Hacking

SPOTLIGHT ON SECURITY

Hackers Home in on Health, Education, Government Sectors

A New York healthcare provider, California's higher education system and the Department of Energy have become the latest targets of data bandits. The latest massive data breach at a healthcare provider reportedly took place at Excellus BlueCross BlueShield, which last week revealed that the personal data of more than 10 million people was at risk due to an attack that dates back to December 2013.

A New York healthcare provider, California’s higher education system and the U.S. Department of Energy have become the latest targets of data bandits.

The latest massive data breach at a healthcare provider took place at Excellus BlueCross BlueShield, which last week revealed that the personal data of more than 10 million people was at risk due to a penetration of its computer systems that dates back to December 2013, according to a report in The Hill.

Although there’s no evidence that the attackers robbed or have used any of the information, they were able to peek at customer’s names, birth dates, Social Security numbers, mailing addresses, and financial and claims information, the paper noted.

The intrusion is among the top 20 worst healthcare breaches of all time.

Caution Still in Order

Some folks may sigh with relief at the absence of evidence any data was pinched from Excellus, but Adam Kujawa, malware intelligence leader at Malwarebytes, isn’t one of them.

Since the attackers had administrative privileges, they probably could access files on the system in unencrypted form, he told TechNewsWorld.

“With an attack of this magnitude, being done over the course of more than a year, cybercriminals probably stole information by simply copying and pasting it from its unencrypted form on the secure network to their own systems, or utilizing built-in tools to parse the information for the most valuable data,” Kujawa explained.

“At the end of the day, this is just another example of the weak cybersecurity measures we currently have in place for sensitive information,” he added.”While many industries, such as banking, are stepping up to the plate, there’s still slow adoption from industries such as healthcare,” he said.

Deja Vu Strikes Again

If the Excellus breach appears familiar, it’s with good reason, according to Eric Chiu, president and founder of HyTrust.

“There’s a striking similarity between the breach at Excellus and other recent incidents at Anthem, the Office of Personnel Management, Sony and Ashley Madison,” he told TechNewsWorld.

“The attacks are happening on the inside, where cybercriminals are leveraging [advanced persistent threats] and stolen credentials to gain access to corporate networks. From there, the attackers look like any other employee, making them difficult to detect,” Chiu explained.

“This is a critical situation,” he continued. “We need to turn our security paradigm around from an ‘outside in’ threat perspective, which has proven inefficient and largely ineffective, to an ‘inside out’ view that addresses both insider and outsider advanced threats.”

Turning the security paradigm inside out is going to take time, though — time that many healthcare organizations don’t have.

“Data breaches, especially in the target-rich healthcare industry, should no longer be considered front-page news,” said Jeff Hill, channel marketing manager for Stealthbits.

“Excellus is just the latest,” told TechNewsWorld.

“How many attackers are currently operating without detection on the networks of other healthcare companies, as we speak?” Hill asked.

Cal State Breach

Meanwhile, another popular target for hackers — education — also fell to a data breach of note.

Some 80,000 students in the California State University system were informed that personal information they entrusted to a contractor providing the system with a class on sexual harassment was at risk, the Los Angeles Times reported last week.

Cal State had few details for the students other than to say that the breach was caused by a “vulnerability in the underlying code.”

Passwords, usernames, email addresses, and gender, race and relationship status information was compromised, Cal State said, but not high-value data like Social Security, credit card and driver’s license numbers.

The Cal State breach is another example of an organization’s supply chain becoming low-hanging fruit for hackers.

“This illustrates the need for organizations to question and verify the security practices of their vendors, particularly when their systems will be housing personal information,” said Ken Westin, a senior security analyst with Tripwire.

“In addition to ensuring that vendors regularly run vulnerability scans and follow system-hardening best practices,” he told TechNewsWorld, “questions also need to be asked regarding how sensitive information is stored on their systems.”

Bad Password Hygiene

If Cal State had reviewed the security practices of the breached vendor, We End Violence, it would have discovered some less-than-best practices.

“I verified with We End Violence by phone that the passwords being stored in these systems were not encrypted,” Westin said. “Not following this simple practice exponentially increases the risks for those students. This is particularly true if they use those same passwords for email, banking, social media and other services.”

Password hygiene is a problem at universities in general.

Of the 10 schools with the worst security postures, password exposure was the only category in which they all received a grade of F grade, SecurityScorecard found in a report released last week.

