Most Recent Sony Breach Illustrates the Cascading Effect of Data Breaches

By Michael V. Dowd

It was revealed recently that Sony’s on-line services were the subject of another significant attack. This incident, however, did not exploit a vulnerability in Sony’s security infrastructure so much as it highlighted the cascading effect of data breaches.

Rather than try to scale any fences or jimmy any windows, this attack used account holders’ own keys to open the front door. According to a statement by Sony, the attackers tested a “massive set” of log-in credentials, consisting of pairs of user IDs and passwords, against accounts on three of its networks. Even though the “overwhelming majority” of the log-in attempts failed, they successfully breached about 93,000 user accounts. This indicates that the attackers used stolen log-in credentials, and did not resort to brute force or dictionary attacks. 
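The pattern Sony describes (a large batch of stolen user-ID/password pairs, each tried roughly once, with a low hit rate) looks different in an authentication log from a brute-force or dictionary attack that hammers one account. This added example, not Sony's code or part of the original post, runs that distinction as simple detection logic over constructed log lines; the log format, the source addresses and the thresholds are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample auth log, one event per line: "<source> <user_id> <result>".
SAMPLE_LOG = """\
10.0.0.5 alice FAIL
10.0.0.5 bob FAIL
10.0.0.5 carol OK
10.0.0.5 dave FAIL
10.0.0.5 erin FAIL
10.0.0.9 alice FAIL
10.0.0.9 alice FAIL
10.0.0.9 alice FAIL
10.0.0.9 alice FAIL
10.0.0.9 alice FAIL
192.168.1.20 frank OK
"""

def parse_log(text):
    """Yield (source, user, succeeded) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1], parts[2] == "OK"

def summarize(events):
    """Per source: total attempts, set of distinct users, number of successes."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "ok": 0})
    for src, user, ok in events:
        stats[src]["attempts"] += 1
        stats[src]["users"].add(user)
        stats[src]["ok"] += int(ok)
    return stats

def classify(stats, min_attempts=5, min_users=5, max_success_rate=0.5):
    """Stuffing: many distinct accounts, about one try each, mostly failing.
    Brute force: few accounts, many tries each. Thresholds are illustrative."""
    verdicts = {}
    for src, s in stats.items():
        users = len(s["users"])
        tries_per_user = s["attempts"] / users
        success_rate = s["ok"] / s["attempts"]
        if s["attempts"] < min_attempts:
            verdicts[src] = "normal"
        elif users >= min_users and tries_per_user < 2 and success_rate <= max_success_rate:
            verdicts[src] = "credential_stuffing"
        elif tries_per_user >= 5:
            verdicts[src] = "brute_force"
        else:
            verdicts[src] = "normal"
    return verdicts
```

On the sample, 10.0.0.5 is flagged as credential stuffing (five accounts, one try each, one hit) and 10.0.0.9 as brute force (five tries against one account).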

How did the attackers obtain this trove of log-in information? Sony says it is “likely” they were stolen from elsewhere and not from its own networks, based on the low success rate. This may well be true, given the numerous incidents reported of late, some of which gave rise to our post referring to 2011 as The Year of the Breach.

If that scenario holds, it highlights the secondary effects of data breaches, and the relationship among user accounts on different on-line services. It has long been known that individuals often reuse the same username and/or password across multiple on-line services. As a result, if any one of those services suffers a breach that exposes its log-in information, corresponding accounts on the other services become open to the attackers. It is very much a “weakest link” situation.

This risk was also raised in the immediate aftermath of the data breaches at Sony this past Spring. The company initially reported the loss of unencrypted account passwords, which could have had the same cascading effect on its users’ other accounts. Sony later stated that the passwords were in fact hashed. As we described at the time, “hashing” differs from “encryption,” but storing passwords in a hashed form can be an effective way to keep an attacker from seeing or using the plain-text passwords of account holders. Password hashing is a known security technique that apparently was not in place at the “weak link” among the on-line services shared by those 93,000 users.

Sony Breach Update: The Scope Expands, While Consumers Wait for Answers About How and Why It Happened

By Michael V. Dowd

The scope of the Sony data breach is growing, but the public focus continues to be on Sony’s actions following the breach, rather than on steps to prevent or mitigate events like these in the first place. As we noted earlier, this focus emphasizes a de facto burden-shifting, in which consumers bear the risk of using on-line or other services, and also are left to face the consequences of any resulting identity theft.

Sony last week announced that 77 million PlayStation and Qriocity accounts had been accessed by hackers in mid-April. This week, Sony discovered that an additional 24.7 million Sony Online Entertainment (SOE) accounts were compromised during the same timeframe. In the SOE breach, Sony confirmed that the compromised information included the bank account, credit card and debit card numbers of thousands of non-U.S. account holders.

It is now up to account holders to deal with the consequences. Sony’s response to the SOE breach has been to engage a third-party email distributor to send a Customer Service Notification. The notice places the onus on account holders to look out for email and other scams, to obtain credit reports, to consider contacting U.S. credit bureaus in order to place a “fraud alert” on their credit file, and to contact various federal and state agencies for information about preventing identity theft. This repeats Sony’s previous advice to its PlayStation and Qriocity users.

Meanwhile, the House of Representatives is seeking information from Sony about the situation. The Subcommittee on Commerce, Manufacturing, and Trade sent a letter to Sony with thirteen questions about the data breach. The letter primarily focuses on post-breach information, such as Sony’s delay in first notifying customers and authorities, and Sony’s investigation of the breach.

The public is still waiting for information about how consumer data was (or was not) protected by Sony. In its notice to SOE users, Sony stated that it does not believe that its main credit card database has been compromised because it is in a “completely separate and secured environment.” This begs the question: in what sort of “environment” was the remainder of the information (name, mail and email addresses, birthdate, gender, phone number, login name, etc.) stored? The notice also states that there is an “outdated database from 2007” that contains the bank account and credit and debit card numbers that were compromised.

Among all of the bad news, there was one encouraging development. Sony originally reported that the PlayStation and Qriocity breach included account passwords, which were not encrypted. This was particularly concerning, as on-line users may use the same password for different accounts, including those for on-line banking or shopping. In a blog post this week, Sony clarified that the account passwords, while not encrypted, were in fact “hashed.” Although different from “encryption,” hashing can be a reliable method of protecting password information. When a user first selects a password, the password is transformed by a function into a coded, or hashed, version of the password. Later, when the user attempts to log on, the newly entered password is transformed by the same hashing function. The web site verifies that the result matches the coded version already stored on its server. In this way, the web site never needs to store the actual password. In addition, hashing is intended to be a one-way process, meaning that while hashing functions can transform a password into a coded version, they cannot transform the coded version back into its original form. This suggests that the hackers should not be able to determine users’ actual passwords, even if they have the hashed versions.
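The store-and-verify process described above, as an added example that is not Sony's implementation or part of the original post: the site keeps only a salted, deliberately slow PBKDF2-HMAC-SHA256 result and re-runs the same one-way transform at log-on. The iteration count and record format are illustrative assumptions; the unsalted variant is included only to show why a bare fast hash protects less than the text might suggest.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # deliberately slow: raises the cost of guessing against stolen hashes

def hash_password(password, salt=None):
    """Return a storable record 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.
    A random per-user salt means two users with the same password get different
    records, so a precomputed table of common passwords cannot be reused."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password, record):
    """Re-run the same one-way transform on the entered password and compare it
    with the stored result; the plaintext password itself is never stored."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    # Constant-time compare so response timing does not reveal how many bytes matched.
    return hmac.compare_digest(digest.hex(), hash_hex)

def unsalted_sha256(password):
    """Weak variant for contrast: fast and unsalted, so every user with the same
    password produces the same value and one lookup table covers all of them."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()
```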

There has been much public discussion about what Sony knew, when it knew, and how soon it went public. Real progress will be made when measures to prevent such data losses are strengthened. Perhaps lessons learned from these events will help in those efforts.

Timeline:

April 16 to 19 – Hackers access PlayStation and Qriocity and Sony Online Entertainment account data

April 20 – Sony takes PlayStation and Qriocity services off-line

April 26 – Sony announces the hacking of 77 million PlayStation and Qriocity accounts

May 2 – Sony announces that 24.6 million Sony Online Entertainment accounts were also breached

You Call That a Password? Passwords Used to Protect Personal Health Information in Clinical Trials Are Cracked More Than 90% of the Time

In a recent article in the Journal of Medical Internet Research, the strength of passwords in clinical trials was analyzed. In all cases that were examined, "the recovered passwords were poorly constructed, with names of local locations (e.g., “ottawa”), names of animals (e.g., “cobra”), car brands (e.g., “nissan”), and common number sequences (e.g., “123”)." 

This result comes as no real surprise. These conclusions build on prior studies which have repeatedly shown that passwords in practice are weak. Strengthening passwords is perhaps the easiest and cheapest way to increase IT security, and yet it continues to receive short shrift.

The study also noted that "the files in [the] sample used the default weak encryption methods. Therefore, an adversary had two different ways to extract the PHI: by attacking the weak algorithm itself or by attacking the weak password."

The study's recommendations?  Fairly simple:  "use the built-in password protection capabilities available in tools for common file formats (such as WinZip and Microsoft Office) and then transmit the encrypted files" and "using PGP (Pretty Good Privacy) or S/MIME (Secure/Multipurpose Internet Mail Extensions)."

Incident of the Week: Patents Help Crack Encryption Used in Cordless Telephones

This week cryptographers Karsten Nohl from University of Virginia and Erik Tews of the Darmstadt University of Technology announced that they had broken the DECT encryption standard.  Who cares, you ask?  The Digital Enhanced Cordless Telecommunications or DECT standard is what prevents someone parked outside your house from being able to listen in on telephone conversations you are having on your 1.9 GHz DECT cordless phone.  (So, that's what that label on the receiver means.) 

Nohl told Dan Goodin from The Register that he cracked the code by putting the DECT chip under the electron microscope and then comparing his findings with information disclosed in the published patent(s).  According to Nohl, it might take him 4 hours of monitoring to listen in on a particular telephone call, but only 10 minutes to crack the DECT encrypted credit card transmissions at a restaurant.  Even more worrisome is Nohl's expectation that better hackers are likely to be able to decode these transmissions even more quickly.  "We expect that some smarter cryptographers than ourselves will find better attacks, of course. . . We found the algorithm and then implemented the first attack. It's almost guaranteed that this is not the best attack."

Connecticut AG Opens New Era in HIPAA Enforcement with Health Net Suit

In the first instance of a state attorney general exercising the new powers granted by the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), Connecticut Attorney General Richard Blumenthal (and recently announced candidate for the U.S. Senate) filed suit today against Health Net of Connecticut, Inc. for failing to secure private patient medical records and financial information involving 446,000 enrollees in Connecticut and for failing to promptly notify consumers of the security breach.  AG Blumenthal is also seeking a court order to require Health Net to encrypt any protected health information (“PHI”) contained on a portable electronic device.

The AG’s suit stems from events that occurred in May 2009, when he alleges Health Net learned that a portable computer disk drive disappeared from a company office. The disk contained protected health information, Social Security numbers, and bank account numbers for approximately 446,000 of its past and present Connecticut enrollees.  AG Blumenthal further alleges that Health Net failed to promptly notify his office or other Connecticut authorities of this missing information. The missing information is said to include 27.7 million scanned pages of over 120 different types of documents, including insurance claim forms, membership forms, appeals and grievances, correspondence and medical records.  

According to an investigative report by Kroll Inc., a computer forensic consulting firm hired by Health Net, the data was not encrypted or otherwise protected from access and viewing by unauthorized persons or third parties, but rather was viewable through the use of commonly available software. The Connecticut Attorney General alleges that it was not until six months after Health Net discovered the breach that it posted a notice on its website, and then sent letters to consumers on a rolling mailing basis beginning on November 30, 2009.

Incident of the Week: Russian Company Proves That WiFi/Wireless Networks No Longer Secure

ElcomSoft Co. Ltd., a Moscow-based "password recovery" company, has announced that its software can make an encrypted wireless network accessible using only a PC and the innovative computing power of consumer graphics cards from Nvidia.  This software would appear to allow anyone to intercept internet traffic over wireless networks encrypted with the WPA or WPA2 algorithms.  British security consultancy Global Secure Systems says that this is "extremely worrying" and has indicated that this means that WiFi networks are no longer secure.

Decrypting wireless traffic by guessing the encryption key, a "brute force" decryption, has been a possibility for some time; however, the computing power of most personal computers has prevented this from becoming a realistic threat (e.g., a computer attempting to guess the right password might take months or years to guess correctly).  New leaps in computing power have changed this landscape.  Computer graphics card companies like Nvidia have opened up the computing power bottleneck by allowing developers to run programs on the high-powered parallel processors used in consumer graphics cards.  The end result is that buying a new video card and a $1,200 software package reportedly could speed up a brute force decryption 10,000 percent (and the same graphics card will let you play the newest PC games and speed up a variety of other, more innocent applications like Adobe Photoshop).  As a result, our use of wireless networks, everything from passwords to email, could be intercepted and decrypted relatively easily.

David Hobson of Global Secure Systems indicates that anyone with a high-end graphics card has “a machine capable of tumbling wireless keys out of the ether and decrypting them in a matter of hours rather than months."  In an interview with SC Magazine, Hobson takes the view that additional security measures, such as running an encrypted VPN (Virtual Private Network), are now necessary to comply with the UK Data Protection Act. Similarly, U.S. companies in the EU Safe Harbor Program or complying with U.S. information security rules, such as Gramm-Leach-Bliley Act regulations, HIPAA or federal and state identity theft rules, need to consider whether their wireless networks are appropriately secured against this threat.  Businesses transferring regulated information on WiFi networks may need to adjust their information security programs and practices accordingly.


Encryption Used By Hackers to Demand Ransom for Virginia Prescription Database

Wikileaks is reported to have published a copy of the ransom note (please pardon the grammar and language in the original): "I have your [expletive] in *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions.  Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :( For $10 million, I will gladly send along the password."  Neither the Wikileaks site nor the Virginia site is accessible as I write this.  A spokesman for the FBI's Richmond, Virginia office said today that the agency was investigating a referral from the Virginia Information Technologies Agency.  Assuming this breach is real, it carries with it a certain amount of irony, in that encryption is being used as part of the extortion plot. Could this breach have been prevented? It is also hard to believe that hackers would be able to access the backup files as well. There are more questions than answers at this point, but there will surely be lessons to be learned.