Bob Sullivan

How can a bank – or any organization — become less secure in its attempts to become more secure?  Let me tell you how.

Security must do two things: Protect and enable.  If your security doesn’t enable people to do what they have to do, they will inevitably circumvent it, creating all sorts of exception conditions as they do. And that is the path to perdition (and hacking).

Security often fails because people who design security are much better at throwing up roadblocks than they are creating pathways.  Both are equally important if a security scheme is to work.

This month brought yet another story chronicling theft of millions of passwords by hackers, once again highlighting the importance of implementing “not-just-passwords security” at places that really matter.

But I’m about to turn off two-factor authentication at my bank, right at the moment when everyone seems hell bent to turn it on. Why?  Because it doesn’t make me safer if it doesn’t work; it just prevents me from accessing my money.

I’ve run into classic 21st Century Red Tape headaches with my bank recently as I try very hard to use its two-factor authentication scheme.  I often don’t like single-anecdote stories, but occasionally they illuminate larger problems so perfectly they are worth telling. So here goes.

A quick review:  Two-factor authentication adds a strong layer of security to a service by requiring two tests be met by a person seeking access — a debit card and a PIN code, for example, representing something you have and something you know.  Online banks and websites are slowly but surely nudging everyone towards various forms of two-factor authentication, because it really does make life harder for hackers.

Most of these two-factor forms involve use of smartphones, as they have become nearly ubiquitous. Log on to a website at a PC, confirm a code sent to your phone.  Something you have (the phone) and something you know (the password). Simple, but elegant, and far harder for bad guys to crack.

And it’s great, when it works. But what about when it doesn’t work?

Here’s a simple problem. Consumers get new phones all the time. If the code is tied to the physical handset, the code doesn’t work any longer. What then?

Turns out this can be a really vexing problem. (Readers of this column know why I had to get a new smartphone recently)

I’ve been a USAA banking customer for decades. The financial services firm has ranked atop customer satisfaction surveys seemingly forever, and for good reason:  It really does take good care of members.

At least it did, until it tried to implement two-factor security. I try not to be hypocritical, and follow my own advice, so I turned on USAA’s flavor of two-factor pretty early on. It’s a solid design: A Symantec app loaded onto your smartphone offers a temporary token — a 6-digit code — that changes every 30 seconds. The token is tied to the physical handset. Only a person who knows your PIN and can access the token on that handset can log into the website. You can see all the layers of protection that creates.

Sure, it’s a tiny hassle to pull out the phone every time you want to log on to the website — a larger hassle if your phone battery is dead. But that’s a fair price to pay for security.

However, the hassle becomes immense when it becomes time to change handsets.   So immense that as I type this, I cannot access my bank…and have no idea when I will be able to do so.(UPDATE: I was able to fix my login woes 24 hours later.) And that’s happened twice to me in the past year. Why? Chiefly because USAA is not set up to deal with the problem of new handsets.

To review: When I tried to access the website it demanded a token from my phone — a token that was no longer valid because I had a new phone.  When I tried to use the phone’s app to access my accounts, USAA asked for a password because it didn’t recognize the phone.  I didn’t have a password, I had a token — an invalid token.  You get the picture.

All that is a predictable technology hiccup that’s not the end of the world.  The real problem came next.

A call to customer service seemed to be my last available option, but that was dismal, too.  At various times I wasn’t been able to get through to customer service phone lines. What’s much worse, however, is what happened when I did get through.

People change phones roughly every two years, so this new handset problem must come up often enough.  Yet it’s obvious to me USAA operators are not ready to handle the problem when consumers call.  Each time I have reached an operator, I had to spend a lot of time explaining the problem — and remember, I do this for a living.  The first successful call today, the operator merely changed my mobile application login settings after putting me on hold for minutes.  When I protested that, she said she had to transfer me to a special department, and then the phone went dead.

After a second call and wait, the operator was sympathetic, but put me on hold quickly and wasted a lot of time trying to set me up with a new phone number.  It took a while before I could convince her that “new phone” meant “new handset” not “new number,” a mistake I will correct in future calls. We eventually agreed that all I needed was someone to turn off two-factor and issue me a temporary password so I could go in and re-establish the connection between my handset and my account.  But after another long hold, and transfers to two other operators, I was told that, sadly, they were having trouble issuing temporary passwords and asked if I could call back in an hour or so.

I’ve left out many steps in this saga.  At each stage, of course, I was subject to strict authentication questions. That’s fine — I was asking for a new password, after all.  But at the end of my fruitless journey through tech support, when I asked if I could somehow get express treatment when I called back just to find out if I could get a temporary password, I was told, “no.”  So I will have to once, again, convince a primary operator who I am, and that I am having token problems and that I need a temporary password.  There is obviously no “token problem” script, ready for my problem.

My experience last time was similar, so I know I am not just the victim of bad luck.

