Where trust is currency, we don't want a run on 'the bank'

Bob Sullivan

In the past few months, consumers have been deluged with one reason after another to fear technology and transactions. Target. Neiman Marcus. Michaels.  Millions of stolen credit cards. Millions of passwords leaked and lost by Adobe, and a little less recently, Yahoo. Net users are used to, and perhaps growing numb to, the constant bad news.

Then came Heartbleed.  The most recent scary Internet disaster is much worse than a compromised bank account. Heartbleed turns the very thing that was supposed to keep us safe into our worst technology nightmare. It’s a little like learning that every cop in your city is really working for the mob.  Perhaps better said, it’s like learning that every store you give your credit card to is really a hacker out to steal it.

What are we supposed to do now?  And I don’t mean reset your password, which is a lovely thing to do, but it may help and it may hurt you in this situation, and it doesn’t actually help with the real problem: Trust.  If consumers finally lose trust in our transaction systems, everybody loses. Even the hackers.

“This is the last thing consumers need in the wake of the Target breach and all the other security breaches we have been hearing about,” said Avivah Litan, the security analyst at Gartner Group who is the loudest voice you’ll hear when there is a big data leak.

To review, Heartbleed is a flaw in the encryption technology used to keep data safely scrambled while it flies around the Internet. You know of it mostly because of those little locks that appear next to web addresses in your browser. A technology that is designed to keep encrypted connections open over time — by sending a regular “heartbeat” message that lets one computer tell another “I’m still here” — was instead a hacker’s best friend.  Researchers figured out they could craft a heartbeat message that tricked a server into sending back every kind of data it stored. The heartbeat could be made to bleed data. That includes credit cards and passwords, but even worse, it even includes encryption keys.  A bit like the ominous hacker movie Sneakers, the Heartbleed bug truly meant an end to secrets online.

The Heartbleed code is now fixed, and companies are racing to install the fix, and consumers are stumbling through changing passwords and doing the usual “have I been robbed?” inventory on their bank accounts.  Crisis averted.  This time. (Aside: If you have already changed your passwords, you should really change them again in about a month, because there’s no way to know if you updated your security while a hacker still controlled the website you logged into. )

The question has to be asked: How many times can we warn consumers to check their bank account statements carefully? Hanging over the Heartbleed incident, and Target before it, and Yahoo before that, is a dark feeling that the whole thing might not be safe.  Consumers always react to large credit card hacks by saying they will now buy with cash.  Most of the time, data shows, they don’t mean it.  But Target had to admit last quarter that its revenue was materially impacted by the credit card incident.  This is getting serious.

In the credit card world, the response to Target was straightforward. Journalists discovered that U.S. credit cards were a decade behind the times, and folks started pushing to add computer chips to our old-fashioned plastic, using a technology known as EMV. Of course, if EMV were so great, U.S. card issuers would have installed the chips 10 or even 15 years ago. Folks who know credit card security will admit privately that moving to EMV isn’t really much of a solution — fraudsters can just move to other kinds of credit card fraud the chips can’t stop. But there is still a very good reason to add the chips.

Trust.

EMV will make shoppers feel better.  That’s not a placebo. Trust is a very real thing.  In fact, it’s the only thing.

If — when? — consumers finally get fed up by all the bad news, and a real trust gap arises, lots of people are going to lose lots of money.  When a consumer pays for something with a $20 bill instead of swiping a card, at least 4 different entities miss out on getting a cut of that transaction. Trust means you don’t think, you just pull out your plastic. A trust gap means, perhaps, you don’t bother logging into that website and changing your password, you simply go somewhere else.

In other words, trust is basically the currency of our time.  A tipping point on trust would create the equivalent of a run on a bank during a currency crisis.  Lack of trust can snowball.  With each “withdrawal,” the trust gap only grows.

In the credit card world, only comprehensive changes to the entire, end-to-end system of payments will really take a bite out of crime. I recently spoke to Visa’s Chief Risk Officer, Ellen Richey, who told me that a move to chip cards should be accompanied by new technology that makes online credit card fraud more difficult.

We don’t need to plug a hole in the dam with our thumb, we need a new dam.

