Cyberwars: The Month of Cyberattacks

The month of August has been a busy time for online security specialists, due to numerous cyberattacks being reported in quick succession. First came word that supermarket chain Supervalu had been hacked, followed by news of security breaches at one of the largest American medical groups, the Nuclear Regulatory Commission and then the UPS Store. In all cases, the intrusions led to the theft of millions of users’ personal data.

The worst of the lot appears to have been the massive cyberattack on Community Health Systems, one of the largest hospital chains in the US that oversees 206 hospitals in 29 states. According to the company, the intrusion led to stolen Social Security numbers, patient names, addresses, birth dates and telephone numbers of some 4.5 million patients. And as usual, the attack is believed to have had the backing of a foreign government.

This is the largest known attack to involve hospital patient information since the US government began tracking these types of data breaches in 2009. According to Elysium Digital data security expert Joseph Calandrino:

One possible goal of this attack is to facilitate future targeted attacks. The type of data that was stolen from the hospital system is often used to verify a person’s identity. The exposure of this data creates a risk that the hackers could leverage it to gain access to other accounts and information.

As is so often the case these days, it is believed the cyberattack originated in China. Security firm Mandiant, which investigated the breach in April and June, said the hackers belong to a group that targets crucial infrastructure, such as defense, engineering, financial services, and health care companies. It’s unclear if these hackers are affiliated with the Chinese government.

Various security experts have long accused China of waging a cyberwar on US government and private company websites. For example, a report that was released by Mandiant back in 2013 linked Unit 61398 of China’s People’s Liberation Army to a large number of cyberattacks on US soil. However, the Chinese government has flatly denied that it is involved in cyber-espionage or hacking.

Community Health Systems has since reported that it stopped the cyberattack by removing the malicious software used by the hackers and is notifying its patients of the breach. It has also been reported that the hack may have been facilitated by the Heartbleed bug, a flaw in OpenSSL that hackers can exploit to obtain encrypted data. The timing certainly seems apt, as the bug was revealed back in April and the attack took place between April and June.

However, this was merely one of several breaches that took place over the past few months. In addition to the CHS, UPS, and numerous major outlets, cybersecurity firm Hold Security identified what was arguably the largest known data breach in history earlier this month. In this attack, the Russian cybergang CyberVor allegedly stole 1.2 billion username and password combinations and more than 500 million email addresses.

With these latest attacks, it appears that large-scale security breaches carried out by individual hackers and sponsored by nation-states are becoming the new normal. And as these kinds of attacks become more common, cybersecurity experts are concerned that people may suffer from “alert fatigue”, where they will basically cease caring about, and no longer be aware of, breaches that affect them.

In addition, security experts would like people to keep in mind that there is a difference between a spike in activity and reporting on activity. Much like the problems of violence, teen sex and crime rates, there is likely a gap between an actual increase and the perception of one. As Lillian Ablon, a researcher for the RAND Corporation, explained:

Back during Operation Aurora [in 2009], when Google got hacked, Google coming out [in 2010] was a big step in the industry. Before that, companies didn’t really talk about being breached.

Legally, companies and government agencies are required to report security breaches to the public only when customer data is involved, and only in 47 states. Alabama, New Mexico, and South Dakota lack mandatory reporting laws, and few laws on the books extract penalties when a breach occurs. Still, whatever the magnitude of the number of security breaches, it’s also true that we are living in an increasingly uncertain world when it comes to keeping our data safe.

Naturally, public vigilance is a good policy, but it’s not exactly a solution. In the hacks at the Nuclear Regulatory Commission and Community Health Systems, the CyberVor attack, and the hack of the DHS, the attacks were suspected of coming from abroad. More and more, attacks are being staged from a location that is far removed from the source, and backed by third parties who are likely unknown.

Security experts believe that the eventual solution will require businesses to rethink how they operate, putting a much bigger emphasis on security. But the consequences of that could have global economic implications, if better security hurts competitiveness. In the short term, it means that customers who do business with companies that suffer security breaches will need to be that much more vigilant.

That means not reusing passwords for multiple accounts, using two-factor authentication when available, and keeping a close eye on bank statements and credit card activity. And as for the breaches themselves, there’s not much you can do except be prepared to hear about more of them, more often. For better or for worse, it is the age we live in, where big data means big data intrusion!

Sources: cnet.com, (2), (3)

Cyberwars: The Credit Card Info Stealing App

Want to steal someone’s credit card information? There’s an App for that! Yes, it seems that smartphones are the latest tool in the identity and info thief’s arsenal, just a few years after it was reported that laptops were being used to read people’s passports. And the worst part of it is, it can be done using a technology that is perfectly legal, and worse, was designed to make the life of consumers that much easier.

MasterCard calls the technology PayPass, while Visa calls it payWave. Simply wave your credit card over a sensor and you’ve made a transaction, without the hassle of having to remember or enter a PIN. But one of the unintended downsides is that it also makes it that much easier for a third party to steal your credit card information, and just as quickly and conveniently.

An investigative report was recently performed by CBC News and Mandy Woodland, a St. John’s lawyer who specializes in technology and privacy law. Using a Samsung Galaxy SIII, one of the most popular smartphones on the market today, the team downloaded a free app from the Google Play store to read information such as a card number, expiry date and cardholder name simply by holding the smartphone over a debit or credit card.

According to their report, a thief can simply walk by, pause and read the information through an unwitting person’s coat and wallet, and then the information can be sent to another phone. The entire process only takes five minutes to download the App, and just seconds to obtain the credit card info. After conducting the process with a team member’s credit card, they used the stolen information to buy a Coke.

Naturally, the process could be used to pay for gas, a new computer, or plane tickets to a vacation paradise! And as Woodland said in an interview with CBC:

It’s always a concern when a stranger could obtain my personal information and my banking and financial information just from a simple walk by, particularly the fact that that worked so quickly.

Furthermore, Michael Legary, who runs a security company called Seccuris Inc., claims they have investigated cases where phones paired with these apps were used to commit credit card fraud. Legary also claims that the app has become a tool for organized crime in Europe:

They don’t even need to talk to you or touch you, they can get information about who you are. That may make you more of a target for certain types of crime.

But of course, credit card companies would like their clients not to worry. In a written statement, Visa claimed that there have been no reports of fraud perpetrated by reading its payWave cards in the manner shown by the CBC. Citing the many layers of protection and identity security, Visa points to its record, which it claims shows historic lows of fraud. MasterCard similarly claimed that its customers are protected, specifically by MasterCard’s Zero Liability Policy. My only answer to that is, wait a while…

At the same time, Google has announced, in response to this investigation, that it would remove any app that violated Google’s developer distribution agreement or content policies. However, the app in question is still available on Google’s download site.

In conjunction with other forms of identity theft and RFID skimming, this latest revelation only adds to the growing concern that technologies which are designed for convenience are being abused to make our lives more harassed and insecure. It also raises an important issue about corporate security in the digital age.

Much like with internet security and hackers, there appears to be a constant back and forth between thieves and credit card companies, the one erecting more and more barriers of security and the other coming up with more elaborate ways to beat them. As for the rest of us, it seems we can only be vigilant. But if possible, it might be smart to purchase a Faraday pouch for your personal effects!

In the meantime, here is a demonstration of the credit card “skimming” at work.


Sources: CBC.ca, huffingtonpost.ca