The Hacker Diaries

Written by Ben Miller, CEH

Sony announced, Wednesday April 20, they were aware of their network services being down.  Little did they know this would turn into one of the largest data breach fiascos in history.  On May 14, Sony began bringing their network back online for customers in North America.  News stories have been concerned all along with the amount of credit card numbers stolen but, there is more at stake than just credit card numbers.

On April 26, Sony released a statement clarifying what had been breached on their blog.  Their statement included this:

“Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained.”

This constitutes a gold mine of information to use in any number of secondary thefts, such as credit card fraud and other forms of identity theft.  All of this information together can be aggregated and analyzed to form connections across many systems and used to provide entry ways into more breaches.

The real world data, personal identifier used for impersonation and fraud, is frightening enough to be handed out amongst criminals, this is the sort of data that would be used for more personal grudge type hacks.  Seventy-eight million accounts worth of this real data is something that could be used for legitimate advertising and demographic usages, the types of endeavors that Sony uses it for.  From a hacking stand point it might give me the information needed to pull off a high stakes theft against a handful of users.  There is a secondary market for this data, corners of the Internet where names, social security numbers and addresses are posted by hackers, most likely it has already been sold.

The data that I would go after is the online identifiers: your email address, your PSN network name, password, security questions. From this you can glean a significant understanding of how a person sets up their online accounts.  If you are like most people, you use one or maybe two standard usernames and passwords to keep everything connected.  It is human nature to make things simple so that we are not burdened with extra “work” every time we log on to play a game, check a forum we read, or even view our bank statement.  However, not being willing to do the “work” of separating our different levels of sensitive info is exactly what a hacker counts on.  If you happened to be one of the seventy eight million accounts compromised in these breaches, and if you used the same password for your PSN account and your email account you registered, then the hackers now have access to that email as well.  From that email they would be able see that have other websites in them, such as your bank, your retirement fund, maybe your work log ins.  If you used the same email for two accounts, why not three or four?  Not everyone will be affected in this manner, but the possibility is there for everyone who reuses a password.

Imagine this:  an average PlayStation owner Darren uses his PlayStation network account to play Call of Duty: Black Ops multiplayer.  He also uses their network to watch Hulu and rent Netflix movies.  To keep everything simple he uses his work email to access his account and to use if he forgets his password.  His PSN handle is MedicDarren, in our hypothetical situation he works at Hypothetical Hospital.  Now, we have a data breach and the hackers have a pile of data to work with.  Using MedicDarren’s information they put it into a database of instances of medical words and group all the email addresses and username data together that might be used to commit medical fraud of any kind.  This data could be sold to a secondary market of individuals who target these types of people and businesses.  These other hackers then isolate Darren’s email account as one that could be used to break into one of the systems at the local hospital.  Darren uses a different password for work email, as he has gone through security awareness training.  However, the hackers also have access to Darren’s password recovery questions and answers, so they know his mother’s maiden name, his first pet’s name, and what city he was born in.  If Hypothetical Hospital uses an automated password recovery system, the hackers would be able to use these answers to change his password, getting access to a completely separate protected system.  Once they have that, depending on the Electronic Medical Systems in use at Hypothetical Hospital, they could reset his password again and be able to harvest whatever patient information Darren normally has access to in his normal course of work.  The medical identity fraud begins, unrelated, but aided by a breach into the PlayStation gaming network.

This scenario isn’t far -fetched, and could be happening and going unnoticed since the end of April.  The “gamer” demographic is broad and can reach into every other industry.  We’ve had a little more than a month to figure out how we as customers will react.  We have had time look at our own habits (or accounts if we are PSN customers) and verify that we’re still safe.  We all have to remember that when it comes to security, even multinational corporations are not going to one hundred percent of the time protect us.  When it comes to Security – U R IT!

No Comments »

Written by Renee Chronister, CEO

Everywhere you turn you hear of more victims affected by the Epsilon breach. Best Buy, Target, 1-800-FLOWERS and the list continues to grow. While Epsilon claims only names and email addresses were accessed, not financial information or anything profoundly compromising, you still can be victimized with the data that was leaked.

How? Well, names and email addresses offer hackers a nucleus from which to launch targeted phishing attacks. Those with malicious intent now have names and active email addresses to create a clever phishing attack by copying a legitimate U.S. Bank email and sending it to a U.S. Bank customer, addressed by their name, together with requests for account information. And guaranteed, some will be fooled and give their sensitive data over to hackers.

So how can you protect even the simplest of information? Well, when people ask me about security I have one answer: SECURITY. Let me break it down for you. When it comes to SECURITY: U R IT.

By taking the bull by the horns, you can mitigate risk on your end, understanding that after a certain point it truly is out of your hands. However, you can make an impact on the security of your data by conducting due diligence when it comes to your email marketing firm, insurance provider or other vendor with whom you do business. Here’s how:

Research: You can do this in a number of ways but let’s start with what’s at your fingertips: Google. Find as much info (good and bad) about the vendor to assist you in making an educated decision. Have they been victim of a breach before? In this case, did you even know you were doing business with Epsilon? Apparently, they have a parent company that many were under the impression of doing business with called Allied Data Systems. Look at their past track record. Have they been subject to a security breach before or careless use of customer data? If so, how did they respond?

Check Company Website: Look for press releases and statements made regarding “mishaps.” Epsilon’s parent company, Allied Data Systems, has a statement on their website regarding the recent data breach and lends insight into how they are handling it as well. This tidbit can be just as important as the breach itself.

Complaints, Judgments and Docket Reports: These are other means by which you can identify security breaches. They also spell out what is expected of the vendor going forward.

Third-Party Vendors: Do they use a third-party to protect their data? If so, what due diligence did they perform on the vendor? Who is the vendor? What are the policies and procedures in handling, transmitting and storing such data? You have a right to know. What kinds of security polices does this vendor have in place and what does that mean for your information? And, are there any “dings” against the third-party vendor regarding information security?

Security Policies: What are your vendor’s internal and external security policies and procedures? Do they have any? If so what are they? If not, why not? How often are these updated? (This applies to third-party vendors as well.)

Employees: How about those handling your info – background checks conducted on employees? How about credit checks and drug testing? What are your vendor’s internal controls with regards to employees accessing your data and so forth? This too applies to third-parties.

Compliance Record: While compliance does not equal security (did you catch that?) it does at least reflect low-level security measures to protect your information. Find out which industry and federal compliance requirements your vendor is required to meet and inquire out their compliance track record. Ask if they do more in terms of security than just meet the minimum requirements. (Again, this can pertain to third-parties.)

Ask Around: Talk to people about their email marketing firms, insurance providers or other vendors you are considering doing business with. Word-of-mouth is one of the fastest ways to get answers, opinions and facts. Don’t be shy, ask.

So, while we can’t control every aspect of our information’s security, we can mitigate the risk with the things that are within our control as mentioned above. You just may sleep better at night knowing you did what you could. As for vendors, we can only hope they start to follow your lead with SECURITY: U R IT.

No Comments »