This same thinking needs to govern online transactions, and privacy in general. It’s terrible that folks around the world are being told, in rather panicked tones, “CHANGE ALL YOUR PASSWORDS!”  But it’s even more terrible that most of our digital and financial lives are guarded only by 50-year-old technology involving 8 upper or lower case letters and maybe a number or two. Two years ago, after a series of high-profile password list leaks from sites like LinkedIn, experts proclaimed the password dead.  Heartbleed proves it’s more like a vampire that seems to live forever and come out to threaten us once in a while.

Litan, the Gartner analyst, has some good news about Heartbleed.  Remember, this is a flaw discovered by good guys, not an active crime (like Target). That means the damage can be contained, and she thinks it will be. This time.

“I don’t think this is an uncontrollable disaster,” she said. “It’s manageable and as long as the companies who use this version of OpenSSL act responsibly – i.e. patch and secure their systems and ask users to change passwords – we are OK.  There is no evidence that the criminals have used this attack vector yet.  And if these security steps are taken and upgrades are made – they won’t be able to.”

So, there’s no run on the trust bank this time.  But I guarantee that consumer patience is not infinite.  We can only come up with so many variations of our pets’ names. Tokens? Fingerprints? Disposable passcodes?  Something needs to change before we ask users to invent new passwords one time too many, and the trust gap swallows up the whole thing.

Just how safe is Sochi?

No doubt, you’ve already seen all the complaints from journalists in Sochi about sub-standard bathroom facilities.  Heck, a dear friend was locked *inside* her hotel room on her first day reporting there.   These are funny stories, but can sound a bit like first-world problems.

I’m worried about something much more serious happening during the next three weeks, and I have enough friends there that it’s personal. Not surprisingly, we’ve already learned that visitors to Sochi should expect their entire lives to be hacked. Indeed, the Committee to Protect Journalists cites a Russian government decree published in the state newspaper in November which announces the government’s intention to collect metadata on all telecommunications. (Question: Is that better or worse than what the NSA does?)  And NBC’s Richard Engel demonstrated this week how his cell phones were hacked.

When Russians say they need to pry to keep Sochi safe, they aren’t inventing reasons. There are many credible threats of terrorism at the Games.

  • Chechen rebel leader Doku Umarov — some experts call him the Russian bin Laden — called for attacks on Sochi last summer.  Suicide bombings in Volgograd (formerly Stalingrad) during December that killed 40 people show the threats are real, even if the connection between the attacks and Umarov is tenuous.
  • This week, the U.S. Department of Homeland Security warned airlines flying into Russia that bombs might be concealed in toothpaste tubes or cosmetic cases.
  • U.S. athletes have been told not to wear U.S. logos outside the Olympic Village. Many athletes chose to leave their families at home.
  • And there are real threats of kidnappings, too — this week, two Austrian athletes were directly threatened in a letter sent to the Austrian Olympic Committee.

Until figure skating and hockey heat up, you will hear more and more about the threat of terrorism in Sochi. So for some level-headed analysis of the real threat, I turned to Charles Hecker, Director of Global Research and Russia expert at Control Risks, a private global security team.  Here’s what Hecker told me.

“There is this ‘cordon sanitaire’ (secure perimeter – Russians are calling it a Ring of Steel) around the area. There is extensive surveillance—including underwater sonar—and in the air and through the electronic waves, every single move that anybody makes in and around Sochi is going to be monitored and recorded,” he said. “There hasn’t been this sort of peacetime security effort in Russia—or in too many other places, frankly—as we’re seeing now down in the North Caucasus and Southern Russia. This is the ultimate test of Russia’s capability.”

Expect Russia to spare no expense — or at least no civil liberty — while monitoring for potential threats, he said. Any family or employee in Sochi should expect everything they do to be watched.

He did offer this comforting message to those worried about direct attacks on Sochi during the Games.

“The security of the games and the Olympic Games sites should be pretty well taken care of, barring something none of us can anticipate,” he said. “There is very little—in fact no—precedent in Russia for terrorist attacks being aimed specifically at tourists and visitors. Almost all of the terrorist activity in Russia has been aimed at government targets and at infrastructure targets.”

