Wednesday, May 27, 2015

Hackers would be lucky to get 1% of what a breach costs an organization, but then they can do this hundreds of times.
Cost of data breaches increasing to average of $3.8 million
The total average cost of a data breach is now $3.8 million, up from $3.5 million a year ago, according to a study by data security research organization Ponemon Institute, paid for by International Business Machines Corp.
The direct costs include hiring experts to fix the breach, investigating the cause, setting up hotlines for customers and offering credit monitoring for victims. Business lost because customers are wary after a breach can be even greater, the study said.
… "Most of what's occurring is through organized crime," said Caleb Barlow, vice president of IBM Security. "These are well-funded groups. They work Monday to Friday. They are probably better funded and better staffed than a lot of people who are trying to defend against them."
… The cost of a data breach is now $154 per record lost or stolen, up from $145 last year, according to the study, based on interviews with 350 companies from 11 major countries that had suffered a data breach.
… The study found that healthcare was most at risk for costly breaches, with an average cost per record lost or stolen as high as $363, more than twice the average for all sectors of $154.

(Related) And don't forget the fine!
Last July – and I missed this one at the time – Stan Diel reported:
A laptop computer including some Sterne Agee Group Inc. clients’ account numbers, Social Security numbers and other personal information has been missing since the end of May and the firm has offered some customers free identity theft protection services as a result, a letter to clients indicates.
In the letter dated June 27 the Birmingham-based investment banking firm indicates that an employee’s laptop went missing on May 29 or May 30, and that it included unencrypted identifying information about Private Client Group customers whose accounts were open as of May 29. It also may have included information about Sterne Agee & Leach clients whose accounts were open between July 1, 1992 and June 30, 2013, the letter states.
It turns out the breach was an even bigger deal than the media knew at the time. Today, Law360 reports:
The Financial Industry Regulatory Authority accepted a settlement Friday requiring Sterne Agee & Leach Inc. to pay a fine and review its security protocols after a technician left in a restroom an unencrypted laptop containing sensitive information about 352,551 clients.
Sterne Agee will pay a $225,000 fine over the allegations. The regulatory agency said the firm had been aware of the need to protect information stored on laptops for years but that measures to do so were delayed twice pending budgetary approval.
So failure to invest in encrypting laptops cost them $225,000 plus the costs of the data breach itself? Ouch.

(Related) Another way to seriously increase the cost of a breach: ignore the notification but provide the tipster with a receipt!
Oh my. posted some of CISO Darknet Group’s attempts to alert Adult Friend Finder back on March 12 that their data had been stolen and were up for sale. The alert was pretty clear, and they got a read receipt – but not actual acknowledgement.
Note that their alert made it clear that FFN did not have to hire them to get the information:
This is not a hard sell or scare tactic, this is what our organization was built on; CyberHumint methodologies for fraud prevention. This information will be provided to you free and our work pro-bono.
So why didn’t FFN respond?
They would later claim they never got the notification – despite, apparently, the read receipt.
More than two months later, on May 22, CISO Darknet Group claims they tried again to notify FFN:
I was just alerted that Adult Friend Finder Network have recently contacted law enforcement concerning your data breach. As you can see from the email below we tried to alert you 2 months ago. We still have access and profile of the bad-actor behind your breach as well as access to all the records compromised.
We can certainly assist should there be an acknowledgment of this alert this time.
And… wait for it… another read receipt – this time allegedly from Diana Ballou, Vice President, Senior Counsel – Corporate Compliance and Litigation – but again, no personal message or request for information.
Read the emails and see what you think. One disclaimer: I have no way of verifying the accuracy of any of their claims, but I’m betting that when a class action lawsuit is filed (or has one been filed already), these emails are going to come into play. And not only may they come into play by plaintiffs, but FFN’s insurer may try to use them to limit their responsibility to FFN.
We’ll see….
Update 1: Friend Finders Network is standing by their statement that despite the read receipt, the March 12th alert with the subject line “BREACH ALERT! URGENT!” was never read and went to a spam folder.
I don’t see how both things can be true – that they never read it but issued a read receipt (unless they send read receipts for everything, including spam) – but aren’t they still responsible for configuring their spam filters? Does no one actually go through the spam folder to catch false positives?

For my Ethical Hacking students. This article shows the text that is supposed to crash iPhones, but I'll leave it out of this post since some (one or two) of my loyal readers may use an iPhone.
A new iPhone bug lets you crash other people's phones with a single text message
There's a nasty new iPhone bug doing the rounds: It's a string of characters that, when sent in a message, crashes the recipient's phone.
We first heard about the issue on 9to5Mac, and it apparently affects only iPhone-to-iPhone communication. After receiving a text with the particular string of characters, Messages will reportedly crash repeatedly. It can also force iPhones to reboot in some circumstances.

For my Computer Security students.
Ransomware Keeps Growing – How Can You Protect Yourself?
There are plenty of threats on the Internet, but few can be as scary as ransomware. These particularly nasty bits of malware not only infect a user’s computer, but they end up trying to get money out of them! It’s a despicable thing to do, but sadly, it’s part of the world in which we live.
How does ransomware keep growing? How is it spreading? Everything you’ve ever wanted to know about ransomware is on the infographic below! Share it with someone you think might fall victim to it.

