Records Compromised in Data Breaches Skyrocketed in 2014: Research
Posted on February 16, 2015 by Kara Dunlap in Security
Security firm Gemalto released a report on 2014 data breaches recently and the news was not good.
In its latest Breach Level Index report, the company revealed that one billion records were compromised last year in more than 1,500 data breaches worldwide. Compared to 2013, those numbers are an increase of nearly 80 percent in terms of data records and more than 40 percent in terms of breaches overall.
Gemalto’s Breach Level Index calculates the severity of data breaches across multiple dimensions based on breach disclosure information. Among the notable attacks included in the report are the Home Depot breach, the attack on JP Morgan Chase and the attack on eBay.
“Easily at the top of the list in terms of the number of breaches was North America with 1,164 breaches, accounting for about three quarters of all breaches (76%),” according to the report. “Those attacks involved more than 390 million records, or 38% of the total.”
According to the data in the BLI, the main motive for cyber-criminals in 2014 was identity theft. Fifty-four percent of all data breaches were identity-theft related – more than any other category, including access to financial data. In addition, identity theft breaches accounted for one-third of the most serious incidents. Incidents where the compromised data was encrypted in part or in full increased from one percent to four percent.
“We’re clearly seeing a shift in the tactics of cybercriminals, with long-term identity theft becoming more of a goal than the immediacy of stealing a credit card number,” said Tsion Gonen, vice president of strategy for identity and data protection at Gemalto, in a statement. “Identity theft could lead to the opening of new fraudulent credit accounts, creating false identities for criminal enterprises, or a host of other serious crimes. As data breaches become more personal, we’re starting to see that the universe of risk exposure for the average person is expanding.”
Broken down by industry, retail and financial services experienced the most activity compared to other sectors. Retail companies saw an increase in data breaches compared to 2013, and accounted for 11 percent of all breaches in 2014, according to the report. However, in terms of data records compromised, the percentage of retail records jumped drastically, from 29 percent to 55 percent. This was due in large part to attacks on point-of-sale systems, according to the report.
In the case of the financial sector, the number of breaches remained relatively unchanged, though the average number of records lost per breach increased ten-fold. Overall, the number of data breaches involving more than 100 million compromised data records doubled compared to 2013. Most of the time, the malicious activity was traced to an outsider (55 percent), though 25 percent of incidents were tied to accidental loss. Fifteen percent were linked to a malicious insider.
“Not only are data breach numbers rising, but the breaches are becoming more severe,” said Gonen. “Being breached is not a question of ‘if’ but ‘when.’ Breach prevention and threat monitoring can only go so far and do not always keep the cyber criminals out. Companies need to adopt a data-centric view of digital threats starting with better identity and access control techniques such as multi-factor authentication and the use of encryption and key management to secure sensitive data. That way, if the data is stolen it is useless to the thieves.”
The full report can be read here.
Feedback Friday: Is North Korea Behind the Sony Hack?
Posted on January 9, 2015 by Kara Dunlap in Security
In late November, Sony Pictures Entertainment was hacked by a group calling itself Guardians of the Galaxy (GOP). What initially appeared to be another hacktivist attack, later turned out to be a sophisticated operation possibly orchestrated by a state actor.
The hackers’ activities came to light on November 24, when the computers of Sony employees started displaying an image of a skull accompanied by a warning message. In the following days, the hackers started leaking large amounts of information stolen from the entertainment giant’s networks. The leaked data included unreleased movies, private emails, the personal details of actors, financial and business information, and employee records (including medical information).
North Korea was named a suspect after investigators found similarities between this attack and others believed to be carried out by Pyongyang. Shortly after, the hackers told Sony to erase all traces of The Interview, a comedy about a plot to assassinate North Korean leader Kim Jong-Un. Sony initially called off the release of the movie because of the hackers’ threats, but later decided to go ahead with the release on Christmas Day, as planned.
