Modernizing Authentication — What It Takes to Transform Secure Access
Each month, eSecurity Planet looks back at the data breaches we’ve covered over the past 30 days or so, providing an admittedly unscientific but (we hope) interesting overview of the current breach landscape.
To get some perspective on the current range of threats and recent breaches, eSecurity Planet spoke with Giovanni Vigna, co-founder and CTO of Lastline and a professor at the University of California, Santa Barbara.
Regarding the recent high-profile data breaches at Target and Neiman Marcus, Vigna says it’s worth noting that retailers in general are particularly vulnerable to such attacks."They’re super-dispersed, they have sometimes hundreds and hundreds of separate offices and separate point-of-sale devices – and all of these are very difficult to protect in an integrated way," he says.
Any effective security solution for a retailer, Vigna says, needs to be able to monitor all point-of-sale devices from a central location.
"The idea that POS and terminals are just devices and cannot be compromised, that’s gone out the window. They’re Windows machines that can be hacked, like any others," he says. "The problem is that for certain industries, investment in this type of security is very difficult to motivate, because there are very, very tight margins."
Importance of User Education
At the same time, several other types of breaches – laptop thefts, employee error, and insider breaches – are far more low-tech.
"We call it PEBKAC – problem exists between keyboard and chair," Vigna says. "Oftentimes, security issues come down to the person, and I think there’s an incredibly important and incredibly underestimated value in educating people on security. If you go to a company, you’ll get trained on pretty much everything – sales, strategies – but how much training in security will you get?"
That training, Vigna says, can be as simple as ensuring the implementation of basic policies, like requiring the use of two-factor authentication.
"You can have all the security you want, but if somebody leaves their laptop unencrypted, someone can just pick it up and have full access to everything – especially with long-lasting, single sign-on access, where if I have your Twitter password, now I can use Twitter authentication to move to all these other services," he says. "People don’t realize how having a person’s device, even a cell phone, can really break the security of a whole company."
For mobile devices in particular, Vigna says it can make a huge difference simply to implement password protection, along with the ability to wipe a device if it’s stolen. "You have to understand that if somebody is NSA-level motivated to break into your company, they will … but you can do a lot to prevent the generic, opportunistic attack of the guy who just steals a laptop," he says.
Still, Vigna says, corporate culture can make that very difficult to implement. "I’ve seen situations in which the techies say, 'Hey, if we put Google Authenticator on our Gmail, we completely solve the problem of stolen Gmail accounts – can we please do that?' And it’s management that says, 'No, I don’t know how to set it up, I don’t want to have to put in a number – no, absolutely not.'"
And that’s what has to change, he says.
"Even the best security tool cannot solve the problem if we are not able to, as a culture, provide the user with the sensitivity and the type of attention to what’s happening in the cyber world that we have in the physical world," Vigna says.
A person who would be cautious when walking through an empty parking lot at night often will not exhibit the same caution when dealing with potential cyber threats, he says. "Unfortunately, the cyber world is very new to a lot of us, and that type of culture has not percolated down to people enough. So when they see an attachment, their first thought isn’t, 'What is this attachment?' Their first thought is, 'I’m going to click on it.' And until we change that culture, you can have a lot of good security, but you’ll always find somebody who shoots themselves in the foot."
Among the data breaches that occurred in January:
An undisclosed number of Burlington, Vt. residents’ Social Security numbers were mistakenly published online as part of an agenda item posted on the city council’s website; Nebraska’s Sidney Regional Medical Center notified employees and job applicants that their personal information had been made available online by mistake; and the U.S. Department of Veterans Affairs eBenefits website briefly provided site visitors with access to other users’ personal, medical and financial information due to a “software defect.”
Third party vendors were also a source of such breaches. EasyDraft, which processes payments for Bright Horizons Family Solutions, notified current and former Bright Horizons customers that their names and bank account details were mistakenly made available online; and Virginia’s Loudoun County Public Schools said an error by third-party provider Risk Solutions International made students’ and staff members’ personal information accessible online.
