measures to ensure that unnecessary data is properly disposed of, and sensitive data is encrypted. It sounds very troublesome, but we can assure you that it’s a lot less troublesome than dealing with a large-scale cleanup in the event you suffer a data breach.

It’s a hard knock life- Sony Pictures movies like Annie were leaked by hackers after yet another data breach

In this regard, Ground Labs’ Data Discovery Tools offer an easy and rapid way of reducing the likelihood of a data breach should intruders breach your defenses. For larger environments, Enterprise Recon helps prevent data loss by searching across your entire network for stored sensitive data including emails, databases and many more locations.

The entire process is quick, thorough, and not labor-intensive, leaving you time to run the many other important facets of your business.

Don’t just take our word for it- try out Enterprise Recon for free, and see for yourself how easy it can be to find and safeguard sensitive data on your own network.

Password Managers Now Hackable: Is Anything Sacred?

Passwords- what a hassle.

All the things that make a great password also make them a chore to type in- lots of characters, a mix of upper and lower-cases, strange symbols, and barely legible codes that are impossible to remember- plus I’m not supposed to use the same password across multiple sites? What?

Of course, just like how cup holders in cars were invented to meet a very real first world problem of drivers having nowhere to place their coffee or sodas while driving, password managers were created to take all of the fuss out of entering your password. But do they take all the safety out of it, too?

According to IBM Trusteer Researchers, a new configuration of the classic Citadel malware allows hackers to bypass your password manager’s defenses using a targeted approach.

When the malware detects the system is running password manager programs, it immediately begins keylogging. It does this in order to acquire master passwords which are required to view all the passwords stored in the programs. And the rest- including you- are history.

The new malware strain is designed to target password managers like Keepass.

As we like to say, safety and convenience are on entirely different poles. Easy (yet the most commonly used) passwords like abc123 are the least safe, and storing important files on the cloud is convenient but risky. Similarly, there’s no way that hackers wouldn’t notice that users are putting all their passwords in a single location, ripe for the picking.

This poses a huge security risk for organizations. Hackers could potentially send phishing emails to company employees, and by infecting their systems with the malware, acquire passwords used to access all kinds of databases, including the cloud, where companies are storing 33% of their data.

This really highlights the potent threat spear phishing continues to pose to organizations around the world. It doesn’t matter how many millions of dollars you spend on building a strong defense- spear phishing slips hackers right past those defenses. And it’s not even difficult to do so- on average, only 20-30 malware-infected emails have to be sent to a achieve a successful phish.

It’s easy to get caught up in trying to stay breach-free, what with the constant flow of news about the latest data security threats, and the frequent reminder that suffering a data breach is inevitable. However, it’s important to remember that you have other business priorities, and that there is a very basic step that you can take to defend against these threats: understanding your risk.

It’s about knowing what you have that hackers want, where it is, and who wants it. It sounds simple enough, but it really isn’t- shadow IT is becoming a large problem in many organizations, where employees are handling data in the most unsafe of ways.

The staff of a modern office in 2014 require data security awareness, and we’re not just talking about ground level staff, either- board members should be part of this too. 75% of companies surveyed had not trained their board members, which is a big problem. Now more than ever, board members must have a strong understanding of the importance of data security in order to be capable of asking the tough questions to C level executives about their corporate security initiatives.

Another effective measure recommended in the Verizon Data Breach Report 2014 is the implementation of two-factor authentication. 2FA stops this type of attack dead in its tracks, because a password without an accompanying OTP isn’t much good. A password attached to an account with 2FA is also worth nothing on the black market.

As for knowing what you have that hackers want and where to find it, that’s where Ground Labs fits into the picture. Our data discovery tools are designed to find the same things hackers want, with a slice of the effort required.

Data Recon can find over 95 types of sensitive data, including credit card numbers, health care records and personal information. It searches for all of that in a wide range of storage spaces, so you can efficiently cover all bases and know exactly what you have that hackers want, and where it all is.

Don’t just take our word for it: take Data Recon for a free trial and start understanding your risk.