Sony has avoided pointing a finger at North Korea. United States authorities, on the other hand, say they’re certain North Korea is behind the attack, but they haven’t provided any proof to back their claims, except for the fact that the attackers used IP addresses “exclusively used by the North Koreans.”
North Korea has denied being responsible, but officials admitted that it might be the work of supporters furious over The Interview. Last week, the US imposed new sanctions on North Korea in retaliation for the attack on Sony. On Wednesday, Director of National Intelligence James Clapper claimed that he dined with the North Korean general who Clapper says was responsible for overseeing the attack against Sony, during a secret mission to Pyongyang two months ago.
Everyone agrees that attribution is tricky. Some believe US authorities are jumping to conclusions, but others say the FBI surely has other evidence, which they might never share with the public, to back their claims.
This topic will be debated by a panel of experts and moderated by The Wall Street Journal’s Danny Yadron at the Suits and Spooks DC conference on February 4-5 at the Ritz-Carlton, Pentagon City.
And the Feedback Begins…
Jeffrey Carr, President/CEO, Taia Global, Inc:
“The evidence that the FBI believes it has against the DPRK in the Sony attack stems from the data that it received on the Dark Seoul attack last year from the private sector. The FBI, the NSA, and the private security companies upon which they rely for information believe that any attack linked to a North Korean IP address must be one that is government sanctioned since North Korea maintains such tight control over its Internet and Intranet. That is the FBI’s single point of failure because while that might have been true prior to 2009, it isn’t true any longer.
Access to those blocks is relatively easy if you go in through China, Thailand, Japan, Germany or other countries where North Korea has strategic connections.
It simply isn’t enough for the FBI director to say “We know who hacked Sony. It was the North Koreans” in a protected environment where no questions were permitted. The necessity of proof always lies with the person who lays the charges. As of today, the U.S. government is in the uniquely embarrassing position of being tricked by a hacker crew into charging another foreign government with a crime it didn’t commit. I predict that these hackers, and others, will escalate their attacks until the U.S. figures out what it’s doing wrong in incident attribution and fixes it.”
Joshua Cannell, malware intelligence analyst at Malwarebytes Labs:
“Many people continue to speculate about who was really behind the cyberattack against Sony Pictures. We know the director of the F.B.I. has made it publicly clear that North Korea was to blame, and the fact that he’s pushing to declassify that information should tell the world that they have solid evidence to back it up. If we weren’t living in a time where the ability to trust a U.S. Intelligence agency hadn’t recently been questioned during the release of incriminating N.S.A. documents, most people would have likely accepted the F.B.I.’s statement as fact long ago. It seems that by releasing more information, the F.B.I. is hoping to regain the confidence placed in U.S. Intelligence.
You have to look at some of the details leading up to the hack in November. North Korean officials called the release of The Interview ‘an act of terrorism,’ and there was a Facebook group sending threats to Sony Pictures months before the movie’s release. When that was shut down, actors continued to use other methods to communicate their threats, like e-mail. Finally, the threats came to fruition, and simply saying ‘it wasn’t us’ at this point doesn’t do much when all of the evidence points at them. There may have been others involved, that’s true, but that doesn’t change the conclusion of a lengthy federal investigation.”
Jay Kaplan, CEO of Synack:
“The security pundits that we’ve seen in the media disagreeing with the government’s assertion of North Korean attribution are ill-informed with conclusions that I believe to be fundamentally flawed. Even with the latest revelation of details tying North Korea to the Sony breach by “slipping up”, there is much more under the covers that the public is not seeing (and will never see as a result of classified sources.) Conclusions made by security firms after reviewing methodology, technical capability, and modus operandi are flawed given their non-complete picture of the situation at hand.
It is especially interesting to see how just a few months ago the world thought the government had too much information — the intelligence community was running rampant, too much data was being siphoned, and the integrity of our privacy was in question. Yet today, post-Sony breach, people are questioning the same government for coming to conclusions due to a lack of knowledge and perspective.”