Islamic separatists believed to be loyal to Umarov have recently attacked train stations and an airport, for example. And while Umarov lifted an alleged ban on attacking civilians in July while calling for attacks on the Olympics, his ability to execute on such threats is unclear. A security report issued by Control Risks in January makes clear that Caucasus Emirate, the group Umarov leads, is “not a military organization with a reliable line of command.”  Any attacks would be planned and carried out “locally and autonomously.”

Russia and Vladimir Putin have every incentive to prevent an embarrassing attack, Hecker noted.

“Forget about it as a sporting event, the Olympics in Russia are far more than that. This is Russia’s attempt at imprinting an entire new image of itself on the world,” he said.

Attacks in other areas of Russia during the Games — in Moscow, St. Petersburg, or other large cities outside Sochi — are more likely, Control Risks says.

But even without an attack, the separatists might be able to claim victory anyway, argues Uval Mond, in an opinion piece that appeared this week in The Times of Israel.

“Before the games even begin, Umarov’s threats have succeeded in generating anxiety to the level of real panic, which has fueled an international debate over the security situation in Russia and the authorities’ ability to guarantee the safety of the visiting athletes and fans,” he wrote. “This arch-terrorist has positioned himself as a geostrategic player whose presence is definitely troubling the sleep of one of the most powerful world leaders. That alone is a victory for Doku Umarov.”

Congress: The real risks at HealthCare.gov are real

Larry Ponemon

I have been asked to testify about the possibility of identity theft on the Healthcare.gov website and the potential consequences to the American public. Identity theft and medical identity theft are not victimless crimes and affect those who are most vulnerable in our society – such as the ill, elderly and poor.

Beyond doing numerous empirical studies on this topic, this issue really struck home. Last year my 88-year-old mother who lives in Tucson suffered a stroke. She was rushed to the hospital and admitted. Unbeknownst to her, an identity thief was on the premises and made photocopies of her driver’s license, debit card and credit card she had in her purse. The thief was able to wipe out her bank account and there were charges on her credit card amounting to thousands of dollars. In addition to dealing with her serious health issues, she also had to cope with the stress of recovering her losses and worrying about more threats to her finances and medical records.

The situation with my mother in the hospital and those who are sharing personal information on the healthcare.gov website are not dissimilar. My mother had a reasonable expectation that the personal information she had in her wallet would not be stolen – especially by a hospital employee.  Those who visit and enroll in healthcare.gov also have an expectation that the people who are helping them purchase health insurance will not steal their identity. They also have a reasonable expectation that all necessary security safeguards are in place to prevent cyber attackers or malicious insiders from seizing their personal data.

In my opinion, the controversy regarding security of the healthcare.gov website is both a technical and emotional issue.  In short, security controls alone will not ease the public’s concerns about the safety and privacy of their personal information.  Based on our research, regaining the public’s trust will be essential to the ultimate acceptance and success of this important initiative.

Following are some key facts that we have learned from our consumer research on privacy, data protection and information security:

First, the public has a higher expectation of the protection of their personal information when using or browsing government websites such as the USPS or IRS than when accessing commercial websites such as Amazon.com or ebay.com.

Second, the loss of one’s identity can destroy a person’s wealth and reputation.  Further, the compromise of credit and debit cards drives the cost of credit up for everyone, thus making it more difficult for Americans to procure goods and services.

Third, medical identity theft negatively impacts the most vulnerable people in our nation. Beyond financial consequences, the contamination of health records caused by imposters can result in health misdiagnosis and in extreme cases could be fatal. Because there are no credit reports to track medical identity theft, it is nearly impossible to know you have become a victim.

Based on our Institute’s research, I would like to recommend a three-part approach to raising the trust and confidence of Americans when using healthcare.gov.

  • First, is accountability. It is important to demonstrate to the public that the government is accountable for the security of the information and can be trusted. This translates into standards that do not just meet basic practices but exceed them to ensure the website is safe and secure. As an example, one requirement should be to encrypt all personal data at rest in backend systems.
  • Second, is ownership by the CEO. In this case it is the president of the United States who should take ownership of the website and ensure good security and privacy practices are met as a priority.
  • Third, is independent verification or audit of the website to ensure all areas and underlying systems meet high security standards.

