Friday, March 29, 2013

Cyberattacks Seem Meant to Destroy, Not Just Disrupt

Jung Yeon-Je/Agence France-Presse — Getty Images
Officials at a South Korean security agency study an attack that disabled 32,000 computers.
American Express customers trying to gain access to their online accounts Thursday were met with blank screens or an ominous ancient typeface. The company confirmed that its Web site had come under attack.
 
The assault, which took American Express offline for two hours, was the latest in an intensifying campaign of unusually powerful attacks on American financial institutions that began last September and have taken dozens of them offline intermittently, costing millions of dollars.
JPMorgan Chase was taken offline by a similar attack this month. And last week, a separate, aggressive attack incapacitated 32,000 computers at South Korea’s banks and television networks.
The culprits of these attacks, officials and experts say, appear intent on disabling financial transactions and operations.
Corporate leaders have long feared online attacks aimed at financial fraud or economic espionage, but now a new threat has taken hold: attackers, possibly with state backing, who seem bent on destruction.
“The attacks have changed from espionage to destruction,” said Alan Paller, director of research at the SANS Institute, a cybersecurity training organization. “Nations are actively testing how far they can go before we will respond.”
Security experts who studied the attack said it was part of the same campaign that took down the Web sites of JPMorgan Chase, Wells Fargo, Bank of America and others over the last six months. A group that calls itself the Izz ad-Din al-Qassam Cyber Fighters has claimed responsibility for those attacks.
The group says it is retaliating for an anti-Islamic video posted on YouTube last fall. But American intelligence officials and industry investigators say they believe the group is a convenient cover for Iran. Just how tight the connection is — or whether the group is acting on direct orders from the Iranian government — is unclear. Government officials and bank executives have failed to produce a smoking gun.
North Korea is considered the most likely source of the attacks on South Korea, though investigators are struggling to follow the digital trail, a process that could take months. The North Korean government of Kim Jong-un has openly declared that it is seeking online targets in its neighbor to the south to exact economic damage.
Representatives of American Express confirmed that the company was under attack Thursday, but said that there was no evidence that customer data had been compromised. A representative of the Federal Bureau of Investigation did not respond to a request for comment on the American Express attack.
Spokesmen for JPMorgan Chase said they would not talk about the recent attack there, its origins or its consequences. JPMorgan has openly acknowledged previous denial of service attacks. But the size and severity of the most recent one apparently led it to reconsider.
The Obama administration has publicly urged companies to be more transparent about attacks, but often security experts and lawyers give the opposite advice.
The largest contingent of instigators of attacks in the private sector, government officials and researchers say, remains Chinese hackers intent on stealing corporate secrets.
The American and South Korean attacks underscore a growing fear that the two countries most worrisome to banks, oil producers and governments may be Iran and North Korea, not because of their skill but because of their brazenness. Neither country is considered a superstar in this area. The appeal of digital weapons is similar to that of nuclear capability: it is a way for an outgunned, outfinanced nation to even the playing field. “These countries are pursuing cyberweapons the same way they are pursuing nuclear weapons,” said James A. Lewis, a computer security expert at the Center for Strategic and International Studies in Washington. “It’s primitive; it’s not top of the line, but it’s good enough and they are committed to getting it.”
American officials are currently weighing their response options, but the issues involved are complex. At a meeting of banking executives, regulators and representatives from the departments of Homeland Security and Treasury last December, some pressed the United States to hit back at the hackers, while others argued that doing so would only lead to more aggressive attacks, according to two people who attended the meeting.
The difficulty of deterring such attacks was also the focus of a White House meeting this month with Mr. Obama and business leaders, including the chief executives Jamie Dimon of JPMorgan Chase; Brian T. Moynihan of Bank of America; Rex W. Tillerson of Exxon Mobil; Randall L. Stephenson of AT&T and others.
 
Mr. Obama’s goal was to erode the business community’s intense opposition to federal legislation that would give the government oversight of how companies protect “critical infrastructure,” like banking systems and energy and cellphone networks. That opposition killed a bill last year, prompting Mr. Obama to sign an executive order promoting increased information-sharing with businesses.
“But I think we heard a new tone at this latest meeting,” an Obama aide said later. “Six months of unrelenting attacks have changed some views.”
Mr. Lewis, the computer security expert, agreed. “The Iranian attacks have tilted private sector opinion,” he said. “Hence the muted reaction to the executive order versus squeals of outrage. Companies are much more concerned about this and much more willing to see a government role.”
Neither Iran nor North Korea has shown anywhere near the subtlety and technique in online offensive skills that the United States and Israel demonstrated with Olympic Games, the ostensible effort to disable Iran’s nuclear enrichment plants with an online weapon that destabilized hundreds of centrifuges, destroying many of them. But after descriptions of that operation became public in the summer of 2010, Iran announced the creation of its own Cyber Corps.
North Korea has had hackers for years, some of whom are believed to be operating from, or through, China. Neither North Korea nor Iran is as focused on stealing data as on destroying it, experts contend.
When hackers believed by American intelligence officials to be Iranians hit the world’s largest oil producer, Saudi Aramco, last year, they did not just erase data on 30,000 Aramco computers; they replaced the data with an image of a burning American flag. In the assault on South Korea last week, some affected computers displayed an ominous image of skulls.
“This attack is as much a cyber-rampage as it is a cyberattack,” Rob Rachwald, a research director at FireEye, a computer security firm, said of the South Korea attacks.
In the past, such assaults typically occurred through a denial-of-service attack, in which hackers flood their target with Web traffic from networks of infected computers until it is overwhelmed and shuts down. One such case was a 2007 Russian attack on Estonia that affected its banks, the Parliament, ministries, newspapers and broadcasters.
With their campaign against American financial institutions, the hackers suspected of being Iranian have taken that kind of attack to the next level. Instead of using individual personal computers to fire Web traffic at each bank, they compromised servers in powerful commercial data centers with malware and directed them to fire at each bank simultaneously, giving them the bandwidth to mount a far larger attack.
As a result, the hackers were able to take down the consumer banking sites of American Express, JPMorgan Chase, Bank of America, Wells Fargo and other banks with many times more traffic than hit Estonia in 2007.
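The two paragraphs above describe the shift from floods sent by many infected home PCs to floods sent by a smaller number of compromised servers in hosting data centers. One way a defender sees that difference is in the access logs: a per-source rate check finds the flooding hosts, and grouping the flagged hosts by netblock shows whether they cluster in a few hosting ranges or are scattered across residential space. The following is an added example written for this page, not code from the article or from any bank or vendor it mentions. The log lines are constructed (using RFC 5737 documentation addresses), and the window size and request threshold are assumed values that a real deployment would tune against its own baseline.

```python
"""Rate-based flood detection over web access logs (added example).

Parses constructed Common Log Format lines, counts requests per source
IP inside a sliding time window, flags sources that exceed a threshold,
and groups the flagged sources by /24 so an analyst can see whether the
flood comes from a few hosting netblocks or from many scattered hosts.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Common Log Format: ip ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp) for a well-formed line, or None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), TIME_FMT)


def flood_sources(lines, window_seconds=10, threshold=20):
    """Return {ip: peak requests seen in any window} for IPs at or over threshold.

    A per-IP sliding window over sorted timestamps means a single burst of
    `threshold` requests inside `window_seconds` is enough to flag a source,
    regardless of how quiet it was before or after.  (Assumed defaults.)
    """
    by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:  # malformed lines are skipped, not fatal
            ip, ts = parsed
            by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        peak = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def by_netblock(ips, prefix=24):
    """Group IPs by /prefix so concentration in a few ranges becomes visible."""
    blocks = Counter()
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        blocks[str(net)] += 1
    return blocks


def make_sample_log():
    """Constructed sample log: two hosts in 203.0.113.0/24 hammering /login
    at 5 requests/second for 10 seconds, three sparse legitimate clients,
    and one garbage line.  Addresses are RFC 5737 documentation ranges."""
    t0 = datetime.strptime("28/Mar/2013:14:00:00 +0000", TIME_FMT)

    def line(ip, offset_s, path="/login"):
        ts = (t0 + timedelta(seconds=offset_s)).strftime(TIME_FMT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'

    lines = []
    for i in range(50):
        lines.append(line("203.0.113.10", i / 5))
        lines.append(line("203.0.113.77", i / 5))
    for i, ip in enumerate(["198.51.100.5", "192.0.2.9", "198.51.100.42"]):
        for j in range(4):
            lines.append(line(ip, i + 3 * j, "/"))
    lines.append("garbage line that should be ignored")
    return lines


if __name__ == "__main__":
    flagged = flood_sources(make_sample_log())
    for ip, peak in sorted(flagged.items()):
        print(f"{ip}: {peak} requests in a 10 s window")
    for block, count in by_netblock(flagged).items():
        print(f"{block}: {count} flagged hosts")
```

On the constructed input only the two 203.0.113.0/24 hosts are flagged, and both land in one /24, the signature of a flood sourced from a hosting block rather than a consumer botnet. Against real logs, read the netblock summary alongside WHOIS or ASN data for the ranges, and keep in mind that a flood through a CDN or a corporate proxy can also concentrate many users behind one address, so a high-rate source is a lead for investigation, not proof of hostility on its own.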
In the attack on Saudi Aramco last year, the culprits did not mount that type of assault. Instead, they created malware designed for the greatest impact, coded to spread to as many computers as possible.
Likewise, the attacks last week on South Korean banks and broadcasters were far more sophisticated than coordinated denial-of-service attacks in 2009 that briefly took down the Web sites of South Korea’s president and its Defense Ministry. Such attacks were annoyances; they largely did not affect operations.
This time around in South Korea, however, the attackers engineered malware that could evade popular South Korean antivirus products, spread it to as many computer systems as possible, and inserted a “time bomb” to take out all the systems at once for greatest impact.
The biggest concern, Mr. Lewis said: “We don’t know how they make decisions. When you add erratic decision making, then you really have something to worry about.” 

Tuesday, March 26, 2013

HIPAA Compliance in the Spotlight

Effective Date of HIPAA Omnibus a Reminder of Unfinished Tasks

By , March 26, 2013.
The HIPAA Omnibus Rule goes into effect today, March 26. While organizations have until Sept. 23 to comply with the rules' many provisions, including modifications to the HIPAA security and privacy rules, recent federal breach investigations and audits have shown that many organizations are having trouble complying with basic HIPAA requirements that have been in place for years - much less the additional omnibus requirements.

 
Longstanding trouble spots in HIPAA compliance include: conducting a thorough and timely risk assessment; documenting those assessments as well as security policies and procedures; and training staff on compliance.

Because HIPAA Omnibus requires business associates and their subcontractors to comply with the HIPAA Security Rule and many provisions of the HIPAA Privacy Rule, hospitals, insurers and other covered entities now face the extra task of making sure their vendor partners are compliant (see: HIPAA Omnibus: Business Associate Tasks).
In addition to changes related to business associates, other major provisions of the HIPAA Omnibus Rule include:
  • New guidance for how to assess whether to report a breach based on the probability of information being compromised (see: HIPAA Omnibus: Breach Notification Tips);
  • A prohibition against covered entities selling patient information, such as for marketing, without patient authorization, and the need to modify notices of privacy practices to reflect that (see: HIPAA Omnibus: Consumer Protections);
  • A requirement to provide patients with electronic copies of their records upon request;
  • A requirement that covered entities not disclose to health insurers information about treatment or services if the patient pays out of pocket for the care (see: HIPAA Omnibus' Trickiest Provision).

Business Associates' Responsibilities

Business associates that "create, receive, maintain or transmit protected health information on behalf of a covered entity" are now directly liable for HIPAA compliance. And some of these vendors will have a lot of catching up to do to comply, says David Newell, director at CTG Health Solutions' Security Solutions Practice.
"Business associates being liable for HIPAA is the biggest sweeping change in omnibus," he says.
Security consultant Rebecca Herold says she's working with companies "that are making it a point to get in compliance with all the requirements as soon as possible. Why? Their covered entity clients are telling them they need to, or, more often, the covered entities that want to be their clients are making HIPAA compliance a requirement to do business."
Herold, partner at Compliance Helper and CEO at The Privacy Professor, a consulting firm, adds: "Business associates are now scrambling more than ever before to work on their compliance activities. However, I estimate there are still a good 50 percent or so that are still in denial about what they actually need to do."

Risk Assessments

Conducting a timely and thorough risk assessment, as well as documenting all security policies, are key components of a HIPAA compliance program, Newell stresses. Unfortunately, the last time that some organizations conducted a risk analysis was when the HIPAA Security Rule went into effect in 2005, he says. As a result, some organizations don't have a clue about how their risks have evolved.
The Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA, says that an insufficient risk analysis is among the top weak spots discovered during the agency's pilot HIPAA compliance audit program, which evaluated 115 organizations in 2012. Also, some of the breach-related settlements with OCR have noted risk analysis as an area of deficiency.


Experts point out that the lack of timely risk assessment has also played a key role in organizations failing to take other important measures, such as widespread implementation of encryption. OCR's "wall of shame" website shows that of the 556 major breaches that have occurred since September 2009, more than half have involved the loss or theft of unencrypted computing devices (see: Breach Tally: Encryption Still an Issue).
"One thing we're seeing is that some organizations will encrypt their laptops because they hear of breaches involving these devices, yet they don't have a solid plan for what to do with encryption because they haven't done a recent risk analysis," Newell says.
For instance, a risk analysis can help identify protected health information that's located on desktop computers or other devices that need protections, he says.
Sometimes covered entities need help to uncover where PHI is hidden in applications and databases, especially if they've been involved with a merger or acquisition, says Maureen Kaplan of Verizon's healthcare cloud and security services unit. "Many organizations have good controls around procedures, but not for application development, where PHI can be hidden," she says.

Write It Down

Documentation of all security steps provides critical proof of HIPAA compliance in case of a federal audit or investigation. Plus, it helps support development of staff education programs.
But too many organizations fail to document the findings of their risk assessments or create formal, written policies tied to new security-related processes, experts say.
For example, Newell has found that when some organizations implement security measures, such as using new anti-malware software, they fail to document the use of the software or explain in their policies their strategy for addressing viruses, he says. "There is no real policy, nothing gets documented, no records are kept," he says.
While the compliance efforts for HIPAA Omnibus could offer some organizations a fresh start to address HIPAA security and privacy issues they've neglected in the past, Chuck Christian, CIO of St. Francis Hospital in Columbus, Ga., says those laggards need to get moving soon.
"I'm sure that there are organizations that have been lulled into complacency due to the fact that 'nothing has happened' [in terms of breaches]," he says. "We all need to make certain that all of our ducks are in a row as we move forward."
Christian says it's important for organizations to stay vigilant about evolving threats and have adequate resources available for data security, going beyond a focus on HIPAA compliance.
Finally, making sure staff understand HIPAA security and privacy policies is critical to compliance - especially for the new provisions of HIPAA Omnibus, security experts say.
"Training is almost always inadequate," says Herold, the consultant. "Ongoing awareness reminders in-between training is often missing altogether."
 

Fed orders Citigroup to improve anti-money laundering controls

 
A Citi sign is seen at the Citigroup stall on the floor of the New York Stock Exchange, October 16, 2012. REUTERS/Brendan McDermid
 
March 26, 2013 (Reuters) - Citigroup Inc entered into a consent order with the Federal Reserve to improve its anti-money laundering controls, after several units of the bank were subject to similar orders in 2012.
The Federal Reserve announced on Tuesday that it ordered Citigroup's board to submit a plan to improve its oversight of companywide anti-money laundering compliance, including plans to fund personnel and resources based on the risks of different units.
Citibank had entered into a consent order with the Office of the Comptroller of the Currency in April 2012 to fix problems with its compliance with the Bank Secrecy Act anti-money laundering law.
Last year, the FDIC and the California Department of Financial Institutions also ordered Citigroup's Mexican subsidiary, Banamex, to address problems with its compliance program.
Citigroup neither admitted nor denied the Fed's findings under the order, the Fed said.
(Reporting by Aruna Viswanatha; Editing by Lisa Von Ahn)

Theft of Intellectual Property Continues to Wound U.S. Businesses

Shanshan Du, an ex-employee of automaker General Motors, and her husband, Yu Qin, were convicted this past December of stealing trade secrets from the automaker and soliciting Chinese businesses to invest in their own company. According to the prosecution at their trial, Du positioned herself to work in GM’s hybrid-car division as an electrical engineer, a position she held for several years. After being offered a severance package due to poor performance, Du stole information about the hybrid’s motor controls and fed the stolen data to Qin, who was also an electrical engineer, at a car parts manufacturer. Armed with the stolen data, Qin solicited business ventures to sell the data to Chinese car companies and attempted to leverage the information to gain employment and investments.
The two were caught when Qin’s employer became suspicious that he was running a business in direct competition with the company and began investigating his work area. On examining some portable hard drives, investigators identified files believed to be the property of GM. Qin’s employer notified GM, which in turn notified the Federal Bureau of Investigation, which opened an investigation into the two.
Estimates given by GM placed the value of the information stolen by Du at nearly $40 million. Both Du and Qin faced one count of conspiracy to possess trade secrets without authorization and two counts of unauthorized possession of trade secrets, as well as three counts of wire fraud. Following a trial, Du was acquitted of the wire fraud charges but convicted on the three trade secret counts. Qin was found guilty on all six counts as well as an obstruction of justice charge. The two will be sentenced this month and face up to 10 years on each count.
Given the tendency of data to “spill” sooner or later from an enterprise, organizations must tackle the issue with the short and long term in mind. Monitoring the Internet for leaked documents is no longer optional. Cyveillance helps large enterprises protect themselves from data leakage, so reach out to us if you’d like assistance at your organization. We also strongly recommend raising counterintelligence awareness locally by hanging posters like the one above, made available for free by the US Office of the National Counterintelligence Executive. Make information protection a priority in 2013!