“In general, this means that students, faculty, and employees of these colleges and universities are using easy-to-remember password combinations and are eschewing the security of these schools for the convenience of access,” the report notes.

Energy Department Breach

A government agency also made data breach news last week.

The U.S. Department of Energy’s computer systems were compromised 159 times between 2010 to 2014 — that’s 11 percent of the 1,131 hack attacks launched against the agency during the period — according to USA Today, which obtained the information through a Freedom of Information Act request.

DoE officials declined to comment on whether any sensitive data on the security of the national power grid or stockpile of nuclear weapons was stolen, the paper said, or if any foreign governments were behind the attacks.

Fifty-three successful forays against the agency were “root” compromises, meaning the raiders obtained administrative privileges for the DoE’s systems, which gave them an enormous amount of freedom to move through the systems and examine data, USA Today reported.

There’s some heartening news written between the lines of the DoE story, however.

“What differentiates high-performing organizations is not necessarily the absence of intrusions, but the speed of response and recovery,” observed Stephen Boyer, CTO of BitSight.

“The very fact that DoE has detected the issues and marked them as losses,” he told TechNewsWorld, “is a signal that they have a process in place for detection, response, recovery and reporting.”

Breach Diary

  • Sept. 8. California State University system reveals that personal information of some 80,000 students was compromised by data breach of systems of company providing sexual harrassment courses to students.
  • Sept. 9. Venafi releases results of survey of 300 IT security professionals taken at 2015 Black Hat USA revealing 90 percent of the respondents believed there would be a data breach of a major certificate-issuing authority in the next two years.
  • Sept. 9. Excellus Blue Cross Blue Shield in Rochester, N.Y., reports personal information of more than 10 million customers may have been compromised in cyberattack on its computer systems in December 2013.
  • Sept. 9. Gemalto releases global Breach Level Index for first half of 2015. Company found 888 breaches compromised 246 million records, a 10 percent increase in breaches, but a 41 percent decline in records stolen compared to the same period in 2014
  • .

  • Sept. 9. Attorney for former Ashley Madison CTO Raja Bhatia threatens to sue cybersecurity blogger Brian Krebs for his report that Bhatia hacked into a competitor’s computer systems while working at the infideltiy website.
  • Sept. 10. Cynosure Prime reports blunders in encryption of passwords by Ashley Madison has enabled it to decrypt 11 million of the passwords in 10 days.
  • Sept. 10. Pulse, an operator of a national network of ATMs, releases survey results finding that 90 percent of U.S. financial institutions either had begun issuing chip (EMV) debit cards or planned to do so by the end of 2015.
  • Sept. 10. SecurityScorecard releases analysis of cybersecurity at universities in the United States. Topping list of 10 schools with strongest security posture was Merced Community College in California; among the top 10 schools with weakest posture: MIT in Massachusetts.
  • Sept. 11. CVS sends email to customers of CVSPhoto.com alerting them that some of their personal information may have been compromised in data breach of the operator of the company’s photo site, PNI Media.
  • Sept. 11. USA Today reports that between 2010 and 2014 the U.S. Department of Energy’s computer systems were comproimised more than 150 times.

