Tag Archives: data security

Rental Cars Pose Data Security Risk

Did you know that renting a connected car may pose a security risk to your private information? When you connect your phone or mobile device to the car’s infotainment system, the car may store personal information such as GPS locations, call logs, your mobile phone number, or even contacts and text messages.

The Federal Trade Commission (FTC) recently released an alert on best practices to secure personal information when using rental vehicles. If you’re renting a connected car, here are some tips to keep personal and sensitive information protected:

  • Charging: Avoid connecting your mobile device via USB just for charging. It’s safer to use the cigarette lighter adapter to charge your phone. The USB connection might be transferring data automatically.
  • Permissions: If you connect to the car’s infotainment system, it should allow you to choose which types of information to access. Only give access to the information you want to use. If you’re playing music, the car doesn’t need access to your contacts list.
  • Delete Data: Make sure you delete your data from the car’s system before returning the car. Find the infotainment system’s settings menu. Locate your device and follow the instructions to delete it from the system.

Read the FTC’s alert here.

USB Related Cyber Attacks and How to Defend Against Them

We all love the “plug and play” convenience that USB ports and devices have brought to our digital lives. However, along with the ease of use come significant security risks. Keep reading to learn more about the threat, the types of USB-related attacks, and how to defend against them.

The Threat

The crux of the problem is that operating systems blindly trust any device connecting through USB ports. Current security relies on users’ knowledge of the USB device and their ability to decipher whether it’s benign or malicious which, as you are about to read, is not exactly the best line of defense.

A Simple Start to an Attack

The most common and simple type of cyber-attack related to USB begins with a rogue flash drive placed in an office, parking lot or break room where an unsuspecting employee is likely to find it. Research shows that when people find what appears to be a misplaced flash drive, the urge is to plug it in to identify who it belongs to so the drive can be returned.

Attackers count on people finding the rogue flash drive and connecting it to their computer. Some attackers will even label the flash drive – e.g. Corporate Layoffs, Corporate Salaries – to entice curiosity and increase the chance it gets connected to a computer.

Several Types of Attacks

USB devices can be loaded with malware so that when the unsuspecting user plugs in the device, their computer becomes compromised.

Attacks like BadUSB can modify the device to emulate a keyboard, install malware onto the computer, perform DNS spoofing, spy on the user, or even create a communication link to exfiltrate data.

All of the attacks using a USB device rely on attaching an unknown interface without the user’s knowledge. An interface is an internal function on the USB device. For example, a normal headset has interfaces for the speaker, microphone, and volume controls.

As identified earlier, operating systems inherently trust USB devices when attached along with all of their interfaces. Once all the drivers are loaded, all interfaces are granted access to the host computer. All this is to say, USB devices present an attractive attack vector for cyber-attackers.

One Way to Defend

It is tough to tell a good interface from a bad one. Aside from the human defense, USB packets are difficult to analyze. Enter USBFILTER – a packet-level firewall for USB.

A research paper detailing USBFILTER was presented at the USENIX Security Symposium. The USBFILTER software gives administrators the ability to set rules for how the interfaces on a USB device and the operating system interact with each other.

USBFILTER identifies which packets are coming from which interface. The operating system can use this software to prevent unauthorized interfaces from connecting. USBFILTER can also be used to limit what functions the interfaces can perform and which applications they may interact with.

Practical Examples

Here are a few practical examples of USBFILTER at work:

USB Headset

A typical headset has multiple interfaces, as mentioned earlier – speaker, microphone, and volume controls. This opens up the possibility of an eavesdropping attack using the microphone interface. Some companies might ban the use of these headsets to prevent such an attack.

With USBFILTER, administrators can set rules such that any incoming packets from the headset’s microphone are dropped. This means the headset’s microphone is disabled and cannot be enabled by users.

Disguised Keyboard

Many BadUSB attacks utilize devices that act as a Trojan horse: at first glance they appear to be a regular flash drive, but they secretly have other functions. Most of the time this secret function is a keyboard or mouse. Once connected, the device can send keystrokes to the computer and perform actions as the user.

With USBFILTER, administrators can whitelist the existing keyboard and mouse connected to the computer. This way, the computer will only run actions from the real keyboard and mouse and drop other packets trying to disguise themselves. Administrators can also configure it so that any packets other than storage functions are automatically dropped.

USB Webcams

Webcam attacks allow an attacker to exploit vulnerable applications to gain access to the user’s webcam. From there, the attacker is able to watch or listen to the area around the user’s computer.

Administrators can identify the webcam’s serial number so USBFILTER can recognize when other webcams are plugged in and prevent them from connecting. USBFILTER can also specify certain applications for the webcam to run on, such as Skype. So in practice, only the identified webcam can connect and turn on when the user is using Skype.

USB Charge-Only

Other BadUSB attacks allow the attacker to use a connected smartphone to perform DNS spoofing. When the smartphone is connected, it will automatically enable USB tethering and inject spoofed DNS replies to the computer. If all goes right, this results in a man-in-the-middle attack with the attacker gaining access to the computer’s network communications.

With USBFILTER, administrators can set rules such that any data packets to and from the phone are dropped, rendering the phone solely a charging device. Additionally, USBFILTER can designate a specific port on the computer to be used only for charging.
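The four scenarios above all come down to the same mechanism: a packet-level policy keyed on which interface (and which physical device and host port) a packet belongs to, with a default of drop. The following is an added illustration written for this page, not USBFILTER’s own code or rule syntax: it models a small rule engine over constructed USB packet metadata and encodes the headset, disguised-keyboard, webcam and charge-only policies. The device identities (vendor/product IDs, serial numbers, port number, the approved application name) are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# USB interface class codes as assigned by the USB-IF.
CLASS_AUDIO = 0x01
CLASS_HID = 0x03          # keyboards, mice
CLASS_MASS_STORAGE = 0x08
CLASS_CDC_DATA = 0x0A     # USB tethering / networking
CLASS_VIDEO = 0x0E        # webcams


@dataclass(frozen=True)
class UsbPacket:
    """One packet as seen by the host, with the metadata a packet-level
    USB firewall can attach to it (device identity, interface, direction)."""
    port: int                  # physical host port the device is plugged into
    vendor_id: int
    product_id: int
    serial: str
    interface_class: int
    direction: str             # "in" = device -> host, "out" = host -> device
    app: Optional[str] = None  # host-side process the packet is bound to, if known


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                # "allow" or "drop"
    match: Callable[[UsbPacket], bool]


# Constructed identities used by the policy (assumptions, not a real inventory).
TRUSTED_KEYBOARD = (0x1a2b, 0x0001, "KB-ASSUMED-0001")
TRUSTED_WEBCAM_SERIAL = "CAM-ASSUMED-7F3A"
WEBCAM_APPS = {"skype"}    # the only application allowed to open the webcam
CHARGE_ONLY_PORT = 4


def is_trusted_hid(p: UsbPacket) -> bool:
    # Identity includes the serial number, so a device cloning the VID/PID is still rejected.
    return (p.interface_class == CLASS_HID
            and (p.vendor_id, p.product_id, p.serial) == TRUSTED_KEYBOARD)


def is_approved_webcam(p: UsbPacket) -> bool:
    return (p.interface_class == CLASS_VIDEO
            and p.serial == TRUSTED_WEBCAM_SERIAL
            and p.app in WEBCAM_APPS)


# First matching rule wins; anything unmatched falls through to the default (drop).
POLICY: List[Rule] = [
    Rule("charge-only port: drop every data packet", "drop",
         lambda p: p.port == CHARGE_ONLY_PORT),
    Rule("headset: drop microphone capture", "drop",
         lambda p: p.interface_class == CLASS_AUDIO and p.direction == "in"),
    Rule("headset: allow speaker and volume control", "allow",
         lambda p: p.interface_class == CLASS_AUDIO),
    Rule("keyboard/mouse: allow only the whitelisted device", "allow", is_trusted_hid),
    Rule("unknown HID interface (disguised keyboard)", "drop",
         lambda p: p.interface_class == CLASS_HID),
    Rule("webcam: approved serial and approved application only", "allow", is_approved_webcam),
    Rule("flash drive: allow storage traffic", "allow",
         lambda p: p.interface_class == CLASS_MASS_STORAGE),
]


def decide(packet: UsbPacket, rules: List[Rule] = POLICY,
           default: str = "drop") -> Tuple[str, str]:
    """Return (action, name of the rule that decided) for one packet."""
    for rule in rules:
        if rule.match(packet):
            return rule.action, rule.name
    return default, "default"


def sample_packets() -> Dict[str, UsbPacket]:
    """Constructed traffic covering the four scenarios from the text."""
    headset = dict(port=1, vendor_id=0x0a12, product_id=0x0042, serial="HS-1")
    return {
        "headset_mic": UsbPacket(**headset, interface_class=CLASS_AUDIO, direction="in"),
        "headset_speaker": UsbPacket(**headset, interface_class=CLASS_AUDIO, direction="out"),
        "real_keyboard": UsbPacket(2, 0x1a2b, 0x0001, "KB-ASSUMED-0001", CLASS_HID, "in"),
        # Same VID/PID as the real keyboard but a different serial: a flash drive
        # presenting a hidden keyboard interface alongside its storage interface.
        "disguised_keyboard": UsbPacket(3, 0x1a2b, 0x0001, "FLASH-9", CLASS_HID, "in"),
        "disguised_keyboard_storage": UsbPacket(3, 0x1a2b, 0x0001, "FLASH-9", CLASS_MASS_STORAGE, "in"),
        "approved_webcam_skype": UsbPacket(5, 0x3c4d, 0x0825, TRUSTED_WEBCAM_SERIAL, CLASS_VIDEO, "in", "skype"),
        "approved_webcam_other_app": UsbPacket(5, 0x3c4d, 0x0825, TRUSTED_WEBCAM_SERIAL, CLASS_VIDEO, "in", "browser"),
        "other_webcam": UsbPacket(5, 0x3c4d, 0x0825, "CAM-OTHER", CLASS_VIDEO, "in", "skype"),
        "phone_tethering_charge_port": UsbPacket(4, 0x5e6f, 0x4ee3, "PHONE-1", CLASS_CDC_DATA, "in"),
        "phone_tethering_data_port": UsbPacket(2, 0x5e6f, 0x4ee3, "PHONE-1", CLASS_CDC_DATA, "in"),
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        action, rule = decide(pkt)
        print(f"{name:32s} {action:5s}  ({rule})")
```

Two design points carry over to any real deployment: the default is drop, so a phone that silently brings up a tethering interface is blocked even on a port that is not designated charge-only, and the keyboard whitelist matches on the full device identity rather than the interface class, so a device merely claiming to be a keyboard gains nothing.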

Key Takeaway

USBFILTER is a solution that can give administrators better, granular control over the functionality of USB ports and devices. USBFILTER is open-source code and is posted on GitHub. It is currently written for Linux, but could be ported to Windows and Mac.

Recent Ruling Set the Bar Low for Establishing Injury Under the FTC Act

The FTC recently announced its latest move in an ongoing legal saga with LabMD. The results of this case, along with other recent decisions, provide a clear picture on how the FTC interprets privacy harms and data security issues.

LabMD Breach

The LabMD case dates back to 2008, when a document containing sensitive patient information was found on a publicly accessible website.

LabMD received a notification from Tiversa, a firm monitoring peer-to-peer networks for inappropriate information sharing. Tiversa claimed to have found a file containing 1,718 pages of LabMD billing information on Limewire, a peer-to-peer file sharing website.

The file contained personal information on 9,300 patients: names, dates of birth, Social Security numbers, “CPT” codes for specific medical tests, and health insurance information.

LabMD quickly traced the incident back to a billing manager’s computer. She had installed Limewire on her work computer to download music. She inadvertently left her documents folder open for sharing on Limewire, where the 1,718-page file found its way onto the shared network.

Tiversa brought the incident to LabMD’s attention in hopes of signing the company as a customer. Tiversa offered to fix the issue for a fee. LabMD declined. Tiversa then notified LabMD that they were obligated to report the findings to the FTC.

Legal Battle

In 2010, an intense legal battle between LabMD and the FTC began. After almost 3 years of investigation, the FTC charged LabMD under the unfairness prong of Section 5 of the FTC Act. They found numerous unreasonable data security practices they deemed to be unfair. The FTC claimed LabMD:

  • Failed to monitor traffic across firewalls
  • Failed to train employees
  • Failed to update software
  • Failed to require strong passwords
  • Allowed employees to download and use peer-to-peer services

LabMD challenged these charges. The ongoing case gave LabMD bad press, hurt their reputation, and caused them to lose customers. Eventually, LabMD was forced to close shop in 2014 due to the costs of fighting the legal battle.

But LabMD caught a huge break in November 2015, as we previously reported. The judge overseeing the FTC case ruled in favor of LabMD. He held that Tiversa’s evidence against LabMD was unreliable. A previous Tiversa employee testified that he fabricated the digital trail leading to the file with personal information. The judge also held that LabMD’s data security practices weren’t likely to cause substantial injury to consumers, like the FTC Act requires.

In response to the judge’s ruling, the FTC acted as expected and appealed. This time, without relying on Tiversa’s evidence, the FTC claimed that LabMD’s mere exposure of the file was evidence of unfair data security practices.

FTC Ruling

The FTC overturned the judge’s ruling in August 2016 and found consumer injury was a probability. They said “the privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury under Section 5.”

According to the FTC, subjective feelings qualify as an injury under the FTC Act. This means that reputational harm and embarrassment are enough to bring charges against a company using Section 5. Notably, they also found that substantial injury actually occurred without any evidence of a specific aggrieved consumer after 7 years. This has also been seen recently in high profile cases – Hulk Hogan and Erin Andrews – in which the ruling favored the plaintiff without tangible evidence of harm.

The decision in this case also provides clarity on how the FTC views the definition of “disclosure of personal information.” With evidence of only two people viewing the 1,718-page file on Limewire, the threshold for disclosure appears to be low.

With the result of this case, the FTC definition of disclosure relies solely on the release of personal information from a secure location. It doesn’t seem to take into account whether or not other individuals have actually viewed or accessed the information.

Key Takeaway

In over 60 cases related to privacy and data security issues, all but two companies have settled with the FTC. So the ongoing legal battle between LabMD and the FTC provides important insight on how the FTC handles privacy and data security issues under the unfairness prong of the FTC Act.

It seems at times the FTC can bully companies into settling with the agency. Settlements often include penalties, consent decrees to monitor future privacy and data security practices, and damage to the company’s reputation.

Nevertheless, this case shows that the burden is currently on organizations to protect sensitive information. Emotional and reputational harm to a consumer is enough for the FTC to bring charges against a company. On top of that, those injuries occur when sensitive information is merely exposed in the public domain.

Gmail Alerts: State-Sponsored Attacks

Google is pretty good at letting users know in a practical way when they are in danger online. Google has been warning Gmail users since 2012 when they become the target of a state-sponsored attack.

[Image: the original Gmail state-sponsored attack warning]

But now the alerts will be a little more ‘in-your-face’ as you can see below.

[Image: the new, more prominent Gmail warning]

“The users that receive these warnings are often journalists, activists, and policy-makers taking bold stands around the world,” says Gmail’s Nicolas Lidzborski. Nevertheless, based on Google’s stats, the number of users targeted could be as high as 1 million.

Kudos to Google, as well as other websites like Facebook and Twitter, for playing a part in keeping users safe against cyber attacks.

Top 5 Data Security Questions

During 2015, ePlace cyber professionals answered questions covering just about every cyber and data security related topic. Below are the top 5 most asked questions.

Question 1: Is the vetting process important for the Cloud Vendors and Business Partners who have access to your data?

Answer: Your organization will have little or no visibility into the security posture of a partner or cloud vendor. As your valuable data flows through the business ecosystem, it should be shared securely, managed, protected, and archived according to corporate, regulatory, and legal mandates. The following are tips on protecting data that is being shared:

  • Assess your partner or vendor’s security posture.
  • Cyber security is not an afterthought and should be communicated to every vendor/partner at the beginning of every relationship.
  • Assess and classify your data periodically and share with your partners accordingly.
  • Require your data custodian to execute an NDA and other legal documents requiring compliance with applicable data and privacy laws as well as your organization’s policies and procedures.
  • Require the vendor to purge and scrub the data upon termination of the project or engagement.

Question 2: How do we protect our sensitive/critical data from leaving our organization?

Answer: As the organization’s network perimeter expands through the use of cloud and mobile technologies, including bring your own device (BYOD), your data is no longer centralized and has many egress points through different means. Protection requires organizations to clearly understand which of their assets are key to their existence. Asset identification should include categories such as revenue, income, reputation, intellectual property, strategic growth planning, and core operations. Implementing a Data Loss Prevention (DLP) program is a critical factor in protecting the aforementioned data categories, and a successful approach to DLP would include:

  • Implementing a sound ISMS (Information Security Management System) which can include:
    • Implementing security policies
    • Performing risk assessments
    • Implementing security controls
    • Implementing security awareness programs
    • Implementing physical security
  • Implementing Data Life Cycle Management (DLCM) which can include:
    • Identifying critical data lifecycle including its creation, storage, usage, transmittal, archival and end of life/purge
    • Acquiring and installing DLP security tools
    • Identifying all the stakeholders and obtaining their buy-in

Question 3: What kind of data at rest do I need to encrypt?

Answer: Data at rest encryption begins with knowing your data classification, location and understanding your organization’s business and security objectives including data governance policies and compliance mandates (e.g., PCI, HIPAA, GLBA, and SOX etc.). Based on the aforementioned information collected, start designing data encryption policies and schemes that will protect the confidentiality of your most valued assets. Encryption does add an overhead and can tax your system performance. Data at rest encryption strategies include:

  • Understanding your organizational structure and data locations.
  • Choosing the right encryption algorithm (AES-256 being the strongest common choice today).
  • Encrypting your data based on sensitivity, location and compliance mandates.
  • Creating a data encryption policy.
  • Auditing any encryption solution implemented.
  • If encryption is not an option for some data stores, such as certain database fields, use tokenization: replace the actual value of a sensitive field with a token that stands in for it.
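Tokenization, the last bullet above, is easy to get wrong if the token is derived from the value it replaces (a hash of a card number is still a card number to anyone who can guess and check). The following is an added example for this page, not code from ePlace or any vendor: a minimal token vault in which tokens are random digits that preserve only the field’s length and last four characters, the real value lives only inside the vault, and a field policy decides which columns of a record are tokenized. The index key, field policy and sample record are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict


class TokenVault:
    """Replaces a sensitive digit-string field (e.g. a payment card number or
    SSN) with a random token of the same length that keeps only the last four
    digits. Only the vault can map a token back; the application database
    stores the token, so a dump of that database reveals nothing reversible."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key             # keys the lookup index (assumed secret)
        self._by_token: Dict[str, str] = {}     # token -> real value
        self._by_index: Dict[str, str] = {}     # HMAC(real value) -> token

    def _index(self, value: str) -> str:
        # Keyed so the plaintext itself is never used as a dictionary key.
        return hmac.new(self._index_key, value.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, value: str) -> str:
        if not value.isdigit() or len(value) < 8:
            raise ValueError("expected a digit string of at least 8 characters")
        idx = self._index(value)
        if idx in self._by_index:               # same input always yields the same token
            return self._by_index[idx]
        while True:
            # Random digits carry no information about the original value;
            # the last four are kept so receipts and support screens still work.
            random_part = "".join(secrets.choice("0123456789") for _ in range(len(value) - 4))
            token = random_part + value[-4:]
            if token != value and token not in self._by_token:
                break
        self._by_token[token] = value
        self._by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]            # KeyError for a token the vault never issued


# Constructed classification policy: which record fields are sensitive enough to tokenize.
FIELD_POLICY = {"card_number": "tokenize", "ssn": "tokenize"}


def protect_record(record: dict, vault: TokenVault, policy: dict = FIELD_POLICY) -> dict:
    """Return a copy of the record with every policy-listed field replaced by
    its token; fields the policy does not mention are left as they are."""
    out = dict(record)
    for field_name, action in policy.items():
        if action == "tokenize" and field_name in out:
            out[field_name] = vault.tokenize(out[field_name])
    return out


def sample_record() -> dict:
    """Constructed billing record (all values are placeholders)."""
    return {
        "patient": "A. Example",
        "ssn": "123456789",
        "card_number": "4111111111111111",
        "test_code": "CPT-EXAMPLE",
    }


if __name__ == "__main__":
    vault = TokenVault(index_key=b"constructed-index-key")
    protected = protect_record(sample_record(), vault)
    print(protected)
    print("round trip:", vault.detokenize(protected["card_number"]))
```

In production the vault would be a separately secured service with its own access control and audit log, which is exactly what makes tokenization useful where field-level encryption inside the database is unavailable: the sensitive value and the system that can recover it are both removed from the application’s data store.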

Question 4: Why do I need to patch my software and operating system?

Answer: A patch is a software update released by the software vendor to address security vulnerabilities in its product. Whenever a vendor releases a patch, attackers analyze it to find out which vulnerability it addresses and, once identified, search for systems that have not been patched in order to compromise them. The following are best practices for patch management:

  • Inventory all software and hardware used in your organization.
  • Use automated tools to scan for vulnerabilities.
  • Develop a test environment to test the patches.
  • Apply critical patches first.
  • Patch business and mission critical systems manually.
  • Use an automated system to push the patches.
  • Develop a backout plan if the patch breaks the system functionality.
  • Audit patched systems for consistency.

Question 5: Do I need to perform a cyber risk assessment in my organization?

Answer: No matter how secure your organization is, occasional lapses in its infrastructure are inevitable. A risk assessment report will give your organization a snapshot of its posture, including all of its strengths and weaknesses. It will also provide a more accurate picture of how much to budget for cyber security and which computing areas need more money allocated. The following are guidelines for conducting a risk assessment as defined in the NIST (National Institute of Standards and Technology) 800 series standards:

  • Scope environment (identify the systems that will be assessed).
  • Identify the threats to the scoped systems.
  • Expose their vulnerabilities.
  • Identify current protection controls.
  • Identify the likelihood the systems will be breached.
  • Assess the potential impact to the organization in the event of a breach.
  • Determine the risks by multiplying the likelihood of breach by the impact to the organization.
  • Mitigate the risks identified in the previous steps.
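The steps above produce a risk register: one row per threat/vulnerability pair on an in-scope system, scored as likelihood multiplied by impact and treated in that order. The following is an added example for this page, not code from ePlace or from NIST: it encodes the scoring on three-level qualitative scales in the spirit of NIST SP 800-30, orders the findings for treatment, and shows the residual score after a mitigation lowers likelihood. The systems, threats, controls and ratings are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Three-level qualitative scales in the spirit of NIST SP 800-30.
LIKELIHOOD = {"low": 1, "moderate": 2, "high": 3}
IMPACT = {"low": 1, "moderate": 2, "high": 3}


@dataclass
class Finding:
    """One row of the risk register: a threat exercising a vulnerability on
    an in-scope system, rated with the controls that already exist."""
    system: str
    threat: str
    vulnerability: str
    existing_controls: List[str] = field(default_factory=list)
    likelihood: str = "moderate"   # likelihood of breach given current controls
    impact: str = "moderate"       # impact on the organization if it happens
    mitigation: str = ""           # planned treatment

    def score(self) -> int:
        # Risk = likelihood x impact, as in the guideline above (range 1..9).
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def risk_level(score: int) -> str:
    """Map a 1-9 score onto a reporting band (thresholds are an assumption)."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "moderate"
    return "low"


def build_register(findings: List[Finding]) -> List[Finding]:
    """Order findings for treatment: highest score first, then by system name."""
    return sorted(findings, key=lambda f: (-f.score(), f.system))


def residual_score(finding: Finding, likelihood_after: str) -> int:
    """Score once a mitigation has lowered the likelihood; impact is unchanged."""
    return LIKELIHOOD[likelihood_after] * IMPACT[finding.impact]


def summarize(findings: List[Finding]) -> List[Tuple[str, int, str]]:
    """(system, score, band) in treatment order."""
    return [(f.system, f.score(), risk_level(f.score())) for f in build_register(findings)]


def sample_findings() -> List[Finding]:
    """Constructed findings for a small scoped environment."""
    return [
        Finding("intranet-wiki", "credential guessing", "some weak user passwords",
                ["MFA", "network segmentation"], "low", "moderate",
                "enforce password policy"),
        Finding("billing-workstation", "malware via file sharing",
                "peer-to-peer client installed; no application allow-list",
                ["antivirus"], "high", "high",
                "remove P2P client, restrict software installation"),
        Finding("print-server", "unauthorized administrative access",
                "default administrator password", [], "high", "low",
                "change default credentials"),
        Finding("public-web-server", "exploitation of unpatched software",
                "patches applied quarterly", ["firewall"], "moderate", "high",
                "monthly patch cycle, critical patches within days"),
    ]


if __name__ == "__main__":
    register = build_register(sample_findings())
    for f in register:
        print(f"{f.system:20s} L={f.likelihood:8s} I={f.impact:8s} "
              f"risk={f.score()} ({risk_level(f.score())})  -> {f.mitigation}")
    top = register[0]
    print("residual for", top.system, "after mitigation:", residual_score(top, "low"))
```

The ordering is the budgeting input the answer mentions: the workstation with a file-sharing client scores 9 and is treated first, while the default-password print server scores only 3 because its impact is low, which is the kind of prioritization a flat list of vulnerabilities cannot give you.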

Wifatch Malware Improves Security?

Symantec has reported on an interesting piece of malware that aims to increase the security of the devices it infects. The name of this malware is Linux.Wifatch, and it has been infecting Internet of Things (IoT) devices since 2014. The Wifatch network has infected more than 300,000 devices so far.

Attackers have found IoT devices particularly useful and have taken advantage of the common weaknesses that many still ship with – out-of-date software and default passwords. IoT devices become very useful to attackers once they control the device. Many times the attacker will use a botnet – a collection of infected devices – to launch Distributed Denial of Service (DDoS) attacks on larger servers or networks.

The average user is usually oblivious to their device being infected. Like the DDoS example, there are many instances in which the attacker isn’t looking to hurt the device or steal information from it. They simply utilize its functionality in the background for larger attacks. And because of the stealthy nature of the attack, attackers can maintain their control of the device for long periods of time without being detected.

What does Linux.Wifatch do?

So how does Linux.Wifatch compare to the other malware in the wild infecting countless devices? Wifatch infects the device much like other remote access malware using common vulnerabilities. But that’s where Wifatch starts to differ from other malicious software.

Wifatch starts to distribute threat updates to the infected device. It seeks out and removes existing malware on the device. If successful, Wifatch will leave behind a warning message that encourages the user to change the passwords for the device and update the firmware. Wifatch also configures the device to reboot automatically on a regular basis to reset the device to a clean state and get rid of any active malware.

The hackers’ original plan was to quietly secure devices with poor security hygiene behind the scenes. Being hidden allowed the hackers to stay off the radars of other malware authors they are trying to protect against. The device users are usually unaware their routers are being used to attack other hosts on the Internet.

The hackers released part of the code for the Wifatch malware and made it free to use under the General Public License. The goal is to get people to take security more seriously and adopt better security practices on their devices.

Best Practices:

The team behind Linux.Wifatch responded to questions by saying that they don’t use any elaborate backdoors or zero-day exploits to hack into devices. Instead they rely on telnet and other simple protocols, then try several rudimentary passwords – like “password” – or default passwords to gain access. In effect, the team is only infecting devices that aren’t protected at all in the first place.

It seems like the goal of Linux.Wifatch is to get users adopting security best practices with their devices. So with that in mind, the best way to protect against malware – like Linux.Wifatch and other malicious software – is to stay current with any updates and change default or weak passwords.

Four Reasons Millennials are an Organization’s Biggest Data Security Risk

Absolute Software’s recent study on U.S. mobile security shows that Millennials represent the greatest risk when it comes to data security over other age groups. Millennials (adults ages 18-34) have surpassed Generation X (adults ages 35-50) to make up the largest share of the American workforce. According to the study, Millennials do not compare favorably against other age groups in several data security areas:

Behavior                            Boomers   Millennials
Compromise IT Security                 5%        25%
Modify Default Settings                8%        35%
Use Work Device for Personal Use      37%        64%
Not Safe for Work                      5%        27%

Organizations need to reevaluate their security policies and adapt to the changing mobile behaviors and trends that are coming from the Millennial group, who have grown up in a society driven by social media and mobile applications.

Here’s a closer look at the greater risk for data security from Millennials compared to the older age groups:

  1. Millennials are more willing to admit to compromising the organization’s security because they assume that security is IT’s responsibility.
  2. Millennials are generally more tech-savvy and find ways to go around a device’s default settings to meet their wants. This could look like jail-breaking a device or downloading an unauthorized application.
  3. Across all age groups it’s common for employees to use their work device for personal use. The difference lies in the type of use and how that affects the organization’s risk. Millennials are more apt to use social media apps without privacy settings in place or do online banking on their work devices instead of things that carry less risk like checking sports scores.
  4. Along the same lines, Millennials access more Not Safe for Work content on their work devices, which include sites most notorious for malware like social media sites, gaming sites, online shopping, etc.

Training, training, training. Make sure your employees are aware of mobile security best practices and the organization’s policies towards mobile device security.

New Hampshire Enacts Breach Notification for Department of Education

New Hampshire enacted HB 322, requiring the Department of Education (DOE) to implement additional procedures to protect student and teacher data from security breaches, including a breach notification requirement.

According to the law, the DOE shall develop a detailed data security plan including compliance standards, security audits, breach procedures, and policies for data retention and disposal.

Additionally, notification is required as soon as practicable to any student or teacher whose personally identifiable information is assumed to have been involved in a security breach. Other entities to be notified include the governor, state board, senate president, speaker of the house of representatives, chairperson of the senate committee with primary jurisdiction over education, chairperson of the house committee with primary jurisdiction over education, legislative oversight committee, and commissioner of the department of information technology.

This new law follows HB 520 passed last year as an effort by New Hampshire’s legislature to increase protections of student data. HB 520 follows in the footsteps of California’s Student Online Personal Information Protection Act and prohibits companies from using student information to target advertisements to students.

The bill is effective August 11, 2015.

Password Recovery Scam!

http://www.symantec.com/connect/blogs/password-recovery-scam-tricks-users-handing-over-email-account-access
http://www.symantec.com/

Security firm Symantec is reporting an increase in a specific type of social engineering attack directed at mobile users to gain access to the victim’s email account. This simple attack method takes advantage of people’s willingness to trust authority figures.

The attacker uses the password recovery feature offered by email providers to gain access to the target’s account. All the attacker needs to know is the target’s email address and mobile number.

This video shows the attack in action.

Symantec also gave an example to describe the type of attack:

  • The victim, Alice, registers her mobile number with Gmail to recover her password through texting a verification code if she forgets it.
  • The attacker, Malroy, wants access to Alice’s account but doesn’t know the password. He knows Alice’s email address and mobile number though. Malroy visits the Gmail login page and enters Alice’s email address and then clicks on the “Need help?” link, which is used when people have forgotten their login credentials.
  • Malroy is offered several options, including “Enter the last password you remember” and “Confirm password reset on my phone,” but skips these until he is given the option “Get a verification code on my phone.”
  • Malroy chooses this option and an SMS message with a six-digit verification code is sent to Alice. Alice receives a message saying “Your Google Verification code is (six-digit code).”
  • Malroy sends Alice an SMS message saying something to the effect of “Google has detected unusual activity on your account. Please respond with the code sent to your mobile device to stop unauthorized activity.”
  • Alice, believing the message is legitimate, replies with the verification code. Malroy then uses the code to get a temporary password and gains access to Alice’s email account.

Attackers can use this access for many different malicious activities. They can set up an alternate email address on the account to receive copies of all messages and eavesdrop on the victim’s communications. The focus of these attacks seems to be information gathering rather than financial gain such as stealing credit card numbers. Users need to be wary of all communications requesting verification codes – especially if they did not request one themselves. Legitimate password recovery messages will simply give the verification code and never ask for a response.

UPS Stores Notifies Customers of Malware-Related Data Breach

UPS Stores, a subsidiary of United Parcel Service (UPS), was breached at the end of March, with the malware eliminated by August 11. The 51 stores affected were located in 24 states, with 100,000 customer records placed at risk of identity theft and credit card fraud.

The malware, eventually found on the stores’ networks, was not discovered until UPS received a bulletin from the DHS (Department of Homeland Security) about a broad-based malware intrusion affecting retailers. The malware, found on the stores’ point-of-sale (PoS) registers, is similar to but not related to the Target attack of 2013. Customer data breached included names, postal addresses, email addresses, and payment card information.

UPS posted notice of the breach on its website to inform customers who could not be reached via normal communication channels. The notice included a statement from UPS CEO Tim Davis offering his apologies and taking responsibility for the loss of information.