The last time this happened, I was sure to give the operator who finally liberated my account some specific feedback — there needs to be a tidy process for dealing with people who get new handsets.    Obviously, that hasn’t occurred. And so, the first thing I will do when I can access my account is disable the token. (I’ll use another form of two-factor). While I am afraid of hackers, I’m more afraid of not be able to access my money because my bank has poorly implement a security solution.

When I called USAA as a reporter to discuss my experience, the firm owned up to the challenges of implementing two-factor security.

“You’ve encountered an experience we are aware of,” said Mike Slaugh, Executive Director, Financial Crimes Prevention, at USAA. “What we’re working on here is a way to make that experience better. … Multi-factor authentication for us at USAA and the industry in general, it’s important.  (Making this experience better) is top of mind for us as we work to help members protect  themselves.”

USAA is hardly the only firm having trouble dealing with two-factor issues.  Independent security analyst Harri Hursti told me about the foibles consumers face when dealing with two-factor authentication that relies on text messages.

“The moment you start traveling, all bets are off. Text messages over roaming are far from reliable – they either are never delivered, or they experience regular delivery delays over 10-15 minutes, which are the most typical time-out limits on the websites,” he said. Hursti, who was in Portugal when I interviewed him, said he was late paying an electricity bill this month because of two-factor pain points.  “Basically, in order to do banking when travelling internationally, you need to start that by turning all security off. And yet you are knowingly getting into increased security risk environment.”

Gartner security analyst Avivah Litan says these kinds of implementation and customer service issues not only threaten adoption of two-factor security, they actually create more pathways for hackers.

“Two factor, in this case, actually weakens security – rather than strengthens it,” she said. “I always tell our clients that their security is only as strong as its weakest link and surely, when they disable two factor authentication on the account, they likely ask the account holder to verify their identity by answering those easily compromised challenge questions, which any criminal who can buy data on the dark web has access to.  Therefore this is an easy way for criminals to get access to your account.  So not does two factor authentication without proper supporting processes serve to annoy and greatly inconvenience good legitimate customers, it also does little to keep the bad guys out for this and other reasons.”

As Litan is fond of saying, there’s a fallacy that “harder is better” in security.  It “doesn’t keep bad guys out, but it annoys good guys.”

Perhaps this problem isn’t *that* common yet, as uptake on two-factor is still relatively small (USAA acknowledged that, and it’s common across the industry). Don’t worry: With each password hack, more and more people will turn on two-factor.  If companies blow the implementation, consumers will just as quickly turn it off again.  And we might lose them for several years.

Protect and enable, or we’re all at greater risk.

Larry Ponemon

We are pleased to present the findings of The State of Malware Detection & Prevention sponsored by Cyphort. The study reveals the difficulty of preventing and detecting malware and advanced threats. The IT function also seems to lack the information and intelligence necessary to update senior executives on cybersecurity risks.

We surveyed 597 IT and IT security practitioners in the United States who are responsible for directing cybersecurity activities and/or investments within their organizations. All respondents have a network-based malware detection tool or are familiar with this type of tool.

Getting malware attacks under control continues to be a challenge for companies. Some 68 percent of respondents say their security operations team spends a significant amount of time chasing false positives. However, only 32 percent of respondents say their teams spend a significant amount of time prioritizing alerts that need to be investigated.

Despite such catastrophic data breaches as Target, cyber threats are not getting the appropriate attention from senior leadership they deserve. As shown in the findings of this research, respondents say they do not have the necessary intelligence to make a convincing case to the C-suite about the threats facing their company.

The following findings further reveal the problems IT security faces in safeguarding their companies’ high value and sensitive information.

Companies are ineffective in dealing with malware and advanced threats. Only 39 percent of respondents rate their ability to detect a cyber attack as highly effective, and similarly only 30 percent rate their ability to prevent cyber attacks as highly effective. Respondents also say their organizations are doing poorly in prioritizing alerts and minimizing false positives. As mentioned above, a significant amount time is spent chasing false positives but not prioritizing alerts.

Most respondents say C-level executives aren’t concerned about cyber threats. Respondents admit they do not have the intelligence and necessary information to effectively update senior executives on cyber threats. If they do meet with senior executives, 70 percent of respondents say they report on these risks to C-level executives only on a need-to-know basis (36 percent of respondents) or never (34 percent of respondents).

Sixty-three percent of respondents say their companies had one or more advanced attacks during the past 12 months. On average, it took 170 days to detect an advanced attack, 39 days to contain it and 43 days to remediate it.

The percentage of malware alerts investigated and determined to be false positives. On average, 29 percent of all malware alerts received by their security operations team are investigated and an average of 40 percent are considered to be false positives. Only 18 percent of respondents say their malware detection tool provides a level of risk for each incident.

Do organizations reimage endpoints based on malware detected in the network? More than half (51 percent) of respondents say their organization reimages endpoints based on malware detected in the network. An average of 33 percent of endpoint re-images or remediations are performed without knowing whether it was truly infected. The most effective solutions for the remediation of advanced attacks are network-based sandboxing and network behavior anomaly analysis.

