Townsend Security Data Privacy Blog

Cyber hackers have repeatedly victimized US businesses, resulting in a widespread movement to increase cyber security in many US organizations. Due to this influx of security, hackers have recently turned to European companies in an effort to attack weaker targets. The most recent target, Gamigo—a German gaming company—was breached resulting in the loss of over eight million user names passwords. The breach was first reported by data breach watchdog service PwnedList.com, which has been vigilant in informing the public of particular breaches. Due to the great number of accounts hacked, some are referring to this particular breach as a world record. PwnedList’s founder Steve Thomas remarked, “It’s the largest data breach I’ve ever actually seen.”

Gamigo is currently going through the motions of damage control by offering reassurance to its customers. In fact, Gamigo automatically reset its users passwords immediately after the hack was discovered. However, the real danger to Gamigo’s clientele lies in the fact that so many people use a single password for many different websites. The password a person used on Gamigo could be the same password they use for their email or bank account. Even more concerning is that this sort of password breach (e.g. LinkedIn) has revealed that many people use extremely weak passwords such as “password” and “123456”.

Another blow is that Gamigo may ultimately lose is its clients and its client’s trust. Should Gamigo sustain any financial penalties from European security standards organizations, the losses it could experience may not be easily absorbed.

The recent data breaches of LinkedIn, eHarmony, and Last.FM may not have been well publicized overseas, but the Gamigo breach should put all European companies on full alert. Organizations asking for user names and passwords should always use the most up-to-date hashing technology and require stronger passwords. It is also not enough for a company to require strong passwords if their users’ personal information is stored on a database. If sensitive information is being stored on hardware, AES standard encryption and key management must be implemented. To learn how to protect your sensitive stored data, read our blog on how to protect databases that contain email addresses and passwords.

Download our podcast "How LinkedIn Could Have Avoided a Breach" to hear even more about Patrick’s take on the LinkedIn data breach and ways you can keep this from happening to your organization.

In May 2012, the Commodity Futures Trading Commission (CFTC) was the victim of a fairly high profile security breach. The breach occurred when a CFTC employee opened a suspicious email that turned out to be part of a “phishing” scheme. Phishing is a type of cyber crime where a hacker, posing as a legitimate company, gains access to a user’s private information when that user opens the fake email.

These emails often appear to be messages from large, well-known organizations that you may or may not be affiliated with or a customer of, such as cellular service providers, banks, or insurance agencies. The messages often contain fake bill statements with requests for payment, or requests for password or address changes. Once a user clicks on the email or the links provided in the email, the hacker gains access to personal information that can then be used for identity theft and other kinds of fraud.

In an official statement by the CFTC, chief information officer John Rogers revealed that the personal information stolen by the phishing scheme was largely social security numbers. However, Rogers asserted that CFTC operations would not be affected by damages due to the breach. This is, in general, is true for large organizations and corporations who can often afford to absorb the high cost of these setbacks. Rarely will these breaches affect them in the long run. Smaller and mid-sized organizations, on the other hand, often have difficulty rebounding from data breaches and are always at a greater risk to phishing schemes and other types of data loss.

Here at Townsend Security we recommend to everyone who has a personal or work email to take care that they are sending and receiving messages from reliable sources. Red flags to look for include emails with offers that seem “too good to be true”, receiving a bill you don’t expect, unsolicited offers from any organization, or requests to change any type of personal information through a link provided in the email.

For more information on data privacy, download our podcast Data Privacy for the Non-Technical Person.  Patrick Townsend, our Founder & CTO, discusses what PII (personally identifiable information) is, what the most effective methods for protecting PII, as well as the first steps your company should take towards establishing a data privacy strategy.

Danger looms large in Iran, as the flame virus has been unleashed. Experts say that this is far worse than Stuxnet, and that the world could be on the brink of a new kind of warfare. The emergence of cyber-weaponry over the last few years has alarmed the world with its capabilities and uncertainty. It definitely seems like this is the wave of the future in terms of international conflict and the training in espionage. Just 50 years ago, spies were being trained to tap phones and take incriminating photos. Now that computers virtually run the whole world, the focus, of course, is to invade private hard drives to intercept secure information or to make it inaccessible to the party that controls it.

According to a Kaspersky Lab, a security firm headquartered in Moscow, the Flame virus is capable of recording conversations and accessing microphones built into the computer it has infiltrated. It also can retain screenshots and record keystrokes. Just about any activity one does on the computer can be recited to those who let the flame virus loose in a play-by-play manner.

