Data Breach Spring

A flood of data breaches hit a number of organizations this spring, including the big three of RSA, Epsilon, and Sony
ThreatMetrix’s Faulkner advises that names and email addresses alone are “a treasure trove for identity theft”

Although the spring of 2011 may be remembered in many corners for the Arab uprising, wicked weather, an unforgettable and – in many cases – overhyped wedding, and the death of one long-sought-after fundamentalist, those in the security industry will likely recall this past spring as the one where it all hit the fan (not to mention rounded out talking points for vendors’ marketing teams).

As trees and flowers bloomed across the northern hemisphere, so too did stories of massive data breaches affecting some of the world’s largest and most respected organizations, as the details of millions of consumers added fuel to seasonal allergy headaches across the globe. To quote the classic American television series, Law & Order: “These are their stories”.

Big: RSA

In terms of a data haul, the magnitude of the RSA SecurID breach was far from massive. Yet, when compared to the other large incidents of the season, it was perhaps the most disturbing. The reason is simple: A Rolls Royce of the security industry fell victim to the type of crime it has undoubtedly protected others from on countless occasions.

In a March 17 open letter to its customers, RSA executive chairman Art Coviello outlined the preliminary details of what it determined to be “a sophisticated advanced persistent threat” attack that compromised information related to the company’s SecurID two-factor authentication (2FA) product. At the time, Coviello said he was confident that the information taken would not enable a successful direct attack on any of RSA’s customers that used the product, but there were risks that the 2FA could be less effective in preventing a broader attack.

“What RSA customers don’t know is whether the [stolen] data includes seed record information”, commented Andrew Kemshall of SecurEnvoy, who is also a former RSA Europe executive. When the incident first came to light, he told Infosecurity that each token sent out by RSA has an associated secret key, called a seed record. Kemshall said that if this information were compromised, then it would be possible for a hacker “to recreate exactly the same number as the end user token has”.

Kemshall believes that this puts the security of RSA’s SecurID in question, since the seed record must remain a secret to be effective. When asked by Infosecurity whether the seed record database had been compromised, an RSA spokesman declined to comment.
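The seed-record point above can be shown in a few lines. This is an added example, not code from the article or from RSA: SecurID's own algorithm is proprietary, so the open RFC 6238 TOTP scheme stands in for it, and the AuthServer class, token serial, seeds, and timestamp are constructed for illustration. It shows why a copied seed yields accepted codes and why re-issuing a token with a fresh seed invalidates them.

```python
import hashlib
import hmac
import struct


def totp(seed: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code depends only on seed and time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class AuthServer:
    """Hypothetical verifier holding one seed record per token serial."""

    def __init__(self) -> None:
        self.seed_records = {}

    def enroll(self, serial: str, seed: bytes) -> None:
        self.seed_records[serial] = seed  # re-enrolling replaces the old seed

    def verify(self, serial: str, code: str, now: int, step: int = 60) -> bool:
        seed = self.seed_records.get(serial)
        if seed is None:
            return False
        # Accept the current and previous time step to tolerate clock drift.
        return any(
            hmac.compare_digest(totp(seed, now - drift * step, step), code)
            for drift in (0, 1)
        )


def seed_exposure_demo() -> tuple:
    """Return (accepted while old seed is live, accepted after re-issue)."""
    serial, now = "TOKEN-0001", 1_300_000_000  # constructed values
    old_seed = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    new_seed = bytes.fromhex("ffeeddccbbaa99887766554433221100")  # constructed
    server = AuthServer()
    server.enroll(serial, old_seed)
    # A copy of the seed record yields the token's code without the token.
    code_from_copy = totp(bytes(old_seed), now)
    before = server.verify(serial, code_from_copy, now)
    server.enroll(serial, new_seed)  # token re-issued with a fresh seed
    after = server.verify(serial, code_from_copy, now)
    return before, after


if __name__ == "__main__":
    print(seed_exposure_demo())
```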

RSA did disclose the method of attack a few weeks later. In a blog post from early April, Uri Rivner, the company’s head of new technologies, said that a targeted phishing – or spearphishing – attack took advantage of an Adobe Flash vulnerability when it was delivered via a malicious Excel file attachment. A batch of emails was sent to two specific groups within RSA’s organization and, being well crafted, managed to dupe one employee into opening the Excel file.

“Applications are the weak link in IT security”, noted Chenxi Wang, VP and senior analyst for security and risk at Forrester Research. When reflecting on the large data breaches of this past spring, Wang said that although many companies employ firewalls, intrusion prevention systems (IPS), and all types of network security measures, the fact is that many companies and the vendors that create the software they use fail to employ secure coding practices or take steps to strengthen and secure their applications. “That’s where the hackers come in”, she added.

Regardless, Wang believes the whole incident has had relatively little impact on RSA: “They have experienced some setbacks, but I don’t think [the breach] has fundamentally altered their brand in a sense that nobody is doing business with them.”

Of course, in the end, RSA's seed record was revealed to be compromised, allowing for a string of data breaches at major US military contractors. This has led the company to consider re-issuing the tokens on a case-by-case basis.

Bigger: Epsilon

If it were not for all of the troubles Sony faced a few weeks down the road, then the data breach affecting marketing firm Epsilon might still be the hottest topic in the security press. The Sony saga, however, will need to wait as we explore the Epsilon compromise that had ramifications for some of the world’s largest corporate brands.

Reports began trickling in from early April about customer details being stolen by hackers from US-based marketing firm Epsilon. While the company attempted to de-emphasize the heist, saying that only names and email addresses were taken, the list of Epsilon’s clients that were affected grew longer and more troubling: BestBuy, TiVo, Walgreens, Marriott, JP Morgan Chase, Lacoste, Barclays, Marks & Spencer – more than 50 brands in total.

As a result, Epsilon’s partners were forced to issue warnings to their customers about the breach, cautioning them to be on the lookout for subsequent spam and phishing attempts as a result of the compromised email addresses.

The Epsilon breach, although comprising only names and email addresses, should not be underestimated, said Alisdair Faulkner, chief products officer with ThreatMetrix, a firm that provides fraud analysis services. He told Infosecurity that the data from this incident “is a treasure trove for identity theft”, and that Epsilon should never have downplayed what was taken.

“This is the exact type of information that enabled RSA to be compromised, one of the largest security companies in the world”, he said, deftly tying the two incidents together. Faulkner said one never knows where stolen data will lead, and how it can be used in a subsequent scam. “All customer data is valuable”, he asserted.

All totaled, Reuters put an estimated $100 million price tag on the incident, which would fall directly on Alliance Data Systems, Epsilon’s parent company. This included cost estimates for the firm to upgrade its information security systems, conduct audits, pay any possible fines, and the indirect cost of potential lost sales.

Alliance issued a statement saying it expected “minimal if any impact” on its financial performance or outlook as a result of the incident, but Forrester’s Wang believes the business ramifications will be calculable. “Many of their business partners are rethinking doing business with them, and they deserve that – they didn’t protect their data.”

Biggest: Sony

Frankly, if we had wanted to, this entire article could have been solely about the troubles facing Sony. As April gave way to May, details surrounding three significant security breaches at the now-beleaguered Japanese electronics firm – and its often-criticized response – peppered the headlines in a near endless onslaught of unflattering press clippings. To sucker punch an already woozy Sony would be pointless, as these types of security lapses can hit almost any organization (remember our friends at RSA?). More than likely, the spring melt of Sony’s consumer confidence will harden into a reinforced security program in the future – it’s just a shame for Sony’s employees, customers and shareholders that so many millions will need to be spent to bring this circus to an end.

Sony acknowledged that between April 17 and 19, its PlayStation Network and Qriocity services were compromised by “an illegal and unauthorized intrusion” into its network. The theft concerned a database of more than 70 million service members, including dates of birth, addresses, user names, passwords, and even reports of limited payment card details.

The electronics firm initially stated that card details were not stolen, but then backtracked to say it could not rule out the possibility. But then Sony claimed that if card details were compromised, they were part of an encrypted card data table. A subsequent report from the New York Times charged that hackers were actively selling the card details on underground forums and that the hackers who perpetrated the initial breach had penetrated much further into Sony’s systems than the company originally let on.

Rubbing more salt into Sony’s wound, the company then admitted to a second breach in early May, with more than 24 million additional members of Sony Online Entertainment having their account information compromised.

With more than 100 million of its customers affected, the incidents could not have been more costly for Sony from a business perspective. Its PlayStation Network was forced to shut down for more than a month, and in an effort to bring back devotees, the company has implemented a customer loyalty program that offers free downloads. After taking steps to beef up its network security, Sony experienced additional hiccups when attempting to restart its PlayStation Network, which it was forced to shut down when a possible identity access flaw was discovered on its password reset page.

All totaled, Sony says the breach incidents from this spring have cost the company $171 million, but acknowledged that the number could push much higher pending lawsuits and possible regulatory fines.

PCI for Consumer Data?

Former White House chief of staff and current Chicago mayor Rahm Emanuel once told a gathering of corporate executives that “You never want a serious crisis to go to waste”. What he meant was that in the wake of a crisis comes an opportunity to put measures into effect that may have been previously unpalatable.

Will we simply see the typical parade of apologies, hearings, and wrist slappings that often accompany incidents like these? Or, as a result of the rather quick succession of massive security breaches, would policies change in any measurable fashion?

“It’s possible, but I don’t think it’s a certainty”, says Eugene Spafford, a professor of computer science at Purdue University. He is also the editor-in-chief of the journal Computers and Security. Spafford testified before a US House subcommittee on May 4 on the issue of data breaches and privacy, and he told Infosecurity that the lack of uniform laws regarding data breach notification presents problems for both consumers and companies alike.

For consumers, Spafford believes the problem is that they may or may not get notified, and the conditions in which they are notified may differ depending on location. “It’s difficult for the companies”, he adds, “because if they do business in multiple states, then the rules may be conflicting or confusing. For some of them, they would actually prefer a federal standard. Actually, for some of them they would presumably prefer no standard, but a common standard would be preferable for them.”

The Purdue professor has observed that US federal regulations have been “resisted by many companies because they didn’t want too strong a notification law, and because they didn’t want to be put in a position where it would cost them too much” or weigh them down with restrictions. “At the same time, consumers and various [advocacy] organizations didn’t want too weak a law.”

Many proposed bills died, he continued, because of either strong opposition by the business community or the issue’s relative lack of importance in the pecking order of priorities.

He highlighted that there are currently six bills being introduced in Congress, in addition to hearings about online privacy. “The FTC [Federal Trade Commission] already has some authority in this arena, but it is understaffed and underfunded”, he lamented.

In the UK, the Information Commissioner’s Office has confirmed that it is investigating the Sony PlayStation Network breach and it may take action on behalf of the UK’s registered users. In a statement, the ICO said: “We have contacted Sony and will be making further inquiries to establish the precise nature of the incident before deciding what action, if any, needs to be taken by this office.”

Experts consulted by Infosecurity acknowledged that the ICO has been reluctant to levy fines for violations of the country’s Data Protection Act, with only four companies being hit with monetary penalties so far in 2011 despite hundreds of reported data breaches. Add to this the rather glacial pace the body has been known to move at. Even if the ICO determines that Sony did violate the Data Protection Act, UK law permits only a maximum fine of £500,000.

Still, Wang and Faulkner both agree that the recent spate of large security breaches could give rise to greater regulation of consumer data and its privacy – a PCI for consumer-based data, if you will.

Wang theorized that hackers are moving away from stealing loads of financial data to that of personal data stores. “PCI has been in existence for some time now, and the general industry protection assurance has really gone up. So it takes hackers more effort now to get any kind of financial data. And since many hackers are looking for an easy way to make a buck, a large database of email addresses can also fetch a fair amount of money on the underground market.”

As for the longer-term policy ramifications of this spring’s breaches, Wang said that we may see the rise of a PCI for consumer privacy. “I think we will see more requirements on the technology side, and on the policy side, for ensuring the privacy and security of customer data. The regulations will take notice from PCI, and similar types of protection guarantees will be required for companies that handle what is deemed ‘private’ customer data.

“PCI is actually a success case”, she added. The PCI Security Standards Council, Wang continued, has done its regulation in a prescriptive way that can be easily measured and can verify assurance.

“Ultimately these breaches are wake-up calls for people who handle consumer data, and in the long run that is a good thing”, she concluded.

Faulkner of ThreatMetrix sees the wisdom in such a regulatory framework, although he may not be as totally on board with such an idea as the Forrester analyst. “Generally, legislation tends to complicate matters”, Faulkner argued. But, taken to its extreme, “I can potentially see personally identifiable data going the way of credit card data, where you have PCI compliance. That will just be applied to every business, which will have to have some kind of personal data compliance program they will need to be audited on.”

Purdue’s Spafford says this spring’s breach incidents are hardly anomalous, and should continue going forward. “We have more systems that collect more information into large databases, and so when breaches do occur, they are going to occur with larger numbers.”

Hackers no longer target, for the most part, an individual PC or device, he said. “They are going to spend their time going after large organizations that have very big data files. So when breaches are discovered, they are likely to be large data files – as we hear about these, we shouldn’t be surprised if, in fact, they are large data files…one after another.”