Download and read the rest of the report.

Bob Sullivan

We know that Americans are concerned about their cars being hacked.  We also know that some consumers believe criminals are “hacking” into their parked cars and committing “snatch and grab” crimes using devices that simulate newfangled keyless entry systems.

Now, we know the FBI is worried about car hacking, too. The agency, along with the National Highway Traffic Safety Administration, issued a bold warning to consumers and manufacturers last week.

“The FBI and NHTSA are warning the general public and manufacturers – of vehicles, vehicle components, and aftermarket devices – to maintain awareness of potential issues and cybersecurity threats related to connected vehicle technologies in modern vehicles,” the warning says. “While not all hacking incidents may result in a risk to safety – such as an attacker taking control of a vehicle – it is important that consumers take appropriate steps to minimize risk.”

The FBI warning didn’t raise any new concerns; it mainly cites revelations of car hacking from 2015 as impetus for the warning. Still, the notice clearly demonstrates there is a level of activity around car hacking that should have everyone concerned. Drive down the highway sometime (as a passenger) and use your smartphone to see at all the cars sending out Bluetooth connections around you and you’ll get an idea about how connected our vehicles have become.

Meanwhile, consumers continue to report mysterious car break-ins around the country with no signs of forced entry, in situations when they swear their car doors were locked.  In Baltimore, a string of crimes following this pattern frustrated local residents earlier this year.

“What was strange to me was that, while I could tell it was broken into because my jacket was taken and they tossed through the stuff in the car, there were no signs of a breaking. No broken windows or anything,” said one driver. “I called and reported it mostly because I wanted to know how anyone could have gotten in if it was locked and no windows were broken. The officer said people have these things that basically interfere with newer cars electronic/fob locking systems and disable the alarms.”

The reports follow a persistent set of national stories around keyfob break-ins that began with a CNN report two years ago, and was followed by a New York Times story last year that casually suggested drivers store their car fobs in their freezers to keep them safe from hackers. (Notably, the story appeared in the Times’ Style section. The science was a little shallow).

There have also been vague warnings issued by some agencies around the world, like this notice from London Police, or this notice from the National Insurance Crime Bureau,

“The key-less entry feature on newer cars is a popular advancement that lets drivers unlock their cars with the simple click of a button on a key fob using radio frequency transmission. The technology also helps prevent drivers from locking their keys in the vehicle,” it says.  “Not surprisingly, thieves have found a way to partially outwit the new technology using electronic ‘scanner boxes.’ These small, handheld devices can pop some factory-made electronic locks in seconds, allowing thieves to get into the vehicle and steal personal items left inside.”

The existence of such a scanner box is very much in question, as are assertions that such a universal master key can be purchased for as little as $17; so is any notion that the crime is widespread. If any law enforcement agency has seized such a device, we are all waiting for it to be put on display.

How would such a magic device work?  By tricking your car into thinking your key fob is nearby and opening the door in response to a handle jiggle; or perhaps by amplifying the signal it sends out, or by intercepting that signal and copying it somehow. Or, hackers could “guess” the code for opening a car, if the code were poorly constructed. Here’s a great explanation of how it might work, and why it’s a major challenge unlikely to be used by street thugs.

*Could* such a hack exist? Well, of course, says embedded device security expert Philip Koopman, a professor at  Carnegie Mellon. Koopman actually worked on earlier generation designs for key fobs.

“I would not at all be surprised if the Bad Guys have figured out that some manufacturer has bad security and how to attack it,” he said. “There is nothing really new here, other than general lack of people to admit that if you cut corners on security you will get burned, and an insistence by manufacturers and suppliers that known bad practices are adequate.”

In a blog post six years ago, he warned about the cost sensitivity for auto manufacturors (“No way could we afford industrial strength crypto.”)

Back to today, he offered this speculation on keyless entry attacks.

“It is (possible) that the manufacturers used bad crypto that is easy to hack, possibly via just listening to transmissions and doing off-line analysis. And it is possible to attack by getting near someone when they aren’t near their car and extracting the secrets from their car keys when it is in their pocket, then using that info to build a fake key. The technology is very similar to the US Passport biometric chips, so all the attacks for those are plausible here as well.”

The FBI offers the following advice to consumers: Keep your car software up to date, as you do with your PC; don’t modify your car software; be careful when connecting your car to third parties; and “be aware of who has physical access to your vehicle.”

That last bit of advice might work for people with long driveways, but the rest of us can’t do much about who might be able to walk by our cars on streets and in parking lots.

“While these tips may seem innocuous, they do show the limitations that law enforcement and consumers have in combating the car hacking threat,” said Tyler Cohen Wood, Cyber Security Advisor of Inspired eLearning.  “With the ever-increasing implementation of Internet of Things devices, including devices installed in newer cars, it’s a real challenge for law enforcement to identify different threat vectors associated with vehicle hacking.  There is no real standard for Internet of Things devices from a vehicle standpoint—each automobile manufacturer offers different types of devices as options in vehicles, from entertainment and navigation systems to remote ignition starting devices.  There is no industry standard for operating systems or security protocols on these devices, so it’s difficult for law enforcement to identify the specific threats that the devices pose to the public.”

