• For the advancement of human knowledge and its impact on the way people interact with and use information.

  • Hass and Associates provides news, analysis, opinion, information and services for the IT community on the role of technology in improving organizations in all sectors of business and public life.

  • Hackers are staunch supporters of open-source software and freeware because their nature allows them to access the source code.

  • Handy tips and tricks on the web, operating systems and major programs for hacking n00bs and the general population.

  • Using the advancement of technology to share knowledge: know the risks and know the solutions as well.


Tuesday, March 24, 2015

Hass & Associates Online Reviews on the Evolution of Hacking

Computer hacking was once the realm of curious teenagers. It's now the arena of government spies, professional thieves and soldiers of fortune.

Today, it's all about the money. That's why Chinese hackers broke into Lockheed Martin and stole the blueprints to the trillion-dollar F-35 fighter jet. It's also why Russian hackers have sneaked into Western oil and gas companies for years.

The stakes are higher, too. In 2010, hackers slipped a "digital bomb" into the Nasdaq that nearly sabotaged the stock market. In 2012, Iran ruined 30,000 computers at Saudi oil producer Aramco.

And think of the immense (and yet undisclosed) damage from North Korea's cyberattack on Sony Pictures last year. Computers were destroyed, executives' embarrassing emails were exposed, and the entire movie studio was thrown into chaos.

It wasn't always this way. Hacking actually has some pretty innocent and harmless beginnings.

CURIOSITY CREATED THE HACKER

The whole concept of "hacking" sprouted from the Massachusetts Institute of Technology nearly 50 years ago. Computer science students there borrowed the term from a group of model train enthusiasts who "hacked" electric train tracks and switches in 1969 to improve performance.

These new hackers were already figuring out how to alter computer software and hardware to speed it up, even as the scientists at AT&T Bell Labs were developing UNIX, one of the world's first major operating systems.

Hacking became the art of figuring out unique solutions. It takes an insatiable curiosity about how things work; hackers wanted to make technology work better, or differently. They were not inherently good or bad, just clever.

In that sense, the first generation of true hackers were "phreakers," a bunch of American punks who toyed with the nation's telephone system. In 1971, they discovered that if you whistle at a certain high-pitched tone, 2600-hertz, you could access AT&T's long-distance switching system.

They would make international phone calls, just for the fun of it, to explore how the telephone network was set up.

This was low-fi stuff. The most famous phreaker, John Draper (aka "Cap'n Crunch"), earned his nickname because he realized the toy whistle given away in cereal boxes emitted just the right tone. This trained engineer took that concept to the next level by building a custom "blue box" to make those free calls.

This surreptitious little box was such a novel idea that young engineers Steve Wozniak and Steve Jobs started building and selling it themselves. These are the guys who would later go on to start Apple.

Wire fraud spiked, and the FBI cracked down on phreakers and their blue boxes. The laws didn't quite fit, though. Kids were charged with making harassing phone calls and the like. But federal agents couldn't halt this phenomenon.

A tech-savvy, inquisitive and slightly anti-authoritarian community had been born.

A NEW WAVE OF HACKERS

The next generation came in the early 1980s, as people bought personal computers for their homes and hooked them up to the telephone network. The Web wasn't yet alive, but computers could still talk to one another.

This was the golden age of hacking. These curious kids tapped into whatever computer system they could find just to explore. Some broke into computer networks at companies. Others told printers at hospitals hundreds of miles away to just spit out paper. And the first digital hangouts came into being. Hackers met on text-only bulletin board systems to talk about phreaking, share computer passwords and tips.

The 1983 movie "War Games" depicted this very thing, only the implications were disastrous. In it, a teenager in Washington state accidentally taps into a military computer and nearly brings the world to nuclear war. It's no surprise, then, that the FBI was on high alert that year, and arrested six teenagers in Milwaukee -- who called themselves the 414s, after their area code -- when they tapped into the Los Alamos National Laboratory, a nuclear weapon research facility.

Nationwide fears led the U.S. Congress to pass the Computer Fraud and Abuse Act in 1986. Breaking into computer systems was now a crime of its own.

The damage of hacking started getting more serious, too. In 1988, the government's ARPAnet, the earliest version of the Internet, got jammed when a Cornell University graduate student, curious about the network's size, created a self-replicating software worm that multiplied too quickly.

The next year, a few German hackers working for the Russian KGB were caught breaking into the Pentagon. In 1990, hacker Kevin Poulsen rigged a Los Angeles radio station's phone system to win a Porsche, only to be arrested afterward.

The cat-and-mouse game between law enforcement and hackers continued throughout the 1990s. Some hacked for money. Russian mathematician Vladimir Levin was caught stealing $10 million from Citibank. Others did it for revenge. Tim Lloyd wiped the computers at Omega Engineering in New Jersey after he was fired.

But hacks were still more of an annoyance than anything devastating, though it was quickly becoming apparent that the potential was there. The stock market, hospitals, credit card transactions -- everything was running on computers now. There was a bone-chilling moment when a ragtag group of hackers calling themselves L0pht testified before Congress in 1998 and said they could shut down the Internet in 30 minutes.

The danger was suddenly more real than ever.

FROM CURIOSITY TO CRIMINAL

The ethos was starting to change, too. Previously, hackers broke into computers and networks because they were curious and those tools were inaccessible. The Web changed that, putting all that stuff at everyone's fingertips. Money became the driving force behind hacks, said C. Thomas, a member of L0pht who is known internationally as the hacker "Space Rogue."

An unpatched bug in Windows could let a hacker enter a bank, or a foreign government office. Mafias and governments were willing to pay top dollar for this entry point. A totally different kind of black market started to grow.

The best proof came in 2003, when Microsoft started offering a $5 million bounty on hackers attacking Windows.

"It's no longer a quest for information and knowledge by exploring networks. It's about dollars," Thomas said. "Researchers are no longer motivated to get stuff fixed. Now, they say, 'I'm going to go looking for bugs to get a paycheck - and sell this bug to a government.'"

Loosely affiliated amateurs were replaced by well-paid, trained professionals. By the mid-2000s, hacking belonged to organized crime, governments and hacktivists.

FIRST, CRIME: Hackers around the world wrote malicious software (malware) to hijack tens of thousands of computers, using their processing power to generate spam. They wrote banking trojans to steal website login credentials.

Hacking payment systems turned out to be insanely lucrative, too. Albert Gonzalez's theft of 94 million credit cards from the company TJX in 2007 proved to be a precursor to later retailer data breaches, like Target, Home Depot and many more.

Then there's government. When the United States wanted to sabotage the Iranian nuclear program in 2009, it hacked a development facility and unleashed the most dangerous computer virus the world has ever seen. Stuxnet caused the Iranian lab computers to spin centrifuges out of control.

This was unprecedented: a digital strike with extreme physical consequences.

Similarly, there's proof that Russia used hackers to coordinate its attack on Georgia during a five-day war in 2008, taking out key news and government websites as tanks rolled into those specific cities.

Then there are hacktivists. The populist group Anonymous hacks into police departments to expose officer brutality and floods banks with garbage Internet traffic. A vigilante known as "The Jester" takes down Islamic jihadist websites.

What exists now is a tricky world. The White House gets hacked. Was it the Russian government or Russian nationalists acting on their own? Or freelance agents paid by the government? In the digital realm, attribution is extremely difficult.

Meanwhile, it's easier than ever to become a hacker. Digital weapons go for mere dollars on easily accessible black markets online. Anonymity is a few clicks away with the right software. And there are high-paying jobs in defending companies like Google or JPMorgan Chase -- or attacking them.

As a result, law enforcement tolerance for hacking has fallen to zero. In 1999, the hacker Space Rogue exposed how FAO Schwarz's website was leaking consumer email addresses and forced the company to fix it. He was cheered. When Andrew Auernheimer (known as "weev") did the same thing to AT&T in 2010, he spent more than a year in prison until his case was overturned on a technicality.

The days of mere curiosity are over.

Saturday, March 21, 2015

Hass & Associates Online Reviews: The threat of fraud is evolving; are your controls?

When asked, many business owners will flat out deny that fraud or misconduct could be happening in their organization. Their denial is usually based on the belief that appropriate controls are in place or that every employee is loyal and trustworthy. Sadly there are many examples where controls and loyalty are absent. The result can be a catastrophic loss.

In the 2014 MNP fraud survey, 33% of the businesses surveyed in British Columbia reported having been the victim of fraud. Immediately following the incident, business owners believed their fraud risk was higher. Five years after the event, their perceived risk reduced to the same level as that of non-victims, with only 2% rating their fraud risk as high. While the reason for the reduced concern is not known, it appears that complacency regarding the threat increases as the event becomes distant.

The results also showed that the risk of fraud increased with the number of employees: 49% of businesses with 25 or more employees reported having been a victim of fraud, versus 26% of companies with fewer than 25 employees. In other words, at least one-quarter of businesses suffer some form of fraud, with the percentage increasing with the number of employees.

In order for a business to manage its fraud risk, owners must accept the likelihood that their business can be a victim. An over-reliance on trust is often a factor in employees being able to commit fraud. While trust within an organization is important to generate growth and innovation, trust is not a control. Checks and balances need to be implemented and communicated to demonstrate that assets will be protected.

In the MNP survey, internal controls were credited with identifying 35% of the fraud cases, and tips/whistleblowers were credited with identifying 25%. These statistics support the hypothesis that an ethical environment with appropriate policies and controls better protects the organization.

So how do you promote innovation and growth without accepting too much risk? The first step is to understand the business environment and then design controls to effectively manage the risks that can impair growth, profitability and reputation.

At inception, the business owner is often very hands-on and will have a feel for how everything is working. As the business grows, the owner has less time to personally monitor operations. This is the critical point at which to revise and implement strong policies supported by appropriate controls, as employees assume some of the owner’s duties.

Design a hiring process that attracts employees with an ethical compass that best matches your expectations. Ensure you know as much about prospective employees as possible. Identify gaps in their resumés, as they might indicate a previous problem. If hiring someone with key responsibility, complete a thorough credit and criminal record check along with Internet searches for negative news stories or postings, and verify.

The development of controls at a point in time is not the end of the story. Businesses change and evolve, and so should controls. This is not limited to internal changes in process. Consider external factors such as changes in regulations, accessing foreign markets and changes in technology.

Computers and Internet connectivity have increased organizations’ exposure to fraud. It is possible to infiltrate a company without being an employee; however, perpetrators often use employees to gain access. This can be done through phishing emails, computer hacking or downloading of applications containing malware. Proper policies and controls can reduce the likelihood of a successful attack, assuming that all employees are aware of the policies and controls and diligently follow them.

Even if proper policies and controls exist, they will not be effective sitting on a shelf or in an employee’s inbox. Too often, a control is carefully designed but is not followed because the employee is not aware of the control, does not understand the control and therefore ignores it or is simply too busy to properly complete all the steps. Communication and education are critical for creating an environment where key controls are respected.

Once controls are developed and implemented, it is incumbent on management to regularly check that the procedures are being followed. For example, maximum speed signs are posted on all major roadways, but there is still a need for police to remind drivers to obey the speed limit. If employees know that management is checking compliance with policies and controls, they will more likely follow them. Additionally, if employees do not understand the relevance of a task, they are less likely to complete it and more likely to spend time on other activities that result in greater perceived value.

Thursday, March 19, 2015

Hass & Associates Online Reviews: Twelve Tips to Combat Insider Threats

Employees with access to sensitive data remain a critical security vulnerability - but there are practical steps for addressing the issue from within.

The Edward Snowden leaks highlighted that if the NSA can have its sensitive documents stolen by an employee, anyone can. According to the 2015 Vormetric Insider Threat Report, 89% of global respondents felt that their organisation was now more at risk from an insider attack with 34% saying they felt very or extremely vulnerable.

According to corporate security firm Espion, while the frequency of cyber incidents is on the rise, hackers trying to gain access to critical information are not always to blame, with insider involvement remaining a significant problem.

The methods used to transfer data can include uploading to online network storage, email transmission, storage on local media (including USB memory sticks, CDs or DVDs) and other data exfiltration methods. The information sought by hackers is multifaceted and varied and, depending on the nature of the target’s business, can include: intellectual property, financial information, customer or client related information, project plans, business presentations, blueprints and personnel details.

'Insider abuse is more difficult to detect, as the perpetrators often have legitimate access to sensitive data and removing it may go completely unnoticed,' said senior Espion consultant John Hetherton, commenting on incidents of security breaches from within organisations. 'Whether opportunistic or disgruntled with their employers, the threat from the inside becomes more serious, as these employees have access to the company’s best kept secrets and insider knowledge of security weaknesses.'

'Insider attacks can cause significant damage to companies and the consensus indicates that as workers become concerned for their futures, the likelihood of an insider attack increases.'

With that in mind, Espion offers twelve tips for addressing the issue from within:

1. Ensure that organisational policies are unambiguous regarding the classification and protection of information. Policies should stipulate controls commensurate to the value of the information; the more valuable the information, the more rigorous the controls. These controls should state protection measures for information at rest and in transit.

2. All staff should sign confidentiality and non-disclosure agreements when joining the organisation.

3. Where BYOD is an option, the organisation should implement technical controls protecting company information which may be held on personal devices.

4. Know exactly where all the organisation’s key information is stored and how that information may legitimately enter and leave those repositories.

5. Set up all user access by means of unique user accounts to maintain accountability of actions. Generic and shared accounts should be disabled and the sharing of passwords should be prohibited by policy. It is especially important that system administrators are also subject to these controls.

6. Password complexity and management processes should be robust to prevent impersonation attacks.

7. Strictly control access to information, which is authorised by information owners and regularly reviewed to ensure access to information is appropriate.

8. Where third party cloud based services are adopted by the organisation, a robust movers and leavers process should be implemented to cover both key internal systems and cloud services where access control may not be centrally controlled by internal IT, such as Dropbox and Google Drive.

9. Put in place granular auditing for accessing key systems and information repositories. The level of auditing should be granular enough to ensure that the sequence of events which led to the breach can be reconstructed.

10. Real time alerting of suspicious activities should be actively monitored and responded to by trained incident responders, as part of a defined incident response plan.

11. If there is a notice period, the IT department should actively monitor the employee’s access to the network to make sure sensitive and confidential data is not being downloaded or sent to the employee’s personal email account. Additional measures should be considered in the event of an acrimonious departure, as employees that leave an organisation on bad terms are more likely to steal data.

12. And lastly, as an employee leaves an organisation, a thorough audit of their paper and electronic documents should be carried out and company mobile devices and laptops should be returned.
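As an added example (not code from Espion or from this blog), the following Python routine turns the tips above on unique accounts, granular auditing, real-time alerting and monitoring of staff on notice into concrete detection logic: it flags use of generic accounts, staff on notice reading unusual volumes or mailing personal webmail, and classified files leaving via USB or upload, and it reconstructs one user's event sequence from the audit trail. The account names, paths, thresholds and audit events are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed configuration for a hypothetical organisation (not a real system).
PERSONAL_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com"}
GENERIC_ACCOUNTS = {"admin", "shared", "backup"}   # should be disabled per policy
ON_NOTICE = {"jdoe"}                               # staff serving a notice period
SENSITIVE_PREFIXES = ("/finance/", "/ip/")         # classified repositories
BULK_READ_MB = 500.0                               # per-user read volume threshold


@dataclass(frozen=True)
class Event:
    """One audit record: who did what to which target, and how much data."""
    ts: str        # ISO-8601 timestamp, sortable as a plain string
    user: str
    action: str    # "read", "email", "usb_write" or "upload"
    target: str    # file path, e-mail recipient, or upload URL
    size_mb: float = 0.0


def is_sensitive(path: str) -> bool:
    """True when the path sits in one of the classified repositories."""
    return path.startswith(SENSITIVE_PREFIXES)


def recipient_domain(address: str) -> str:
    """Domain part of an e-mail address, lower-cased; empty if malformed."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def detect(events):
    """Return (rule, user, ts, detail) alerts in time order."""
    alerts = []
    read_volume = defaultdict(float)
    bulk_flagged = set()
    for ev in sorted(events, key=lambda e: e.ts):
        detail = f"{ev.action} {ev.target}"
        # Generic/shared accounts defeat accountability: any use is an alert.
        if ev.user in GENERIC_ACCOUNTS:
            alerts.append(("shared-account", ev.user, ev.ts, detail))
            continue
        # Staff on notice mailing a personal webmail address.
        if (ev.action == "email" and ev.user in ON_NOTICE
                and recipient_domain(ev.target) in PERSONAL_WEBMAIL):
            alerts.append(("leaver-personal-email", ev.user, ev.ts, detail))
        # Classified files leaving through removable media or an upload.
        if ev.action in ("usb_write", "upload") and is_sensitive(ev.target):
            alerts.append(("sensitive-exfil-channel", ev.user, ev.ts, detail))
        # Staff on notice pulling an unusual volume of data (flagged once).
        if ev.action == "read" and ev.user in ON_NOTICE:
            read_volume[ev.user] += ev.size_mb
            if read_volume[ev.user] > BULK_READ_MB and ev.user not in bulk_flagged:
                bulk_flagged.add(ev.user)
                alerts.append(("leaver-bulk-read", ev.user, ev.ts,
                               f"{read_volume[ev.user]:.0f} MB read"))
    return alerts


def timeline(events, user: str):
    """Reconstruct one user's sequence of actions from the audit trail."""
    return [(e.ts, e.action, e.target)
            for e in sorted(events, key=lambda e: e.ts) if e.user == user]


# Constructed audit events for one hypothetical day (sample data, not real logs).
SAMPLE_EVENTS = [
    Event("2015-03-19T08:02:11", "asmith", "read", "/hr/handbook.pdf", 2.0),
    Event("2015-03-19T08:15:40", "jdoe", "read", "/finance/q4-forecast.xlsx", 120.0),
    Event("2015-03-19T08:16:05", "jdoe", "read", "/ip/blueprints/turbine-v3.dwg", 450.0),
    Event("2015-03-19T08:20:30", "jdoe", "email", "jdoe.personal@gmail.com", 0.5),
    Event("2015-03-19T09:01:00", "admin", "read", "/finance/payroll.csv", 1.0),
    Event("2015-03-19T09:30:12", "asmith", "usb_write", "/ip/blueprints/turbine-v3.dwg", 450.0),
    Event("2015-03-19T10:00:00", "asmith", "email", "partner@example.com", 1.0),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert)
    for step in timeline(SAMPLE_EVENTS, "jdoe"):
        print(*step)
```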

Tuesday, March 17, 2015

Hass & Associates Online Reviews about ‘Here is how cyber warfare began — 50 years ago’


Friday, January 2, 2015

Hass & Associates Online Reviews: Cyber warfare provides ominous welcome to 2015

“So long mom, I’m off to drop the bomb, so don’t wait up for me. … I’ll look for you when the war is over, an hour and a half from now.” — Lyrics by Tom Lehrer, to the song, “So long, mom.”

Fifty years ago, when Tom Lehrer’s hilarious topical humor was being set to music, the notion of World War III was imagined as one consisting of nuclear warheads that could attack any target in about 30 minutes.

After that, it was anybody’s guess. As a guide told my family during a tour of an old missile silo in the Arizona desert, once the command was given to launch, the men in charge of a silo were to subsist on available food storage for a month or so. Then, if they had heard nothing, they were to venture above ground to see what was left of the world.

Make no mistake, such a threat still exists, although many of the old Cold War missile silos dotting the land have been deactivated and filled with dirt. But it would be interesting to hear the songs Lehrer, now in his 80s, could write today about warfare conducted by people in their pajamas wielding computer mice and keyboards.

The year that is passing has not been a kind one for personal financial responsibility. Sure, the U.S. economy is humming along. The Dow seems to be setting record after record as the new year approaches, and unemployment is at 5.8 percent nationally and falling.

But as the year ends, the office supply chain Staples has confirmed a data breach that compromised 1.16 million credit and debit cards used by customers at 119 stores across 35 states. The company also said criminals appear to have used this information already for fraud and other mischief.

Ah, for days of auld lang syne, when nuclear Armageddon was our only concern.

The Staples news, of course, comes on the heels of a growing list of similar breaches involving retail heavyweights such as Target, Neiman Marcus and others. It ended a year in which JPMorgan came under attack by hackers who bypassed the bank’s filters and might have caused all kinds of mischief if not discovered by accident on a site used to register runners for a charity race the bank sponsored.

It is difficult to be unassailably prudent and responsible in a world that has migrated to an infrastructure so vulnerable the average person can do little to protect against theft.

But the year’s cyber security crescendo was the shot across the bow delivered by (according to U.S. government officials) someone in North Korea — a nation not known for its computer-programming prowess. The target was Sony Corp., and its new movie billed as a comic take on the fictional assassination of North Korea’s leader.

Arizona Sen. John McCain and former House speaker Newt Gingrich were quick to call this an act of war. President Obama tried to tamp down such rhetoric, calling it instead an act of “cyber vandalism,” but he vowed to retaliate in an unspecified way.

A few days later, North Korea’s Internet mysteriously crashed for several hours.

The truth is cyber attacks are a serious new tactic that, as an official from the Center for a New American Security told Fortune.com, is cheaper “and far more accessible to these small nation-states” than conventional weapons.

The Pentagon not only is aware of this, it has an estimated $5.1 billion cyber warfare budget for 2015, according to the Washington Times. Some believe the U.S. was behind a computer attack against Iran’s nuclear program in 2012.

The fear is that the next successful attack will be against the United States’ vulnerable power grid, or that someone will drain a major bank of its funds. South Korea recently conducted cyber-war drills after someone stole online data containing nuclear power plant designs. If this isn’t really a war, there sure are a lot of shots being fired.

None of which offers much cheer as we welcome 2015 on social media. You may want to tweet your mother that you’ll look for her when the war is over, a mouse click or two from now.

Tuesday, December 30, 2014


Hass & Associates Online Reviews - Security in 2015: Will you care about the next big breach?

From Target to Home Depot to JPMorgan, this year was a bad one for massive security breaches. Expect more of the same next year.

Let's face it, 2014 was a terrible year for computer security, leaving everyone feeling a little more vulnerable.

Hackers stole 56 million credit card numbers and 53 million email addresses from Home Depot between April and September. They took contact information for 76 million households and 7 million small businesses from JPMorgan's vaults. And Target started the year on the wrong foot, coughing up 40 million credit and debit cards, and personal information on 110 million people.

"It'd be hard to find anybody in the US who hasn't had a credit card affected," said H.D. Moore, chief research officer at security firm Rapid7. "People are just numb to the fact."

Will 2015 be the year we learn to care about who to trust with our personal data? Experts have some dour thoughts on what's coming, even as US stores begin to support credit cards with more secure computer chips. There are going to be heightened risks from old threats like email phishing attacks, and new threats posed by the Internet of Things, the idea of having appliances, objects, and electronic devices all connected to each other and the Internet. Here's what to expect next year.

Smarter credit cards

Credit cards containing a computer chip and requiring a separate personal identification number are commonplace in many other developed countries, but have been held back in the US in large part because of the costs. Financial institutions have to pay more to make the new cards, and it's expensive for retailers to upgrade their payment terminals to accept chipped cards. But they are expected to decrease some types of credit card fraud, a problem with current swipe-and-signature cards, because the chips are harder to counterfeit, according to a report from the financial research firm Aite Group. The equipment required to clone a chipped card the way counterfeiters currently fake magnetic stripe cards can cost around $1 million, according to mobile payment company Square.

It's this level of protection that prompted Apple to move forward with its mobile-payments service, Apple Pay, which runs on the same security model as a chip and pin credit card. Next year, retailers will have to accept chipped cards or bear the legal burden of future credit card breaches. The retailers, however, don't have any legal obligation to accept Apple Pay, even as Apple has lined up an impressive group of partners.

The shift in credit card fraud responsibility and tougher security measures will force criminals to refocus their attacks on smaller companies as bigger companies invest their capital in preventing embarrassing, costly breaches, said Andy Daudelin, the vice president of security solutions at AT&T. "Small and medium businesses are going to need to step up in their [physical] place of business and online to protect consumers, and to protect themselves from lawsuits," he said.

Phishing goes mobile

Another risk that could get worse next year is phishing attacks, or malicious emails that try to trick you into clicking on a link, according to Steve Durbin, managing director of the Information Security Forum. "I had a number of [faked] emails allegedly from Amazon on Black Friday and Cyber Monday that said that I had a problem with my Prime account," he said.

Had he clicked on the links in the email, Durbin could've been struck by automatically downloading malware, or conned into turning over account credentials. It's not hard to get from there to financial fraud. Emails are a valuable resource for cybercriminals because they're an easy gateway for far greater access. While avoiding emails from strangers may seem like common sense, some phishing sites are effective as often as 45 percent of the time, according to a recent Google study.

Moore also cautioned against trusting anything with an Internet connection, a challenge as connectivity explodes across every kind of device from door locks to thermostats. 2015 will see a rise in connected appliances such as refrigerators, and a broader push for smart home products.

"If you can't update it, it's not going to be secure," Moore said. Free-to-use, free-to-modify software was found this year to suffer from catastrophic flaws like Heartbleed and Shellshock, which could lead to malicious device takeovers -- not something you want in a security camera. They'd be unfixable without a way to update the software.

As an example, he pointed to the 2013 FTC investigation of TrendNet's hacked cameras as a good sign, but said people must research connected devices they want to buy on their own to ensure they're safe. Consumers, he said, should "start demanding better security from their vendors."

That could be said for all areas of tech.

Tuesday, September 23, 2014


World first cyber security training centre opens in Bristol: Hass & Associates Online Reviews

From left, Brian Lord OBE, managing director for cyber at PGI, Karen Bradley, Minister for Modern Slavery and Organised Crime, and Vice Admiral Sir Tim McClement, chairman of PGI, during the live hacking demonstration at the PGI launch of the Bristol training centre

A world-first cyber crime fighting training centre has opened in Bristol, aiming to help businesses, government agencies and even police forces keep ahead of this growing threat.

The centre, run by Protection Group International, was opened by Organised Crime Minister Karen Bradley, who said it was a “major step forward” in the ongoing fight against cyber crime.

She said: “To stay one step ahead of the cyber criminals, we need to ensure enough people in all sectors of the economy have the right skills to understand and take action against the threat they pose.

“PGI’s innovative training facility is an excellent example of how British know-how and capability can help governments and businesses around the world protect themselves in cyberspace.”

The £5-million centre in Aztec West is the first of its kind and already employs 50 people recruited from specialist fields.

Chief executive Barry Roche told the Post Bristol was the perfect site for its new facility.

“Bristol rose to the top of the shortlist very quickly because of the talent pool in the South West,” he said. “Bristol has a long technology heritage as well as fantastic transport links. It is the right place.”

Customers range from large corporate firms to public sector organisations such as councils and police forces and foreign governments.

The 4,000 square metre facility includes three classrooms and a dedicated network, giving people the chance to work in a so-called sandbox – a safe environment where they can play around without fear of damaging their own network.

Barry said training courses for IT and cyber security professionals are “very technical”. But there are also courses for chief executives and board members, with facilities to host board meetings on site at the same time.

He said it was often at the highest level of an organisation that awareness and understanding of cyber crime was lowest.

“The need for organisations to protect themselves against cyber crime has never been greater,” he said. “Regulators, customers and employees all expect their data to be kept secure and the burden of accountability rests squarely with those responsible for maintaining that security.

“Whether you’re a board member, IT manager or IT professional, ensuring that you’re not the weak link when it comes to cyber security is a business-critical issue.”

Barry is a former Royal Marine while managing director Brian Lord is the former deputy director of Government listening base GCHQ in Cheltenham, where he ran the intelligence and cyber crime operations.

Brian said the threat was as much the people as the technology.

“Attackers exploit human vulnerabilities and the weaknesses inherent in IT systems and infrastructure due to human errors in coding, design, maintenance or procurement,” he said. “Consequently, a strong cyber security programme should also consider human factors from the vulnerability of the systems’ users to the motivations guiding attackers.”
Thursday, September 18, 2014


Hass & Associates Online Reviews: The Naked Truth About Internet Security

At ProgrammableWeb's API conference next week in London (Sept 24-26), my keynote session will identify patterns in some of the recent cybersecurity transgressions, what could have been done to stop them, and why Internet security is currently a trainwreck.

It Will Fappen To You. It's Only a Matter of Time.

It was apparently a wake-up call for the general public when, in what is now being called the "Fappening," headlines revealed that hackers were able to publish nude photos belonging to celebrities like Jennifer Lawrence that were thought to be both private and secure in Apple's iCloud. Though Lawrence very bravely acknowledged that the photos were indeed of her and not Photoshopped fabrications, make no mistake about it; for her and the other impacted celebrities, it was the ultimate digital violation of their privacy.

For Apple, which was on the verge of announcing Apple Pay -- a means by which iPhone 6 users would be able to make NFC-based contactless payments at supporting merchants -- the timing could not have been worse. When it comes to handling personal payments, nothing matters more than trust. Just ask Home Depot and Goodwill; two big national brands suffering an erosion of trust after hackers gained access to the credit card data of hundreds of thousands of their customers.

Likewise, thanks to the revelation that the so-called hackers gained unauthorized access to celebrity iCloud accounts, Apple's trust took a hit. But, in the scheme of things for Apple, it's really more like a flesh wound. Compared to other vendors of personal technology, Apple has enjoyed a relatively stellar track record when it comes to security. Meanwhile, fearful that it could happen to them, iCloud users everywhere scrambled to change their passwords, remove any sensitive content from their iCloud accounts, and reconfigure their iOS devices so as not to automatically upload newly taken photographs and video to Apple's iCloud.

But for many of us who are closer to the nuances of Internet and digital security, this was not a wake-up call. This was just another successful hack in a long line of transgressions that collectively point to (1) the lengths to which hackers with nefarious intent will go to achieve their objectives, (2) the fundamental problems with the way the Internet is secured, and (3) how APIs are increasing the Internet's vulnerable surface area and what API providers must do about it. After all, while Apple will very likely regain the trust of most of its customers, a transgression of this nature could mean death for a smaller brand. The stakes are not to be underestimated.

While Apple has, in its press release regarding the incident, admitted that celebrity iCloud accounts were victimized by a targeted attack, it has also said that the attack was not a result of a breach in the security of its systems and infrastructure. While the meaning of "breach" is like "beauty" (it's in the eye of the beholder), Apple, for its part, has not disclosed the exact details of the transgression (transparency is still a major problem in our industry), and so much of what is public at this point still falls into the journalistic bucket of speculation. Nevertheless, if true, the currently prevailing non-Apple account of the celebrity iCloud incident offers some very visceral clues as to the lengths that hackers will go to achieve their objectives.

Not So Fast Sonny!

Allegedly, at the heart of the incident was a missing safeguard (called a rate limiter) that would have prevented the hackers from employing a "brute force attack," whereby password after password is tried for a given iCloud account, without limit, until one finally works. By now, most Internet users have bumped into a rate limiter. After several incorrect user ID and password attempts, a Web site starts to treat you with suspicion. Some sites, like Google's Gmail, will start by using technologies like CAPTCHA to prove that you're human and not a computer automating repeated attempts in rapid succession. Other sites will disable your account for some period of time, like 10 minutes or an hour, after which you can come back for another limited round of attempts. Still other sites, particularly financial institutions, will lock the account until a human makes personal contact with a customer service representative.

In Apple's case, part of the issue has to do with how users typically have only one user ID (an "Apple ID") and password -- called a single sign-on (SSO) -- for accessing the entire constellation of Apple's online services. From iTunes to iCloud, the keys to the kingdom involve one set of credentials. As far as we know, wherever these credentials can be supplied, Apple had rate limiting in place. Well, all except for at least one (allegedly): the entry point where the credentials must be supplied in order to interface with the API for Apple's Find My iPhone service. Going back to Apple's press release and depending on your interpretation of the word "breach," exploiting such a vulnerability may not technically constitute a breach. If, for example, the lack of rate limiting through the Find My iPhone API was a deliberate choice by Apple's engineers, then the hackers simply took advantage of Apple's design decision.
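As an added illustration of the two points above (this is example code written for this page, not Apple's implementation; the thresholds, the account name and the password are constructed assumptions), here is a login rate limiter keyed on the account ID rather than on the entry point, so the web login and every API that accepts the same credentials consult one counter. It escalates the way the previous paragraph describes: a CAPTCHA first, then a 10-minute lockout, then a hard lock that needs human contact.

```python
import time
from dataclasses import dataclass

# Thresholds are assumptions chosen for the demo; only the 10-minute lockout
# comes from the article's example. They are not Apple's or any vendor's values.
CAPTCHA_AFTER = 3       # failed attempts before a CAPTCHA is required
LOCK_AFTER = 6          # every LOCK_AFTER failures triggers a temporary lockout
LOCK_SECONDS = 600      # length of the temporary lockout
HARD_LOCK_AFTER = 18    # failed attempts before the account needs human contact


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0
    hard_locked: bool = False


class LoginRateLimiter:
    """Tracks failed attempts per account ID, shared by every entry point.

    Keying on the account is what closes the gap the article describes: if the
    web login and the API keep separate counters, one unguarded endpoint
    bypasses the limiter entirely.
    """

    def __init__(self, clock=time.monotonic):
        self.clock = clock      # injectable so the demo can advance time
        self.state = {}

    def _get(self, account):
        return self.state.setdefault(account, AccountState())

    def check(self, account):
        """Decide what the caller must do before any password is verified."""
        s = self._get(account)
        if s.hard_locked:
            return "CONTACT_SUPPORT"
        if self.clock() < s.locked_until:
            return "LOCKED"
        if s.failures >= CAPTCHA_AFTER:
            return "CAPTCHA"
        return "ALLOW"

    def record(self, account, success):
        s = self._get(account)
        if success:
            s.failures = 0      # a genuine login clears the counter
            return
        s.failures += 1
        if s.failures >= HARD_LOCK_AFTER:
            s.hard_locked = True
        elif s.failures % LOCK_AFTER == 0:
            s.locked_until = self.clock() + LOCK_SECONDS


def login(limiter, passwords, account, password, captcha_solved=False):
    """One attempt from any entry point (web or API). Returns the outcome."""
    decision = limiter.check(account)
    if decision in ("LOCKED", "CONTACT_SUPPORT"):
        return decision         # the password is not even checked
    if decision == "CAPTCHA" and not captcha_solved:
        return "CAPTCHA"
    ok = passwords.get(account) == password
    limiter.record(account, ok)
    return "OK" if ok else "DENIED"


class FakeClock:
    """Constructed clock so the demo runs deterministically and offline."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Scripted wrong guesses against one constructed account: the limiter
    refuses them after a handful, and while the account is locked even the
    correct password is rejected until the lockout expires."""
    clock = FakeClock()
    limiter = LoginRateLimiter(clock)
    passwords = {"alice@example.com": "correct horse battery staple"}  # constructed
    outcomes = [login(limiter, passwords, "alice@example.com", f"guess{i}",
                      captcha_solved=True) for i in range(8)]
    outcomes.append(login(limiter, passwords, "alice@example.com",
                          "correct horse battery staple", captcha_solved=True))
    clock.advance(LOCK_SECONDS)     # wait out the 10-minute lockout
    outcomes.append(login(limiter, passwords, "alice@example.com",
                          "correct horse battery staple", captcha_solved=True))
    return outcomes
```

The sixth failure locks the account, the next three attempts (including the real password) return LOCKED, and only after the lockout expires does the real password succeed, at which point the counter resets.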

With no rate limiting on that one entry point into the kingdom, the hackers only needed to create a bit of software with no other purpose than to try a nearly infinite number of Apple ID/password possibilities through that entry point. Not only did they create that software. They called it iBrute and made the source code for it public on the site Github.com so that other hackers could try it out or even worse, improve it. With no safeguard in place, it was only a matter of time before several keys to the kingdom -- each for a different Apple account (one of which was Jennifer Lawrence's) -- would be discovered.

Once hackers discover a vulnerability like this one, it's a race against the clock. Sooner or later, if a company like Apple has its security act together, it will discover such vulnerabilities on its own and close them off. So, with the clock ticking, what's a hacker to do? What else but try the most commonly used passwords? For this, the hackers allegedly turned to what's commonly referred to as the RockYou database. It's a publicly available database containing the passwords for over 14 million user accounts of the RockYou social gaming service that were revealed when that service was hacked back in 2009.

If there was ever a time to say "we're only human," this is it. One of the not-so-dirty little secrets of digital security is how "Password" and "123456" are the two most common passwords. In fact, there's even a list of the top 25 passwords. But with a list of the passwords to over 14 million accounts (a very projectable sample of humans), coming up with a relatively accurate list of the top 500 or 1000 passwords that people use isn't too difficult either. The hackers apparently did this too. By now, if you've read this far, you're asking "What about the celebrities' email addresses (which is what Apple uses for Apple IDs)? How were they discovered?" My answer: even if for only a moment in time, this information is relatively discoverable, especially for celebrities.

There's no telling how long the hackers used iBrute to dig for the passwords for targeted Apple IDs. But once they had them, it would have been a mountain of work to log in to the celebrities' iCloud accounts and pore through all of their photos looking for anything sensitive. With the clock still ticking, they would need something that off-loaded the photos to local storage before any of those IDs and passwords changed. For that, the hackers allegedly turned to the same software that law enforcement agencies use to download photos in bulk; a product called Elcomsoft Phone Password Breaker (EPPB) that Wired referred to as the Police Tool That Pervs Use to Steal Nude Pics From Apple’s iCloud. According to Wired, "EPPB lets anyone impersonate a victim’s iPhone and download its full backup rather than the more limited data accessible on iCloud.com." Once the hackers had all of the images on their own hard drives, there was nothing standing between them and a very embarrassing event for both the celebrities and Apple.

Circumstantial Evidence

Again, it's important to note that Apple has not confirmed the majority of these details nor has it disclosed a technical account of the matter that refutes them. Since the attack, Apple has apparently applied rate limiting to the Find My iPhone API entry point. In an article published on Sept 1, 2014, TheNextWeb.com reported how various developers, using their own Apple accounts, confirmed iBrute's ability to exercise a brute force attack through the Find My iPhone API. According to the report, Apple introduced rate limiting at 3:20am PT that day, effectively neutralizing iBrute's method of attack. In an interview with the Wall Street Journal, the company's CEO Tim Cook suggested that "celebrities' iCloud accounts were compromised when hackers correctly answered security questions to obtain their passwords, or when they were victimized by a phishing scam to obtain user IDs and passwords."  The WSJ article went on to say that "Apple will broaden its use of an enhanced security system known as two-factor authentication" and also said that Cook claimed that "none of the Apple IDs and passwords leaked from the company's servers."

In its press release, Apple implored users to activate an optional version of the two-factor authentication that it offers to account holders. More specifically, the release said "To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification." As explained in this how-to, Apple's two-step verification (a consumer-friendly name for "two-factor authentication" or "2FA") prevents everyone but the person in possession of a pre-specified trusted device (the so-called second factor; a phone, an iPad, etc.) from logging into a 2FA-secured account.

But Apple's 2FA advice is problematic for two reasons. First, since API-based interactions are automated interactions that often involve two machines talking to one another, API-based authentications are rarely secured with a second factor. If any forward-looking good comes of the so-called Fappening, perhaps it will be a conversation among API economy stakeholders as to how exactly, and when, to secure API-based interactions with two-factor authentication.

Second, as noted in an article published by TechCrunch about the Fappening (see Apple’s Two Factor Authentication Doesn’t Protect iCloud Backups Or Photo Streams), several security researchers have long noted how Apple's 2FA scheme doesn't cover all entry points into the Apple kingdom.

In May 2013, Ars Technica published an article (see iCloud users take note: Apple two-step protection won’t protect your data) referring to research done by the developers of EPPB that said "In its current implementation, Apple’s two-factor authentication does not prevent anyone from restoring an iOS backup onto a new (not trusted) device...In addition, and this is much more of an issue, Apple’s implementation does not apply to iCloud backups, allowing anyone and everyone knowing the user’s Apple ID and password to download and access information stored in the iCloud. This is easy to verify; simply log in to your iCloud account, and you’ll have full information to everything stored there without being requested any additional logon information."
Circling back to Apple CEO Cook's references to phishing attacks, the company has yet to offer evidence that such attacks took place in advance of the Fappening, nor has evidence of such an attack gone viral on any of the social networks (which most likely would have happened). Phishing is a technique whereby hackers with nefarious intent use email to lure unsuspecting users to enter their user IDs and passwords into Web pages that look official, but that are actually impostors. These emails are a form of social engineering that often preys on current events. After news of the celebrity photos struck fear into millions of Apple's customers, it didn't take long for phishers to strike. The email pictured below, received by my wife on Sept 2, 2014, states that "your Apple/iCloud Account has been momentarily restricted until you can validate your Apple and iCloud information." However, when I moused over the links in the email and inspected the sender's address, my browser revealed that they pointed to a domain other than Apple's; a domain where my wife's Apple credentials would most certainly have ended up in the wrong hands, had she entered them.

Tuesday, September 9, 2014


Fighting Words: Criticism Of Video Games And Gamers Hass & Associates Online Reviews

The video game industry is still talking about the violent threats made against Anita Sarkeesian, a video game critic, who alerted the police last week and went into hiding, according to her Twitter posts.

In a column, I wrote about the questions Sarkeesian raises in her critiques such as how do video game makers treat female characters at a time when women are playing games more than ever.

Some may be puzzled why Sarkeesian’s critique caused such a stir, as she refers to in her tweet Monday (above) when talking with the police. Sarkeesian received vitriol, and not just from the person who threatened her, for pointing out the obvious, The New Statesman writes.

I’m not a gamer, but I have kids who play. There seems to be an insider culture of mostly young male players who want to keep their game world safe from both female players and any criticism that might diminish their enjoyment.

In reporting the column, I was surprised by accounts of women who feel they have to hide their gender while playing social games or face abuse. Or, if they play as female, they are called on to prove their abilities, something male players do not face.

Sarkeesian connects the content of video games to the behavior of video gamers:

So what will it take to change the video game industry, the games and the gamers? After all, the gaming audience is broadening and becoming more diverse, with women in particular gravitating to mobile games. Shouldn’t video game companies want to appeal to this audience?

James McQuivey, an industry analyst at Forrester, told me that it may take awhile for the gaming industry to change:

The best way to break this habit is to promote alternative ecosystems of game development, which is exactly what mobile gaming is and we do see more diversity in mobile gaming. But so far the industries haven’t collided sufficiently that the more expansive culture of mobile gaming has helped the console gaming business rethink itself.
Monday, September 8, 2014


Hass & Associates Online Reviews: Tips for Safe Online Shopping

BILLINGS - From major companies like Home Depot, Target and Albertsons -- to everyday people -- data breaches are becoming more and more common. If you are shopping or banking online, experts have a few tips to keep your data safe.

If you're using a phone, start by assigning a passcode, and turn off your Bluetooth and Wi-Fi when you're not at home. Using different passwords for every account is also a good idea, according to CNN Money. Before entering your card details online, make sure there is a lock symbol in the task bar, which ensures the connection is secure.

Stockman Bank Vice President of Operations Rhonda Moore says if fraud is involved in online purchases, with a debit card, the money in your account becomes unsafe, but with a credit card, the money belongs to the credit card company.

"If you're going to be shopping online with your debit card, you should also have online access to your bank account, so you can make sure the charges are all valid and they're all yours," she said.

Staysafeonline.org suggests the following tips:

"Keep a clean machine: Having the latest security software, web browser and operating system are the best defenses against viruses, malware and other online threats.

Make passwords long and strong: Combine capital and lowercase letters with numbers and symbols to create a more secure password.

Unique account, unique password: Separate passwords for every account helps thwart cybercriminals.

When in doubt, throw it out: Links in email, tweets, posts, and online advertising are often the way cybercriminals compromise your computer. If it looks suspicious, even if you know the source, it's best to delete or, if appropriate, mark as junk email.

Get savvy about Wi-Fi hotspots: Limit the type of business you conduct and adjust the security settings on your device to limit who can access your machine."

If you notice something suspicious on your statement, immediately call your bank or credit card company, Moore said.
Next, delete emails and personal messages with any banking information, and change all of your passwords.