Computer Fraud & Security ISSN 1361-3723 June 2014
www.computerfraudandsecurity.com
Featured in this issue:

Why governance, risk and compliance projects fail – and how to prevent it

Business cases for companies implementing or upgrading their governance, risk and compliance (GRC) tools tend to focus on reducing the costs of compliance and user administration. However, to realise the benefits of cost reductions, increased efficiency and improved controls, the right technology must first be selected and then embedded into the business and compliance process, and the technical aspects must be implemented to a high standard, explains Richard Hunt of Turnkey Consulting. Full story on page 5…

The true cost of being hacked

Putting a figure on the cost of data breaches is akin to nailing jelly to a wall. Yet as enterprises attempt to insure themselves against losses and CISOs fight for budget, it is increasingly important to work out what a data breach could cost. Tracey Caldwell reports on how the impact of data breaches is being calculated and the factors that affect how much a data breach will affect an organisation’s bottom line – ranging from expenses incurred by partners and customers, through bringing in expert help, to installing security technology to prevent data loss from happening again. Full story on page 8…

Safeguarding the future of the Internet

With the Internet becoming so central to our lives, it’s vital that this resource remains open and secure. Yet there are several areas of significant concern, one of the most central being privacy. This issue has been debated since the Internet’s inception and it remains a point of focus in the industry today, presenting an undeniable challenge for everyone. Axel Pawlik of the RIPE Network Co-ordination Centre discusses how the debate is evolving, and the steps we can all take to remain private and secure. Full story on page 13…

NEWS

Hackers steal up to 145 million user records in massive eBay breach

Online auction firm eBay has confessed to a breach of its systems in which 145 million user records were compromised – although it’s not known how many were actually stolen. But the firm has come under fire not just for its failed security, but also because of the poor way in which it handled the incident.

It took eBay more than a week to post a notice on its home page concerning the (Continued on page 3)

Contents

NEWS
Hackers steal up to 145 million user records in massive eBay breach 1
UK professionals willingly flout data protections 3
International police operation leads to 100 arrests 3

FEATURES
Why governance, risk and compliance projects fail – and how to prevent it 5
Too many firms feel that simply installing a GRC solution will satisfy all their governance, risk and compliance needs. However, achieving the aims of reducing costs, increasing efficiency and improving controls isn’t as easy as it might seem. Richard Hunt of Turnkey Consulting explains how the solution must be embedded in the organisation’s business and compliance processes.

The true cost of being hacked 8
Calculating the financial impact of a data breach is notoriously difficult. While some costs – such as legal expenses, fees to forensic experts and so on – are easy to detail, there are other impacts, including reputational damage, that are much harder to quantify. As CISOs fight for budget and firms look to insure themselves against breaches, Tracey Caldwell looks at the tricky task of putting a number on the damage from hacking.

Safeguarding the Internet 13
Among all of our concerns with Internet security, privacy ranks as one of the most pressing. Now that the Internet is central to our lives – and in the wake of revelations about government snooping – Axel Pawlik of the RIPE Network Co-ordination Centre looks at how the debate about privacy is evolving.

Taking a preventative approach towards the Bribery Act 16
Proposed new powers could make organisations liable to serious sanctions under the Bribery Act. But by making use of a resource they already have – the data in their systems – there are steps firms can take to protect themselves, explains Phil Beckett of Proven Legal Technologies.

Document protection – whatever the weather 19
Recent adverse weather has caused many firms to re-think their business continuity provisions, particularly in the light of regulations that dictate how financial documents and other industry-specific records must be stored for a set length of time. Anthony Pearlgood of PHS Data Solutions looks at how a proper document storage strategy can help keep you compliant even when disaster strikes.

REGULARS
Editorial 2
News in brief 4
Calendar 20
ISSN 1361-3723/14 © 2014 Elsevier Ltd. All rights reserved.
NEWS

...Continued from front page

breach. The firm said it notified affected customers by email, but it didn’t enforce a password reset. And when users came to set their passwords, the advice given by eBay about how to choose a password was very poor.