This is an excerpt of Congressional testimony Larry Ponemon recently gave before the House Committee on Science, Space and Technology.

 

Cyber Security Incident Response: Are we as prepared as we think?

Lancope, Inc., a leader in network visibility and security intelligence, today announced the results of a Ponemon Institute report entitled, “Cyber Security Incident Response: Are we as prepared as we think?” Findings show that while security threats are imminent, CEOs and other members of the management team are in the dark about potential cyber-attacks against their companies. The research also shows that, as a result, Computer Security Incident Response Teams (CSIRTs) often lack the resources necessary to fend off the continuous onslaught of advanced threats facing today’s organizations.

Commissioned by Lancope, the Ponemon Institute research surveyed 674 IT and IT security professionals in the United States and the United Kingdom who are involved in their organization’s CSIRT activities. The study concludes with key recommendations for organizations looking to improve their incident response process.

Key findings from the study include:

  • Security incidents are imminent – Sixty-eight percent of respondents say their organization experienced a security breach or incident in the past 24 months. Forty-six percent say another incident is imminent and could happen within the next six months.
  • Management is largely unaware of cyber security threats – Eighty percent of respondents reported that they don’t frequently communicate with executive management about potential cyber-attacks against their organization.
  • Organizations are not measuring the effectiveness of their incident response efforts – Fifty percent of respondents do not have meaningful operational metrics to measure the overall effectiveness of incident response.
  • Breaches remain unresolved for an entire month – While most organizations said they could identify a security incident within a matter of hours, it takes an entire month on average to work through the process of incident investigation, service restoration and verification.
  • CSIRTs lack adequate investments – Half of all respondents say that less than 10 percent of their security budgets are used for incident response activities, and most say their incident response budgets have not increased in the past 24 months.
  • Network audit trails are the most effective tool for incident response – Eighty percent of respondents say that analysis of audit trails from sources like NetFlow and packet captures is the most effective approach for detecting security incidents and breaches. This choice was more popular than intrusion detection systems and anti-virus software.

“The findings of our research suggest that companies are not always making the right investments in incident response,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “As a result, they may not be as prepared as they should be to respond to security incidents. One recommendation is for organizations to elevate the importance of incident response and make it a critical component of their overall business strategy.”

“If 2013 is any indication, today’s enterprises are ill-equipped to identify and halt sophisticated attacks launched by nation-states, malicious outsiders and determined insiders,” said Mike Potts, president and CEO of Lancope. “Now is the time for C-level executives and IT decision-makers to come together and develop stronger, more comprehensive plans for incident response. This communication is critical if we want to reduce the astounding frequency of high-profile data breaches and damaging corporate losses we are seeing in the media on a near-daily basis.”

Results to be presented at RSA Conference 2014 and via webinar

Dr. Larry Ponemon will join Lancope, The Coca-Cola Company, General Motors and Viewpost executives in an RSA Conference 2014 panel discussion to explore the results of the study and share insights on how to build a great CSIRT with the executive support and respect it needs. The panel, “Why Cyber Incident Response Teams Get No Respect,” will take place on Wednesday, February 26, at 9:20 a.m. U.S. Pacific time in Room 3009 at the Moscone Center in San Francisco.

The results will also be presented via a free webinar on January 29, 2014 at 8:00 a.m. U.S. Pacific time. Participants can join Dr. Ponemon and Lancope’s director of security research, Tom Cross, to hear about the key mistakes organizations are making when it comes to incident response, and how the right mix of people, processes and technology can dramatically improve incident response efforts. Those interested can register at: http://www.lancope.com/company-overview/webinar/ponemon-cyber-security-incident-response/.

Further Information

For media inquiries related to the Ponemon Institute incident response study, or to schedule briefings with Lancope and Dr. Larry Ponemon at RSA Conference 2014, please contact Lesley Sullivan or Kendra Dorr at Lancope@SchwartzMSL.com. For a full copy of the study, “Cyber Security Incident Response: Are we as prepared as we think?” please visit: http://www.lancope.com/ponemon-incident-response/.

