Tag Archives: Cybersecurity

Dropbox employee’s password reuse led to theft of 60M+ user credentials

Dropbox disclosed earlier this week that a large set of user credentials obtained in 2012 was circulating on the dark web. But the number may be much higher than originally thought.

Credentials for more than 60 million accounts were taken, as first reported by Motherboard and confirmed by TechCrunch sources. The revelation of a password breach at Dropbox is an evolution of the company’s stance on the 2012 incident — the company initially said that user emails were the only data stolen.

Here’s the exact phrasing from the 2012 blog post:
A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.

Dropbox disclosed in 2012 that an employee’s password was acquired and used to access a document with email addresses, but did not disclose that passwords were also acquired in the theft. Because Dropbox stores its user passwords hashed and salted, that’s technically accurate: it seems the hackers obtained only the hashed passwords and were unable to crack them. But more appears to have been taken from Dropbox than was previously let on, and it’s strange that it has taken this long for the breach to surface.

According to a Dropbox source, in addition to the user emails initially disclosed in 2012, a batch of hashed passwords associated with those emails was also taken. At the time of the breach, Dropbox was moving away from the hashing function SHA-1, a standard algorithm at the time, and replacing it with the more robust bcrypt. Some of the stolen passwords were hashed with SHA-1, while 32 million were hashed with bcrypt, Motherboard reports. The passwords were also secured with a salt, a random string added to each password before hashing. A salt defeats precomputed lookup tables and forces an attacker to work on each hash separately, but it does not make an individual guess any slower; that is the job of a deliberately expensive function like bcrypt, which is why the SHA-1-protected portion of the dump is the weaker part. Even though these passwords have now been dumped online, it does not appear that the hash protections have been cracked.
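The migration the paragraph describes, from a fast salted hash to a slow, salted KDF, is usually done opportunistically: the plaintext is only available at login, so a legacy record is re-hashed the next time its owner signs in. The following is an added example written for this page, not Dropbox’s code. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 stands in for it; the record layout, function names and work factor are illustrative assumptions. The last function measures the per-guess cost of each scheme, which is the number an attacker holding the dump cares about.

```python
"""Added example, not Dropbox's code: password records stored under a legacy
salted-SHA-1 scheme and a slow KDF, verified through one code path that
upgrades legacy records on the next successful login.  bcrypt is not in the
Python standard library, so PBKDF2-HMAC-SHA256 stands in for it (assumption).
"""
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Assumed work factor; real deployments tune this to roughly 100 ms per hash.
PBKDF2_ROUNDS = 50_000


def hash_sha1(password: str, salt: bytes) -> str:
    """Legacy scheme: a single salted SHA-1.  The salt stops precomputed
    tables, but one guess still costs one SHA-1, so offline cracking is cheap."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def hash_slow(password: str, salt: bytes) -> str:
    """Replacement scheme: iterated PBKDF2 (bcrypt stand-in); each guess
    costs PBKDF2_ROUNDS hash operations instead of one."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS
    ).hex()


def make_record(password: str, scheme: str, salt: Optional[bytes] = None) -> dict:
    """Build a stored credential: scheme tag, per-user random salt, digest."""
    if scheme not in ("sha1", "pbkdf2"):
        raise ValueError(f"unknown scheme {scheme!r}")
    salt = salt if salt is not None else os.urandom(16)
    digest = hash_sha1(password, salt) if scheme == "sha1" else hash_slow(password, salt)
    return {"scheme": scheme, "salt": salt.hex(), "digest": digest}


def verify_and_upgrade(record: dict, password: str) -> Tuple[bool, dict]:
    """Verify a login against whichever scheme the record uses.

    Returns (ok, record_to_store).  A correct password against a legacy
    record yields a fresh pbkdf2 record so the caller can overwrite the old
    one; this is the only moment the plaintext is available, so it is the
    only moment a migration away from SHA-1 can happen.  The digest
    comparison is constant-time so the check does not leak how many
    leading bytes of a guess matched.
    """
    salt = bytes.fromhex(record["salt"])
    if record["scheme"] == "sha1":
        candidate = hash_sha1(password, salt)
    else:
        candidate = hash_slow(password, salt)
    ok = hmac.compare_digest(candidate, record["digest"])
    if ok and record["scheme"] == "sha1":
        return True, make_record(password, "pbkdf2")
    return ok, record


def guesses_per_second(scheme: str, n: int = 20) -> float:
    """Rough single-core offline guessing rate against one stored record,
    i.e. what an attacker holding the dump gets per core."""
    record = make_record("correct horse battery", scheme)
    start = time.perf_counter()
    for i in range(n):
        verify_and_upgrade(record, f"wrong-guess-{i}")
    elapsed = max(time.perf_counter() - start, 1e-9)
    return n / elapsed


if __name__ == "__main__":
    legacy = make_record("hunter2", "sha1")
    ok, stored = verify_and_upgrade(legacy, "hunter2")
    print(ok, legacy["scheme"], "->", stored["scheme"])
    print(f"salted SHA-1 : {guesses_per_second('sha1'):>12,.0f} guesses/s")
    print(f"PBKDF2       : {guesses_per_second('pbkdf2'):>12,.0f} guesses/s")
```

Run it and the two rates differ by several orders of magnitude on the same machine: that gap, not the salt, is what protects the bcrypt-hashed 32 million accounts better than the SHA-1-hashed ones. Records that never log in again never get upgraded, which is why a dump taken mid-migration contains both formats.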

In a November 2012 interview with Forbes, Dropbox CEO Drew Houston said the service had drawn around 100 million users, double the figure from a year earlier. The company most recently said it has 500 million registered users, though it won’t say how many of those are monthly active. If Dropbox had roughly 100 million users when the hack occurred, the breach covered a staggering three-fifths of its user base.

Hackers used an employee’s password, reused from the LinkedIn breach, to access Dropbox’s corporate network and steal the user credentials, sources said. So the fault doesn’t rest entirely on Dropbox, though it is still a breakdown of security standards within the company, and it shows how password reuse on a personal site can open a door into a corporate environment.

Dropbox has taken steps to ensure that its employees don’t reuse passwords on their corporate accounts, Patrick Heim, head of trust and security for Dropbox, told TechCrunch. The company has licensed the password management service 1Password for all employees, in an effort to encourage the use of unique and strong passwords. Dropbox also requires two-factor authentication for all internal systems, Heim said.

Given that Dropbox has continued to grow and there have been no colossal security snafus (that we know about), the company appears to have gotten by largely unscathed. Online cloud storage services are frequent targets for hackers because of the variety of content stored. One of the most prominent examples is the massive private celebrity photo leak of September 2014. Dropbox was not linked to that hack, and sources stress that the passwords in the 2012 breach do not appear to have been cracked.

And again, this happened in 2012, when Dropbox was still a young company (worth only $4 billion, compared to its $10 billion valuation now). Security breaches like this occur, though for Dropbox to be so light on the details can be frustrating given the necessity of transparency during security breaches.

Mobile ransomware use skyrockets, blocking access to phones

Kaspersky Lab has detected almost four times as many attacks on its Android customers compared to last year

The number of users infected with mobile ransomware is skyrocketing, as hackers try to expand the number of potential victims they can target.

Compared with a year ago, almost four times as many users are being attacked by mobile ransomware, security firm Kaspersky Lab said on Wednesday.

It’s a troubling trend. Ransomware has typically targeted PCs by encrypting the data on the infected machine and then holding it hostage in exchange for money.

The threat is that users who fail to pay the ransom will never get the data back. Hospitals, schools and police departments have all been major victims. But increasingly, hackers have begun focusing on smartphones.

Kaspersky looked at its own Android customers and noticed the spike. Between April 2015 and March this year, 136,532 of its users encountered a mobile version of ransomware, up from 35,413 in the year-earlier period.

Kaspersky customers in Germany, Canada, the U.K. and the U.S., in that order, were the top four countries affected by mobile ransomware.

The largest mobile ransomware family detected is called Fusob, Kaspersky said. It was responsible for 56 percent of the attacks during the year and targets Android users.

Victims unwittingly download it when visiting porn sites: Fusob masquerades as a multimedia player, called xxxPlayer, supposedly needed to watch the videos.

Once installed, Fusob can block all access to the device. Victims are told to pay between $100 and $200 in iTunes gift cards to remove the block.

Most of the victims have been located in Germany. The ransomware ignores devices whose system language is set to Russian or to several Eastern European languages.

Kaspersky noted that much of the mobile ransomware it detected doesn’t actually encrypt anything on the infected device. Smartphone owners usually back up their data to a cloud service anyway, so there is little point in encrypting it, the firm said. Instead, the ransomware blocks access to the phone: victims see a ransom note on the screen with instructions on how to pay, and cannot use the device until they pay or otherwise remove the lock.

Hackers are increasingly using mobile malware in order to expand the number of potential targets outside of PCs, according to security firms.

“In the end, they’re going to follow the money, and find what’s most effective,” said Christopher Budd, the communications manager with Trend Micro. He expects ransomware to continue to evolve and possibly target more Android-based devices, including smart TVs in the future.

To avoid ransomware, Kaspersky advises that users regularly update their software and back up all crucial files. Users should also be wary of downloading anything from untrusted sources and look into buying strong security software.

Tips on Training Employees on the Dangers of Cyberthreats

Unfortunately, no amount of training for your employees will prevent cyberthreats. If that were the case, those of us in the cybersecurity industry would be without employment. However, training to reduce the risk of cybercriminal activity is essential to a company’s bottom line. Without training and security measures we may as well leave the front door open at night with a sign stating, “Welcome all criminals.”

The total global impact of cybercriminal activity is expected to cost businesses over $2 trillion by 2019. This is larger than the cocaine, heroin, and marijuana trade combined.

Cybercriminal gangs are increasing by the thousands monthly, and why not? In comparison with other criminal activity (drugs, robbery, guns, etc.), cybercrime is much easier, more profitable, and less likely to land one in prison. While cybercriminal activity may be on the mind of our government here in the States, the argument can be made that it is not nearly as significant as it should be, and it certainly is not of concern to governments in the Far East. If you think the Russian government is overly concerned with locating small groups of hackers in basements ripping off Americans, you are mistaken.

We can place prevention products like a firewall and anti-virus on our network, as well as protection software like CryptoStopper.io, HackTraps and Carbon Black, but the first line of defense is training our staff.
Here are a few tips for educating employees about cybersecurity that are essential to business:
1. Create an environment open to discussion on cybersecurity.
In several workplaces, for whatever reason, many employees don’t feel comfortable with the IT staff and vice versa. This cannot be an issue. The staff must feel comfortable taking suspicious e-mails to IT, and IT departments must feel comfortable discussing recent threats with the staff. Do not have an environment of, “Sign this policy every year and be on your way.” Issues must be discussed. Never make anyone feel bad for bringing something they think is an issue to IT. Thank them for bringing a false alarm to your attention, or they may not bring a real one next time. Also, provide food. This always makes people happy.
2. Create a regular meeting to discuss various concerns on cybersecurity and make it worth employees’ time.
This may be met with groans at first, but if you make the content relevant, you will be surprised by how many people are genuinely interested in how to keep themselves, their friends and their family safe from cybercriminals at home. Keep it simple at first. Discuss how to keep their social media accounts safe, how to improve passwords, and interesting stories of individuals getting hacked (yes, in cybersecurity you actually do run into some pretty crazy stories).
3. Educate the staff to recognize an attack.
Training is essential prior to being attacked. Assume an attack will happen; what is the first thing that needs to be done? Teach employees what a suspicious e-mail looks like. Provide examples. What should be done if a suspicious e-mail is received? This all needs to be done in orientation for new hires and reviewed more than just once a year.
4. Send internal phishing campaigns.
A well-done phishing campaign can be 45% effective. Again, do not harass anyone who fails. I can promise you will have failures. Use this as a time to teach how to spot a fraudulent e-mail: are there spelling errors? Does the message not read the way this sender usually writes? Is it from UPS/FedEx when you are not expecting a package? Is the salutation vague and not personalized? All of these are signs of a phishing campaign. Teach employees to spot them, to confirm with the sender (if known) through a separate channel before clicking on anything, or to ask IT to analyze the message.
5. Lastly, and probably most simply, make sure employees are changing passwords frequently and storing them properly. (Current NIST guidance in SP 800-63B no longer recommends forced periodic rotation without evidence of compromise, because it pushes people toward predictable variations; a unique, strong password per account, kept in a password manager, matters more.)
I bet if you surveyed the office you would find many employees store passwords in a printed spreadsheet on their wall, or even worse in a spreadsheet on their desktop. I once encountered a situation where an employee had a spreadsheet on the shared drive on the server. You may laugh, but did anyone let them know this was a giant no-no? Of course not. The key is, don’t assume your head accountant, top salesperson, or even your CEO knows as much as you do.

Dozens of Malicious Apps on Play Store can Root & Hack 90% of Android Devices

It is no surprise that malicious apps keep turning up in the Google Play Store and luring users into installing them, but this case is worse than most people realize.

Researchers at Trend Micro have detected a family of malicious apps, dubbed ‘Godless,’ that has the capability of secretly rooting almost 90 percent of all Android phones.

Well, that’s slightly terrifying.

The malicious apps are distributed via different methods and a variety of app stores, including the Google Play Store, which is usually considered a safe source for downloading apps.

The malicious apps packed with Godless contain a collection of open-source or leaked Android rooting exploits that work on any device running Android 5.1 Lollipop or earlier.

90% Android Devices are Vulnerable to Godless Rooting Malware

The Android ecosystem is so fragmented and slow to deliver patches that around 90 percent of all Android devices are vulnerable to this malicious software. Godless apps have already been installed on more than 850,000 devices worldwide so far.

Rooting a device exposes a user to several security risks: root access bypasses the app sandbox and practically opens the door to unwanted access, device failure, data leaks and information theft if the developer has malicious intent.

Based on the source code they analyzed, Trend Micro researchers say that once an app with Godless malware is installed on a victim’s device, it uses a framework known as “android-rooting-tools” to gain root access to the victim’s device.

From there, the malware will make sure the victim’s screen is turned off before executing the malicious code.

Here’s what a Godless-Packed App can do to your Device:
Once Godless has gained root privileges, it starts communicating with a command and control (C&C) server, from which it fetches a list of apps to install on the rooted device and installs them without the user’s knowledge; all of this can be driven remotely.

“With root privilege, the malware can then receive remote instructions on which app to download and silently install on mobile devices,” Trend Micro says. “This can then lead to affected users receiving unwanted apps, which may then lead to unwanted ads. Even worse, these threats can also be used to install backdoors and spy on users.”

The researchers say the malware has the ability to bypass the security checks done by the Google Play store and other online app stores.

Although there are several apps in Google Play, including utility apps like flashlights and Wi-Fi tools and popular games, that contain the malicious Godless code, Trend Micro has identified only one such app by name.

Dubbed Summer Flashlight, the malicious app had been installed from 1,000 to 5,000 times, and was recently removed from the Google Play store, but it’s still listed in search engine caches for the time being.

Godless is the latest Android malware to use rooting exploits in order to gain a persistent foothold on victims’ handsets. According to Trend Micro’s figures, most victims are located in India, followed by Indonesia and Thailand (9.47 percent). The US also has around 17,000 Godless downloads.

“Unknown developers with very little or no background information may be the source of these malicious apps,” Trend Micro notes.

So, in order to avoid being a victim to one such app, Android users are advised to avoid using third-party app stores and always “review the developer” when downloading apps even from Google’s official store.

Enterprises may soon get FICO-like cybersecurity scores

This could become reality:

  • Fair Isaac Corp., the company that generates consumer-credit scores, purchased Michigan-based cybersecurity startup QuadMetrics Tuesday.
  • The company said it plans to use QuadMetrics’s predictive analytics and security-risk assessment tools to develop security scores for businesses.
  • The scores would help CIOs and other tech professionals measure their company’s online risks, including better understanding third-party risks.

“Just as the FICO Score gave credit markets a single metric for understanding credit risk, this product will give the industry a common view of enterprise security risk,” Doug Clare, FICO’s vice president of cybersecurity solutions, said in a statement.

QuadMetrics uses predictive analytics and data from various sources to generate a security score.

FICO has been investigating the cybersecurity area for a while now, and recently developed their Falcon Cybersecurity Analytics service. The company says the new service could also help manage cyber risk from third party vendors, a growing problem for enterprises.

“Some large enterprises are dealing with over 10,000 external vendors, suppliers and partners, and many compliance regulations now demand they have to gauge the risk of all of them and somehow remediate that risk,” Garrett Bekker, a cybersecurity analyst at 451 Research, told the Wall Street Journal.

A report released by the Ponemon Institute in early May found that the risk associated with third-party data sharing is growing, but the C-suite is not adequately prioritizing the issue. The report, sponsored by Shared Assessments, found that third-party vendors and partners can significantly increase the risk of cyberattacks or data breaches. As a result of “negligent or malicious” third parties, Ponemon researchers found that organizations spent an average of $10 million responding to security incidents.

The cyber insurance market could also use the score to assist in writing breach policies and managing portfolios. Though cyber insurance is a fast-growing market, there is not yet an industry standard for measuring a company’s risk.

US warns of hacking threat to interbank payment network

US regulators have warned banks about potential cyber attacks linked to the interbank messaging system.

The statement came two weeks after the Federal Bureau of Investigation sent a notice cautioning US banks after the hacking of Bangladesh’s central bank.

The FBI message warned of a “malicious cyber group” that had already targeted foreign banks.

In February, hackers stole $81m (£56m) from Bangladesh’s account with the Federal Reserve Bank of New York.

The hackers used the Bangladesh central bank’s Swift credentials to transfer money to accounts in the Philippines. Swift is the system banks use to exchange messages and transfer requests.

The hackers attempted to steal nearly $1bn, but several of their requests were rejected because of irregularities.

The Federal Financial Institutions Examination Council (FFIEC), a group of US banking regulators, issued a statement encouraging banks to check the security of their links with interbank messaging and payment systems.

The council said that following recent attacks banks should “actively manage the risks associated with interbank messaging and wholesale payment networks”.

The FFIEC said the statement was intended to alert banks to specific security steps that could protect their messaging and payment networks from “unauthorized entry”.

It warned that unauthorised transactions may subject the originating bank to losses and compliance breaches.

The Bangladesh central bank and Swift have blamed each other for the security shortfalls that led to the February hacking.

The FBI sent its warning to US banks on 23 May, telling them to pay particular attention to potentially fraudulent international transfer requests.

“The actors have exploited vulnerabilities in the internal environments of the banks and initiated unauthorised monetary transfers over an international payment messaging system,” the alert said.

The Bureau said it would not comment on these alerts, but a spokesman added: “The FBI routinely advises private industry of various cyber threat indicators observed during the course of our investigations. This data is provided in order to help systems administrators guard against the actions of persistent cyber criminals.”

Attorney Confidentiality, Cybersecurity, and the Cloud

There is a significant degree of confusion and lack of awareness about attorney confidentiality and cybersecurity obligations.  This issue is especially acute when it comes to using the cloud to store privileged documents.  A common myth is that storing privileged documents in the cloud is a breach of attorney-client confidentiality.  In other instances, many attorneys and firms are not paying sufficient attention to their obligation to protect the confidentiality and security of the client data they maintain.

Attorney Ethical Rules in the Digital Age

The general rules of professional conduct are written broadly, without specifically addressing privacy and cybersecurity issues.  Under Rule 1.6 of the ABA Model Rules of Professional Conduct, “a lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent.” Lawyers must “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

The application of this rule to digital technologies has been dealt with by resolutions and commentary.  Fairly recently, the ABA published Resolution 109, calling for firms to “develop, implement, and maintain an appropriate cybersecurity program.” And a few years ago, the ABA amended Comment 8 to Model Rule 1.1 (requiring “competent representation to a client”) to state that “a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” (The phrase “including the benefits and risks associated with relevant technology” is the added language.)

Attorney-Client Privilege in the Cloud

Is it ethical for attorneys and law firms to store privileged documents in the cloud?  After all, they are storing such documents on a third party’s computer.

This question has been a widespread concern, enough so that several state bar associations have issued guidance.  Their consistent conclusion is that it is ethical to store privileged documents in the cloud.  For example, according to the Pennsylvania Bar Association Formal Opinion 2011-200: “An attorney may ethically allow client confidential material to be stored in ‘the cloud’ provided the attorney takes reasonable care to assure that (1) all such materials remain confidential, and (2) reasonable safeguards are employed to ensure that the data is protected from breaches, data loss and other risks.”

According to the Florida Bar Association Opinion 12-3, “Cloud computing is permissible as long as the lawyer adequately addresses the potential risks associated with it.” The Massachusetts Bar Association Opinion 12-03 provides that lawyers “may store and synchronize electronic work files containing confidential client information across different platforms and devices using an Internet based storage solution” if they undertake “reasonable efforts to ensure that the provider’s terms of use and data privacy policies, practices and procedures are compatible with the lawyer’s professional obligations, including the obligation to protect confidential client information.”

The New York Bar Association Ethics Opinion 842 concludes that “a lawyer may use an online ‘cloud’ computer data backup system to store client files provided that the lawyer takes reasonable care to ensure that the system is secure and that client confidentiality will be maintained.”

Other state bars have reached similar conclusions.  The ABA maintains a page that tracks what state bars are holding on this issue.  Every state that has issued an opinion on the use of the cloud says essentially the same thing: using the cloud is ethical as long as reasonable care is taken.
In many situations, data stored in the cloud might have stronger security protections than when stored on the attorney’s or firm’s own network.  This is because some of the best cloud service providers have more sophisticated security practices and more robust technical and other resources to protect the data than a law office or firm.  For example, the Panama Papers breach at Mossack Fonseca occurred on the firm’s own network, which had numerous security vulnerabilities.

Attorneys don’t have a blank check to store anything with any third party.  There still are cybersecurity obligations.  According to widespread standards in other industries, there are certain essential practices when selecting and contracting with a cloud service provider.  The Pennsylvania Bar Association guidance notes that “reasonable safeguards” must be used “to ensure that the data is protected from breaches, data loss and other risks.”  What are such reasonable safeguards?  I will discuss that in the part below.

Confidentiality and Cybersecurity Responsibilities

Attorneys and law firms have significant confidentiality and cybersecurity responsibilities.   These typically involve using “reasonable care,” which is a standard grounded in common best practices and norms.  These standards are mentioned in various state bar opinions and guidance, as well as in data security regulation of other industries.

For example, the FTC cases on data security are useful to study to learn about common best practices across a wide array of industries.  The FTC typically enforces standards that are commonly accepted as the norm for reasonable security practices.  I have written about the FTC extensively in my article, The FTC and the New Common Law of Privacy, 114 Columbia Law Review 584 (2014) (with Woodrow Hartzog), and this piece includes a listing of the data security deficiencies that the FTC has identified as problematic.

I have written an earlier post about the cybersecurity risks that law firms face and about how a number of firms and attorneys need to step up their efforts to protect data.

State bars have also provided many useful examples.  Some of these include (1) eliminating metadata when documents are transmitted to adverse parties; (2) taking precautions when using public wireless connections to communicate with clients, such as using firewalls and encryption; (3) backing up data; (4) implementing audit logging to monitor who is accessing data; (5) having a data breach response plan; and (6) having a firewall on the firm or office network.

With regard to using cloud service providers, relevant responsibilities of attorneys include (1) performing due diligence in selecting a cloud service provider; (2) having an appropriate contract in place with the cloud service provider; (3) exercising good security practices on their own network and when accessing data stored in the cloud; and (4) engaging in continued monitoring of the cloud service provider to ensure that the provider is living up to its obligations.

Due Diligence When Selecting a Cloud Service Provider

Due diligence should involve examining whether a cloud service provider has:

  • adequate safeguards in place to maintain accessibility of data in the event of disasters
  • sufficient stability and resources
  • appropriate procedures to comply with a litigation hold
  • appropriate written policies and procedures to protect confidentiality and security
  • appropriate back up
  • appropriate security protections, including employee training, penetration testing, etc.

Appropriate Provisions in Contracts with Cloud Service Providers

Contracts with cloud service providers should require, among other things:

  • Ownership of the data remains with the attorney or firm, not the cloud service provider.
  • Attorneys must have adequate access to the data.
  • Data should be routinely backed up.
  • There should be an enforcement provision if the provider fails to meet its obligations.
  • The cloud service provider should provide reasonable and appropriate security protections.
  • The data is hosted in countries with sufficient legal protections of privacy and security and adequate rules regulating government access.
  • The data is returned in the event of termination of the contract.

Good Data Security Practices

Additionally, attorneys and support personnel have obligations for their own behavior when using cloud service providers such as being trained about data security best practices, use of strong passwords, safe practices when using public Wi-Fi, avoiding falling for phishing scams, and so on.

Ongoing Vigilance of Cloud Service Providers

Finally, attorneys or firms must continue to monitor any cloud service provider they use to ensure that the provider is complying with the agreement and to ensure that the provider is keeping up with new technological developments and protecting against emerging security threats.

The above are not exclusive lists, but are examples of some of the kinds of things that are encompassed by the duty to exercise “reasonable care.”

Conclusion

It is clear that attorneys and firms can use cloud services consistent with their obligations to maintain the confidentiality of client information.  Reasonable care must be exercised in the process, and that involves due diligence when selecting a cloud service provider, having the appropriate contractual provisions in the agreement with the cloud service provider, and continuing to be vigilant about how well the provider is living up to its obligations.

Daniel J. Solove is the John Marshall Harlan Research Professor of Law at George Washington University Law School and the founder of TeachPrivacy, a privacy awareness and security training company. He is the author of 10 books and more than 50 articles.  Thanks to Microsoft for its support of this piece.  All views in this piece are my own.

Looking to improve cybersecurity? Fire some CEOs

Great Article by Bill Siwicki

Running security and IT under a CFO or chief administrative officer is bound to be problematic because they typically lack a technology background. One expert’s alternative: Empower CIOs and all employees to innovate a culture of security.

There’s a big problem thwarting cybersecurity today and it has to do with people – those at the top specifically, according to Mansur Hasib, a cybersecurity professor at the University System of Maryland.

“Many executives have taken the view that cybersecurity is control of people, limiting people’s use, essentially telling people they are dumb, that they cannot use technology, that their ability to load software on their computers will be disabled,” said Hasib, who wrote the books “Cybersecurity Leadership” and “The Impact of Security Culture on Security Compliance,” and earned a doctorate in cybersecurity from Capital Technology University in Laurel, Md. “Most companies run IT and cybersecurity where IT professionals live in these hallowed halls and they do not share knowledge.”

As part of his doctoral dissertation on cybersecurity in 2013, in fact, Hasib conducted a national study across a wide swath of organizations in the U.S. and found that half of healthcare entities operate IT and cybersecurity efforts through non-IT officers such as the CFO or the chief administrative officer.

Further, one-third of healthcare organizations have no CISO and one-fifth have no plan to hire a CISO anytime soon. He said this is an enormous problem for healthcare cybersecurity today.

Hasib will speak at The HIMSS and Healthcare IT News Privacy & Security Forum, May 11-12, 2016, in Los Angeles, California.

“Anthem, which had the biggest security breach in healthcare, runs IT through its chief administrative officer,” Hasib said. “These executives, with their MBA backgrounds, have no clue about IT and security, so why is this person in charge of it? Yes, they have a CIO, but no real CIO should work for a CFO or CAO. If I am a CIO and I am not reporting directly to the CEO, then I am not a CIO.”

That problem starts in graduate schools, Hasib said, where the lack of focus on IT or cybersecurity is partially responsible for what London Business School researcher and professor Gary Hamel determined, which is that innovation and productivity in the U.S. are half of what they were in 1972.

Individuals and employees, on the other hand, are armed with greater access to technology than they have ever had. Today’s mobile phones and tablets, for instance, effectively democratize IT by putting it in just about everyone’s hands. As a result, the concept of technology run by a privileged few no longer works.

“That’s why there is a massive failure – the trust divide between executives and the common people,” Hasib explained. “Employees realize they do not have access or a role. But the reality is everyone handles data and technology, therefore the ultimate cybersecurity posture of any organization depends on people. Behavior of people determines ultimate success.”

Hasib learned about that massive failure when Anthem breached his own health data. And because of Anthem’s reporting structure, Hasib has a cure to the company’s cybersecurity woes that is blunt. “In order to improve cybersecurity, fire some CEOs,” he said. “If any CEO thinks their CFO can run their IT and cybersecurity, then that CEO does not belong in the CEO role.”

Hasib went on to say that the reason there has been such a decline in innovation in America – innovation by employees that is needed to bolster cybersecurity – is because Corporate America has put leaders on an anointed pedestal.

“We think authority is leadership, but it is not – knowledge is leadership,” he said. “Every one of us has some knowledge we can use to guide others in whatever it is we know. Leadership is guiding someone to a purpose, usually where that person wants to go. Management is forcing someone to go where you want that person to go. It is much better to inspire people and lead them to where they want to go.”

As such, any C-suite officer can inspire values in employees throughout an organization, values that in the case of cybersecurity can include, for example, loyalty, trust and innovation.

“A company that does not have the loyalty of the people in its organization will never have cybersecurity,” Hasib said. “Great companies have a culture where they allow people to take risks – and understand innovation by itself has risk.”

Hasib cited as an example a nuclear power plant he studied. Needless to say, safety was a value its leaders promulgated throughout the organization.

“There, safety is the culture,” he explained. “Every employee is incentivized. Their business is based on how many hours they can go without a safety incident. In healthcare, does any organization give incentives for how many days without data loss? You can certainly have a goal of zero data loss, that is easy enough. What if you rewarded people for that? Everything is negative today, and people are not excited about negative stimulus. Leaders should give people incentives and reward innovation.”

Cybersecurity must indeed be about continuous innovation, Hasib added. Without innovation, an organization will never have cybersecurity, and it’s people who create a culture of innovation.

Hasib will speak at The HIMSS and Healthcare IT News Privacy and Security Forum, May 11-12, 2016, in Los Angeles, in a session titled “Healthcare USA: How to Create a Human Firewall,” May 11 from 1:45-2:30 p.m.

Twitter: @SiwickiHealthIT
Email the writer: bill.siwicki@himssmedia.com

JOHN MCAFEE: I’ll decrypt the San Bernardino phone free of charge so Apple doesn’t need to place a back door on its product

Cybersecurity expert John McAfee is running for president in the US as a member of the Libertarian Party. This is an op-ed article he wrote and gave us permission to run.

Using an obscure law, written in 1789 — the All Writs Act — the US government has ordered Apple to place a back door into its iOS software so the FBI can decrypt information on an iPhone used by one of the San Bernardino shooters.

It has finally come to this. After years of arguments by virtually every industry specialist that back doors will be a bigger boon to hackers and to our nation’s enemies than publishing our nuclear codes and giving the keys to all of our military weapons to the Russians and the Chinese, our government has chosen, once again, not to listen to the minds that have created the glue that holds this world together.

This is a black day and the beginning of the end of the US as a world power. The government has ordered a disarmament of our already ancient cybersecurity and cyberdefense systems, and it is asking us to take a walk into that near horizon where cyberwar is unquestionably waiting, with nothing more than harsh words as a weapon and the hope that our enemies will take pity at our unarmed condition and treat us fairly.

Any student of world history will tell you that this is a dream. Would Hitler have stopped invading Poland if the Polish people had sweetly asked him not to do so? Those who think yes should stand strongly by Hillary Clinton’s side, whose cybersecurity platform includes negotiating with the Chinese so they will no longer launch cyberattacks against us.

The FBI, in a laughable and bizarre twist of logic, said the back door would be used only once and only in the San Bernardino case.

Tim Cook, CEO of Apple, replied:

The government suggests this tool could only be used once, on one phone. But that’s simply not true. Once created, the technique could be used over and over again, on any number of devices. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks — from restaurants and banks to stores and homes. No reasonable person would find that acceptable.

The government is asking Apple to hack our own users and undermine decades of security advancements that protect our customers — including tens of millions of American citizens — from sophisticated hackers and cybercriminals. The same engineers who built strong encryption into the iPhone to protect our users would, ironically, be ordered to weaken those protections and make our users less safe.

No matter how you slice this pie, if the government succeeds in getting this back door, it will eventually get a back door into all encryption, and our world, as we know it, is over. In spite of the FBI’s claim that it would protect the back door, we all know that’s impossible. There are bad apples everywhere, and there only needs to be one in the US government. Then a few million dollars, some beautiful women (or men), and a yacht trip to the Caribbean might be all it takes for our enemies to have full access to our secrets.

Cook said:

The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control.

The fundamental question is this: Why can’t the FBI crack the encryption on its own? It has the full resources of the best the US government can provide.

With all due respect to Tim Cook and Apple, I work with a team of the best hackers on the planet. These hackers attend Defcon in Las Vegas, and they are legends in their local hacking groups, such as HackMiami. They are all prodigies, with talents that defy normal human comprehension. About 75% are social engineers. The remainder are hardcore coders. I would eat my shoe on the Neil Cavuto show if we could not break the encryption on the San Bernardino phone. This is a pure and simple fact.

And why do the best hackers on the planet not work for the FBI? Because the FBI will not hire anyone with a 24-inch purple mohawk, 10-gauge ear piercings, and a tattooed face who demands to smoke weed while working and won’t work for less than a half-million dollars a year. But you bet your ass that the Chinese and Russians are hiring similar people with similar demands and have been for many years. It’s why we are decades behind in the cyber race.

Cyberscience is not just something you can learn. It is an innate talent. The Juilliard School of Music cannot create a Mozart. A Mozart or a Bach, much like our modern hacking community, is genetically created. A room full of Stanford computer science graduates cannot compete with a true hacker without even a high-school education.

So here is my offer to the FBI. I will, free of charge, decrypt the information on the San Bernardino phone, with my team. We will primarily use social engineering, and it will take us three weeks. If you accept my offer, then you will not need to ask Apple to place a back door in its product, which will be the beginning of the end of America.

If you doubt my credentials, Google “cybersecurity legend” and see whose name is the only name that appears in the first 10 results out of more than a quarter of a million.

DNI announces CTIIC leadership

Director of National Intelligence James Clapper has named a career FBI analyst and an Iraq War veteran to head up the cyber intelligence center that the White House ordered created after the massive hack of Sony Pictures Entertainment.

Tonya Ugoretz, the FBI’s former chief intelligence officer, will head the Cyber Threat Intelligence Integration Center. She has done stints at the CIA, Department of Homeland Security and National Intelligence Council, and is listed as an adjunct associate professor at Georgetown University.

Maurice Bland, who most recently was the National Security Agency’s associate deputy director for cyber, will serve as Ugoretz’s deputy. Bland has done two combat tours in Iraq and Afghanistan, according to his official biography.

Ugoretz and Bland could be talking face-to-face with President Obama following the next large-scale hack of U.S. assets.

Clapper also tapped Thomas Donahue, a nearly three-decade veteran of the CIA with a PhD in electrical engineering, as CTIIC’s research director. The center will “build understanding of cyber threats to inform government-wide decision-making,” Clapper said in a statement.

The White House announced the creation of CTIIC last February. It is based at the Office of the Director of National Intelligence, and is modeled after the National Counterterrorism Center in an effort to “connect the dots” on cyber threats. Michael Daniel and Lisa Monaco, respectively the top White House advisers on cybersecurity and counterterrorism, have been the driving forces behind CTIIC, according to an administration official involved in the agency’s standup.

CTIIC is meant to fill a void in the bureaucratic chain of command wherein Obama had no one entity to turn to for an all-source briefing on foreign cyber threats. That void became abundantly clear to White House officials after the digital destruction of Sony Pictures’ IT systems in November 2014.

The agency got off to a rocky start. House lawmakers were irked that they didn’t get a heads-up on its creation, and DHS officials were worried that the new agency might encroach on their own work.

But several months later, agency turf battles that appeared ready to unfold have been quieted, and there is agreement on Capitol Hill on the need for CTIIC, according to the administration official. The omnibus package funding the government this fiscal year includes money for CTIIC; the exact amount of funding is classified.

“CTIIC is vital because the foreign cyber threats we face as a nation are increasing in volume and sophistication,” DHS Deputy Secretary Alejandro Mayorkas said in a statement. “The CTIIC will help DHS better understand various cyber threats and provide targeted intelligence community support” to the department’s own cyber threat center.

Bland’s battlefield experience could come in handy, as there is increasingly a cyber dimension to kinetic war. A key to the “surge” of U.S. troops in Iraq in 2007 was an accompanying surge in cyber weapons that the NSA unleashed, as journalist Shane Harris reported in his book “@War.”

Bland’s LinkedIn profile touts his experience “leading numerous efforts regarding the organization of cyber units, policy, and authorities related to cyber operations.”