So what else should you do?  Putting your car “keys” in the freezer is probably a bad idea; it will likely create more problems than it solves.  You might damage the very expensive key, for example, to mitigate a threat that is still perceived as low. But it wouldn’t hurt to take great care with where you leave the key. If you park directly in front of your front door, perhaps you shouldn’t leave the key right there.  Otherwise, read the local police blotter and talk to neighbors about street crime.

Most of all, make sure you really do lock your car doors.

Bob Sullivan

It’s natural to look for a scapegoat after something terrible happens, like this: If only we could read encrypted communications, perhaps the Paris terrorist attacks could have been stopped.  It’s natural, but it’s wrong.  Read every story you see about Paris carefully and look for evidence that encryption played a role.

There’s a reason The Patriot Act was passed only a few weeks after 9-11, and it wasn’t because Congress was finally able to act quickly and efficiently on something.  The speed came because many elements of the Patriot Act had already been written, and forces with an agenda were sitting in wait for a disaster so they could push that agenda.  That is wrong.

So here we are now, once again faced with political opportunism after an unthinkable human tragedy, and we must remain strong in the face of it.  There is no simple answer to terrorism, and we should all know this by now.  And so there must be no simple discussion about the use of encryption in the Western world.  The debate requires a bit of thoughtful analysis, and we owe it to everyone who ever died for a free society to have this debate thoughtfully.

The basics are this: Only recently, computing power has become inexpensive enough that ordinary citizens can scramble messages so effectively that even governments with near-infinite resources cannot crack them. Such secret-keeping powers scare government officials, and for good reason.  They can, theoretically, allow criminals and terrorists to communicate with a cloak of invisibility.  Not surprisingly, several government officials have called for a method that would allow law enforcement to crack these codes.  There are many schemes for this, but they all boil down to something akin to creating a master key that would be generated by encryption-making firms and given to government officials, who would use the key only after a judge granted permission.  This is sometimes referred to as creating “backdoors” for law enforcement.

Governments can already listen in on telephone conversations after obtaining the proper court order.  What’s the difference with a master encryption key?

Sadly, it’s not so simple.

For starters, U.S. firms that sell products using encryption would create backdoors, if forced by law.  But products created outside the U.S.?  They’d create backdoors only if their governments required it.  You see where I’m going. There will be no global master key law that all corporations adhere to.  By now I’m sure you’ve realized that such laws would only work to the extent that they are obeyed.  Plenty of companies would create rogue encryption products, now that the market for them would explode.  And of course, terrorists are hard at work creating their own encryption schemes.

There’s also the problem of existing products, created before such a law. These have no backdoors and could still be used. You might think of this as the genie out of the bottle problem, which is real. It’s very,  very hard to undo a technological advance.

Meanwhile, creation of backdoors would make us all less safe.  Would you trust governments to store and protect such a master key?  Managing defense of such a universal secret-killer is the stuff of movie plots.  No, the master key would most likely get out, or the backdoor would be hacked.  That would mean illegal actors would still have encryption that worked, but the rest of us would not. We would be fighting with one hand behind out backs.

In the end, it’s a familiar argument: disabling encryption would only stop people from using it legally. Criminals and terrorists would still use it illegally.

Is there some creative technological solution that might help law enforcement find terrorists without destroying the entire concept of encryption? Perhaps, and I’d be all ears. I haven’t heard it yet.

Only a few weeks after 9-11, a software engineer who told me he was working for the FBI contacted me and told me he was helping create a piece of software called Magic Lantern.  It was a type of computer virus, a Trojan horse keylogger, that could be remotely installed on a target’s computer and steal passphrases used to open up encrypted documents.  The programmer was uncomfortable with the work and wanted to expose it. I wrote the story for msnbc.com, and after denying the existence of Magic Lantern for a while, the FBI ultimately conceded using this strategy.  While we could debate the merits of Magic Lantern, at least it constituted a targeted investigation — something far, far removed from rendering all encryption ineffective.

For a far more detailed examination of these issues, you should read Kim Zetter at Wired, as I always do. Then make up your own mind.

Don’t let a politician or a law enforcement official with an agenda make it for you. Most of all, don’t allow someone who capitalizes on tragedy a mere hours after the first blood is spilled — an act so crass it disqualifies any argument such a person makes — to influence your thinking.

Larry Ponemon

User growth has become a key indicator of a company’s financial growth and sustainability. Even a company’s revenues can take a back seat to its user base as a metric that predicts future success. While it may have taken the telephone 70 years to reach 50 million users, in today’s fast-paced world companies can reach that same number in a matter of months.

