Sony Security Breach

Uncategorized | Posted by reneec
Jun 22 2011

Written by Ben Miller, CEH

Sony announced on Wednesday, April 20, that they were aware of their network services being down. Little did they know this would turn into one of the largest data breach fiascos in history. On May 14, Sony began bringing their network back online for customers in North America. News stories have been concerned all along with the number of credit card numbers stolen, but there is more at stake than just credit card numbers.

On April 26, Sony released a statement clarifying what had been breached on their blog.  Their statement included this:

“Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained.”

This constitutes a gold mine of information to use in any number of secondary thefts, such as credit card fraud and other forms of identity theft. All of this information can be aggregated and analyzed to form connections across many systems and used to provide entry points into further breaches.

The real-world data, the personal identifiers used for impersonation and fraud, is frightening enough when handed out amongst criminals; this is the sort of data that would be used for more personal, grudge-type hacks. Seventy-eight million accounts' worth of this real data is something that could be used for legitimate advertising and demographic purposes, the types of endeavors Sony uses it for. From a hacking standpoint, it might give me the information needed to pull off a high-stakes theft against a handful of users. There is a secondary market for this data, corners of the Internet where names, social security numbers and addresses are posted by hackers, and most likely it has already been sold.

The data that I would go after is the online identifiers: your email address, your PSN network name, password and security questions. From this you can glean a significant understanding of how a person sets up their online accounts. If you are like most people, you use one or maybe two standard usernames and passwords to keep everything connected. It is human nature to make things simple so that we are not burdened with extra “work” every time we log on to play a game, check a forum we read, or even view our bank statement. However, not being willing to do the “work” of separating our different levels of sensitive information is exactly what a hacker counts on. If you happened to be one of the seventy-eight million accounts compromised in these breaches, and if you used the same password for your PSN account and the email account you registered with, then the hackers now have access to that email as well. From that email they would be able to see which other websites are tied to it, such as your bank, your retirement fund, maybe your work logins. If you used the same email for two accounts, why not three or four? Not everyone will be affected in this manner, but the possibility is there for everyone who reuses a password.

Imagine this: Darren, an average PlayStation owner, uses his PlayStation Network account to play Call of Duty: Black Ops multiplayer. He also uses the network to watch Hulu and rent Netflix movies. To keep everything simple he uses his work email to access his account and as the recovery address if he forgets his password. His PSN handle is MedicDarren, and in our hypothetical situation he works at Hypothetical Hospital. Now we have a data breach, and the hackers have a pile of data to work with. They load MedicDarren’s information into a database, search it for medical terms, and group together all the email addresses and usernames that might be used to commit medical fraud of any kind. This data could be sold to a secondary market of individuals who target these types of people and businesses. These other hackers then isolate Darren’s email account as one that could be used to break into one of the systems at the local hospital. Darren uses a different password for his work email, as he has gone through security awareness training. However, the hackers also have access to Darren’s password recovery questions and answers, so they know his mother’s maiden name, his first pet’s name, and what city he was born in. If Hypothetical Hospital uses an automated password recovery system, the hackers would be able to use these answers to change his password, gaining access to a completely separate protected system. Once they have that, depending on the electronic medical systems in use at Hypothetical Hospital, they could reset his password again and harvest whatever patient information Darren normally has access to in the course of his work. The medical identity fraud begins, unrelated to but aided by a breach of the PlayStation gaming network.

This scenario isn’t far-fetched, and it could be happening and going unnoticed since the end of April. The “gamer” demographic is broad and reaches into every other industry. We’ve had a little more than a month to figure out how we as customers will react. We have had time to look at our own habits (or accounts, if we are PSN customers) and verify that we’re still safe. We all have to remember that when it comes to security, even multinational corporations are not going to protect us one hundred percent of the time. When it comes to Security – U R IT!


How Can You Protect Against Future Epsilon-Like Breaches?

Uncategorized | Posted by reneec
Jun 22 2011

Written by Renee Chronister, CEO

Everywhere you turn you hear of more victims affected by the Epsilon breach. Best Buy, Target, 1-800-FLOWERS and the list continues to grow. While Epsilon claims only names and email addresses were accessed, not financial information or anything profoundly compromising, you still can be victimized with the data that was leaked.