Ken Westin, senior security analyst, Tripwire:
“It is difficult if not impossible for those of us in the private sector to verify the FBI¹s findings without access to the information they have.
However, I think it is important to note that in this latest statement they are tying their attribution case to IP addresses they say were exclusively used by the North Koreans. I think it is important to point out that Comey said they were IP addresses exclusively used by the North Koreans and not IP addresses in North Korea. The IP addresses that were issued to the public in their flash advisories were IP addresses that have been seen before and used for spam and command and control by other criminal actors. This was a key reason many in the security community were skeptical of the findings, as based on the evidence provided there wasn’t exactly a smoking gun and the information was vague and inconclusive.
I would like to give the FBI the benefit of the doubt and assume that they have additional evidence aside from just IP addresses, which I think they must if they have the level of confidence that Comey is claiming. The difficult part of that for the security community is trusting the FBI. Trust does not come easily to this group, as by nature of their profession they are paranoid and skeptical and want to see the evidence for themselves to establish the facts.”
Suits and Spooks DC: Not Just a Conference, a Collision. Washington DC, Feb 4-5. See the Agenda & Register Today |
Marc Gaffan, CEO & Co-founder of Incapsula:
“While we may never know the the motives behind the Sony Pictures attack, we’ve found that some attackers will publicly deny involvement, but leave breadcrumbs in an attempt to demonstrate prowess without taking the full brunt of public criticism. As for North Korea’s cyber espionage capabilities, despite the fact that their Internet capacity is less than half of the Falkland Islands, it would be foolhardy to equate a small Internet presence with a lack of skilled individuals working with or for their government.
Regardless of origin or motive, companies need to turn their focus to the blind spots in their organizations. Hackers will only continue to create more illusive and inventive ways to take down websites or steal information; our global networks see new methods every day. Sony Pictures learned their lesson, but will other companies? This remains to be seen.”
Michael Sutton, VP of Security Research, Zscaler:
“Attribution is hard. This is always the case when dealing with a cyber attack where IP addresses can be spoofed, proxies can be employed and digital weapons copied. Attribution is impossible when we don’t have all the facts. The FBI was surprisingly quick to finger the DPRK for the Sony attacks. Less than a month after the breach, the FBI confidently proclaimed that they had “enough information to conclude that the North Korean government is responsible for [the attacks]”.
Contrast that with the grand jury indictment of five Chinese Military officials charged last year with cyber espionage, a case which involved years of investigation. Why did the FBI move so quickly this time? Was it truly an open and shut case? Were there other political motivations for fingering North Korea? Without full transparency we’ll likely never know but we can presume that attribution was needed prior to retaliatory measures. Measures that have already publicly emerged in the form of US sanctions, but other more covert responses are no doubt also currently underway and unlikely to show up in the headlines.
Some have claimed that the DPRK did not have the means to conduct such a successful attack, but this is a country that has had an offensive cyber capability for many years and has shown a willingness to leverage it against foreign nations/companies. The Sony breach, while broad in terms of the damage caused, would not have required great sophistication if network admin credentials were indeed stolen and the target had poor internal controls to limit the reach of that individual’s network access. Given Sony’s poor history with previous attacks, including a 23 day DoS attack on the PlayStation Network in 2011, it’s not hard to fathom that internal security controls were lacking.”
Mike Tierney, COO at SpectorSoft:
“As the feeding frenzy around the possibility a nation was behind the Sony hack calms a bit, more and more credible experts are indicating that it is at least as likely that the hack and subsequent data dump were clearly designed to embarrass Sony. The fact that the tie between a pending movie release and the hack was originally made in news reports, and not by the hacker(s), lends some credence to the idea that there may be a more mundane, but all too common, perpetrator.
Very often, data leaks of this type stem from a disgruntled employee. Whether the source of their anger is specific, as in the case of a poor performance review or being passed over for a promotion, or more general, as in the case of rumored layoffs (which seem to be a possibility in the Sony case), disgruntled employees can and do present significant risk to organizations.”
