Hot Data – Has Your Data Been Compromised?

Blog » Hot Data – Has Your Data Been Compromised?

Mankind’s search for a meaningful identity in an often confusing world is as old as our species itself. But on the Internet, matters of identity are less about discovering who you might be than they are about protecting who you already are. Identity theft cost consumers over $18 billion in 2012 alone, and with identity theft claiming a new victim every three seconds, data security has become both a major concern for consumers and a very profitable business for the credit industry.

Of course, it’s not just identities that are being nicked or bank accounts that are compromised. Major corporations—including Gawker Media, Verisign, Twitter, and more—have all experienced major security leaks. While many of these leaks (some due to malicious attacks, some due to exploitation of existing weaknesses, and some due to human error) were “minor” compared to more serious ones, in some cases usernames, email addresses, and sensitive financial or account details were exposed.

In addition to security vulnerabilities or malicious attacks from domestic hackers, international attacks are also a concern for private citizens, corporate behemoths, and government institutions. Operating with both anonymity and impunity in the often murky jurisdiction of the Internet, hackers can steal identities, commit insurance or other fraud, or even hack into financial institutions to empty bank accounts and other holdings.

In 2012, U.S. companies reported estimated losses of more than $300 billion from cybertheft and other infiltration efforts originating from China alone. Threats to financial and personal information aside, these attacks have also strained international relations between the U.S. and China, leading to concerns about full-out “cyber warfare” within the coming decades.

Regardless of their source, threats to information security—for individuals, for businesses, and for governments—will likely remain an unfortunate fact of life in the digital age. As technology advances, so too will the methods used to compromise databases and pilfer identities, and the business of finding ways to review, minimize (or even eliminate) “hot data” is sure to remain a booming one.

Hot Data: Has Your Data Been Compromised?

Just how private is our “private information” online? Data security is a growing concern, and rightfully so. Data breaches are often blamed for identity theft – a crime that affects about 8 -12 million people every year, cost $18 billion in 2012, and is helping fuel a $3.5 billion credit monitoring industry. Just in 2013 alone we have seen a several data breaches across some of the most widely used services on the web, fueling concerns regarding data security.

Evernote

Online note-taking site Evernote.com was hacked in 2013, compromising the security of its nearly 50 million users’ data. Some user data was accessed including usernames, email addresses, and encrypted passwords, but Evernote said that all passwords are hashed and salted, making them less easy to crack.

The company had no evidence that payment details were collected nor was any user data “accessed, changed, or lost” despite the intrusion.

The Weakness:

Evernote used the MD5 cryptographic algorithm to hash passwords before storage.

Most security experts consider MD5 to be a poor choice for securing passwords, because it’s relatively easy to crack.

The Solution:

In response, the company reset all of its users’ passwords and blocked suspicious activity on its network by adopting two-factor authentication, a security process in which the user provides two means of identification – a physical token and something typically memorized.

A growing number of companies have adopted two-factor authentication recently including Amazon Web Services, Dropbox, Facebook, Google and Gmail, LastPass, Microsoft SkyDrive and Xbox Live, PayPal, Yahoo Mail, and a number of financial services websites.

Apple

In February of 2013, Apple identified malware which infected a limited number of Mac systems used by employees.

It was the widest known cyber attacks targeting Apple computers used by corporations. The malware was spread through a website for software developers and attacked other companies as well, including Twitter and Facebook. There was no evidence that any data left Apple. Security firm F-Secure claimed that the attackers might have been trying to get access to the code for apps on smartphones, seeking a way to infect millions of end-users.

The Weakness:

The malware, designed to attack Mac computers, was spread through a website for software developers and detected through a vulnerability in Oracle’s Java plug-in for browsers.

Massachusetts-based RSA Security Inc. dubbed the tactic a “waterhole” attack, because victims are attracted to the source of the infection like animals attracted to a waterhole on the savanna.

Soon after the attack, Oracle announced the release of a Java 7 Update 13 to address 50 vulnerabilities.

The Solution:

Apple immediately identified a small number of systems within Apple that were infected and isolated them from their network. They released a software to identify and repair Macs infected with the malware.

Apple was attacked again in July of 2013, but this time the attack was directed at the company’s developer website. Sensitive personal information was encrypted and could not be accessed, but some developers’ names, mailing addresses, and/or email addresses may have been accessed.