Upcoming Security Events

  • Sept. 16. Unlock the Key to Repel Ransomware. 2 p.m. ET. Webinar sponsored by Kaspersky Lab. Free with registration.
  • Sept. 16. Secure Networks Mean Secure Revenue. 11 a.m. ET. Webinar sponsored by Arbor Networks. Free with registration.
  • Sept. 16. George Washington University Cyber Academy Open House. George Washington University, Virginia Science and Technology Campus, Enterprise Hall, 44983 Knoll Square, Ashburn, Virginia. Free with registration.
  • Sept. 16. ISMG Data Breach Prevention and Response Summit. The Westin San Francisco Airport, 1 Old Bayshore Highway, Millbrae, California. Registration: US$695.
  • Sept. 16-17. SecureWorld Detroit. Ford Motor Conference & Event Center, Detroit. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Sept. 17. 6th Annual Billington Cybersecurity Summit. Ronald Reagan Building and International Trade Center, 1300 Pennsylvania Avenue Northwest, Washington, D.C. Registration: corporate rate, $595; academic, $145; military and government, free.
  • Sept. 18. B-Sides Cape Breton. The Verschuren Centre, Cape Breton University, Sydney, Nova Scotia, Canada. Free.
  • Sept. 22-23. SecureWorld St. Louis. America’s Center Convention Complex, St. Louis. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Sept. 24. 110 Bitcoin or Else! 11 a.m. ET. Webinar sponsored by Arbor Networks. Free with registration.
  • Sept. 28-Oct. 1. ASIS 2015. Anaheim Convention Center, Anaheim, California. Through May 31 — member, $895; nonmember, $1,150; government, $945; student, $300. From June 1 through Aug. 31 — member, $995; nonmember, $1,250; government, $1,045; student, $350. From Sept. 1 through Oct. 1 — member, $1,095; nonmember, $1,350; government, $1,145; student, $400.
  • Sept. 30. What Happened Next? Detecting an Attack in Real Time. 11 a.m. ET. Webinar sponsored by Arbor Networks. Free with registration.
  • Sept. 30-Oct. 1. Privacy. Security. Risk. 2015. Conference sponsored by IAPP Privacy Academy and CSA Congress. Bellagio hotel, Las Vegas. Registration: Before Aug. 29 — member, $1,195; nonmember, $1,395; government, $1,045; academic, $495. After Aug. 28 — member, $1,395; nonmember, $1,595; government, $1,145; academic, $495.
  • Oct. 2-3. B-Sides Ottawa. RA Centre, 2451 Riverside Dr., Ottawa, Canada. Free with registration.
  • Oct. 6. SecureWorld Cincinnati. Sharonville Convention Center, 11355 Chester Rd., Sharonville, Ohio. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Oct. 6. UK Cyber View Summit 2015. 6 a.m. ET. Warwick Business School, 17th Floor, The Shard, 32 London Bridge, London, UK. Registration: 550 euros plus VAT.
  • Oct. 9-11. B-Sides Warsaw. Pastwomiasto, Anders 29, Warsaw, Poland. Free with registration.
  • Oct. 12-14. FireEye Cyber Defense Summit. Washington Hilton, 1919 Connecticut Ave. NW, Washington, D.C. Registration: before Sept. 19, $1,125; after Sept. 18, $1,500.
  • Oct. 15. SecureWorld Denver. The Cable Center, 2000 Buchtel Blvd., Denver, Colorado. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Oct. 19-21. CSX Cybersecurity Nexus Conference. Marriott Wardman Park, 2660 Woodley Rd. NW, Washington, D.C. Registration: before Aug. 26 — member, $1,395; nonmenber, $1,595.
  • Before Oct. 14 — member, $1,595; nonmenber, $1,795. After Oct. 14 — member, $1,795; nonmember, $1,995.
  • Oct. 28. The Cyber-Centric Enterprise. 8:15 a.m. ET. Virtual conference. Free with registration.
  • Oct. 28-29. SecureWorld Dallas. Plano Centre, 2000 East Spring Creek Parkway, Plano, Texas. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Oct. 28-29. Securing New Ground. Conference sponsored by Security Industry Association. Millennium Broadway Hotel, New York City. Registration: Before Sept. 8 — member, $895; nonmember, $1,395; CISO, CSO, CIO, $300. After Sept. 7 — member, $1,095; nonmember, $1,495; CISO, CSO, CIO, $300.
  • Nov. 4. Bay Area SecureWorld. San Jose Marriott, 301 South Market St., San Jose, California. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Nov. 10. FedCyber 2015 Annual Summit. Tyson’s Corner Marriott, 8028 Leesburg Pike, Tyson’s Corner, Virginia. Registration: $395; academic, $145; government and military, free.
  • Nov. 11-12. Seattle SecureWorld. Meydenbauer Center, 11100 NE 6th St., Bellevue, Washington. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Nov. 24-25. Cyber Impact Gateway Conference. ILEC Conference Centre and Ibis London Earls Court, London, UK. Registration: Before Sept. 18 — end users, Pounds 1,699 plus VAT; solution providers, Pounds 2,699 plus VAT. Before Oct. 9 — end users, Pounds 1,799 plus VAT; solution providers, Pounds 2,799 plus VAT. Before Oct. 30 — end users, Pounds 1,899 plus VAT; solution providers, Pounds 2,899 plus VAT. Standard — end users, Pounds 1,999 plus VAT; solution providers, Pounds 2,999 plus VAT.
  • Dec. 12. Threats and Defenses on the Internet. Noon ET. Northeastern University, Burlington Campus, 145 South Bedford St., Burlington, Massachusetts. Registration: $6.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Hacking

Technewsworld Channels