How? Well, names and email addresses offer hackers a nucleus from which to launch targeted phishing attacks. Those with malicious intent now have names and active email addresses to build a clever phishing attack: copy a legitimate U.S. Bank email, send it to a U.S. Bank customer, address it to them by name, and include a request for account information. Guaranteed, some will be fooled and hand their sensitive data over to hackers.

So how can you protect even the simplest of information? Well, when people ask me about security I have one answer: SECURITY. Let me break it down for you. When it comes to SECURITY: U R IT.

By taking the bull by the horns, you can mitigate risk on your end, understanding that after a certain point it truly is out of your hands. However, you can make an impact on the security of your data by conducting due diligence when it comes to your email marketing firm, insurance provider or other vendor with whom you do business. Here’s how:

Research: You can do this in a number of ways, but let’s start with what’s at your fingertips: Google. Find as much info (good and bad) about the vendor as you can to help you make an educated decision. Have they been the victim of a breach before? In this case, did you even know you were doing business with Epsilon? Apparently, they have a parent company, Allied Data Systems, that many were under the impression they were doing business with. Look at their past track record. Have they been subject to a security breach or careless use of customer data before? If so, how did they respond?

Check Company Website: Look for press releases and statements made regarding “mishaps.” Epsilon’s parent company, Allied Data Systems, has a statement on their website regarding the recent data breach that also lends insight into how they are handling it. This tidbit can be just as important as the breach itself.

Complaints, Judgments and Docket Reports: These are other means by which you can identify security breaches. They also spell out what is expected of the vendor going forward.

Third-Party Vendors: Do they use a third party to protect their data? If so, what due diligence did they perform on that vendor? Who is the vendor? What are the policies and procedures for handling, transmitting and storing such data? You have a right to know. What kinds of security policies does this vendor have in place, and what does that mean for your information? And are there any “dings” against the third-party vendor regarding information security?

Security Policies: What are your vendor’s internal and external security policies and procedures? Do they have any? If so what are they? If not, why not? How often are these updated? (This applies to third-party vendors as well.)

Employees: How about those handling your info? Are background checks conducted on employees? How about credit checks and drug testing? What are your vendor’s internal controls with regard to employees accessing your data? This too applies to third parties.

Compliance Record: While compliance does not equal security (did you catch that?), it does at least reflect baseline security measures to protect your information. Find out which industry and federal compliance requirements your vendor is required to meet and inquire about their compliance track record. Ask if they do more in terms of security than just meet the minimum requirements. (Again, this can pertain to third parties.)

Ask Around: Talk to people about their email marketing firms, insurance providers or other vendors you are considering doing business with. Word-of-mouth is one of the fastest ways to get answers, opinions and facts. Don’t be shy, ask.

So, while we can’t control every aspect of our information’s security, we can mitigate the risk with the things that are within our control, as mentioned above. You just may sleep better at night knowing you did what you could. As for vendors, we can only hope they start to follow your lead with SECURITY: U R IT.

Healthcare & Security: A Hacker’s Perspective

Uncategorized | Posted by reneec
Dec 27 2010

by Renee Chronister, CEO, Parameter Security

WikiLeaks. WikiLeaks. Everywhere I turn I hear about WikiLeaks followed by “What does that mean for healthcare?” Well…it means absolutely nothing for healthcare. I know you’re scratching your head right now going “huh?” Here’s why: healthcare has already outpaced other verticals when it comes to data security breaches, including government, by as much as threefold in 2010 alone according to a recent report issued by Identity Theft Resource Center. So to put it bluntly, healthcare is the winner when it comes to security breaches.

Here’s another heart-stopper. The latest Ponemon Institute study reveals 60% of healthcare providers had more than 2 security breaches in the last year with the average breach costing them $2 million. Whoa! It then goes on to state that 70% of hospitals say protecting patient data is not a priority. Biting my tongue! See previous paragraph.

Healthcare providers in the Ponemon study also say they lack resources, trained personnel, policies and procedures to safeguard patient records. 58% claim they have little or no confidence in their ability to protect records in their possession. Forget WikiLeaks, as a hacker, this is music to my ears.