As the user-base becomes a new form of currency, driving valuations of companies around the world higher and faster than ever before, it is becoming increasingly important to protect the integrity of these users. Information about who users are, what they do and how they do it is incredibly valuable. If not adequately protected this information can be (and is being) exploited.

The purpose of this report is to understand the scope of registration fraud, and how this epidemic is impacting companies and their users. It offers a glimpse into how companies verify and protect their users, and the damage that can be done when fraudulent users and fake accounts are allowed to exist within a user base.

Thanks to a sponsorship from Telesign, We surveyed 584 U.S. and 414 UK individuals who are involved in the registration, use or management of user accounts and hold such positions as product manager, IT security practitioner and app developer. Eighty-nine percent of these respondents say their organization considers its user base a critical asset with an average value of $117 million.

However, account fraud is becoming more prevalent because most organizations have a difficult time ensuring bona fide users and not bad actors are authenticated during the registration process. Only 36 percent believe they are able to avoid fraudulent registrations. Moreover, once fake users are registered, they spam legitimate users and often create more fraudulent accounts. Fake users also steal confidential information as well as engage in phishing, social engineering and account takeover.

The findings reveal why companies are vulnerable to the threats of fake users:

• The authentication process is difficult to manage, according to 69 percent of respondents, allowing fake users to infiltrate the user base.

• Fifty-eight percent of respondents say user convenience is most important to their fraud prevention strategy and 42 percent of respondents say ease of use is critical. Only 21 percent say security is important.

• The majority of respondents (54 percent) say a phone number is enough to stop fraudulent registrations and protect account access.

• Companies seem to be unwilling to crack down on fraudulent registrations. Forty-three percent of respondents say their company doesn’t worry about the registration of fake accounts to avoid friction in the registration process. Most companies do not have a formal method for determining whether a potential user is real.

• Only 39 percent of respondents say their company is vigilant in determining that each user account belongs to a real person.

• Only 25 percent of respondents believe the traditional username and password(s) is a reasonably secure authentication method for their users. However, 94 percent of respondents say they use passwords or PINs and 79 percent use email addresses to create an account(s).

To read the rest of the report findings, please download the PDF from Telesign.com

Charlie Miller, who helped find the flaw, installing the patch. Click for Twitter feed.

Bob Sullivan

Consumers are becoming more and more aware that hacking isn’t just a gadget nuisance any more.  Computer security problems, like viruses, increasingly come with real-world consequences — like the potential to screw with an airplane’s flight system, or more recently, a car.  Wired’s Andy Greenberg last month revealed to the world the latest hacking horrible — security researchers were able to “kill” a Jeep while he was in it.

“Though I hadn’t touched the dashboard, the vents in the Jeep Cherokee started blasting cold air at the maximum setting, chilling the sweat on my back through the in-seat climate control system,” Greenberg wrote. “Next the radio switched to the local hip hop station and began blaring Skee-lo at full volume. I spun the control knob left and hit the power button, to no avail. Then the windshield wipers turned on, and wiper fluid blurred the glass.”

Later, the hackers demonstrated they could stop and steer the car remotely using a software vulnerability.  Yikes.

The digital carjacking incident incident was a huge embarrassment for Jeep maker Fiat Chrysler, which recalled 1.4 million cars to fix the software.

But pity poor Chrysler, which just happened to be the first car maker to end up with egg on its face.  Increasingly, cars are run by computers, and increasingly, that means hacks like this are inevitable.

Consumers  seem to implicitly understand this.  Kelley Blue Book jumped at the news to churn out a survey of users showing that, yes, they all know about the Jeep incident, and yes, they all (Ok, 4 out of 5) think car hacking will be a problem within the next three years. Much to my surprise, many even said they’d pay for hacking protection services, with $8 a month being the preferred cost.  I smell a marketing opportunity for antivirus makers!  I also smell a rat — why should consumers have to pay extra to keep computer criminals out of their cars?  (And while I’m at it, could I make a final, fruitless plea to save at least some dashboard gauges and knobs?  I *hate* digital displays.)

On to the results:

• 72 percent said they are aware of the recent Jeep Cherokee hacking incident.
• 41 percent said they will consider this recent vehicle hacking incident when buying/leasing their next car.
• 78 percent said vehicle hacking will be a frequent problem in the next three years or less.
• 33 percent classified vehicle hacking as a “serious” problem; 35 percent classified it as a “moderate” problem.
• 58 percent do not think there will ever be a permanent solution to vehicle hacking.
• 41 percent think pranking is the most common reason for hacking a vehicle; 37 percent think theft is the most common reason for hacking a vehicle.
• 81 percent think the vehicle manufacturer is most responsible to secure a vehicle from hacking; only 11 percent consider themselves most responsible to secure a vehicle from hacking, and 5 percent see it as the responsibility of their wireless provider.
• 64 percent would prefer to go into a dealership to get a vehicle’s security patch installed; only 24 percent would prefer to do it wirelessly, and a mere 12 percent would prefer to have the software mailed so they could install it themselves.
• 47 percent said they would go to a dealership “immediately” if they knew they had to install a security patch to protect their vehicle from hacking; 31 percent said “within a week,” and 17 percent said “within a month.”
• 44 percent would prefer to be notified via mail, and 41 percent would prefer to be notified via e-mail, in the event their vehicle was recalled.  Only 11 percent preferred notification via a phone call, and 5 percent preferred text.
• 52 percent indicated they would be willing to pay for a monthly subscription to ensure that their vehicle would be completely protected from hacking, with $8 being the average respondents would be willing to pay each month.