So it's not that they won't share the data, it's that they take too long when they do?
John Leyden reports:
Skype has been called to appear before a court in Belgium after refusing to hand over customer data following a request for assistance in a criminal investigation.
A court in Mechelen near Brussels wanted “data from messages and calls exchanged on Microsoft-owned Skype”, a regulatory requirement that a Belgian telecoms operator would be required to comply with.
The Microsoft-owned firm declined, Reuters reports.
Read more on The Register.
[From the Register article:
Willems said that police tell him that the time spent by Skype processing these law enforcement requests is becoming a problem.
"It takes for them too long to wait for an official answer from Skype," Willems said. "It's clear that they want to create a precedent as the computer crime units don't want to miss valuable information in the future."

Curious. Is there a “designated driver” exemption?
Joe Cadillic has a justified rant about police going into bars with breathalyzers. The story started in Sacramento before Memorial Day weekend, but there’s also a bill in the California legislature that would expand testing.
Joe writes, in part:
How long before police nationwide will go into bars and force people to blow into breathalyzers and check for possible public inebriation or use ‘Drug Breathalyzers’ on innocent people?
California’s ‘Drug Breathalyzer’ bill is set to do just that:
A California lawmaker introduced a bill that would allow law enforcement to use new ‘Drug Breathalyzers’ on people suspected of driving under the influence of marijuana and other drugs.
Like breathalyzers used to test drivers for alcohol consumption, Assembly Bill 1356 would allow police to use oral fluid devices to check drivers for drug impairment.
Read more on MassPrivateI.
[From the article:
Don't forget DHS is paying police to set up DUI checkpoints. [DHS, It's not just for terrorists! Bob]
… These 'Drug Breathalyzers' can't detect if you've ingested a poppy seed bagel but will alert police that you tested POSITIVE for drugs!
… Obviously the sight of several armed officers walking into a bar with breathalyzers in hand is a buzz kill, to say the least.
One of the bar patrons who’s been exposed to the program explains, “Admittedly we were a bit put off when we were gonna walk in and saw a bunch of cops with breathalyzers.”
A “bit put off” is an understatement!
While these officers are promising not to “test and arrest,” the very idea of police entering bars & restaurants and 'asking' people to submit to breathalyzer tests is appalling!

For my Firefox-using students. Remind me to opt out in a few months? And with every new version?
Mike Flacy reports:
In an attempt to sell advertising space in a user’s new tab page within the Firefox browser, Mozilla is launching a new platform called “Suggested Tiles” specifically for advertisers. Similar to Google using your Web search history to load related advertisements within Google Adsense placements, Mozilla will look through your visited sites within Firefox to suggest an advertiser site to visit and display it on the new tab page.
Read more on Digital Trends, and if you’re a Firefox user, do note the opt-out provisions.
[From the article:
However, there are user protections built into the new feature as detailed on Mozilla’s Advancing Content blog. Users will be able to flip off the Suggested Tiles function by toggling a check box within the browser’s settings. Users can also completely avoid site suggestions by opting for a blank page when opening up a new tab within Firefox.
… Regarding the launch of Suggested Tiles within Firefox, Mozilla is expected to launch the new feature within the Beta version of the browser relatively soon. The full launch of the feature to the most current version of Firefox will likely occur later in the summer.

Internet used by 3.2 billion people in 2015
Nearly half of the global population will be using the internet by the end of this year, according to a new report.
The International Telecommunication Union (ITU), a United Nations body, predicts that 3.2 billion people will be online. The population currently stands at 7.2 billion.
… There will also be more than 7 billion mobile device subscriptions, the ITU said.
It found that 78 out of 100 people in the US and Europe already use mobile broadband, and 69% of the world has 3G coverage – but only 29% of rural areas are served.

Keeping up with the Social Networking industry. Have we reached the “consolidation phase” so soon?
Snapchat planning for IPO
… The four-year-old company, which offers a smartphone app that is popular with teens, declined Facebook's $3 billion acquisition offer in 2013.

Twitter Reportedly in Talks to Buy Flipboard

Google, Yahoo Have Had Talks to Buy Flipboard

For our Criminal Justice students.
Sunlight Foundation – Opening Criminal Justice Data
by Sabrina I. Pacifici on May 26, 2015
“As part of a new initiative, the Sunlight Foundation has begun amassing an inventory of public and privately-produced criminal justice data. The spreadsheet on this page is a work in progress but we’re publishing it now with hopes that people can use it for research or reporting and even contribute to it. Please go through the spreadsheet — so far we have an inventory started with information from 26 states and the federal government. When we’re done, we’ll have an inventory of data from all 50 states and the District of Columbia. You can read more about this project, submit your own work and feedback [here].”

So I can communicate with my students.
You won't believe the words Merriam-Webster dictionary just added
“Clickbait” has arrived -- in Merriam-Webster’s unabridged online dictionary.
The dictionary announced Tuesday that it has added that word along with about 1,700 other entries, including “emoji” (small images used in email and text messages), “jegging” (a legging that looks like tight jeans), “photobomb” (to jump into a photo as it is being taken) and “NSFW” (not safe for work).