So what this really means for healthcare is that something has got to change. Specifically, the mindset that data security is not a priority and that all I have to be is HIPAA compliant to be secure. Well, I hate to be the bearer of bad news, but I can’t tell you how many times I’ve hacked HIPAA-compliant healthcare providers. I guess telling your patients, personnel and anyone else affected by a data breach “I was HIPAA compliant” is better than “Data security isn’t a priority,” but I’m guessing it will still go over like a lead balloon.

So the real question here should be: How am I going to improve data security? The answer (and read carefully): SECURITY. Did you get it? When it comes to improving data security, U R IT.

From an ethical hacker’s perspective (thought it was time to add “ethical” so you could breathe a little easier), security is two-fold – Internal and External. So let’s start with some internal security measures.

Background Checks for Employment
Knowing who you are hiring can help mitigate security risks. Organizations need to ensure they work better to screen those who will be handling sensitive data.

Case & Point: University of Texas Medical Branch
Using a stolen identity to gain employment at UTMB’s medical biller, MedAssets, Katina Rochelle Candrick helped herself to up to 2,400 UTMB patient records.

Access & Permissions
Unless an employee needs access to sensitive data to successfully complete their job function, they shouldn’t have access. Levels of access control need to be implemented. Meaning, a receptionist/front desk person should not have the same access permissions to patient data, or any other sensitive data, that a doctor has.

Case & Point: Community Hospital of San Bernardino

Community Hospital of San Bernardino failed to prevent unauthorized access to 204 patients’ medical information by one employee. The same hospital also failed to prevent unauthorized access to three patients’ medical information by one employee in a separate incident.

Physical Security
Physical security is just as important as electronic security. You need a gatekeeper. In fact, all employees at your healthcare organization need to be gatekeepers. Don’t let just anyone wander into the office; question why they are there; do not leave laptops, or any other mobile device for that matter, unattended so that they grow legs; and create and put into place physical security measures to protect your fort.

Case & Point: AvMed Health Plan

More than 200,000 AvMed Health Plan subscribers’ sensitive personal information fell into the wrong hands after a pair of laptops were stolen from a conference room at the company’s corporate headquarters. The laptops contained current and former subscribers’ names, addresses, Social Security numbers and health information.

Creating & Enforcing Policies & Procedures
Creating security policies and procedures is necessary, and all employees need to be made aware of what these policies and procedures are. Once that happens, it is essential to ensure these policies and procedures are adhered to; otherwise it’s a waste of time and paper.

Case & Point: Cardinal Health
The buyer of a laptop sold on eBay contacted Cardinal Health to tell them the used laptop they had purchased online contained company information. According to Cardinal Health’s policies, data on decommissioned computers is to be securely deleted by their IT department and the machine then securely destroyed by a vendor. Instead, an employee in their IT department admitted he had neither properly destroyed the data nor sent the laptop to a third party for destruction and, in fact, had sold it on eBay.

End-User Security Awareness Training
Common sense isn’t so common anymore. Training employees on what sensitive data is and what it isn’t is a start, but training them on what can and can’t leave the premises, and when and how it can, is another story.

Case & Point: Keystone Mercy Health Plan & AmeriHealth Mercy Health Plan

A flash drive was taken to a community health fair by an employee of two affiliated Philadelphia companies, Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan, and then turned up missing. On this flash drive: 280,000 Medicaid recipients’ information, including names, addresses, personal health information and even social security numbers.

IT Staff Security Training
Sorry to burst everyone’s bubble, but IT doesn’t know everything. If they did, these backup tapes and disks would never have left the premises, let alone been left unattended in the IT guy’s car. Proper IT staff security training is essential to better lock down networks, wireless, mobile devices and more. These people can help or harm your data security just as the typical end user can.

Case & Point: Providence Home Services, a Division of Providence Health System

An IT employee was fired in connection with the theft of backup computer tapes and disks containing personal information and medical records on about 365,000 hospice and home health care patients. A Providence Home Services IT department worker took backup tapes and disks home as part of the home health care division’s backup protocol. The disks and tapes were stolen after they were left in the employee’s car overnight. The information on the disks and tapes included names, addresses, dates of birth, physicians’ names, insurance data, diagnoses, prescriptions, lab results, social security numbers and patient financial information.

