Saturday, February 28, 2015

Legal liabilities in recent data breach extend far beyond Anthem

The potential legal liabilities from the unprecedented breach of some 80 million individuals' records at Indianapolis-based insurance giant Anthem could entangle nearly 60 health insurance plans from Hawaii to Puerto Rico, legal experts say. More than 50 class-action lawsuits related to the breach already have been filed in less than a month.

The plans could find themselves held legally responsible for the breach under the federal Health Insurance Portability and Accountability Act privacy and security law as well as state laws. They likely also face a rising number of private civil suits, according to legal experts.

The reason: the legal fates of Anthem, the other Blues plans and the Chicago-based Blue Cross and Blue Shield Association are intertwined by “business associate” agreements signed to facilitate a national, reciprocal claims-payment network called BlueCard.

The network is run by the association, which at least partially explains why Anthem, with 37.5 million members, had more than double that number of individuals' records purloined. Anthem has said that policyholders of other plans who received care in one of its service areas had their data exposed in the breach as well. Presumably the payment data for those traveling policyholders was processed through the BlueCard network.

The breach, revealed Feb. 4, exposed records of individuals in 14 Anthem plans plus millions more enrollees of 42 non-Anthem Blues plans from Hawaii to Puerto Rico.

“What you have here with Anthem is just a problem on mega steroids,” said Kenneth Dort, a partner and privacy lawyer with Drinker Biddle & Reath in Chicago. “You have 80 million people spread out across (dozens) of plans.”

CareFirst BlueCross BlueShield, Owings Mills, Md., is a case in point. It serves its own members in its home state, the District of Columbia and parts of Virginia, but also, potentially, members of any other plan in the BlueCard network.

In a message posted last Tuesday, CareFirst said its own members “represent a small portion of the overall number of individuals affected by the Anthem breach—around 0.5 percent of the total.” That still works out to about 400,000 CareFirst members whose records were compromised. Had it been a stand-alone breach, it would currently rank as the eighth largest healthcare data hack and the 19th largest breach on the “wall of shame” website, which lists major data loss incidents since 2009. The list is kept by the Office for Civil Rights at HHS.

The primary regulatory liability for companies involved in a breach is the potential for multiple violations of HIPAA, which Congress revised in 2009 through the HITECH provisions of the American Recovery and Reinvestment Act, the federal stimulus law. A 2013 “omnibus” privacy and security rule fleshed out those legislative changes.

The rule made any organization that handles patient information under a “business associate agreement” with a HIPAA “covered entity” directly liable for breaches, on the same footing as the covered entity itself.

HIPAA covered entities include hospitals, physician practices, claims clearing houses and health plans. Business associates often are transcription services, data analytics firms or health information exchanges, but can include one health plan serving another.

Before the HITECH Act, Dort explained, “A covered entity had X, Y and Z obligations for privacy and security, but there were not direct obligations on their business associates. They (covered entities) entered into business associate agreements that laid out what their legal obligations were and they typically laid their (HIPAA) obligations onto the business associate.”

“Now, with HITECH, you have those legal obligations applied to the business associates,” Dort said. HITECH also raised the civil penalty limits for HIPAA violations to a maximum of $1.5 million a year for all violations of an identical provision.

So, with the Anthem breach, who is the covered entity and who is the business associate? It depends.

Anthem is clearly a covered entity to its own enrolled members, but it was serving as a business associate for the 42 other plans whose members' records were stolen along with its own, according to Anthem's explanation of how the BlueCard program works.

The good news, for Anthem, from a HIPAA standpoint, “It wouldn't make them any more liable than they otherwise would be,” Dort said. “It's not going to compound their exposure.”

But the bottom line, according to legal experts, is that Anthem and the 42 plans could all be held legally responsible for the breach, under HIPAA as well as state laws.

“In the event a business associate had a breach, before as now, the covered entity, the person who has the direct contract with the affected person, they're still on the hook,” Dort said. “The plan is the one providing the service. They're the ones who have to face their own plan members.”

HIPAA violations also could be cited in multiple class-action suits, said James Pyles, a privacy lawyer with Powers Pyles Sutter & Verville in Washington. Because HIPAA's privacy and security rules were set after periods of public review and comment, they are often cited as standards of best practice in plaintiffs' cases brought under state statutes and common law, he said.

“So you can sue someone on state tort law because the organization failed to comply with HIPAA standards,” Pyles said.

Further, Pyles said, the omnibus rule likened the responsibilities of a covered entity and its business associate to those of a principal and its agent. “Under that general law, if the business associate is doing something that requires the direction and close involvement of the covered entity, then the business associate and the covered entity would have equal liability,” he said. Pyles said he “can't imagine” a circumstance under which a healthcare business associate and a covered entity would not share equal liability.

The Office for Civil Rights at HHS, the chief federal privacy rule enforcement agency, declined to comment on the Anthem case.

In contrast, a posse of state attorneys general, led by George Jepsen of Connecticut, is making a show of the states' enforcement authority.

On his office's website, Jepsen has posted letters to Anthem and press releases about it: recommending, for example, that the company add a second year of credit monitoring (one year of coverage has been standard practice in previous breach cases), then commending Anthem for doing so, and then warning the insurer that his office's investigation into the breach remains “active and ongoing.”

AGs can bite as well as bark. In 2009, Congress broadened the civil enforcement authority for HIPAA violations to include state attorneys general. Some have since flexed their regulatory muscle.

In 2010, former Connecticut Attorney General Richard Blumenthal was the first state AG to file a civil suit for a healthcare data breach under his new authorities. The case involved a hard disk loaded with 1.5 million individuals' records that was either lost or stolen from a Connecticut office of California-based insurer Health Net. Blumenthal's action resulted in a $250,000 settlement agreement.

Last year, Massachusetts AG Martha Coakley reached a $100,000 settlement agreement with Beth Israel Deaconess Medical Center, Boston, over a breach of nearly 4,000 patient records on a stolen unencrypted laptop computer, in an action brought under both state law and HIPAA.

Anthem has posted to its website all 42 Blues plans whose members have been impacted by the breach.

They are members who used the BlueCard network of the Chicago-based Blue Cross Blue Shield Association and sought care in any of the 14 states where Anthem-owned Blues plans do business.

BlueCard “enables members of one Blue Cross and Blue Shield Plan to obtain healthcare services while traveling or living in another Blue Cross and Blue Shield plan's service area,” according to Anthem. “(T)he program links participating healthcare providers with the independent Blue Cross and Blue Shield plans across the country and in more than 200 countries and territories worldwide.”

In a statement on its website, CareFirst explained that when a member is treated outside its service area, his or her claims are sent by the provider to the local Blues plan, and then on to the member's own plan.

“This process ensures that your claim is processed based on your personal benefit plan, while receiving the discounts agreed upon between the provider and the Blue Cross Blue Shield company that received it while you were living or traveling outside of your Blue Cross Blue Shield company's coverage area,” the CareFirst statement said.

CareFirst declined to comment about its legal liabilities under the breach.

According to Anthem spokeswoman Kristin Binns, HIPAA-mandated business associate agreements are part of each plan's license agreement with the Blue Cross Blue Shield Association. These agreements “must cover all interactions” between the various Blues plans, she said.

Under the BlueCard operation, plans that enroll members are called “home plans” while plans that serve another plan's members are called “host plans,” Binns said. “Host plans are considered business associates of home plans and there are business associate agreements in place to reflect that relationship for purposes of HIPAA compliance,” she said.

In an emailed statement, BCBSA said it is a business associate under its licensing agreement with its member plans. Whether it has a shared responsibility under HIPAA for the breach remains to be seen.

“Right now, the FBI, federal and state regulatory authorities and Anthem's own internal teams are investigating what happened and its potential impact,” it said.

Members of the plaintiffs' bar quickly filed a host of class-action lawsuits on behalf of affected patients and plan members.

“Our count right now is 53 cases,” said Lynn Toops, a lawyer with the Indianapolis firm of Cohen & Malad, which filed a federal suit on behalf of Anthem member Karen Meadows and others in Indiana's Southern District.

For now, their causes of action are breach of contract and negligence, Toops said, but, “We're still developing theories.”

“We have serious concerns about the vast amount of data that Anthem is storing about not even its own insured,” Toops said. “Why is that data being retained and being retained in an unencrypted fashion?”

Whether the 42 plans, as covered entities, are liable for the activities of their business associate, Anthem, is “a very interesting point,” she said. “We're not ruling out any avenues or defendants in this case.”

Consolidation of the cases will likely occur this summer, she said.

Follow Joseph Conn on Twitter: @MHJConn

Friday, February 27, 2015

ASML hacked by the Chinese government

By: editorial staff, 27 February 2015

Chinese state hackers have broken into the Dutch chip-machine manufacturer ASML, anonymous sources have told the technology site Tweakers. In the attack, the hackers may have obtained information about the high-end technology in the machines used for chip production.
Several anonymous sources confirmed to Tweakers that the hack was carried out by Chinese government hackers. It should be noted that hacking attacks are difficult to attribute. The attack is said to have targeted the company's Dutch site, although according to one source the company's French site was also attacked. ASML would neither confirm nor deny Tweakers' reporting.

Thursday, February 26, 2015

Why Anthem Was Wrong Not to Encrypt

Being provocative isn’t always helpful. Such is the case with Fred Trotter’s recent headline: Why Anthem Was Right Not To Encrypt.
His argument that encryption wasn’t to blame for the largest healthcare data breach in U.S. history is technically correct, but lost in that technical argument is the fact that healthcare organizations are notably lax in their overall security posture. I found this out firsthand last year when I logged onto the network of a 300+ bed hospital about 2,000 miles away from my home office in Phoenix, using a Chrome browser and a single malicious IP address provided by Norse. I wrote about the details here: Just How Secure Are IT Networks in Healthcare? Spoiler alert: the answer is not very.
I encourage everyone to read Fred’s article, of course, but the gist of his argument is that, technically, data encryption isn’t a simple choice and it has the potential to cause data processing delays. That can be a critical consideration when access to patient records is urgently needed. It’s also valid to argue that the Anthem breach should not be blamed on unencrypted data: encryption at rest protects data on lost or stolen media, not data read through an application or account that is already authorized to decrypt it. But the headline itself is misleading, at best.

I don’t disagree with Fred’s narrow technical argument, but there is definitely a larger issue that he chose to ignore. That larger issue, one I’ve written about frequently, is what industry experts call a “culture of security.” The sheer volume of data breaches suggests a serious lack of that culture in healthcare specifically. The SANS Institute report last year highlights the dire state of cybersecurity in healthcare: New Cyberthreat Report by SANS Institute Delivers Chilling Warning to Healthcare Industry.
Less than six months before Anthem publicized its breach earlier this month, Community Health Systems (CHS) announced a breach of 4.5 million patient records. Some top security analysts have already begun to link the two (Anthem and CHS), right down to the vulnerability disclosed last April, the OpenSSL Heartbleed bug (CVE-2014-0160). There is even speculation that the actual intrusions at Anthem and CHS may have occurred in fairly close proximity to each other (after April of last year). Again, something I covered here: Are the Data Breaches at Anthem and CHS Linked?
That “culture of security” means there is a technical basis, and logic, for using the appropriate technology (software and hardware in tandem) to ensure that adequate data and network security is in place. Note the use of that word: adequate.
There will never be perfect security. The attack surface is increasing, exponentially so with IoT, and attackers only have to find one vulnerability once. Defenders, on the other hand, need to defend against all vulnerabilities, all the time. That equation gives attackers the upper hand, and the gap between attackers and defenders is widening.
In the end, we’ll likely see at least two outcomes from these new mega breaches.
  1. If it’s determined in court that the breach was the result of the Heartbleed bug, both Anthem and CHS will have a much harder time defending against negligence claims, which means the damage awards will be significant.
  2. Whatever the final cost of both breaches (and those yet to come), as always, it will be passed on to each of us as patients and healthcare consumers in the form of higher premiums.
This last one is simply an extension of many other perverse incentives that exist throughout our for-profit healthcare system. Why bother paying for an expensive barn door that locks when we can simply pass the cost of all the lost animals onto someone else? Sure, there will be hits to profits and earnings for a while, and some heads may actually roll (the CIO at Sony was summarily dismissed), but will these mega breaches (and others yet to happen) be enough to change the “culture of security” inside healthcare? Probably not, and certainly not if strong technical voices like Fred’s continue to defend what amounts to a cavalier attitude toward security on the basis of a narrow argument, even if that argument is technically correct.
“A relatively high proportion of the healthcare executives we interviewed believe that the sophistication or pace of cyberattacks will increase quickly, and all of them agreed that attackers’ capabilities will likely outpace the capabilities of their organization. The healthcare sector appears to be the most underdeveloped, with 56% of healthcare respondents believing that their company spends insufficiently on cybersecurity.” (Risk and Responsibility in a Hyperconnected World, McKinsey, January 2014)
The author is a writer for Forbes. He is based in Arizona.

Tuesday, February 24, 2015

Visa Europe to Launch Tokenization Service

Fraud-Fighting Move Lays Foundation for Apple Pay

By Mathew J. Schwartz, February 24, 2015.

Visa Europe is set to debut in April a new mobile payments service that will tokenize payment card data. The move is designed to enable consumers to use their smart phones and wearable devices to securely pay retailers, and it could pave the way for the European rollout of Apple Pay.

"We've designed this flexible and scalable service, enabling issuers, merchants and acquirers to provide consumers with the next generation of innovative payment methods - all with the high level of security they expect," says Sandra Alzetta, Visa Europe's executive director of core products.
Tokenization refers to the practice of substituting a unique surrogate value, the token, for the card number whenever a transaction is made, so that the real card data is not exposed to the merchant or to anyone who intercepts the transaction. And unlike a physical card, Visa Europe notes, the use of a particular token can be restricted to certain scenarios. For example, a bank might prohibit a token created for contactless payments from being used for online purchases.
Experts say that making tokenization mainstream, together with end-to-end encryption to secure data in transit, will be crucial for improving payment card security and combating fraud (see Beyond EMV: Technology for Fighting Fraud).
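The domain restriction Visa Europe describes is the part of tokenization that a one-sentence definition hides, so here is an added worked example (not Visa Europe's, EMVCo's or Apple's code; the class and function names, the domain labels and the sample card number are hypothetical) of a minimal issuer-side token vault in Python. It issues a Luhn-valid 16-digit surrogate for a card number, records which payment domains the token may be used in, refuses to detokenize when a token issued for contactless payments is presented for an online purchase, and shows that suspending a token does not touch the underlying card. Deployed schemes draw tokens from dedicated token BIN ranges and bind them to a device and a per-transaction cryptogram; that is not modelled here.

```python
"""Added example, not code from Visa Europe or EMVCo: a minimal issuer-side token
vault with domain-restricted payment tokens. All names here are hypothetical."""
import secrets
from typing import Dict, FrozenSet, Optional, Tuple

# Hypothetical labels for the channels in which a token may be presented.
CONTACTLESS = "contactless"
ECOMMERCE = "ecommerce"

# Constructed sample card number (the widely used Visa test PAN), not a real account.
SAMPLE_PAN = "4111111111111111"


def luhn_check_digit(payload: str) -> str:
    """Luhn check digit for a digit string that does not yet carry one."""
    total = 0
    # Walk from the right; the rightmost payload digit is doubled because the
    # check digit that will follow it occupies position one.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the string is 13-19 digits with a correct Luhn check digit."""
    if not number.isdigit() or not 13 <= len(number) <= 19:
        return False
    return luhn_check_digit(number[:-1]) == number[-1]


class TokenVault:
    """Maps tokens back to card numbers and enforces per-token domain restrictions.

    Only the vault holds the PAN; merchants and acquirers only ever see tokens.
    """

    def __init__(self) -> None:
        self._records: Dict[str, dict] = {}

    def issue(self, pan: str, domains: FrozenSet[str]) -> str:
        """Create a token for `pan` that is usable only in `domains`."""
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        if not domains:
            raise ValueError("a token must be allowed in at least one domain")
        while True:
            # 15 random digits plus a Luhn check digit: the token passes the same
            # format checks as a PAN, so legacy systems can carry it unchanged.
            # Real schemes draw tokens from dedicated token BIN ranges instead.
            payload = "".join(str(secrets.randbelow(10)) for _ in range(15))
            token = payload + luhn_check_digit(payload)
            if token != pan and token not in self._records:
                break
        self._records[token] = {"pan": pan, "domains": frozenset(domains), "active": True}
        return token

    def suspend(self, token: str) -> None:
        """Disable one token without touching the underlying card."""
        if token in self._records:
            self._records[token]["active"] = False

    def detokenize(self, token: str, domain: str) -> Optional[str]:
        """Return the PAN only if the token is live and allowed in `domain`."""
        rec = self._records.get(token)
        if rec is None or not rec["active"] or domain not in rec["domains"]:
            return None
        return rec["pan"]


def authorize(vault: TokenVault, token: str, domain: str) -> Tuple[bool, str]:
    """Issuer-side check a transaction passes through before funds are approved."""
    if not luhn_valid(token):
        return False, "malformed token"
    pan = vault.detokenize(token, domain)
    if pan is None:
        return False, f"token not valid in domain {domain}"
    # The PAN never leaves this function; callers only learn the decision.
    return True, "approved"


def demo() -> dict:
    """Issue a contactless-only token and present it in both domains."""
    vault = TokenVault()
    token = vault.issue(SAMPLE_PAN, frozenset({CONTACTLESS}))
    results = {
        "token_looks_like_pan": luhn_valid(token) and token != SAMPLE_PAN,
        "contactless": authorize(vault, token, CONTACTLESS),
        "online": authorize(vault, token, ECOMMERCE),
    }
    vault.suspend(token)  # e.g. the phone holding the token is reported stolen
    results["after_suspend"] = authorize(vault, token, CONTACTLESS)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Because the token carries no information about the card and the vault is the only place the mapping exists, a merchant or processor breach that exposes tokens yields values that cannot be replayed outside the domain they were issued for, and a single compromised token can be suspended without reissuing the card.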
Visa Europe is also expanding its peer-to-peer payments service, Visa Direct - formerly known as Visa Personal Payments - and says that by this summer, it will be available in 20 languages, support multiple currencies, and enable individuals to transfer money using only a recipient's mobile phone number. The service will also allow payments to be made via multiple social networks and messaging applications, including Facebook, Twitter, WhatsApp and LinkedIn.
Singapore-based Fastacash, which is partnering with Visa Europe to provide the social network payment feature, says it will be available to more than 500 million people across Europe. "We see this partnership with Visa Europe as the next step in bringing banks and end users closer in the often complicated process of money transfers," says Fastacash CEO and Chairman Vince Tallet.
Visa Europe notes that the peer-to-peer payments service will not be available in the United States or Japan. "Visa blocks incoming cross-border transfers due to local regulations for their respective countries," Visa Europe spokeswoman Rica Squires tells Information Security Media Group. The service will also not be available for any countries that are currently on the U.S. Department of the Treasury's Office of Foreign Assets Control - or OFAC - sanctions list, which lists countries to which payments are prohibited, for example because those countries promote terrorism or narcotics trafficking. All U.S. businesses and their foreign subsidiaries must abide by that list.

Tokenization Hits Europe

Experts have been predicting that many more merchants and banking institutions would soon begin using end-to-end encryption and tokenization, especially in the wake of EMVCo - which manages the EMV standard - releasing its specification for tokenized payments in March 2014, upon which Apple Pay is now based. "Tokenizing at the point of capture - that will be key going forward," payments expert Nathalie Reinelt, an analyst at consultancy Aite (see Why Merchants Embrace Tokenization), said in December.
The October 2014 launch of Apple Pay in the United States - and only there - was tied to U.S. card brands MasterCard, American Express and Visa Inc. - the former parent of Visa Europe - having introduced tokenized payment systems there, experts say.
In the run-up to the launch of Apple Pay, however, Apple CEO Tim Cook said the company was eyeing a rapid expansion of the service to the 66 countries that now offer NFC-compatible point-of-sale terminals. At the time, officials at Visa Europe and rival MasterCard also announced that they were eager to advance Apple Pay adoption in Europe (see Apple Pay: Global Expansion Planned).

To date, however, no new announcements have yet been made about Apple Pay's expansion in Europe. Steve Perry, Visa Europe's chief digital officer, tells Reuters that the card brand's approach parallels the one being taken by Visa in the United States - that led to the Apple Pay rollout there - although he declined to comment on any potential rollout plans in Europe, referring such questions to Apple. In response to a related query from Information Security Media Group, Apple declined to comment.
While Visa Europe's Squires declined to comment on any questions related to Apple Pay, she notes that Visa Europe will now be able to support a range of new services. "The tokenization program we announced today will support a variety of mobile payment solutions, and has the potential to support a variety of other digital payment solutions in the future," she says.

Cybersecurity Summit

As the launch of Apple Pay highlights, tokenization is also taking off in the United States. It also was mentioned at this month's White House cybersecurity summit at Stanford University, which highlighted a number of payments-related private-sector initiatives, as well as enhanced security for federally issued debit and credit cards (see Payment Security Initiatives Unveiled).
Security experts say the increased use of tokenization and encryption is essential for increasing card security and may one day help mitigate the seemingly nonstop pace of data breaches that involve the theft of payment card data.
The White House has announced a Buy Secure initiative requiring that all government-issued cards be compatible with the EMV standard. While EMV-compatible cards have long been in widespread use in Europe, their use in the United States remains relatively scant. But critics say the summit failed to address some ongoing industry concerns, including how tokenization might be best standardized to meet the needs of all industries (see Did Obama's Cyber Summit Miss the Mark?).
In particular, Liz Garner, vice president of the U.S.-based trade association Merchant Advisory Group, says that merchants have continuing concerns about the EMVCo standard, which they note has been designed by card brands, and which isn't interoperable with other standards. To date, furthermore, Visa and MasterCard have only committed to offering tokenization for mobile and contactless payments, despite the fact that the vast majority of breaches involve contact-card data.

JPMorgan Goes to War

The bank is building a new facility near the NSA’s headquarters to attract new talent

JPMorgan Takes a Military Tack to Fighting Cybercrime

Convinced that it faces threats from governments in China, Iran, and Russia, and that the U.S. government isn’t doing enough to help, JPMorgan has built a vast security operation and staffed it increasingly with ex-military officers. Soon after joining the bank in early 2014, Cummings helped hire Gregory Rattray—like Cummings, a former Air Force colonel—as chief information security officer. Together the men oversee a digital security staff of 1,000, more than twice the size of Google’s security group. To make it easier to woo military talent, the bank built a security services facility in Maryland near Fort Meade, home of the National Security Agency.
The military overtones are no accident. JPMorgan is responding to attacks that the federal government is unable or unwilling to stop, says Nate Freier, research professor at the U.S. Army War College, yet it isn’t clear whether the bank’s weapons-grade operation is doing a better job than law enforcement agencies. “It’s a brave new world that’s not very well understood by the people playing the game,” Freier says. “It really is every man for himself.”
The bank hasn’t said publicly who it believes is responsible for the June attack, in which hackers stole the names, addresses, and e-mail addresses—but not credit card numbers or passwords—of 83 million individuals and small businesses. Several people connected to the probe say Cummings and Rattray strongly suspected very early that it was engineered by the Kremlin. That message was delivered through back channels to the White House, according to a senior U.S. official.
Cummings and Rattray, who was Condoleezza Rice’s cyber expert when she headed the National Security Council under President George W. Bush, retain a network of high-level contacts in Washington. Less than three weeks after the breach was discovered on Aug. 27, the two men organized a conference call with more than a dozen agents from the FBI, Homeland Security, the Secret Service, and the Treasury Department. Over the course of an hour, they made the case that the breach was a national security matter, say two people familiar with the call.
Patricia Wexler, a JPMorgan spokeswoman, declines to say how the bank categorizes the breach. “While we were open to all theories in the early stages of the investigation, we never concluded that this was a state-sponsored attack,” she wrote in an e-mail. The bank wouldn’t make executives available.

The military orientation of JPMorgan’s security team leaders may incline them to see the involvement of governments and spies when companies face a range of threats, many motivated purely by profit, says Brendan Conlon, who spent 10 years in computer network operations with the NSA and now runs Vahna, a security firm in Washington. “It’s like groupthink,” he says.
The FBI initially assigned two groups of agents from the New York office to the case—one specializing in nation-state attacks and one in criminal hacks—because it was unclear which group would be needed. Rattray and Cummings had already decided, according to two people familiar with the investigation; they advised the bank security team to refer to the breach as a probable national security event.
A person familiar with the investigation says Rattray and Cummings were under pressure from bank executives to obtain a letter from the Department of Justice that would have exempted the bank from having to notify customers and regulators of the data loss. These rare waivers are typically only granted when the victimized company can convincingly show that the loss was the result of a state-sponsored or serious criminal attack that requires absolute secrecy while the government investigates.
Within two weeks of the conference call, the FBI handed the investigation to criminal specialists and told the bank it wasn’t getting the letter. One key piece of evidence the FBI considered was that the hackers were using a data center in St. Petersburg, Russia, of the sort used by low-level cybercriminals to send spam or operate botnets, according to three people familiar with the probe, who were among more than two dozen interviewed about the breach and who asked to remain anonymous because the investigation is confidential. “The evidence collected thus far points to it being a criminal actor and not a nation-state,” says Ari Baranoff, assistant special agent in charge of the Secret Service’s Criminal Investigative Division.
Bank insiders say Rattray and Cummings, aided by private cybersecurity companies, haven’t found a smoking gun. But there are what one person familiar with the probe described as nation-state fingerprints. The attackers appeared to have deleted or altered server logs that would have helped investigators retrace their steps inside the network—a degree of meticulousness that’s a hallmark of an intelligence agency or someone trained by one. And they lingered on servers that would seem to have no value to criminals.
To Cummings and Rattray, those were signs the hackers might be engaged in a long-term operation. Rather than steal easily marketable data such as credit card numbers or account passwords, they may have been looking for deep vulnerabilities in the bank’s infrastructure or custom software that could be exploited later. “Greg usually knows what he’s doing,” says James Lewis, a senior fellow in cybersecurity at the Center for Strategic and International Studies in Washington. “You can say these guys see spies everywhere, but the problem with that is spies are everywhere.”
Not all of that information was shared with the FBI. While Rattray and Cummings were asking the government to help, they were also tightly limiting access to the attack data, to prevent leaks and also to allow the bank to control the investigation, say two people familiar with those decisions. Rattray stalled law enforcement requests for information with vague explanations about legal process, according to people familiar with the matter.
The Secret Service, which has a secondary role in the investigation, became so frustrated that it threatened to seize the evidence, says one person familiar with the situation. Joseph Demarest, assistant director of the FBI’s cyber division, called Chief Operating Officer Matthew Zames to discuss the issue. The bank and the FBI settled their dispute after Demarest’s call with a formal agreement on information sharing. “Our relationship with JPMorgan Chase remains outstanding, and we continue to work together to solve this crime,” Demarest says. Wexler, the bank spokeswoman, wrote: “The report of clashes regarding information sharing is not true.”
On Jan. 8 a group of 15 state attorneys general sent a letter to the bank, asking it to explain how it can be sure that more sensitive information wasn’t stolen in the breach. The answer is, it can’t be sure. Six months after the hack, and despite a security budget of a quarter of a billion dollars, JPMorgan still faces big holes in its understanding of the attackers’ movements or exactly what data they removed from the network. It owned an expensive system designed to capture that data—something like a video security camera that gives an after-the-fact view of a crime—but programmed it with too little storage to retain all evidence of the intrusion, according to people familiar with the bank’s response. “We have a full accounting of what information was breached,” Wexler wrote.
Following the attack, CEO Jamie Dimon vowed to increase JPMorgan’s security budget and move quickly to address any problems exposed in the hack, which in turn has led to more hiring of defense contractors and people with military backgrounds, say three people familiar with the bank’s team. Some security experts say that whatever the government’s failings at protecting American companies from cyberattack, creating a mini-NSA in Midtown Manhattan isn’t the answer, especially given the power and influence already wielded by Wall Street banks. Digital war is being privatized, says Freier, the U.S. Army War College professor. “What you worry about is a virtual Guns of August moment, where every actor is so well-armed and so able to mobilize assets in their own defense that they start an escalation.”
The bottom line: JPMorgan has hired men with military backgrounds and increased spending to improve its cyber defenses.

Monday, February 23, 2015

MasterCard, Visa up ante in battle for data security

MasterCard and Visa are adding more firepower in their fight to combat data security abuses.
The plans were revealed separately by each company, and coincided with last week's White House Summit on Cybersecurity and Consumer Protection at Stanford University.
MasterCard reported that it would invest more than $20 million in cybersecurity-related technology enhancements to deliver greater confidence to MasterCard cardholders, merchants and issuing banks. The enhancements will include biometrics

"These new activities will help us continue to deliver the tools and solutions that instill a peace of mind by protecting each transaction that crosses our network," Chris McWilton, president, North American Markets, MasterCard, said in a press release. "While progress is being made with the move to EMV and mobile payments, our continued investments reinforce the efforts we are taking to protect the payments system for cardholders, merchants and issuers. That's at the heart of what our cardholders expect when they see our brand mark."
This spring, MasterCard will launch MasterCard Safety Net in the United States. The solution is designed to reduce the risk of fraud or cyberattacks before issuers and processors might notice these threats. It provides an independent layer of security on top of the tools and policies of financial institutions by monitoring and blocking specific transactions based on selected criteria, the company said. "MasterCard Safety Net is designed to intervene only in extreme cases to block fraudulent activity."
Later in the year, MasterCard and First Tech Federal Credit Union will roll out a pilot program that will enable consumers to authenticate and verify their transactions using a combination of unique biometrics, such as facial and voice recognition and fingerprint matching. "This initial test has the potential to deliver greater security to U.S. cardholders without compromising the ease and convenience Americans have come to expect today when using their credit and debit cards," the press statement said.
Up to now, biometric authentication has been considered unproven as a replacement for passwords, according to PaymentsSource. "There's been advancement in the technology behind biometrics that makes this a good time," said Carolyn Balfany, MasterCard's senior VP of product delivery, who is focused on EMV and security.
"We've been talking about biometrics for a long time, but I think we're at the tipping point of adoption, spurred both by the advancement of the various biometric technologies, combined with the fact that we finally have a set of endpoints such as mobile devices that can easily facilitate the authentication without requiring any special hardware," Julie Conroy, a research director at Aite Group, told PaymentsSource.
Visa said that it is expanding the use of new security technology that replaces the traditional 16-digit account number with a unique series of numbers. This will help to prevent exposure of sensitive consumer account information in online and mobile payments.
"In 2015, Visa will offer secure payments across a wide variety of devices, platforms and apps," said Charlie Scharf, Visa's CEO,  in a prepared statement. "In order to enable these innovative new ways to pay, we are deploying smart technologies that help to prevent fraud, while also maintaining consumer and merchant trust in digital commerce."
Last year, the company launched Visa Token Service, the technology that replaces the sensitive payment account information found on plastic cards, such as the 16-digit account number, expiration date and security code, with a unique series of numbers that can authorize payment without exposing actual account details. To date, more than 500 financial institutions have started to implement the service, Visa said. In 2015, the service will expand to more payment environments, helping merchants, financial institutions and mobile device manufacturers to offer secure digital payment experiences.
"Removing card account numbers from the processing and storage of payments represents one of the most innovative and promising technologies we've seen in decades," said Scharf. "This, combined with chip card technology, advances in account holder authentication through analytics and biometrics, and more sophisticated risk monitoring, will allow Visa account holders to enjoy new, secure payment experiences."
Gil Luria, an analyst at Wedbush Securities, told the Wall Street Journal it's no sure thing that the initiatives will be sufficient to stop the data abuses. "Nobody's really come up with a foolproof way to safeguard consumer information. At the end of the day, it's the retailer, the bank that has to keep it secure. [Visa and MasterCard] can only do so much to set the rules, enforce them," he said.
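To make the tokenization idea concrete, here is an added example in Python (not Visa's code, and not the Visa Token Service API) of a toy token vault: the merchant stores a 16-digit surrogate that passes the same Luhn check a card number does, the vault alone holds the mapping, and a token only detokenizes for the requestor (merchant or device) it was issued to, so a token lifted from one merchant's database is useless elsewhere. The `TOKEN_PREFIX` range, the requestor binding and the test card number are assumptions made for this example.

```python
"""Toy token vault showing the idea behind a payment token service: the
merchant keeps a surrogate that looks like a card number, the vault keeps the
mapping, and a token only detokenizes for the party it was issued to.
Added example; not Visa's code or the Visa Token Service API.  The 16-digit
PAN used in the test is the well-known constructed test number."""
import secrets

# Constructed range: no real issuer range starts this way in this example,
# so a token can never be mistaken for a live card number.
TOKEN_PREFIX = "9"


def luhn_ok(number: str) -> bool:
    """Luhn check digit used by card numbers.  Tokens are kept Luhn-valid
    here so legacy sanity checks in merchant systems still pass (assumption)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    return next(str(d) for d in range(10) if luhn_ok(partial + str(d)))


class TokenVault:
    def __init__(self):
        self._by_token = {}   # token -> (pan, requestor)
        self._by_key = {}     # (pan, requestor) -> token

    def tokenize(self, pan: str, requestor: str) -> str:
        """Issue (or re-use) a token for this PAN bound to one requestor.
        The PAN itself never leaves the vault."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a well-formed card number")
        key = (pan, requestor)
        if key in self._by_key:
            return self._by_key[key]
        while True:
            body = TOKEN_PREFIX + "".join(secrets.choice("0123456789") for _ in range(14))
            token = body + luhn_check_digit(body)
            if token not in self._by_token:   # retry on the (rare) collision
                break
        self._by_token[token] = key
        self._by_key[key] = token
        return token

    def detokenize(self, token: str, requestor: str):
        """Return the PAN only to the requestor the token was issued to."""
        entry = self._by_token.get(token)
        if entry is None or entry[1] != requestor:
            return None
        return entry[0]

    @staticmethod
    def display(number: str) -> str:
        """Masked form for receipts and logs: only the last four digits."""
        return "*" * (len(number) - 4) + number[-4:]


if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize("4111111111111111", "merchant-A")   # constructed test PAN
    print(TokenVault.display(token), vault.detokenize(token, "merchant-A"))
    print(vault.detokenize(token, "merchant-B"))   # None: wrong requestor
```

The requestor binding is the part worth noticing: the breach risk the passage describes is reduced not because the token is secret, but because it carries no value outside the context it was issued for and the mapping lives only in the vault.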
For more:
-See this MasterCard press release
-See this Visa press release
-See this PaymentsSource article
-See this Wall Street Journal article

Thursday, February 19, 2015

Superfish Compromises All SSL Connections on Lenovo Gear

More than just pre-installed adware on some Lenovo laptops, Superfish acts as a man-in-the-middle certificate authority, hijacking every SSL session the laptop makes.
PC manufacturer Lenovo has confirmed that it had -- between mid-2014 and mid-January -- shipped laptops pre-loaded with the Superfish adware application. The problem with Superfish isn't that it's annoying adware. The problem is that it compromises the sanctity of all SSL connections a Lenovo client machine makes. (As though SSL didn't have enough problems.)
Security researcher Marc Rogers drew attention to the problem in a blog post on Wednesday. Paco Hope, principal consultant for Cigital, provided more analysis in a blog post today.
The intended purpose of Superfish is to serve targeted ads to Lenovo users. It does so by looking over users' shoulders when they're web browsing, peeking at the images being displayed, then serving up ads similar to those images -- the idea being that if a user is already interested in a vacuum cleaner, maybe they'd be grateful for more info about great deals on vacuum cleaners.
Lenovo's reason for pre-loading Superfish is to make some extra cash, since they, like most client machine manufacturers, don't profit greatly from selling laptops.
If only spying on users and pelting them with ads was the worst Superfish did.
Essentially, Superfish hijacks every SSL connection and operates as a man-in-the-middle certification authority (CA). Every computer contains a certificate store with trusted certs pre-installed by the operating system or browser. Superfish, however, also installs its own certificate -- one not vetted by the OS or browser vendor -- into the laptop's cert store, meaning that the machine will trust anything signed by Superfish.
And as it is implemented on those Lenovo clients, everything is signed by Superfish -- web sessions, VPNs, software updates, etc. For example, when a website -- say, Bank of America -- attempts to initiate a secure connection with a browser, Superfish intercepts the communication. It (not the browser) decrypts the site, inspects it for "suitability of advertisements, and then a new encrypted connection will be made from the Superfish process to Bank of America," explains Hope. "Likewise, the web page sent back by Bank of America might have advertisements inserted into the HTML by Superfish."
Adding insult to injury, Superfish does not seem to check whether or not the initial certificate (from Bank of America, or wherever) was, itself, legitimate. So, while a user's browser might issue a warning message that "this site's certificate is untrusted/expired," Superfish may not do that due diligence.
Plus, the Superfish certificate is signed with the SHA-1 algorithm -- so it may be replacing a site's stronger SHA-2 certificate with a weaker one.
"It is hard to overstate how catastrophically bad this design is," writes Hope. "[Superfish] doesn’t merely insert advertisements into web pages. It undermines every secure connection the Windows computer might make. Lots of software—way beyond web browsers—use the certificate store to fetch certificates. ... Everything on a Lenovo computer that says it is 'making a secure connection' is now lying."
It gets worse.
"The catastrophic failure," writes Hope, "is that Superfish installs a certificate at the highest level of trust, and they ship both the public key and private key that belong to it on every single laptop. Once that private key is known, then anyone can issue certificates for web sites or VPN concentrators and sign them with this Superfish private key. Users of Lenovo laptops who trust the Superfish key will accept those certificates as genuine."
It effectively disables "the laptop’s ability to distinguish genuine web sites from fake" ones, he says.
Lenovo said that it stopped pre-loading Superfish last month and has since disabled existing implementations. Unfortunately, axing the app is not enough -- the more important job is deleting the certificate, and that's something users must do manually. (Microsoft provides instructions on how to do so. LastPass has done similarly, and created a tool for checking if Superfish is running on your machine.)
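As an added example (not the article's code, nor a Lenovo, Microsoft or LastPass tool), the following stdlib-only Python inspects a DER-encoded certificate for the three things the passage above turns on: which CA issued it, whether it is a self-signed root outside the trust anchors you expect, and whether it is signed with SHA-1. A certificate exported from a store can be fed to `describe_cert` as DER bytes (base64-decode a PEM body first); the sample root is constructed inline with dummy key and signature bytes, its common name chosen to mimic the case, and `EXPECTED_ROOTS` is a hypothetical allow-list.

```python
"""Inspect an X.509 certificate for what the Superfish case turned on: who
issued it, whether it is a self-signed root, and whether it is SHA-1 signed.
Added example (not code from the article, Lenovo or Superfish); stdlib only,
with a minimal DER reader.  The sample root at the bottom is CONSTRUCTED."""
OID_SHA1_WITH_RSA = "1.2.840.113549.1.1.5"   # sha1WithRSAEncryption
OID_COMMON_NAME = "2.5.4.3"

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):  # DER encoder, needed only to build the sample
    return bytes([tag]) + _der_len(len(body)) + body

def seq(*parts):
    return tlv(0x30, b"".join(parts))

def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:                     # base-128, high bit = more to come
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    pos, out = 0, []
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def decode_oid(body):
    arcs, cur = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def common_name(name_body):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value String }."""
    for _, rdn in children(name_body):
        for _, atv in children(rdn):
            (_, attr_type), (_, value) = children(atv)
            if decode_oid(attr_type) == OID_COMMON_NAME:
                return value.decode("utf-8", "replace")
    return None

def describe_cert(der):
    """Issuer CN, subject CN, signature algorithm OID and self-signed flag."""
    _, cert, _ = read_tlv(der, 0)
    (_, tbs), (_, sig_alg), _ = children(cert)
    fields = children(tbs)
    if fields[0][0] == 0xA0:                # optional explicit [0] version
        fields = fields[1:]
    issuer, subject = fields[2][1], fields[4][1]
    return {"issuer": common_name(issuer), "subject": common_name(subject),
            "sig_alg": decode_oid(children(sig_alg)[0][1]),
            "self_signed": issuer == subject}

def audit_certificate(der, expected_roots):
    """Flag a self-signed root you did not put there, and a SHA-1 signature."""
    info, findings = describe_cert(der), []
    if info["self_signed"] and info["issuer"] not in expected_roots:
        findings.append("unexpected self-signed root: %r" % info["issuer"])
    if info["sig_alg"] == OID_SHA1_WITH_RSA:
        findings.append("signed with SHA-1 (sha1WithRSAEncryption)")
    return info, findings

def build_sample_cert(cn, sig_alg_oid):
    """CONSTRUCTED self-signed certificate shell with dummy key/signature bytes."""
    alg = seq(oid(sig_alg_oid), tlv(0x05, b""))
    name = seq(tlv(0x31, seq(oid(OID_COMMON_NAME), tlv(0x0C, cn.encode()))))
    validity = seq(tlv(0x17, b"150101000000Z"), tlv(0x17, b"350101000000Z"))
    spki = seq(seq(oid("1.2.840.113549.1.1.1"), tlv(0x05, b"")), tlv(0x03, bytes(9)))
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"),
              alg, name, validity, name, spki)
    return seq(tbs, alg, tlv(0x03, bytes(9)))

SAMPLE_ROOT = build_sample_cert("Superfish, Inc.", OID_SHA1_WITH_RSA)
EXPECTED_ROOTS = {"Example Corporate Root CA"}   # hypothetical trust anchors

if __name__ == "__main__":
    print(audit_certificate(SAMPLE_ROOT, EXPECTED_ROOTS))
```

Run over every root in a machine's store, the `unexpected self-signed root` finding is the one that matters for the remediation step the article describes: removing the adware leaves the root behind, and only the certificate's presence in the store tells you the machine is still trusting it.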
The damage to Lenovo's reputation may already be done.
"This is unbelievably ignorant and reckless of [Lenovo]," Rogers wrote. "It's quite possibly the single worst thing I have seen a manufacturer do to its customer base. At this point I would consider every single one of these affected laptops to be potentially compromised and would reinstall them from scratch."
"Recent revelations about Lenovo enabling MiTM attacks are similar to what was reported last month about the Gogo service," says Kevin Bocek, VP of security strategy and threat intelligence at Venafi. "You’ve got good guys doing what the bad guys do. In this case, they're breaking everything that’s been built over 20 years to create trust and privacy on the Internet, by inserting a CA into systems that can impersonate any trusted site.
"This is exactly what bad guys do with Trojans and other malicious software," he adds, "to trick users to access fake sites to surveil/monitor private communications."
Ken Westin, senior security analyst at Tripwire, says that, despite the economic reasons for pre-loading its laptops with adware, Lenovo hasn't done itself any favors. "With increasingly security- and privacy-conscious buyers, laptop and mobile phone manufacturers may well be doing themselves a disservice by seeking outdated advertising based monetization strategies," he says. "If the findings are true and Lenovo is installing their own self-signed certificates, they have not only betrayed their customers’ trust, but also put them at increased risk.”
Timo Hirvonen, senior researcher at F-Secure, put it succinctly

Tuesday, February 17, 2015

New Personal Data Protection Act (Wet Bescherming Persoonsgegevens) adopted by the Dutch House of Representatives

SSL security of Belgian banks seriously substandard

According to security blogger Yeri Tiete, the SSL security of many large banks is not up to date, which in this case makes the encryption practically worthless. DataNews reported this yesterday.
The Belgian security blogger discovered a few weeks ago that the SSL security of most Belgian financial institutions was in poor shape: SSL is implemented badly, and updates and important bug fixes are postponed for too long.
According to the security blogger, the banks often hesitate to update their SSL security protocol because they want to make sure that computers still running the old Windows XP or using Internet Explorer 6 can still run their applications.

Source: DataNews

Thursday, February 12, 2015

Security gaps found in 39,890 online databases containing customer data

February 10, 2015
University Saarland
Anyone could call up or modify several million pieces of customer data online including names, addresses and e-mails. Three students were able to show this for 40,000 online databases in both Germany and France. The cause is a misconfigured open source database upon which millions of online stores and platforms from all over the world base their services. If the operators blindly stick to the defaults in the installation process and do not consider crucial details, the data is available online, completely unprotected.

Kai Greshake, Eric Petryka and Jens Heyens discovered 39,890 unprotected Internet databases.
Credit: Image courtesy of University Saarland
Anyone could call up or modify several million pieces of customer data online including names, addresses and e-mails. According to the Center for IT-Security, Privacy and Accountability (CISPA) in Saarbrücken, Germany, three of its students were able to show this for 40,000 online databases in both Germany and France. The cause is a misconfigured open source database upon which millions of online stores and platforms from all over the world base their services. If the operators blindly stick to the defaults in the installation process and do not consider crucial details, the data is available online, completely unprotected. CISPA has already contacted the vendor and data protection authorities.
"It is not a complex bug, but its effect is disastrous," explains Michael Backes, professor of information security and cryptography at Saarland University and director of CISPA. He was contacted by the students and CISPA employees Kai Greshake, Eric Petryka and Jens Heyens at the end of January. Heyens is a cybersecurity student at Saarland University, and his two fellow students plan to concentrate on this subject in the upcoming semester. The flaw which the three CISPA students detected affects 39,890 databases. "The databases are accessible online without being protected by any defensive mechanism. You even have the permissions to update and change data. Hence we assume that the databases were not left open on purpose," Backes explains. The vendor of the database is MongoDB Inc. Its database MongoDB is one of the most widely used open source databases worldwide. Out of curiosity, the students queried a publicly accessible search engine for servers and services connected to the Internet. In this manner, they discovered IP addresses companies use to run unprotected MongoDB databases.
When the students called up the detected MongoDB databases with the respective IP addresses, they were surprised: Access was neither locked, nor protected in any other way. "A database unprotected like this is similar to a public library with a wide open entrance door and without any librarian. Everybody can enter," explains Backes. Within a few minutes, the students detected this critical condition within numerous other databases as well. They even found a customer database which might belong to a French Internet service provider and mobile phone carrier. It contained the addresses and telephone numbers of roughly eight million French customers. According to the students, among those addresses they also found the data of half a million German clients.
They also detected the unprotected database of a German online retailer, including payment information. "The saved data can be used later to steal identities. Even if the identity theft is known, even years later the affected people have to deal with contracts signed under their own names by the identity thieves," says Backes. The CISPA researchers began contacting MongoDB Inc. immediately, as well as the international computer emergency response teams (CERTs). They informed the French data protection service Commission nationale de l'informatique et des libertés and the German Office for Information Security. "We do also hope that the developer of MongoDB will quickly include our results, incorporate them into its guidelines and forward them to the companies using the database," says Backes.
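The "defaults" the article refers to come down to two settings in mongod's configuration: which interfaces the listener binds to, and whether access control is switched on. As an added example (not CISPA's or MongoDB Inc.'s code), this Python audit reads a mongod.conf in either the YAML layout or the older `key = value` layout and flags a listener bound to every interface and authorization left disabled. The parser is a deliberately minimal subset of YAML rather than a library so the script runs stdlib-only, and the sample configurations are constructed for the example.

```python
"""Audit a mongod configuration for the two settings behind the exposure the
article describes: a listener bound to every interface and access control
left off.  Added example, not CISPA's or MongoDB Inc.'s code.  Reads both the
YAML layout (mongod 2.6 and later) and the older 'key = value' layout with a
small purpose-built parser; the config texts at the bottom are CONSTRUCTED."""

ALL_INTERFACES = {"0.0.0.0", "::"}
# legacy option name -> (YAML section, YAML key)
LEGACY_KEYS = {"bind_ip": ("net", "bindIp"), "port": ("net", "port"),
               "auth": ("security", "authorization")}


def parse_mongod_conf(text):
    """Return {section: {key: value}}.  YAML support is limited on purpose to
    the two-level 'section:' / '  key: value' shape mongod.conf uses."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if "=" in line and ":" not in line.split("=", 1)[0]:   # legacy style
            key, value = (s.strip() for s in line.split("=", 1))
            sec, name = LEGACY_KEYS.get(key, ("legacy", key))
            if key == "auth":                          # auth = true  ->  enabled
                value = "enabled" if value.lower() == "true" else "disabled"
            settings.setdefault(sec, {})[name] = value
            continue
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        if line[0].isspace():                          # indented: key in section
            settings.setdefault(section, {})[key] = value.strip("[]\"'")
        elif value:                                    # rare top-level scalar
            settings.setdefault("_top", {})[key] = value
        else:                                          # section header
            section = key
            settings.setdefault(section, {})
    return settings


def audit_mongod_conf(text):
    """List the findings that would have put this database in the students' results."""
    cfg, findings = parse_mongod_conf(text), []
    bind = cfg.get("net", {}).get("bindIp")
    if bind is None:
        findings.append("net.bindIp unset: mongod of this era listens on every "
                        "interface by default")
    else:
        public = [b.strip() for b in bind.split(",") if b.strip() in ALL_INTERFACES]
        if public:
            findings.append("net.bindIp %s: listener reachable from any network"
                            % ", ".join(public))
    authz = cfg.get("security", {}).get("authorization", "disabled").lower()
    if authz != "enabled":
        findings.append("security.authorization %s: anyone who can connect can "
                        "read and modify data" % authz)
    return findings


# Constructed samples.
WEAK_YAML = """\
# installed with the shipped defaults: no bindIp, no security section
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
"""
HARDENED_YAML = """\
storage:
  dbPath: /var/lib/mongo
net:
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the application-tier interface
  port: 27017
security:
  authorization: enabled
"""
WEAK_LEGACY = "dbpath = /var/lib/mongo\nbind_ip = 0.0.0.0\n"
HARDENED_LEGACY = "dbpath = /var/lib/mongo\nbind_ip = 127.0.0.1\nauth = true\n"

if __name__ == "__main__":
    for label, conf in [("weak yaml", WEAK_YAML), ("hardened yaml", HARDENED_YAML),
                        ("weak legacy", WEAK_LEGACY), ("hardened legacy", HARDENED_LEGACY)]:
        print(label, "->", audit_mongod_conf(conf) or ["ok"])
```

Note that an empty configuration produces both findings: that is exactly the "blindly stick to the defaults" case Backes describes, and it is why a configuration audit, rather than a scan, is the first check an operator should run.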

Story Source:
The above story is based on materials provided by University Saarland. Note: Materials may be edited for content and length.

Tuesday, February 3, 2015

Data Protection Warning: Prepare Now for New EU Privacy Laws

European organizations are being urged to use today’s ninth annual Data Protection Day as an incentive to step up preparations for major new EU privacy laws coming down the road.
The date was created to raise awareness about data protection issues as it falls on the anniversary of the opening for signature of the Council of Europe's Convention 108 – a cornerstone of international privacy laws.
It’s named Data Privacy Day in the US.
However, with the EU General Data Protection Regulation (GDPR) approaching the latter stages of negotiations between member states, organizations across Europe are being told to get ready for the potentially onerous new obligations.
“Strong, effective data protection and the responsible, transparent use and retention of data are the hallmark of an ethical organization,” said Sue Trombley, managing director of Professional Services at Iron Mountain.
“It is an approach that can inspire customer trust just as much as a data breach can destroy it. The equation is simple: trust builds loyalty and loyalty drives sales. Organizations have much to gain from taking action now before the law obliges them to do so.”
The firm has released a report detailing the opportunities to plan and manage the impact of legal change.
Privacy has certainly become a major issue in the minds of consumers. In fact, almost half (45%) of Brits believe it’s more important than national security, according to the TRUSTe 2015 GB Consumer Confidence Privacy Index.
The data privacy management firm interviewed around 1,000 British netizens to compile its research, which also revealed that 92% are concerned about their online privacy and one third are more concerned than they were a year ago.
Of most concern to respondents was the possibility of firms collecting personal data and sharing it with other companies (48%).
However, security firm Egress claimed that a recent FoI request to privacy watchdog the Information Commissioner’s Office (ICO) revealed the vast majority of data breaches (93%) occur as a result of human error.
“Businesses must start looking closer to home if they want to prevent data breaches. Mistakes such as losing an unencrypted device in the post or sending an email to the wrong person are crippling organizations,” argued CEO Tony Pepper.
“In fact, our ICO FoI data shows that a total £5.1m has been issued for mistakes made when handling sensitive information, whereas to date no fines have been levied due to technical failings exposing confidential data.”
It’s not just in the UK and Europe where data protection is becoming a major talking point. Stats from the Identity Theft Resource Center earlier this month revealed that reported data breaches hit 783 in 2014, growing by a whopping 27.5% over the previous 12 months.