“Technology offers a wide range of enhanced convenience for today’s new vehicle buyers, but it also offers the increasing potential for unauthorized access and control,” said Karl Brauer, senior analyst for Kelley Blue Book.  “Cyber-security is still a relatively new area of specialization for automakers, but it’s one they need to take seriously to ensure they are ahead of the curve.  If automotive engineers find themselves playing catch-up in this field, it could have disastrous results for both consumers and the industry.”

Ashley Madison website. Turns out “shhhh” isn’t effective security.

Bob Sullivan

Some secrets are more valuable than others. And some secrets are more valuable TO others.  In perhaps the most predictable extortion hack ever, cheating website Ashley Madison has confirmed to Brian Krebs that some of its data has been stolen.  It now appears that tens of millions of people are at risk of being exposed.  As you’ve already deduced, Ashley Madison users are not really all that worried about having the credit card numbers stolen and used for fraud.

According to Krebs, the hackers — who go by the name The Impact Team — say they will slowly dribble out data from the site until its owners take the cheating site, and companion site “Established Men,” offline.

“Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails,” Krebs quotes the hackers from a post they left behind.

This is hacking 2.0.  It’s not about the data, it’s about the context.  Using stolen data, like credit cards, to get money is hard work.  Extorting someone who has more to lose than money is a lot more profitable.

When Sony was hit by a combination hack / extortion plot in December, I described this new era of hacking.  Sony corporate emails were stolen by hackers, who then embarrassed the heck out of the firm. Execs said inappropriate, even racist, things.  Actresses were insulted and underpaid.  It all reminded me of a smaller, but no less scary, incident several years ago involving a government contractor named HB Gary, which had Anonymous similarly terrorized.

Criminals don’t have to steal financial information to make money hacking. They just have to steal any data that’s valuable to anyone.

Making matters worse for corporate security teams is this reality: In recent years, they’ve all invested heavily in protecting financial data, spending money fortifying the most valuable data.  Credit cards, yes. Email servers, maybe not. Slowly, this will change.  But right now, every executive at every firm in the country should be hard at work doing an honest assessment about what their valuable data really is.   Then, they need to invest wisely in protecting data that might seem inconsequential if stolen in one context, but a disaster of stolen in another.  Because every company will have to plan for ransom and extortion requests now.

It’s hard to understand why Ashley Madion’s owners didn’t see this coming…particularly when AdultFriendFinder.com was hacked two months ago.  But that is how these things go.

The next question in this incident is: How will Avid Life Media get out of this mess?  One possibility is paying a ransom.  A few months ago, I started researching ransom and what I’ll call “data kidnapping” after I’d gotten a whiff this was going on.  The raging success of malware called cryptolocker, which forced victims to pay a few hundred dollars’ ransom to unscramble their data, certainly proved extortion demands can work.  Cryptolocker made $27 million just in its first two months, from both home users and small organizations. 

When I talked to Lisa Sotto, a cyberlaw expert at Hunton & Williams,  about this recently, she said she believed things were only going to get worse.

“That’s exactly how I see it going. Companies and individuals paying, because they potentially have no choice,” Sotto said to me. In fact, ransoms are already common, she said. “I do not believe there is a heck of a lot of negotiation involved…They are not asking for exorbitant amounts, so for the most part, what I hear is people are paying.”

In February, a blog post by Christopher Arehart made me even more convinced that ransom and extortion are hacking 2.0. Arehard is is the global product manager for crime, kidnap/ransom and extortion, and workplace violence expense insurance for the Chubb Group of Insurance Companies.  In his post, he warned companies that cyber-insurance policies often don’t cover extortion situations.

“Cyber liability insurance policies may  help companies deal with first-party cleanup costs, the cost of privacy notifications and lawsuit expenses, but these policies may only provide limited assistance with extortion threats. Extortion threats should be investigated and handled by professionals and small businesses need to know where to turn for assistance,” he wrote.

He then wrote that many businesses should consider adding the same kind of insurance that multinational companies purchase when they must send employees into dangerous parts of the world.

“A kidnap and ransom policy — technically a kidnap, ransom and extortion (KRE) policy — responds when an extortion threat has been made against a company, before there has been any data breach,” he wrote.

I tried to ask Arehart and Chubb about incidents involving extortion or “data kidnapping,” but the firm just pointed me back to his blog.