Greg Martin, CTO at ThreatStream:
“The big issue with the Sony hack is that any “Security Expert” outside of the core investigation can claim an “alternate theory.”
This has been highly confusing to the public who have been hungry for more details which the FBI finally came out with. The FBI had clear evidence that they have some ‘smoking gun’ data showing the North Korean hackers were sloppy when setting up their social media accounts.
This is a common mistake made by many hackers – even the very sophisticated ones – and it’s one of the more common ways they get caught. My question to the ‘truthers’ is: why is that so hard to accept?”
Tal Klein, VP of Strategy, Adallom:
“The trouble with breach attribution is that smoking guns are hard to come by. A more concerning issue to those of us watching from the sidelines is that the initial attack vector has still not been discovered, and no breach containment announcement has been made thus far. That means we don’t know whether the attackers still have a foothold in Sony’s infrastructure or if there are more exfiltrated data dumps coming.
It is strange that the U.S. would rush to point fingers at North Korea, especially given that any recourse would doubtlessly punish the hapless DPRK proletariat more than government or military. Further, it seems obvious in hindsight that the FBI’s most recent revelations, as presented, would not quell detractors’ call for solid attributable evidence—so one wonders, ‘Why bother?’”
Lior Div, CEO and Co-founder of Cybereason, a MalOps protection company:
“When a company is attacked, it reduces the liability and blame of the attacked company if the public believes it is a nation state attack. This attack may have very well been done or aided by insiders, or other players, including North Koreans that are not nation state cyber attackers, but…certainly the legal and PR fallout for Sony will be less severe if it was believed the attack was state sponsored terrorism as opposed to a disgruntled insider.
From all that we’ve read so far, we haven’t seen significant hints for attribution to North Korea as a nation-state sponsored attack. The FBI stated that the attackers were negligent, leaving evidence that ties the attack to North Korea, but in my experience hackers with the capacity to exfiltrate the amount of data involved in the Sony attack are very far from being negligent. It is quite possible that any indicators pointing to North Korea were intentional, left or intentionally planted in order to mislead investigators.
So either the FBI knows things that were not shared with the media (possible) that clearly proves it in NK, or – somebody is leveraging it for his own political purposes. That includes the US government, Sony, the hackers…really, we may never know…”
Brendan Spikes, CEO, Spikes Security:
“Given the dangers of using the web today, is it not unreasonable to assume that any network can be breached by web malware trojans? This could surely include servers thought to be used exclusively by North Koreans. I wouldn’t be so quick to assume that someone intending to frame NK for the Sony attack could not intentionally leave breadcrumbs leading back to compromised NK servers.”
TaaSera CTO, Vice President and Founder, Srinivas Kumar:
“Attacker attribution requires reliable information to analyze how the breach was orchestrated internally, identifying the origin of the malicious code (supply chain), and finally tracking down the location of the attackers. The warrant required in a breach investigation to convict the cyber criminals must provide credible evidence as assurance that no evasion techniques were detected, including use of Tor networks, Fast flux DNS, and IP address spoofing. Further, for long duration and high volume data haul, determination of the corpus of actors by geo-location may be an authoritative assertion of the locality or distribution of the attackers.
Most investigations today that typically follow in the wake of high profile breaches rely on static geo-location markers for the network addresses and domain names linked to the security episode. The availability of cloud computing services, elastic IPs, Tor networks coupled with the dynamic domain name services, domain name and IP address fast flux warrant evidence beyond reasonable doubt to determine true actors (perpetrators).”
TK Keanini, CTO at Lancope:
“While attribution can be difficult in the physical world, it is incredibly tricky in the digital world. Not only are there effective tools to remain anonymous but there are equally as many tools to make it look like it is attributed to a certain source when it is actually another.