She said no to the FBI; but you say yes every day

With all the screaming about the NSA hacking into our lives, Americans have kind of missed the point.  We’ve voluntarily given our lives to private companies for years.  Government agents don’t have to hack us. They can simply ask any of these companies for everything they have. The Supreme Court says so.  It’s known as the “third-party doctrine.”  Give your data to a private company, and you lose your rights to any expectation of privacy. Even if it’s illegal for the Feds to spy on us directly (whatever that means now), it’s perfectly legal for the Feds to ask private companies for whatever data they have and use it against us. Data given voluntarily by you to any company can be given voluntarily to the Feds. This odd three-step process is often a mere inconvenience. And if you don’t think it happens, just ask Nico Sell.

Sell is co-founder and CEO of Wickr, a company that enables private messaging.  At a recent conference, she told the audience that Wickr was upgrading to better encryption for more privacy.  As she tells Max Eddy of PC Mag, Sell was barely off the podium before a Fed walked up to her and casually asked for back-door access to Wickr so the FBI could access users’ secret messages.  He said it the way you and I might invite someone to coffee.

“I was surprised the agent asked me because if he had done any homework, he would have known the answer was no.  Doesn’t he use surveillance? :)  Or at least Google?  I think he was trying to intimidate me,” Sell told me.  “If this was the first time I had dealt with the FBI, I would have been scared.”

Sell says she turned the tables on the agent. She started asking for official documentation, asked who his boss was, and so on.  He slunk off, tail between his legs. But you and I know many companies are star-struck by the business card with the FBI logo, and say yes. Others fear they don’t have a choice, or don’t know better. Sell even admits that she might have caved when she was younger. After all, who doesn’t want to help catch bad guys?

That’s how this works.  As a reporter, I’ve had plenty of encounters with agents who asked me to share what I know.  In fact, once, I was even summoned before a grand jury.  Fortunately, I had a boss named Merrill Brown who forcefully explained to me that reporters don’t do cops’ work for them.

The Edward Snowden disclosures are fascinating because they demonstrate the radical steps our government will take to make sure that no one, nowhere, can keep a secret.  Note that in Sell’s story, the agent was not hot on the trail of a terrorist.  He was just looking to open a one-way communication channel for future fishing expeditions. As anyone who’s ever interfaced with the FBI or other three-letter agencies in this manner knows, the agency wants to suck up every piece of information in the world, but doesn’t want to share a thing about what it’s doing.  It wants to make sure there are no secrets. Often, all that requires is a simple question.

It’s great we are all engaged in the dialog now – for now.  But I fear we’ve lost sight of the real problem. Americans share everything about themselves with hundreds, even thousands of companies every day. And those companies often have casual relationships with law enforcement to rat us out.  By the time all the hearings and lawsuits are over, I’m sure there will be strict new “procedures” limiting when the  NSA can and can’t hack into Google’s computers and hijack our digital lives. But that won’t matter much if agents can keep making their casual sales pitches to people like Nico Sell.

2013 Survey on Medical ID theft released

We are pleased to announce the release of our 2013 Survey on Medical Identity Theft. This is the fourth year of the study and as in previous years we find that medical identity theft continues to be a costly and potentially life-threatening crime. However, unlike other forms of identity theft, the thief is most likely to be someone the victim knows very well. In this study of more than 700 victims of this fraud, most cases of identity theft result not from a data breach but from the sharing of personal identification credentials with family and friends. Or, family members take the victim’s credentials without permission.

We believe that individuals, healthcare organizations and government working together can reduce the risk of medical identity theft. First, individuals need to be aware of the negative consequences of sharing their credentials despite possible good intentions. They should also take the time to read their medical records and explanation of benefits statements to ensure that their information is correct. Second, healthcare organizations and government should improve their authentication procedures to prevent imposters from obtaining medical services and products.

Sponsored by the Medical Identity Fraud Alliance (MIFA), with support from ID Experts, the report can be found at http://medidfraud.org/2013-survey-on-medical-identity-theft.