Cloud Storage Forecast: Overcast, With Dark Days Ahead

Cloud storage is so convenient it’s not even funny. You have the potential to access all your files wherever there is an internet connection, and to people who were working with file-sharing and vast amounts of data 10 years ago, it might have sounded like some kind of mild superpower.

However, as a famous fictional character with superpowers often says, “with great power comes great responsibility”. But what if we told you that businesses around the globe are currently enjoying all of the power of the cloud, while bearing none of the responsibility?

The Ponemon Institute is back with another alarming study, this time focusing on the extreme vulnerabilities surrounding Cloud storage. For starters, IT professionals who took part in the global study estimate that 33% of their organizations IT and data processing needs are met by cloud resources, but 70% of them believe more has to be done to protect sensitive information on the cloud.

(See: Naked Celebrites Highlight Cloud Storage Risks)

Views are mixed on who is actually responsible for protecting sensitive data on the cloud; it’s an almost perfect 3-way split between the cloud provider, the cloud user, and shared responsibility.

We’ve had a personal encounter with a popular cloud service provider that further confirms the fact. Around 18 months ago, one of our team members had a conversation with a senior engineer at a popular cloud support provider. We asked them what they were doing about PCI compliance and who bears the responsibility of storing files that contain sensitive data. Their response was simple – “we’ve outlined in our terms and conditions that you shouldn’t be using our service to store sensitive information.” The problem with this is- how many people actually read their terms and conditions, and are aware of the risks?

This position from cloud providers is common, however it’s one that won’t hold up in the event of a compromise – the cloud provider’s brand and legal people will ultimately be pulled into the mess, regardless of what terms and conditions are stated on their website.

The Ponemon study also covers the threat shadow IT poses to cloud security. For the uninitiated, shadow IT is a term for IT systems and solutions built and used inside organizations without organizational approval. Currently, an average of 44% of corporate data is reportedly being stored this way, which is a big problem.

To further drive home the fact of how big a deal this is, 55% of IT professionals surveyed revealed that they are not confident they know all the cloud services used within their companies. How are IT security experts supposed to protect a company’s data if they don’t even know where all of it is?

You may read up on the full study here, but if you’re just looking for the highlights, here are the headliners:

  • 71% of respondents say it is more difficult to protect sensitive data in cloud computing environments using conventional security.

  • Only 38% said their organizations have clearly defined roles and accountability for safeguarding confidential or sensitive information in the cloud.

  • Only about 30% of companies actually use encryption to secure sensitive data in the cloud.

So let’s do a roundup- A third of all data is on the cloud, but it’s all mostly unencrypted, assuming they even know where all of the data is.

Sigh.

We had a round table discussion on how this whole mess can be rectified, and came to the conclusion that the key phrase here is structure. Because cloud technology is relatively new, many companies have yet to implement regulations for the safe storage of data on the cloud. Such regulations can include what can and can’t be stored, what requires encryption, and the accurate logging of where information is being stored.

But as French people from the 1700s probably know best, revolution does not come easy. While IT security departments have the technical know-how, they are helpless without the backing of company CEOs, who have the power and the responsibility to implement tighter guidelines for cloud storage usage. For the CEOs reading this who are still on the fence over whether to start a cloud security revolution, remember this: if any heads are going to roll for a data breach, the guillotine chops from top-down.

Morbid jokes aside, some proper encryption guidance and acceptable use cases for cloud data storage is something every organisation should take seriously. The most difficult aspect of the whole procedure is, of course, training staff to comply, and making sure that they actually do. This survey reveals that 93 percent of employees surveyed knowingly violate policies designed to prevent data breaches. Again, the burden of responsibility falls on company CEOs, who must make known how important it is that every aspect of data security, not just cloud storage, must be taken seriously by every single company staff member.

Back on the topic of safe cloud storage, Ground Labs’ Card Recon and Data Recon software tools can currently scan on Google and Amazon cloud storage locations, and will shortly offer capabilities for Dropbox, OneDrive (Office 365 online storage), Box and Azure. These tools offer a truth-revealing approach for IT security experts looking to find sensitive data on cloud platforms that are typically used by non-IT staff, and find data that the staff themselves might not even be aware they are storing illegally.