Twitter

Twitter suffered a breach in January of 2013 which comprised up to 250,000 accounts. The company reported that the attackers were “extremely sophisticated” and may have accessed limited user information such as usernames, email addresses, session tokens, and encrypted/salted versions of passwords.

The Weakness:

The same Java plug-in vulnerability found in the attack on Mac computers.

The Solution:

The “live attack” was shut down within moments of discovering it. Twitter reset passwords and revoked session tokens for those accounts it believed were affected. The company has warned users to pay attention to an advisory by the U.S. Department of Homeland Security that encourages users to disable Java on their computers.

Facebook

Facebook was also attacked in February of 2013, most likely by the same perpetrators that attacked Apple and Twitter using the Java exploit. The attack occurred when a handful of employees visited a mobile developer website that was compromised. There was no evidence that user data was compromised.

The Solution:

As soon the malware was discovered, Facebook remediated all infected machines, informed law enforcement, and began a significant investigation.

Microsoft

In February of 2013, Microsoft was attacked by a similar — and most likely the same — malware used in the attacks against Facebook and Apple in the same month. The investigation turned up a “small number” of infected computers, including some in the Mac business unit. There was no evidence of affected consumer data.

The Weakness:

The malware was perpetrated by utilizing a zero-day Java vulnerability injected into an iOS developer website without the owner’s knowledge.

The Solution:

Microsoft reported that it continually re-evaluates its security posture and deploys additional people, processes, and technologies as necessary to help prevent future unauthorized access to its networks.

Zendesk

In February of 2013, a hacker gained access to Zendesk support information, affecting 3 clients: Twitter, Tumblr, and Pinterest. No other Zendesk customers or their users were affected.

Zendesk is used by online companies to store, organize, and answer emails to companies’ support departments. Zendesk suspected that the intruder downloaded email addresses and subject lines of users seeking support from three of its customers.

The Solution:

As soon as Zendesk learned of the attack, the company patched the vulnerability and closed the access that the hacker had. The company reported that it took steps to improve its procedures and will continue to build even more robust security systems. After the attack, Zendesk hired Ryan Gurney as VP of Security, doubling from a two to four-person team focused full-time on security. Zendesk also installed new dedicated intrusion-detection gear from Sourcefire, alongside existing systems from Cisco and Palo Alto Networks. Among the new functions that will be visible to Zendesk users are:

Digital signatures on emails from the service so users are able to check for authenticity.
More detailed logs of activity.
The ability to turn off access to suspicious devices.
Email alerts for potential security issues.
More complex login settings for customer-service agents and admins.

Attacks From Abroad

U.S. companies suffered estimated losses of more than $300 billion in 2012 due to the theft of trade secrets, much of it the result of Chinese hacking. A quarter of companies that are members of the American Chamber of Commerce in China have been victims of data theft.

Ties between Beijing and Washington have become increasingly strained over the threat of cyberattacks.
26% of Chamber members who responded to an annual survey said that their proprietary data or trade secrets had been compromised or stolen at their China operations.
U.S. computer security company Mandiant said that a secretive Chinese military unit was likely behind a series of hacking attacks targeting the U.S. and stealing data from more than 100 companies.

The New York Times

For 4 months in late 2012, Chinese hackers persistently attacked The New York Times, infiltrating its computer systems and getting passwords for its reporters and other employees.

The timing of the attacks coincided with the reporting for a Times investigation that found that the relatives of Wen Jiabao, China’s prime minister, had accumulated a fortune worth several billion dollars through business dealings.
The hackers tried to cloak the source of the attacks by first penetrating computers at U.S. universities and routing the attacks through them.
Security experts found evidence that the hackers gained access to the personal computers of 53 employees through stolen corporate passwords.
No customer data was stolen.

The Wall Street Journal

The Wall Street Journal has undergone similar attacks by Chinese hackers.

A number of computers were totally controlled by outside hackers who had broad access across the Journal’s computer networks.
Some evidence suggested that the hacking was conducted largely by one group that focused on media companies.
Cyber-specialists said the goals of these attacks could include industrial espionage, insider trading, and tracking potentially damaging information.
The investigation couldn’t determine the full extent of the information that was spied on by the hackers.
Among the targets were a handful of journalists in the Beijing bureau, including Jeremy Page, who wrote articles about the murder of British businessman Neil Heywood in a scandal that helped bring down Chinese politician Bo Xilai.