“Although some criminals eventually back down and do not follow through with their extortion threats, some threats do get carried out and these incidents can often be expensive. The tools available to criminals are vast and they have the power of the Internet behind them. Businesses, especially small businesses, need access to security consultants to help them manage these threats. A KRE policy would provide small businesses with access to those professionals.”

In other words, kidnapping and ransom policies aren’t just for dealing with employees who might run into the Mexican drug cartel any more.

They are for anyone who has data that might be valuable to someone, in some future context.  Secrets are almost always valuable to someone.

Larry Ponemon

Security risks are pervasive and becoming more difficult to prevent or minimize. Without the support of senior management, much needed investments in people, processes and technologies are not made. The findings of the research reveal the difficulty IT security practitioners face in achieving a stronger security posture because of inadequate budgets and the lack of C-level and boards of directors’ involvement in decisions related to IT security investments. This suggests the importance of IT security practitioners becoming more integral to their companies’ IT spending and investment process.

Ponemon Institute is pleased to present the 2015 Global Study on IT Security Spending & Investments. The purpose of this study is to understand how companies are investing in technologies, qualified personnel and governance practices to strengthen their security posture within the limitations of their budget.

We surveyed 1,825 IT management and IT security practitioners in the following global regions: North America, Europe, Middle East, Africa (EMEA), Asia, Pacific, Japan (APJ) and Latin America (LATAM) in a total of 42 countries. All respondents are involved to some degree in securing or overseeing the security of their organizations’ information systems or IT infrastructure.

They are also familiar with their organization’s budget process and/or spending on IT security activities. According to participants in this research, boards of directors and C-level executives are not often briefed and often not given necessary information to help them make informed budgeting decisions. As shown in Figure 1, 51 percent of respondents do not agree (34 percent) or are unsure (17 percent) that C-level executives are briefed on security priorities and what investments in technology and personnel need to be made.

Fully 64 percent of respondents do not agree (41 percent) or are unsure (23 percent) their boards of directors are made fully aware of security priorities and required investments. The study reveals the following problems with today’s approach to security spending and investments:

• The CEO and boards of directors are rarely believed to be most responsible for ensuring IT security objectives are achieved. Very few participants say their CEO or boards of directors are held most responsible for ensuring IT security objectives are met (6 percent and 3 percent of respondents, respectively). As a consequence of this lack of accountability, only 24 percent of respondents strongly agree that their organization sees security as one of the top two strategic priorities across the enterprise.

• Who owns the IT security budget? It is not the CISO. Only 19 percent of respondents say the IT security leader has control over how resources are allocated. Instead it is the CIO/CTO and business leaders who own the budget. This suggests the importance of security leaders learning how to influence these individuals if they are going to change how budgets are allocated.

• Security spending is not on the board’s agenda. Despite the increase in well-publicized security breaches, IT security investments are not getting the board’s attention and support. Without support from C-level executives and boards it is understandable that 50 percent of respondents say budgets will be flat or decreasing in the next two years.

• The budgeting process is too complex. The majority of respondents say the annual budget process is too complex (53 percent of respondents). This might lead to poor investment decisions such as purchasing technologies that do not lead to a stronger security posture or delayed investment in much needed resources.
• Many organizations are stuck in a middle stage of maturity. Necessary funding and proper planning are critical to move to a more mature security posture. Only 43 percent of respondents say their organizations’ IT security budgets are adequate and most security programs are only partially deployed.

• Companies are disappointed in technology purchases. According to the research, a lack of qualified personnel is undermining the effectiveness of technology solutions and the overall security posture of organizations. This is mainly because they don’t have the necessary in-house expertise and vendor support. Such buyer’s remorse may discourage companies from considering state-of-the art technologies.

• Compliance with regulations is difficult without adequate resources. The majority of respondents (58 percent of respondents) do not have sufficient resources to achieve compliance with security standards and laws. Non-compliance puts organizations at risk for legal action and fines.

Want to read the rest of this report?  Download it from Dell here. 

I discuss the alleged Cardinals hack with NBC’s Kevin Tibbles. Click to watch.

First of all, if you haven’t read it, you must: The FBI is investigating baseball’s St. Louis Cardinals for hacking the Houston Astros, according to the New York Times. Someone from the Cardinals allegedly stole data offering insight into the Astros player evaluation files, details on possible trades, and so on.  This kind of corporate espionage goes on all the the time, and if you didn’t believe that, well, there you are.

Here’s what’s interesting for you.  The story-in-the-story here is that the Astros hired a hot-shot Cardinals employee named Jeff Luhnow and made him general manager. He took some Cardinals employees with him.  That created bad blood. Apparently, it also created a beachhead for the hacker. The Times reported today that someone from the Cardinals used old passwords from those former employees when breaking into the Astros’ computers.