The attackers used a “small number of employee log-in credentials”, according to eBay. The firm also said that there was no evidence that the hackers had gained access to financial data, which is kept encrypted on a separate system. The attack took place between late February and early March, but it wasn’t until early May that eBay discovered it, and it took the firm another two weeks to alert users. It claimed it had detected no increase in fraudulent activity on the site.

A number of US states, including Connecticut, Florida and Illinois, have said they will co-operate on an investigation into the breach. In the UK, the Information Commissioner’s Office also said it was considering a formal investigation.

Meanwhile, someone claiming to be the hacker dumped a sample of 12,000 records on eBay and offered to sell the complete database for 1.453 bitcoins (around $750). It was later confirmed by eBay that the proffered data had nothing to do with the hack of its systems and security researchers speculated that it was probably from another breach.

Other firms have suffered major breaches, too. Czech security software firm Avast fell victim to hackers. The firm revealed that 400,000 user accounts for its online forum had been compromised. In this case, the attackers purloined nicknames, real names, usernames and hashed passwords. Avast didn’t say how the passwords were hashed, but did warn of the possibility of them being recovered by the attackers, which suggests they may not have been salted. The firm temporarily closed the forum.

UK shoe retailer Office also had its systems breached. Unlike so many other firms, it took the sensible step of resetting all users’ passwords, forcing them to choose new ones the next time they logged in. However, although the company emailed customers to let them know of the breach, it failed to mention it on its site. The email said that passwords had been taken, but there was no mention of any hashing or encryption having been used.
International police operation leads to 100 arrests

Co-operation between law enforcement units in Europe, the US and Asia recently has resulted in more than 100 arrests connected to the use of a Remote Access Trojan (RAT) known as Blackshades.

The operation, led by the FBI, led to arrests in the UK, Netherlands, Belgium, Finland, Austria, Estonia, Denmark, Canada, Chile, Croatia and Italy. Blackshades was a popular piece of malware, often being bought by people with no significant programming or hacking skills of their own. Recently, licences were being sold via cybercrime forums for several hundred euros a time, although earlier it was selling for $50–100. The malware allows the operator to spy on victims through their webcams, access files and account information, encrypt files in order to blackmail the victim, and log keystrokes. The FBI said the malware had been deployed on more than half a million computers, having been purchased by several thousand people in more than 100 countries.

One of the alleged co-creators of Blackshades is Michael Hogue, known as ‘xVisceral’, who was arrested in June 2012 following the FBI’s creation of a fake cybercrime forum, CarderProfit. He has pleaded guilty to a number of cybercrime-related charges and is awaiting sentencing. Hogue has also been indicted in this operation.

One infamous use of Blackshades (along with another RAT, Darkcomet) was that by Jared Abrahams, who used it to grab compromising photos and video of 150 young women via their webcams. He used the images to blackmail them – an activity for which he received an 18-month prison sentence earlier this year.
UK professionals willingly flout data protections

A third of UK professionals who have access to customer data are likely to consider risky behaviours that endanger or undermine data protection, according to research by Courion.

Much of this stems from a lack of awareness of basic data protection policies, the research concludes. However, while those people surveyed were happy to characterise hackers as criminals, many of them were also willing to engage in behaviour such as snooping on sensitive personal information and sharing work login details with colleagues.

A fifth of those polled also feel that hackers do a worthwhile job by exposing security defects that should have been fixed by organisations. Notably, the younger generation holds this view more than their older counterparts, with a quarter of 18-24 year-old respondents supporting it. This age gap is significant throughout the findings, with the younger ‘Millennial’ generation sometimes twice as likely to be cavalier with their access habits, said Courion. For example, 30% of the 18-24 year-old respondents would snoop on sensitive customer data at work compared to only 12% of employees in the 45-54 bracket.

The research also revealed that men are more reckless than women when it comes to breaching their employer’s data protection policies. Male employees are twice as likely to access the database of an old employer if they still have access rights, and more likely to pass on confidential information for money or if they feel they’ve been treated unfairly (36% of men against 21% of women).

Other findings include: 30% of employees would pass on confidential information about their employer if they suspected they were involved in illegal activity; 39% of people share work login details with colleagues despite the regular warnings about protecting passwords; a third (33%) of UK professionals would consider accessing a previous employer’s data to help them with a new job.