Saturday, July 19, 2014

The 11 scariest digital security stories of 2014 (so far)

http://www.pcworld.com/article/2364275/the-8-scariest-security-stories-of-2014-so-far.html

1. Bad moon rising

Barely halfway through 2014, the year's already poised to become the scariest yet for digital security—topping even 2013's massive Target breach. We’ve seen hacks against big-name retailers like eBay, Michaels, and Neiman Marcus—plus hotels, online forums, and numerous other websites. The current tally of payment cards compromised in major breaches is closing in on 5 million, and the tally of compromised online accounts is approaching half a billion.
Beyond active attacks, go-to encryption tool TrueCrypt was lost, and we've suffered through the single biggest web security lapse ever. As we close in on the halfway point for 2014, here are the 10 biggest security stories so far.


2. Heartbleed bleeds the web

Thousands of major websites worldwide scrambled in April after a nasty little flaw turned up in OpenSSL, the library behind much of the web's HTTPS traffic. Dubbed Heartbleed (CVE-2014-0160), the bug was a missing bounds check in OpenSSL's TLS heartbeat extension: a client could claim a payload far larger than the one it actually sent, and the server would answer with up to 64KB of whatever happened to sit in memory next to the request. That threatened to expose usernames and passwords, user data, and even the private keys sites use to identify themselves over HTTPS. The problem was widespread: affected sites included Instagram, Netflix, and Tumblr.
Although it was a serious flaw, Heartbleed also prompted several major tech companies to fund poorly supported open source projects through the Linux Foundation's Core Infrastructure Initiative. The first project to receive assistance—surprise!—was OpenSSL.
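The bounds check that Heartbleed was missing, as an added example that is not code from the article or from OpenSSL. The memory layout (a 64-byte arena with a fake session cookie placed right after the heartbeat record), the message sizes, and the two handler functions are all constructed here to model the pre-1.0.1g and 1.0.1g shapes of the heartbeat code, not copied from it:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16   /* a heartbeat carries at least 16 bytes of random padding */
#define ARENA_SIZE       64

/* Constructed stand-in for process memory (not real OpenSSL state): the
 * incoming heartbeat record sits at offset 0 and whatever happened to be
 * allocated next, here a fake session cookie, follows it directly. */
static uint8_t arena[ARENA_SIZE];

/* Lay out [type][len_hi][len_lo][payload][padding][secret...] and return
 * the true length of the record (everything before the secret). */
static size_t build_arena(uint16_t claimed_len, const char *payload, const char *secret)
{
    size_t plen = strlen(payload), off = 0;
    memset(arena, 0, sizeof arena);
    arena[off++] = TLS1_HB_REQUEST;
    arena[off++] = (uint8_t)(claimed_len >> 8);   /* attacker-controlled length field */
    arena[off++] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + off, payload, plen);          off += plen;
    memset(arena + off, 0xAA, HB_PADDING);       off += HB_PADDING;
    memcpy(arena + off, secret, strlen(secret)); /* adjacent memory, not part of the record */
    return off;
}

/* Pre-1.0.1g shape: the payload length comes from the message itself and is
 * never compared with the record length, so memcpy reads past the record. */
static size_t hb_reply_vulnerable(const uint8_t *rec, size_t rec_len,
                                  uint8_t *out, size_t out_cap)
{
    uint16_t plen = (uint16_t)((rec[1] << 8) | rec[2]);   /* n2s(p, payload) */
    (void)rec_len;                                        /* never consulted: the bug */
    if (3u + plen > out_cap) return 0;   /* only keeps this model inside its own buffer */
    out[0] = TLS1_HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, plen);      /* over-read whenever plen exceeds the real payload */
    return 3u + plen;
}

/* 1.0.1g shape: drop the record unless the claimed payload plus minimum padding fits inside it. */
static size_t hb_reply_fixed(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_cap)
{
    if (rec_len < 3) return 0;                             /* too short to hold a length */
    uint16_t plen = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1u + 2u + plen + HB_PADDING > rec_len) return 0;   /* silently discard, as the patch does */
    if (3u + plen > out_cap) return 0;
    out[0] = TLS1_HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, plen);
    return 3u + plen;
}

static int contains(const uint8_t *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* 1 if a request claiming 40 bytes but carrying 4 gets the secret echoed back. */
static int vulnerable_leaks_secret(void)
{
    uint8_t reply[ARENA_SIZE];
    size_t rec_len = build_arena(40, "ping", "sess=7f3a9c");
    size_t n = hb_reply_vulnerable(arena, rec_len, reply, sizeof reply);
    return n > 0 && contains(reply, n, "sess=7f3a9c");
}

/* Reply length from the patched handler for the same record: 0 means dropped. */
static size_t fixed_reply_len(uint16_t claimed_len)
{
    uint8_t reply[ARENA_SIZE];
    size_t rec_len = build_arena(claimed_len, "ping", "sess=7f3a9c");
    return hb_reply_fixed(arena, rec_len, reply, sizeof reply);
}

int main(void)
{
    printf("vulnerable handler leaks secret: %s\n", vulnerable_leaks_secret() ? "yes" : "no");
    printf("fixed handler, claimed 40: reply %zu bytes\n", fixed_reply_len(40));
    printf("fixed handler, claimed 4:  reply %zu bytes\n", fixed_reply_len(4));
    return 0;
}
```

The record here is 23 bytes (3 header bytes, a 4-byte payload, 16 bytes of padding), so a claimed length of 40 walks 20 bytes past it and into the cookie; the patched handler sees 1 + 2 + 40 + 16 > 23 and drops the message, while an honest claim of 4 still gets its 7-byte reply. Real OpenSSL also allocated the reply with malloc, so the leaked bytes came from the heap rather than a fixed arena, and the 64KB ceiling is simply the largest value the 16-bit length field can hold.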

3. TrueCrypt shuts up shop

In May, users were startled to find the TrueCrypt encryption software's website suddenly redirecting to the project’s SourceForge page. There, they found this message: “WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues.”
At first, it looked like a hoax or a hack, because TrueCrypt's advice to switch to Microsoft’s closed-source BitLocker encryption tool was diametrically opposed to the project's ideals. Several weeks later, however, TrueCrypt’s demise appears to be real. There are attempts to resurrect the project under new management, even as rumors about hidden Latin messages from TrueCrypt's developers swirl.

4. Breaches, breaches, and more breaches

A security review wouldn’t be complete without a roundup of major data breaches. eBay is the most notable victim: In May, the site announced a devastating data breach that included names, email and home addresses, phone numbers, dates of birth, and encrypted passwords. Reports put the number of affected users around 145 million.
Hobby retailer Michaels joined eBay in the data breach Hall of Shame, along with AOL, Avast's online forums, Holiday Inn and Marriott Hotels, and Neiman Marcus. Restaurant chain P.F. Chang’s recently announced it was also investigating a data breach. And oh yeah, another 360 million usernames and passwords surfaced on hacker forums in February. Ugh.


5. La Oops

But sometimes, a breach deserves individual recognition—like the hack that Seagate-owned LaCie announced in April. The hard drive and peripheral storage maker said its online storefront had endured a whopping year-long data heist from March 27, 2013 to March 10, 2014. LaCie said it wasn’t sure what kind of data had been pilfered, but it may have included customer names, email addresses, credit card numbers, and card expiration dates. Crazy.

6. Ransom goes rampant

If 2013 was the year of the personal data breach, then 2014 is shaping up to be the year of digital hostages and ransomware. Malicious software that threatens to ruin your PC if you don’t pay a certain amount of money is an old game, but hackers upped the stakes in the early part of 2014. In late May, iOS users around the world woke up to find their iDevices locked via Apple's Find My iPhone service, with hackers demanding money to restore them. Then in June, security firm ESET found the first example of file-encrypting ransomware on Android. Sites like project-management web app Basecamp were also held ransom unless they paid up to stop distributed denial of service (DDoS) attacks.

7. GnuTu Fail

Heartbleed wasn’t the only significant SSL/TLS bug in 2014. In February and March, both Apple and the Linux community were scrambling to fix flaws in their implementations of online security protocols. In Apple’s case, a duplicated 'goto fail' statement in the SSL/TLS code shared by iOS and OS X (CVE-2014-1266) jumped past the check that verifies the server's signature on its key-exchange message, so an attacker in the middle of a connection could present a forged signature and read or alter the 'encrypted' traffic.
In the Linux case, the GnuTLS library had a flaw in its certificate-verification code (CVE-2014-0092) with much the same effect as Apple’s 'goto fail' problem: on some error paths it jumped to a cleanup label that returned a negative error code, which the calling code treated as a successful (true) result, so a crafted certificate could pass verification. In the case of GnuTLS, however, it’s suspected the flaw existed for as long as 10 years—prompting Linux community leaders to say, “Huh, Gnu knew?” (Groan. —Ed.)
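Both bugs reduced to control flow that skipped or misread a verification result, and both are easy to reproduce in miniature. The following is an added example covering the 'goto fail' paragraph and the GnuTLS paragraph together; it is a simplified model written for this page, not Apple's SecureTransport or GnuTLS source. The hash and signature stand-ins, the `check_if_ca_model` predicate and the `ERR_PARSE` constant are constructed here; only the OSStatus convention (0 is success) and the `errSSLCrypto` value are taken from Apple's real API:

```c
#include <stdio.h>

/* Simplified model of both bugs; none of this is Apple's or GnuTLS's source.
 * Apple's SecureTransport uses OSStatus: 0 is success, anything else an error. */
typedef int OSStatus;
enum { errSSLCrypto = -9809 };   /* a real SecureTransport error code, used as the failure value here */

/* Stand-ins for the hash update and the final signature check. */
static OSStatus hash_step(int ok)  { return ok ? 0 : errSSLCrypto; }
static OSStatus sig_verify(int ok) { return ok ? 0 : errSSLCrypto; }

/* Vulnerable shape of SSLVerifySignedServerKeyExchange: the second `goto fail;`
 * is unconditional, so the signature check below it is dead code and err still
 * holds the 0 left by the last successful hash step. A bad signature returns 0. */
static OSStatus verify_vulnerable(int hash_ok, int sig_ok)
{
    OSStatus err;
    if ((err = hash_step(hash_ok)) != 0)
        goto fail;
        goto fail;                          /* the duplicated line */
    if ((err = sig_verify(sig_ok)) != 0)    /* never reached */
        goto fail;
fail:
    return err;
}

/* Patched shape: every step is reached and its status propagates. */
static OSStatus verify_fixed(int hash_ok, int sig_ok)
{
    OSStatus err;
    if ((err = hash_step(hash_ok)) != 0)
        goto fail;
    if ((err = sig_verify(sig_ok)) != 0)
        goto fail;
fail:
    return err;
}

/* GnuTLS-style (CVE-2014-0092, modeled): a predicate documented to return 1
 * (is a CA) or 0 (is not) bails out through a cleanup label that returns
 * `result`, which on the error path holds a negative error code. */
#define ERR_PARSE (-1)    /* stands in for GnuTLS's negative error codes */

static int check_if_ca_model(int parse_ok, int is_ca)
{
    int result;
    if (!parse_ok) {
        result = ERR_PARSE;
        goto cleanup;     /* meant to fail closed, actually returns -1 */
    }
    result = is_ca ? 1 : 0;
cleanup:
    return result;
}

/* Vulnerable caller: C truthiness turns the error code into "yes, a CA". */
static int accepts_issuer_vulnerable(int parse_ok, int is_ca)
{
    return check_if_ca_model(parse_ok, is_ca) != 0;
}

/* Fixed shape: only the explicit success value counts; errors fail closed. */
static int accepts_issuer_fixed(int parse_ok, int is_ca)
{
    return check_if_ca_model(parse_ok, is_ca) == 1;
}

int main(void)
{
    printf("goto fail: bad signature accepted? %s\n",
           verify_vulnerable(1, 0) == 0 ? "yes" : "no");
    printf("GnuTLS-style: unparsable cert accepted as CA? %s\n",
           accepts_issuer_vulnerable(0, 0) ? "yes" : "no");
    return 0;
}
```

Two practical checks fall out of this: compile with warnings for unreachable code and misleading indentation turned on (the stray `goto fail;` is flagged by both), and never test a tri-state return (1 / 0 / negative error) with a bare `if (ret)`; compare against the one value that means success.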

8. Pliable crypto-currency

Bitcoin security hit a road bump in February: A long-known quirk dubbed “transaction malleability” was used in attacks against several Bitcoin exchanges, according to Bitcoin news site CoinDesk. A transaction's ID is a hash of the whole transaction, signature included, and a relaying party can re-encode the signature (or swap it for an equally valid one) without invalidating it. That does not let an attacker redirect the coins, but it does let them change the ID of a withdrawal before it confirms; an exchange that tracks payments only by ID then sees the original 'fail' and may send the coins a second time.
Transaction malleability was serious enough that it was an early theory as to why embattled Bitcoin exchange Mt. Gox closed its doors. Mt. Gox’s problems were later revealed to go deeper than a software bug, however, and Bitcoin Core 0.9.0, released in March, shipped mitigations for transaction malleability.
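The simplest malleation and the rule that blocks it, as an added example that is not part of the article or of Bitcoin Core. ECDSA accepts both (r, s) and (r, n - s) as signatures on the same message under the same key, where n is the secp256k1 group order; since the txid is a hash over the serialized signature, flipping s to n - s yields a second valid transaction with a different ID. The BIP62 "low S" rule (proposed in 2014 and later adopted by Bitcoin Core as relay policy) permits only the s <= n/2 form. The sample s value is constructed; the code does not perform ECDSA verification itself, it only shows the scalar arithmetic and the canonical-form check:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* secp256k1 group order n and floor(n/2) as big-endian 32-byte scalars. */
static const uint8_t SECP256K1_N[32] = {
    0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
    0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41 };
static const uint8_t SECP256K1_N_HALF[32] = {
    0x7F,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
    0x5D,0x57,0x6E,0x73,0x57,0xA4,0x50,0x1D,0xDF,0xE9,0x2F,0x46,0x68,0x1B,0x20,0xA0 };

/* Constructed sample s value (the scalar 1); any 0 < s < n would do. */
static const uint8_t SAMPLE_S[32] = { [31] = 0x01 };

/* Unsigned big-endian compare; memcmp on the bytes is exactly that. */
static int be_cmp(const uint8_t a[32], const uint8_t b[32])
{
    int c = memcmp(a, b, 32);
    return c < 0 ? -1 : c > 0 ? 1 : 0;
}

/* out = a - b with borrow propagation, for a >= b. */
static void be_sub(uint8_t out[32], const uint8_t a[32], const uint8_t b[32])
{
    int borrow = 0;
    for (int i = 31; i >= 0; i--) {
        int d = (int)a[i] - (int)b[i] - borrow;
        borrow = d < 0;
        out[i] = (uint8_t)(d + (borrow ? 256 : 0));
    }
}

/* The classic malleation: if (r, s) verifies, so does (r, n - s) for the same
 * message and public key. Anyone relaying the transaction can swap one for the
 * other, and because the txid hashes the serialized signature, the txid changes. */
static void malleate_s(uint8_t out[32], const uint8_t s[32])
{
    be_sub(out, SECP256K1_N, s);
}

/* BIP62 "low S" rule: accept only s <= n/2, so exactly one of each pair is allowed. */
static int is_low_s(const uint8_t s[32])
{
    return be_cmp(s, SECP256K1_N_HALF) <= 0;
}

/* Values derived from SAMPLE_S, exposed as functions so they can be checked. */
static int sample_is_low(void)       { return is_low_s(SAMPLE_S); }
static int malleated_is_low(void)    { uint8_t m[32]; malleate_s(m, SAMPLE_S); return is_low_s(m); }
static int malleated_last_byte(void) { uint8_t m[32]; malleate_s(m, SAMPLE_S); return m[31]; }
static int half_order_is_low(void)   { return is_low_s(SECP256K1_N_HALF); }
static int roundtrip_restores(void)
{
    uint8_t m[32], back[32];
    malleate_s(m, SAMPLE_S);      /* s -> n - s */
    malleate_s(back, m);          /* n - (n - s) -> s */
    return memcmp(back, SAMPLE_S, 32) == 0;
}

int main(void)
{
    uint8_t m[32];
    malleate_s(m, SAMPLE_S);
    printf("s     passes low-S: %d\n", sample_is_low());
    printf("n - s passes low-S: %d (last byte 0x%02x)\n", malleated_is_low(), m[31]);
    return 0;
}
```

An exchange that wanted to survive this without waiting for protocol changes had to stop keying its withdrawal records on txid alone and instead check whether the specific inputs it spent had been consumed on-chain, which is unaffected by how the signature was encoded.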

9. Outlook snoop

Government agents aren’t the only snoops who might be plundering your Outlook.com inbox. Microsoft might also take a peek…at least if you’re up to no good. In March, Microsoft ‘fessed up that it snooped on the personal email of both a blogger and a former employee, seeking evidence that the employee was leaking proprietary company information to the blogger. (To its credit, Microsoft revamped its privacy policy after the backlash.)
The case highlights how American digital due-process is woefully inadequate. After all, private emails sitting on third-party servers should be considered just as private as those love letters stashed in the back of your closet.

10. Gameover for Gameover botnet

Two positive stories offer some hope.
In June, a global law-enforcement coalition disrupted a nasty botnet called Gameover ZeuS. Infected Windows PCs were harvested for banking credentials and other personal data and were also used to distribute Cryptolocker ransomware.
Gameover relies on a peer-to-peer command-and-control network, backed by proxy servers and strong encryption, according to Krebs on Security, which makes it far harder to take down than a botnet with a single command server. It affects an estimated 500,000 to one million PCs worldwide, and the disruption—dubbed ‘Operation Tovar’—is only temporary, buying a window in which infected PCs can be cleaned up before the operators regain control. U.S. authorities indicted Evgeniy Mikhailovich Bogachev, 30, of Anapa, Russia, on several criminal charges related to operating the botnet.

11. Google's end-to-end revenge

Revenge is a dish best served cold, and Google made sure its vengeance pie was well and truly cooled before serving it up to the National Security Agency. As the fallout over Edward Snowden's NSA revelations continues, Google announced it wanted to make end-to-end encryption for webmail easier to use with a new Chrome extension. Called End-to-End, the extension is currently in a public alpha phase and not yet ready for wide release. When it goes live, however, it will be one of several new projects promising to keep your most private emails secure from prying eyes and snooping government agencies.

The 5 biggest data breaches of 2014 (so far)


http://www.pcworld.com/article/2453400/the-biggest-data-breaches-of-2014-so-far.html

In the battle to keep your personal information private, it’s not just hackers you have to worry about but lax security and stupidity.
A survey of data breaches in the first six months of this year shows an increasing number of incidents in which data, including names and addresses, credit card and Social Security numbers, and medical records was lost to criminals or exposed.
More reading: The 8 scariest security stories of 2014 (so far), which examines the greater security landscape.
In many of the cases, the breaches were put down to poor data security practices or simple errors: like St. Vincent Breast Center in Indianapolis sending 63,000 letters containing information on upcoming appointments to the wrong people, or Stanford Federal Credit Union accidentally attaching a file with information on 18,000 customers to an email, or the thousands of paper medical records dumped at a public incineration site in York, Pennsylvania.
In other cases, laptops or thumb drives containing information were stolen—in some cases with apparently nothing more than the login password to protect the data.
One of the biggest such cases involving laptop theft occurred at the Torrance, California, office of Sutherland Healthcare Solutions, which lost eight laptops in a February break-in. The laptops contained medical information on almost 400,000 people in California, and their theft has sparked lawsuits.

Data breaches on the rise

According to the Identity Theft Resource Center, there have already been 395 data breaches in the U.S. this year that have been reported to regulators or covered by media outlets, a 21 percent increase over the same period last year.
Here are the top five data breaches of the first half of 2014, with an extra entry for eBay. That breach appears to be one of the largest yet, but the exact extent of the problem has not yet been divulged by the company, so it’s difficult to quantify how big it actually was.
eBay
The online retailer suffered one of the biggest data breaches yet reported by an online retailer. Attackers compromised a “small number of employee log-in credentials” between late February and early March to gain access to the company’s network and, through it, compromised a database that contained customer names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth. The breach is thought to have affected the majority of the company’s 145 million members, and many were asked to change their passwords as a result.
Michaels Stores
The point-of-sale systems at 54 Michaels and Aaron Brothers stores “were attacked by criminals using highly sophisticated malware” between May 2013 and January 2014. The company said up to 2.6 million payment card numbers and expiration dates at Michaels stores and 400,000 at Aaron Brothers could have been obtained in the attack. The company received confirmation of at least some fraudulent use.
Montana Department of Public Health and Human Services
Triggered by suspicious activity, officials conducted an investigation in mid-May that led to the conclusion that a server at the Montana Department of Public Health and Human Services had been hacked. The server held names, addresses, dates of birth and Social Security numbers on roughly 1.3 million people, although the department said it has “no reason to believe that any information contained on the server has been used improperly or even accessed.”
Variable Annuity Life Insurance Co.
A former financial adviser at the company was found in possession of a thumb drive that contained details on 774,723 of the company’s customers. The drive was provided to the company by law enforcement as the result of a search warrant served on the former adviser. The thumb drive included full or partial Social Security numbers, but the insurance company said it didn’t believe any of the data had been used to access customer accounts. It’s not the first time the company has lost data on a thumb drive. In 2006, it wrapped up a lawsuit against a former financial adviser for downloading “confidential customer information” onto “a portable flash drive.”
Spec’s
A 17-month-long “criminal attack” on the Texas wine retailer’s network resulted in the loss of information of as many as 550,000 customers. The intrusion began in October 2012 and affected 34 of the company’s stores across the state. It continued until as late as March 20 this year, and the company fears hackers got away with customer names, debit or credit card details, card expiration dates, card security codes, bank account information from checks and possibly driver’s license numbers.
St. Joseph Health System
A server at the Texas health care provider was attacked between Dec. 16 and 18 last year. It contained “approximately 405,000 former and current patients’, employees’ and some employees’ beneficiaries’ information.” This included names, Social Security numbers, dates of birth, medical information and, in some cases, addresses and bank account information. As with many other hacks, an investigation wasn’t able to determine if the data was accessed or stolen.
Correction: A chart attached to this story was updated at 4:58 PM to correct a labeling error.