A breach at software provider BigTree Solutions may have exposed credit card information for customers of food delivery services BringItToMe.com and The Bike Waiter; hackers stole more than a million credit and debit card numbers from Neiman Marcus’ point-of-sale systems; and data on approximately 6,000 medical responses was stolen from Washington’s North East King County Regional Public Safety Communication Agency (NORCOM).
Orient-Express Hotels notified an undisclosed number of customers that their names, credit/debit card numbers, expiration dates and security codes may have been exposed when an attacker accessed seven company email accounts; the Puerto Rico College of Physicians and Surgeons was hacked, exposing the personal information of all doctors licensed to practice in Puerto Rico; and unidentified hackers claimed to have leveraged a security flaw in the Snapchat app to access 4.6 million users’ phone numbers and user names.
The encrypted credit or debit card information of 93,389 Staysure customers was stolen when the company’s systems were breached; The Straight Dope message board was hacked, exposing user names, email addresses and hashed passwords; and hackers stole an undisclosed number of donors’ personal and financial information from the U.S. Fund for UNICEF.
An undisclosed number of wichcraft customers’ credit or debit card information was stolen when the company’s servers were breached, and a hacker claimed to have breached the website for the World Poker Tour Amateur Poker League (WPTAPL), and leaked 175,333 email addresses and clear text passwords.
Several hacker groups are still active. ObeySec hackers breached the website for the Directors Guild of Canada and leaked 2,031 user names, email addresses and clear text passwords, and members of Anonymous defaced Monsanto’s Korean website and leaked what appeared to be two user names, email addresses and plain text passwords.
Hackers regularly leverage malware. Hackers may have accessed the personal and medical information of patients at Barry University’s Foot and Ankle Institute after a school laptop was infected with malware, and a malware infection provided attackers with access to the personal and health information of an undisclosed number of customers of Edgepark Medical Supplies.
Third-party vendors are a common weak point. A breach of a Web portal run by REI Systems for the Department of Homeland Security exposed private documents and financial information for at least 114 companies that bid on a contract in 2013; Easton-Bell Sports notified several customers that their personal and financial information may have been exposed when a third-party vendor’s servers were infected with malware; T-Mobile USA notified customers that their personal information, including names, addresses and Social Security numbers or driver’s license numbers, may have been exposed when a third-party supplier’s servers were hacked; and an undisclosed number of Yahoo Mail passwords after were reset after the company discovered what it described as “a coordinated effort to gain authorized access” to the accounts, using passwords that it said were “likely collected from a third-party database compromise.
The City of Sumner, Wash., fired a temporary municipal court clerk after she forwarded information on 3,600 people to her personal email account; a Korea Credit Bureau employee was arrested and charged with stealing at least 20 million people’s names, Social Security numbers and credit card numbers; and a former Riverside Health System employee inappropriately accessed 919 patients’ medical records, including their Social Security numbers and medical history.
Third-party vendors were the source of insider breaches as well. Colorado’s Department of Health Care Policy and Financing informed 1,918 clients that a temporary employee of a third-party contractor had inappropriately accessed their names, addresses, birthdates and protected health information.
Laptop/Drive Theft or Loss
Barnabas Health patients’ medical information may have been exposed when an unencrypted laptop was stolen; 74,000 current and former Coca-Cola employees, contractors and suppliers’ personal information may have been exposed when several unencrypted company laptops were stolen; and New Mexico Oncology and Hematology Consultants notified 12,354 patients that their protected health information may have been exposed when a laptop was stolen.
Georgia’s Phoebe Putney Memorial Hospital said 6,777 patients’ personal information may have been exposed when an unencrypted computer was mistakenly discarded, and the personal information of 41,437 Unity Health Insurance customers may have been exposed when a portable hard drive was lost.
The personal or medical information of approximately 1,800 UC Davis Health System patients may have been exposed when three UC Davis’ physicians’ email accounts were compromised by phishing attacks.
Jeff Goldman is a freelance journalist based in Los Angeles. He can be reached at email@example.com.