Posts Tagged ‘financial safety’

Sony …. holding out for a hero!

Posted: December 19, 2014 by IntentionalPrivacy in Financial vulnerabilities, Identity theft, Intellectual Property, Security Breach, Uncategorized
Tags: , , , , , , , , , , ,

On 11/24/2014, the Guardians of Peace (#GOP) announced on Reddit that they had hacked Sony Pictures Entertainment’s network, alleging that #GOP had stolen 100 terabytes of data. The stolen data laid out for public consumption in various data dumps around the Internet included both employee information—social security numbers, dates of birth, medical records, salary information—and corporate information—spreadsheets containing Sony layoff information, business plans, their network architecture, movie scripts, and even actual movies—and other confidential information. Then the attackers destroyed data to emphasize that their demands were serious.

While Sony has not commented much publicly except to yank The Interview (formerly scheduled to be released on Christmas Day), there has been considerable speculation on the person or groups responsible. The story—as we know it at this moment—sounds like a movie plot. (Are you listening Sony? When ya gonna make this movie?) There are spies, hacking, extortion … all the elements of a great plot … except a hero/heroine.

Sony, you get to play the whimpering coward sniveling in the corner. Who is going to step up to be the hero or heroine? That is the real question. Bonnie Tyler says it best, I am holding out for a hero/heroine.

As I see it there are four possible hacker group combinations:

  • The North Koreans hacked Sony because of the movie Sony produced called The Interview. It’s a comedy, and probably not a very good one.
  • One or more disgruntled Sony employees took the data. To look for possible disgruntled employees, let’s count: How many people has Sony laid-off?
  • The North Koreans and the disgruntled employees (and possibly other groups) separately hacked Sony.
  • The North Koreans managed to get someone inside Sony.

In my opinion, stealing 100 terabytes of data took some time and someone inside Sony had to help. How did they get the data out? USB drives? According to Numion.com, to download 100 terabytes at 10 Gbps with 50% overhead would take over 33 hours! Also, the data sounds like it’s very organized. Whoever stole it knew where to look and what to take and what to post first to make it hurt. It has a personal feel to it. No, it’s more than the North Koreans.

For a more in-depth analysis of the hackers, read Why the Sony hack is unlikely to be the work of North Korea.

North Korea: if you’re reading this, it’s just a movie. Get a sense of humor! Americans have made several movies about US presidents getting assassinated; here’s a few examples:

And of course, Wag the Dog cannot be left out of any movie list that discusses the death of a president’s political life.

I agree with President Obama that pulling the movie was a mistake. This is not a movie that I would have wanted to see, much less paid for. If you’d let it run, it would have been a brief news article, a week or two in the theaters and then … consigned to the $5 bin in Walmart. Now I want to see it!

However, there are some lessons we can all learn here:

  • Email is not private. Before you send any email, decide how you would feel if it ended up on the front page of the New York Times.
  • This is not the first time Sony has been publicly hacked. Remember the PlayStation Network debacle in April 2011, which affected 77 million customer accounts? This was followed by an attack May 2, 2011, on 24.5 million accounts at Sony Online Entertainment. Did Sony learn anything from those two incidents? Apparently not.
  • Compliance is not security! Doing the minimum necessary to comply with a law or laws is not enough to keep your corporate or personal information safe.
  • Just because you have a security breach doesn’t mean you have to lose a 100 terabytes of data. What were Sony’s security people doing?
  • If the company you work for does not take information security and privacy seriously, find someplace else to work. According to Forbes.com, Sony has had 195 security breaches from September 1, 2013 through June 30, 2014, according to leaked emails. However, it’s hard to determine the seriousness of the incidents from the information presented in the article. Were any of these breaches about tons of data spewing from Sony?

How can you tell if your employer is taking information security and privacy seriously? Do they say “information security is important” but cut the budget? Do they train employees on information security and privacy? Do they patch their systems and keep their software updated? Have they had a breach? What did they do?

  • If the company that you buy goods or services from does not protect your information, take your business elsewhere.

Vote with your feet and your money! Protect your information; there’s no one that it matters more to than you.

My bottom line? I’m outraged—both at Sony’s sloppy information security practices and their cowardice.

Spam Nation!

Posted: December 1, 2014 by IntentionalPrivacy in Books
Tags: , , , , ,

Krebs.2jpgI recently had the pleasure of attending a presentation put on by Brian Krebs, where he also signed his new book, Spam Nation.

I have been reading his blog, KrebsOnSecurity.com, since I did a paper on the Russian Business Network in 2008 for a class I was taking.

His blog is fascinating, and the book is also! The book has everything you’d look for in a thriller—spies, counterspies, theft, drugs, murder, hackers—and it’s all true. Even if you’re not a techie, I highly recommend this book.