Conflict in simpler times was very symmetrical in that the red team versus the blue team but these days in the digital realm of the Internet, it is almost never that simple. an orange team can make it look like the red team is to blame for the attack on the blue team and from there it can grow even more complex. This asymmetrical pattern is the new pattern of cyber conflict and the sooner we all recognize it the better.
Ultimately there is an information layer that is adjacent to the physical world meaning at some point you do get back to a person or set of people who are behind the attacks. The synthesis and analysis that lead up to this is complex and not well understood by everyone. Those that understand the dynamics of information spaces are slow and cautious to point fingers as we have seen in the controversy around attribution the Sony Pictures attacks. Even when the culprit stands up, makes themselves known as the Guardian of Peace (GOP), law enforcement still struggles to ties it all back to the physical world where laws can be enforced.”
Ian Amit, Vice President of ZeroFOX:
“Attribution is always a dangerous game. Attackers leave plenty of red herrings to cover their footsteps and make following their trail next to impossible. This is exactly the case with Sony – a few lines of code or IP addresses indicate North Korea, making for a great story, but the actual attack could have come from anywhere.
In short, attribution is not a technology game, and trying to deduce attribution based on technical indicators is inherently flawed. If a hacker has deep access in the system, it is extremely easy to change the evidence in order to throw off the trail. What you find from a forensic perspective can mean a thousand different things all at once, based on little fragments of code here or there or the geographic location where an attack was routed though. All these red herrings mean is that attribution becomes political very quickly: any party can conduct their own analysis and come to a conclusion that suits their purposes, all supported by some pieces of incomplete technical evidence.”
Jason Lewis, Chief Collection and Intelligence Officer of Lookingglass Cyber Solutions:
“Attribution is an extremely complex challenge that requires the support of all forms of intelligence to include network, signals, physical, human, etc. In this case, let’s assume the attacker is highly skilled. A highly skilled attacker would understand that leaving false evidence would confuse investigators and lead them to conclusions that point away from themselves.
I view this scenario based on how I would compromise a target. First, I would be sure to have multiple launch points between my clandestine Internet connection and my target. That means I would chain multiple compromised hosts through a series of VPNs that encrypt all my traffic. If an investigator was able to trace from the target to my last launch point, they would only find evidence of my tunnel termination. All of my traffic would be passing through the host, never leaving a trace of my activity. If I was determined to frame a person or entity for my activity, I would certainly attempt to compromise a host on their network that was used by many other users, a proxy for example. My malicious traffic would be lost in the noise of thousands of other users.
Tracing activity back to me through my tunneled infrastructure may not be impossible, but it would be extremely difficult given that I’m focused on not being caught. If I accessed this network on multiple occasions, I would change the compromised hosts I used for my tunnels and never use the same combination twice. Every comment referencing attribution in the SONY attack introduces more questions.”
Don’t miss the upcoming panel “Sony and the DPRK: A Question of Attribution” at Suits and Spooks DC moderated by The Wall Street Journal’s Danny Yadron.
Until Next Friday…Have a Great Weekend!
Hacking Threatens Airline Safety: Aviation Chiefs
Posted on December 11, 2014 by Kara Dunlap in Security
Cyber crime is a serious threat to safety in the skies, aviation industry heavyweights said Wednesday, vowing to fight the growing scourge before it causes a catastrophic incident.
Hackers, cyber criminals and other “terrorists” are stealing information but in a worst-case scenario could endanger lives by tampering with airline systems.
Among the five organizations getting together to take action against hacking are the International Air Transport Association (IATA) and other bodies that signed a new cyber security agreement late last week, formalizing their front against cyber crime.
“Our common goal in developing this agreement is to work more effectively together to establish and promote a robust cyber security culture and strategy for the benefit of all actors in our industry,” said Raymond Benjamin, secretary general of the International Civil Aviation Organization (ICAO).
He added: “As technologies rapidly evolve and become more readily accessible to all, cyber threats cannot be ignored.”
“This is an important new area of aviation security concern and our global community will ensure that it is met with a strong level of commitment and response.”