Both products are available to try for free and it takes less than a minute to activate. You can find more information about them on the Ground Labs website, including the vast number of storage locations they can search for over 95 types of sensitive data, such as health records and credit card numbers.

At any rate, a free scan of your cloud storage facilities is bound to be a better start to revealing your cloud risks vs searching each file on every cloud storage location manually.

Download your free cloud scanning software today.

Are Data Breaches Really a Global Problem, or Just America’s?

Google Alerts are awesome. You can easily set up notifications for keywords relevant to your interests, which are delivered straight to your email inbox. At Ground Labs, we are constantly monitoring a small handful of keywords relevant to data security, to stay on top of the latest news and trends.

However, we soon found ourselves being flooded with tens of emails daily for each alert, to the point where we had to change the alert settings to only receive email notifications once a day, instead of whenever data security news was broken. It comes as no surprise that even in the year 2014 (what year did we all start working on PCI?), companies all around the world are still not adequately protecting sensitive customer data.

But is data security really a worldwide epidemic, or is it only a prevalent problem in America?

Lets dive into this rabbit hole some more. Below is a screenshot of a Google Alert for the keyword ‘data breach’. We’ve marked every article with a country flag, based on which country the news revolves around. In the event that articles were not targeting any country specifically, we looked at the country audience the article was written for.

As you can see, within a 24-hour period, there were notifications for 1 Australian, 1 Canadian, 1 South Korean, and a whopping 30 American data breach stories. How about that.

It’s no surprise that American consumers are losing interest in data breach incidents in general, as covered in our previous blog post titled ‘Another Major Retailer Hit By a Data Breach: Does Anyone Care?’. Anyone would get bored reading 30 stories a day about how everyone from retailers to the Government are failing to safeguard sensitive data.

We think that America deserves a fair trial before we lay blame for being lax on data security, though. The verdict is really up to you to decide. Here are some prosecution points:

1. The Symantec Internet Security Threat Report 2014 states that in 2013, the United States was responsible for the loss of nearly 547 million records, making up 66.5% of all exposed records for the year. This year America has outdone itself though, with multiple large retail data breaches affecting Home Depot, Dairy Queen, JPMorgan Chase and more.

2. America is behind its global counterparts for card-present security – Obama only just ordered chip-and-pin technology in Government credit cards, when the technology has been available to over 100 countries, including all across Europe, since 2005.

And in their defense:

1. America has strict data breach notification laws in place that demand breached companies report the incidents publicly. Australia and Europe have data breach notification guidelines, but no concrete rule. Asia has strict notification laws, but does anyone know they exist? Companies in other countries might be facing the largest data breaches imaginable, but we would be none the wiser.

2. America might be winning by scale, but South Korea is worse off in ratio. While 50% of all American adults have had their data breached in the last 12 months (More about that here), the BBC just reported that over 80% of all South Koreans have had their personal data stolen, resulting in the country being forced to issue new identity cards to its citizens, an effort which will cost billions of dollars.

While we understand that Google Alerts may not be the most accurate measurement point (We only receive notifications in English, which skews the results a bit), it certainly can feel that America is always front and center whenever systems gets breached. More has to be done, and soon.

While the rolling out of chip-and-pin technology should greatly help in reducing storefront credit card information theft (the same year it was implemented in France, credit card data fraud went down 80%), that technology is still a little far away from being implemented across all across America until all terminals are changed over which is going to collectively cost merchants more than 2.5 billion dollars. In the meantime, companies are still required to secure any sensitive customer data being handled and should consider a simple yet effective approach – focus your efforts on finding and securing or eliminating customer data on your systems. It won’t matter how secure your system is, hackers can’t steal data if its no longer there.

Ground Labs’ Data Recon does just that, by searching systems for over 95 types of sensitive data, including healthcare information and personal identification and credit card numbers. Once found, you may simply mask, encrypt, quarantine or permanently delete unwanted sensitive data in a matter of seconds, leaving nothing for hackers to steal. It’s an essential layer of security that comes at an affordable price.

Take Data Recon for a free trial today by visiting our website here.

(Image source)