And, if you’re buying pharmaceuticals from an online pharmacy that doesn’t ask for a doctor’s prescription, I hope this book will convince you to stop. It’s a really dangerous practice because you don’t know what you’re ingesting.

Information Leakage …

Posted: September 29, 2014 by IntentionalPrivacy in Identity theft, Tips, Vulnerabilities
Tags: , ,

Information leakage: what is it? It’s the unauthorized flow of information from a source to a recipient. Although unauthorized, it is not necessarily malicious, but it can still be detrimental.

Let me give you a couple of examples.

Our credit union is, in most cases, very accommodating. However, when it comes to paying bills online either through Bill Pay or the creditor’s site, I argued with them about printing my social security number on my account statement when I paid my Sally Mae loan.When I paid my credit card online, they printed my entire credit card number on my account statement. I called and talked to a  credit union customer service rep and could not convince her how bad using these numbers was. I wrote a letter to the credit union, the credit card company, and Sallie Mae, and Sallie Mae changed my account number (which they should have done in the first place). However, I could not convince the credit union to only print the last four digits of the card number.

Think about how many people could possibly see those numbers: database analysts, print and fold operators, customer service reps, postal clerks if the envelope rips … and if the credit union gets hacked, well, who knows?

I finally wrote letters to each member of the credit union board of directors, and voilà! The number displayed on my account statement is now only the last four digits.

Be persistent when this type of thing happens! It’s your information, and nobody else will care as much as you when your identity gets stolen. And other people’s information will be safer also.

Next up: our insurance company, who thinks it’s safe to use my social security number as our account number, as long as they add a three-digit number to it. Now my number is available to doctors, nurses, receptionists, technicians, customer service reps … the list goes on and on. Nobody will guess. Yup. The thinly-disguised-number-is-secure trick.

Jimmy Johns isn’t the only breach … Signature Systems PDQ point-of-sale systems

Posted: September 28, 2014 by IntentionalPrivacy in Financial vulnerabilities, Identity theft, Security Breach
Tags: , , , , , ,

According to KrebsOnSecurity.com, Jimmy Johns aren’t the only restaurants to get caught in this breach, which lasted from June 16 through mid-September (dates vary at some locations). Many small restaurants use Signature Systems PDQPOS point-of-sale systems. A total of 216 Jimmy Johns and 108 other restaurants are affected because “an authorized person gained access to a user name and password that Signature Systems used to remotely access POS systems.” This access allowed the attacker to install malware to steal payment card data, containing the cardholder’s name, card number, expiration date, and verification code from the magnetic stripe of the card.

I wonder if Signature Systems changed their passwords on a regular basis? Probably not. Did they use two-factor authentication? Long and strong passwords? Did they conduct employee training on anti-phishing techniques?

Unfortunately, as of October 28, 2013, PDQPOS was only acceptable for pre-existing deployments. So it’s possible that some of these restaurants may receive fines if the system was installed after that date.

Payment cards that are Near Field Communication (NFC) are experiencing charging errors in the UK

Posted: May 19, 2013 by IntentionalPrivacy in Financial vulnerabilities, Privacy, Vulnerabilities
Tags: , ,

Payment cards that are Near Field Communication (NFC) are experiencing charging errors in the UK

What is NFC you say? It’s a card that is intended to work without it having to touch the card reader. The problem is some people are getting charged twice even though they didn’t take the card out of their wallets or purse. It’s a good idea to get a RFID-shielding cover for your debit / credit cards and your passport. Or you can make a cover from aluminum foil, instructions here http://www.rpi-polymath.com/ducttape/RFIDWallet.php

Note: the cover might not keep the card or passport from being read entirely, but it will cut down on the distance that the contents can be read at.

I do not recommend trying to damage the RFID chip.

This story is a timely reminder to keep an eye on your financial transactions!

April Fool! But who’s the joke on …?

Posted: May 2, 2013 by IntentionalPrivacy in Vulnerabilities
Tags: , , , ,

Bitcoin is an open-source, peer-to-peer digital currency, using an MIT license. The site http://bitcoin.org/en/ explains what Bitcoin  is and how to use it. It’s a very cool idea …

So what’s the downside you ask?

All you have to do is Google “Bitcoin issues” and a bunch of hits will come up dated within the last month:

But maybe one of the worst problems of all is an article published on May 2,2013 by Parity News: http://paritynews.com/web-news/item/1034-esea-league-stuffed-bitcoin-mining-code-inside-client-software. It started as an April Fool’s joke, where the E-Sports Entertainment Association (ESEA) League mined Bitcoins from their users by inserting code in their client software. At least, one of their administrators took responsibility for the “joke,” which wasn’t very funny in the end. Several users even claimed that their video cards were damaged because of overheating caused by the ESEA malware.

A cool idea, but maybe not a mature enough technology to use yet. Sometimes it’s a good idea to wait and see, especially if it involves your money or your privacy.