Data Breaches are Not Just About Credit Card Details Anymore!
This article has also now been published on theconversation.com.
Introduction
Much of the focus on cyber security in the past has been on credit fraud, but increasingly it is data that is the target for intruders, and its value often relates to how sensitive it is. For the Heartbleed vulnerability, Bruce Schneier was quoted as saying that on a scale of 1 to 10, it was an 11. In terms of data loss, then, the Ashley Madison breach is an "11", and it possibly highlights a new type of Hacktivism:
moralism
While nation-state hacks and Hacktivism do exist, many data breaches are still motivated by financial gain or by insiders. A credit card number with full details, for example, can fetch $100, as can be seen from the Home Depot hack, which resulted in a large number of credit and debit cards appearing on the credit card clearing house site rescator.cc.
The new wave of data breaches, though, is focused on gaining access to sensitive information, such as HR records, sensitive personal information and health information, either for financial gain or to address a political or moral agenda. The recent breach at Ashley Madison seems to hint towards a moral agenda, which adds another dimension to the motivation factors that organisations need to worry about when handling data.
As Figure 1 shows, there are many details that can be gained from social media, such as a date of birth and an address, but at the other end of the spectrum we have credit card details and sensitive health information.
Figure 1: Spectrum of sensitivity
Please note, I have tried to avoid the term "hacker" in this article, as it is not a good general definition for intruders and adversaries.
It doesn't come more sensitive than this...
There is a spectrum of sensitive personal details, from low-level sensitivity, such as someone's email address, up to someone's hidden and private secrets. So the alleged hack of the Ashley Madison databases, with over 37 million users (of which around 1.2 million are from the UK), must rank as one of the most sensitive troves of data ever gained. Within it there is likely to be financial data, along with highly sensitive private details. There have been few breaches ever with such scope for future follow-up for gain.
The breach was reported by Brian Krebs and confirmed by Noel Biderman, the CEO of Avid Life Media (ALM), which owns Ashley Madison and two other companies: Cougar Life and Established Men. In this case the breach seems to be more morally motivated than the similar hack of Adult FriendFinder (AFF), where the intruder, ROR[RG], demanded $100,000 for the return of the personal details and sexual preferences of over 3.5 million people.
For ALM, a group named The Impact Team has since claimed responsibility, and is said to be holding ALM to ransom over the breached data. The team has been quoted as having issues with the types of customers that use the site, and has asked for the Web sites to be taken offline or it will release:
all customer records, including profiles with all the customers' secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails
The Impact Team's motivation, in this case, seems to be more moral than financial, and is focused on ALM's business practices (such as charging $19 for someone's record to be deleted) and on the practices of ALM's customers. In 2014, for example, ALM made $1.7 million purely from the full delete service. The Impact Team has since outlined that the "full delete" service was actually untrue, as some of the most highly sensitive details of the credit card information and purchases were still stored on the site.
While the perception is that many hacks are caused by external parties, as with many breaches the focal point for the source of this breach is either an insider or at least a trusted contractor. Overall the hack is embarrassing for ALM, who aimed to raise $200 million this summer on the London Stock Exchange, having previously tried a failed flotation in Toronto in 2010 (where investors were cautious around some of the associated moral issues).
The company has since removed all the posts related to the incident from their Web site, along with all of the on-line Personally Identifiable Information (PII).
Sensitive documents
Although the recent Sony hack was blamed on North Korea, many have seen Sony battling against Anonymous, LulzSec and Lizard Squad over the years, especially over their stance on breaches of copyright. Again, insider access within Sony is the most likely source of the breach, especially through a disgruntled employee. This has now resulted in many documents being posted on WikiLeaks.
The analysis of Sony emails on WikiLeaks gives an insight into how C-level executives need to watch their electronic mail communications. It provides an insight into a company with some strange goings-on within senior management. A particular focus is on Amy Pascal (Chairperson at Sony Pictures), who writes an email in an almost illegible form:
There are also signs of executives setting up the kids of friends with jobs within Sony. Michael Lynton, for example, received this email outlining some background plans to overcome employment laws:
Sony's trouble with hacking organisations can be traced back to their court case against George Hotz (geohot), who published root encryption keys for the PlayStation console and against whom Sony initiated litigation. Overall Sony demanded the usernames and IP addresses of the people who had visited geohot's social pages and videos on social media (including YouTube), and was even granted access to George Hotz's PayPal account. The judge in the case eventually granted Sony permission to view the IP addresses of everyone who had visited geohot.com. In April 2011, Sony settled the lawsuit out of court with the statement "No more hacking of Sony products", but since then they have faced a wide range of data breaches.
Sensitive data in organisations
Within organisations the most highly sensitive information, as outlined by a recent survey by Thales on what data organisations typically encrypt, relates to employee/HR data (Figure 2). The recent OPM breach, in which over 20 million records of government employees were exposed, highlights the difficulty that a breach like this can cause.
Along with this, financial data and IP protection are top of the list for protection. While customer details are a little way back, they are still important to encrypt, and anything to do with payments is often encrypted. What is disappointing is that HR encryption is not nearer 100%, and perhaps something needs to change to push this forward.
IP (Intellectual Property) is a definite target within organisations, and the loss of source code and secret information on products is one of the key reasons that companies try to protect their sensitive data. In the past this has focused on logical scavenging (known in the US as "dumpster diving"), where sensitive information was left on discarded disks.
Andy Jones and Prof Andrew Blyth from the University of Glamorgan recently found that an analysis of 300 discarded disks showed that 34% of the disks still had personal information, which included health care and banking information (including a 50 billion Euro currency exchange). One of the disks even contained details of the test launch procedures for the THAAD (Terminal High Altitude Area Defense) ground-to-air missile defence system, which is designed to destroy long-range intercontinental missiles.
As far as possible, organisations should have a predefined plan for how they dispose of their equipment, especially for electronic media (normally USB sticks) and for hard disks. The term used in the US for logical scavenging is dumpster diving.
Figure 2: What is the most sensitive information for organisations to encrypt [1]
Health Care Data
Increasingly, data on individuals is worth more than their credit card details. Stealing medical records, for example, is an attractive criminal business, as the data gained could be worth at least ten times the value of credit card data on the black market. The number of healthcare data breaches is rising at a worrying pace. Since last year, medical identity theft incidents have increased by 21.7%, and there are forecasts that healthcare breaches will keep increasing in the near future, due to the potential economic gain and the digitisation of records. Forbes, too, has recently reported that in less than one year nearly 96 million records were stolen (Community Health Systems (4.5 million), Anthem (80 million) and Premera (11 million)).
And last week, Darren Grayson, chief executive of the East Sussex NHS Trust, announced that they had lost a non-encrypted memory stick containing the details of over 3,000 patients. There was no mention of the person involved, or of the reasons that had led to the breach of policy. With health care data worth at least ten times the value of credit card data on the black market, the chief executives of health trusts have other things to worry about than their budgets, their staff and their patients.
The rise of Hacktivism and moral agendas
Along with the financial motivation of data breaches, we also see other agendas being addressed. For example, as a protest against St. Louis County Police's involvement in the killing of unarmed teenager Michael Brown in Ferguson, Mo, there was a DDoS (Distributed Denial of Service) attack on the police Web site, which brought down the site for several days. Overall it made a strong statement, which the authorities could do little about. The group responsible, who declared links to Anonymous, outlined that they had also hacked into the St. Louis County Police network and gained access to dispatch tapes related to the day of the shooting, which they then uploaded to YouTube.
Organisations need to understand that there are new risks within the Information Age and there are new ways to distribute messages, especially from those who are skilful enough to disrupt traditional forms of dissemination. Thus Hacktivism can become a threat to any nation state and organisation (Figure 3).
Figure 3: Security is not just technical, it is also Political, Economic, and Social
The important thing to note about Hacktivism is that the viewpoint on the Hacktivist will often reflect the political landscape of the time, and that time itself can change this viewpoint. While Adolf Hitler and Benito Mussolini are still rightly seen as agents of terror, Martin Luther King and Mahatma Gandhi are now seen as freedom fighters. This viewpoint often changes, and for some the Hacktivist can have the image of a freedom fighter.
Figure 4: Hacktivism
The Internet supports a voice for all, and there are many cases of organisations and nation states upsetting groups around the world, which have then successfully rebelled against them. In 2012, Tunisian Government web sites were attacked because of WikiLeaks censorship, and in 2011 the Sony PlayStation Network was hacked after Sony said they would name and shame the person responsible for jailbreaking their consoles (Figure 5). Just because you are small on the Internet doesn't mean you cannot have a massive impact. Sony ended up losing billions on their share price, and lost a great deal of customer confidence.
Figure 5: A few examples
So, on the back of the Ashley Madison breach, Hacktivism perhaps has a new sub-class ...
moralism
Conclusions
Increasingly it is data that is the focus for targeted attacks, and companies often build up strong defences against external intruders, but if the intruder has trusted access there is often little they can do to limit that access. With SD cards now supporting hundreds of gigabytes of data, and with encrypted tunnels, it is not too difficult for an adversary to leak massive amounts of data off-site.
For companies a few key rules must be:
- Encrypt sensitive data.
- Control and limit access to sensitive data.
- Make sure the controls on data work.
- Check who has access to the data.
- Integrate multi-factor authentication for the access to sensitive information.
- Watch where you back-up your data and protect that too.
- Use a different encryption key for every record in a database.
and finally ... don't upset people! Companies too need to understand that security is not just around the technical nature of their network, but also around economic, social and political issues, of which moral issues play an important part.
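The last of those rules, a separate key for every record, is what makes a genuine "full delete" of the kind ALM charged for possible: if each record is encrypted under its own data key, wrapped under a master key, then destroying that one key (crypto-shredding) leaves the record unreadable even in backups. The Go code below is an added illustration of that pattern, not code from the article or from any of the companies it discusses; the master key and sample field are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Record is one stored row: the encrypted sensitive field plus the record's own
// data-encryption key (DEK), itself encrypted under the master key (KEK).
type Record struct {
	WrappedDEK []byte // nil once the record has been crypto-shredded
	Ciphertext []byte // nonce || AES-256-GCM ciphertext of the sensitive field
}

// seal encrypts with AES-GCM under key, prefixing a fresh random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}
// unseal reverses seal; a wrong key, a shredded (nil) key or tampered data fails.
func unseal(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil || len(data) < gcm.NonceSize() { return nil, errors.New("bad key or ciphertext") }
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
}
// EncryptRecord encrypts the field under a fresh per-record DEK and wraps that DEK under the KEK.
func EncryptRecord(kek, sensitive []byte) (*Record, error) {
	dek := make([]byte, 32) // constructed here: a random 256-bit key unique to this record
	if _, err := rand.Read(dek); err != nil { return nil, err }
	ct, err := seal(dek, sensitive)
	if err != nil { return nil, err }
	wrapped, err := seal(kek, dek)
	if err != nil { return nil, err }
	return &Record{WrappedDEK: wrapped, Ciphertext: ct}, nil
}
// DecryptRecord unwraps the record's DEK with the KEK, then opens the field.
func DecryptRecord(kek []byte, r *Record) ([]byte, error) {
	dek, err := unseal(kek, r.WrappedDEK)
	if err != nil { return nil, err }
	return unseal(dek, r.Ciphertext)
}
// FullDelete is crypto-shredding: without its DEK the ciphertext, even in backups, stays unreadable.
func FullDelete(r *Record) { r.WrappedDEK = nil }
```

Because the KEK never touches the record body directly, a stolen database dump is useless without both the KEK and the per-record wrapped keys, and rotating the KEK means re-wrapping small keys rather than re-encrypting every row.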
If you are interested, we have a conference on Data Loss Prevention here.
References
[1] 2015 Global Encryption & Key Management Trends Study, Thales e-Security and Ponemon Institute, April 2015, https://www.thales-esecurity.com/company/press/news/2015/april/2015-global-encryption-and-key-management-trends-study-release
Comment from a Head of Department in Cyberforsvaret (9 years ago):
Buchanan is addressing cyber threat as it probably will affect us all. Our responsibility is to work together to reduce vulnerability and combat the threat actors.