“Investigators believe Cardinals officials, concerned that Mr. Luhnow had taken their idea and proprietary baseball information to the Astros, examined a master list of passwords used by Mr. Luhnow and the other officials who had joined the Astros when they worked for the Cardinals. The Cardinals officials are believed to have used those passwords to gain access to the Astros’ network, law enforcement officials said,” the Times says.

In other words, Cardinals employees re-used passwords they had used when they worked for the Astros.  Let that be a lesson to you: When you switch jobs, switch whatever password creation trick you have been using.

Still, the situation is a bit unusual.  Computer networks are designed so such passwords cannot be retrieved, even by system administrators.  They’re encrypted. Even firms that store previous passwords to prevent re-use scramble them so they can’t be accessed, according to security expert Harri Hursti. At least, that’s “best practice.”

On the other hand, “there are a lot of crazy organizations out there that store passwords in clear text,” Hursti said.

There are other possibilities, of course.  That details in the New York Times story could be wrong.  A former Cardinals employee could have shared his or her password with others in the team’s front office — that’s not unusual. Maybe a post-it note was left behind on a computer monitor.  Maybe the password was “password.”

But here’s your nearly daily reminder that you might be hacked, and the hacker might be a surprise — it might be a former friend or colleague.  So be vigilant about your passwords.  And when you change companies, change your password habits.

Bob Sullivan

The way Americans spend money is on the verge of its biggest change in decades, but the drumbeat of doubters continues to get louder.  New chip-enabled credit cards are slowly getting into consumers’ hands in advance of a looming deadline later this year. But a Walmart executive recently told CNN that U.S. chip cards are a “joke,” and a new report examining other countries’ changeovers suggests criminals around the globe merely switched tactics and kept right on stealing from consumers’ accounts.

The switch to chip cards goes by the shorthand EMV, which stands for Europay, Mastercard and Visa.  In Europe, when banks implemented the change, government rules forced consumers to start using credit cards like debit cards – requiring that PIN codes be entered each time a card is used. The change adds two important levels of security, or two-factor security.  To complete a transaction, buyers need to have in their hands a chip card, which is incredibly challenging to counterfeit. And they must know something — a PIN — that’s not on the card.

The U.S. is poised to implement only half this system.  Chip cards must be accepted by merchants by the fall deadline, but not PINs.  The so-called “chip & signature” system is a half-measure, according to  Mike Cook, Wal-Mart’s assistant treasurer and a senior vice president.

“The fact that we didn’t go to PIN is such a joke,” Cook told CNNMoney.com.

For example, a criminal who physically steals a chip & signature credit card will have no trouble using it to commit fraud in a store by faking the consumers’ signature.

Meanwhile, a report issued recently by analyst firm Mercator raises even more concerns that the switch to chip cards might not reduce fraud, but simply nudge criminals towards different fraud.

“Unless the payment industry tackles other growing concerns like lost and stolen card fraud, overall fraud losses will continue to spiral up toward pre-EMV levels,” the report says.

Why?  So-called “card-not-present” fraud is on the rise in places that adopted EMV long ago, according Mercator’s Tristan Hugo-Webb, who is Associate Director of the Global Payments Advisory Service.

For example, the United Kingdom was one of the first countries in the E.U. to complete the switchover to EMV back in 2006.  While counterfeit card fraud has shrunk — from 27 percent of all fraud in 2003 to 13 percent in 2013 — other kinds of fraud have soared.  Card-not-present fraud, which includes online and telephone sales, has climbed from 29 percent of fraud in 2003 to 67 percent in 2013.  Chip cards have no impact on online or telephone sale fraud because the chips cannot be used for authentication.

So as e-commerce has risen, online fraud has risen right along with it. In the U.K., there has been a sharp increase since 2011, Hugo-Webb says.

New technologies that would add a layer of authentication to online purchases, such as electronic tokens that help verify consumers remotely, have been invented but have not been implemented.

“The hope is that with the creation of new security technologies like tokenization, the industry can begin to play offense rather than always having to play defense against payment fraud attacks,” Hugo-Webb says.

The trickiest part of the migration is that the U.S. is so far behind – at least a decade behind the U.K, for example – that new payment forms, such as mobile payments, may have overtaken old-fashioned plastic cards by the time the EMV adoption is complete.  To some observers that lessons the urgency of the changeover.

But Hugo-Webb says the U.S. must still migrate, even if the step doesn’t reduce fraud. It’s more a matter of holding serve, he said.

“If the U.S. decided to skip EMV….it would be more of a target than it is today,” he said.  “There is still value in migrating….it’s going to take a lot longer than people expect for mobile payments to really become commonplace. ”

Because of the decade-long delay, however, the value of the upgraded security will be less in the U.S. than it was in Europe, however, where banks enjoyed at least a few years of reduced fraud before criminals caught up.   Here in the U.S., criminals already have quite a head start on their EMV workarounds.

That fact should help inform banks and merchants as they consider how much to invest in new forms of security for the coming generation of payment systems.

Sign up for Bob Sullivan’s free email newsletter.