Vendor Due Diligence
Just because a vendor can do something doesn’t mean they should. Again, knowing who you do business with is important because, even though you are using a third party, they do not assume complete liability for a security breach. You do. (U R IT)

Case & Point: South Shore Hospital & Archive Data Solutions
800,000 records containing sensitive personal, health and financial information were compromised when South Shore’s data management company, Archive Data Solutions, lost backup tapes containing copies of the hospital’s most sensitive databases, created between 2006 and early 2010. On these tapes were names, addresses, phone numbers, birth dates, social security numbers, patient health information and bank account data.

Destruction of Medical Records
Anyone heard of shredding? How about HIPAA compliance? When you are dealing with sensitive data, proper disposal of data files, electronic or paper, has to occur. You are ultimately responsible for that data.

Case & Point: Avalon Center
An Erie County worker tossing garbage into a dumpster discovered boxes filled with files containing Avalon patient medical records. The files included full names, addresses, social security numbers and diagnosis information, left in the trash for anyone to access.

Are you sick to your stomach yet? How about we look at some external security controls?

Penetration Testing
Knowing your weaknesses and remediating them is better when they are discovered before a hack instead of after. Even your best IT people can leave a hole in network security on a bad day, or because they are fighting the functionality vs. security battle. Regardless, identifying your weaknesses by emulating a real-world hack with a penetration test and fixing them before disaster strikes is better than becoming the next media headline.

Case & Point: Express Scripts
Express Scripts disclosed that unauthorized persons gained access to the personal and medical information of 50 million people. Express Scripts received an anonymous letter containing the names of 75 or so clients along with their birth dates, social security numbers and prescriptions. These extortionists threatened to disclose personal and prescription information if the company failed to meet their payment demands.

Website Security Assessment
Remember, your website is like a billboard in cyberspace advertising “Look at me. Look at me.” When a visitor wants to take it a step further, make sure it’s locked down. A simple website security assessment can show you the vulnerabilities that hackers take advantage of to deface your site, access your network and so on.

Case & Point: Virginia Health Professionals
Hackers broke into a Virginia state website used by pharmacists to track prescription drug abuse and deleted the records of 8+ million patients plus 35,548,087 prescriptions. They then defaced the site’s homepage with a ransom note demanding $10 million for the return of the records.

Social Engineering
Social engineering is where you hack the people. By manipulating the target, you gain admission to the sensitive data you wish to access. An assessment of this kind is excellent if you want to see whether your policies and procedures are actually in place and where human error can play a part in a security breach. It can be done onsite or remotely and really is telling of how easy it is to become the victim of a security breach. In the case below, hackers spoofed an email request from people legitimately working on a computer security upgrade of UCSF systems.

Case & Point: UCSF Doctor
A faculty doctor at UC San Francisco fell for an email phishing scam, opening up access to personal information on some 600 patients and others to hackers. The physician replied to a scam email seeking username and password information. The request was made to look like it had come from UCSF workers who were involved in upgrading security on UCSF’s computer system.

While this is only the tip of the iceberg when it comes to information security measures, I hope that when it comes to security one thing is clear: SECURITY.

Best Offensive Security Tools Survey 2010

Security Tools | Posted by Dave
Apr 08 2010

Like many security professionals out there, the Ethical Hackers at Parameter Security have on many occasions found ourselves browsing Fyodor’s Security Tools list (www.sectools.org). The last list came out in 2006, and since then a lot has changed in the InfoSec world of tools. We at Parameter have decided to continue the tradition and create a new survey for 2010.

Please help us by filling out the following questions.

Please Note:

  1. This is for offensive, not defensive, tools.
  2. We are looking for the best in the following categories. All fields (minus the reCAPTCHA) are optional; please list up to three of your favorite tools in each category. Several categories may apply to a single piece of software.
  3. All tools are allowed, commercial or open source. Please ensure you are spelling the tool correctly in order for your vote to count.
  4. You are more than welcome to vote for your own program, but we ask that everyone only vote once (Parameter reserves the right to disregard phishy submissions).
  5. The survey will be open until 6/1. Check back after then to find out the best tools.

http://www.parametersecurity.com/index.php/2010-survey.html