At the moment, it appears that computers outside the Middle East are safe, as it seems to be localized within the realm, particularly in Iran. But one of the reasons it can be so devastating is just how easy it is to intercept information that is password protected. Passwords hidden by asterisks are completely susceptible to being read by the Flame virus, and even if the computer is off, a nearby Bluetooth device can easily be the key to accessing an unplugged hard drive.

The United Nations International Telecommunications Union is on alert for the virus so people should be safe for the time being. But as more of these develop, it is important to make sure you are taking proper precautions to protect your data. When viruses are released, they swarm the prey they were designed to feed on. They can so easily catch people off guard, and it doesn’t pay to have to worry about what might happen. Proper safety precautions go a tremendous way in securing a business and piece of mind. The flame virus seems reasonable enough to control, but there could be real problems if something is developed called the hydrogen bomb virus.

For more information on data privacy, download our podcast Data Privacy for the Non-Technical Person.  Patrick Townsend, our Founder & CTO, discusses what PII (personally identifiable information) is, what the most effective methods for protecting PII, as well as the first steps your company should take towards establishing a data privacy strategy.

The United States Department of Health and Human Services (HHS) is cracking down on HIPAA violators. Now, more than ever, there is just about zero mercy shed on any practice, large or small, if they are discovered to have made an error in patient confidentiality. On April 17, the HHS made an example out of a physician’s office in Phoenix, Arizona. The practice has only five doctors, but despite being what some may call a small business, they must pay the hefty fine of $100,000 for violating HIPAA privacy and security rules. While this sanction may seem unreasonable for such a small practice, it is simply demonstrating the zero tolerance policy that HHS has regarding HIPAA violations.

A complaint was filed against the practice retroactive to discovering an online calendar that the public had access to. On this calendar were patients’ appointment schedules and even a list of scheduled surgeries. After an HHS investigation took place, it was discovered that employees of the firm were grossly misinformed when it came to knowing the rules and regulations of HIPAA. A second red flag was shown when investigating the amount of effort the company put forth on their policy protecting patient information.

While these two violations are most alarming, there were many other conduct errors found including a failure to obtain a legal business associate agreement in reference to scheduling and email services, and there was no report of risk analysis. All of these violations resulted in the aforementioned six-figure fine.

The message sent here is clear: Follow the bylaws of HIPAA, or suffer major financial consequences. Leon Rodriguez, director of the HHS Office of Civil Rights was quoted in saying  “This case is significant because it highlights a multiyear, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules.” He went on to discuss his desire for companies to comply with the changing rules of HIPAA no matter the size or prominence of the practice.

It is imperative to educate yourself and your staff about the current HIPAA rules.  For more information on HIPAA compliance, view our webinar “Protect PHI & Manage Risk – HIPAA/HITECH Compliance” and learn more about managing your risk of a data breach, achieving breach notification safe-harbor status, and encryption and key management best practices.

The security breach involving Global Payments, a US credit card processing company is still in complete disarray months after the breach took place. A little over a month ago, it was reported that a maximum of a staggering 10 million credit card numbers could have been apprehended during a five week period starting in late January. Global Payments reluctantly admitted to being the victims countering with a figure of 1.5 million credit card numbers stolen. While there isn’t any reason why any company should have this happen to them, it is a growing trend to claim a bit of ignorance on the matter, or at least try to redistribute the blame.

When these breaches happen, many business owners and executives are blindsided by the blow. Of course they have security software, and in most cases, if they have it, the word “breach” shouldn’t have any place inside the walls of these businesses. But, as we’ve seen, credit card numbers and other personal information that should be safe, sometimes isn’t. Having strong passwords is the first step an organization should be doing to keep unauthorized individuals from accessing sensitive information.

Make sure that any passwords that you choose to enter are not what as known as “default passwords.” It seems logical enough, but a default password is one of most common flaws in a security system that leads to a breach. Hackers have databases full of default passwords, and those can be typed in at a rapid pace. Some of these include the obvious “1-2-3-4-5” or “a-s-d-f.” Any sequence of characters that in some universe make sense in a logical order should be completely abandoned. Also, birthdays or dates that can be easily discovered should be the last passwords that are selected. It is far better to come up with something so outrageous, and take the extra time to completely type it out then to use simple passwords that are already on databases. Also, use different passwords for different accounts. That way, if one is discovered, the rest are still secure.

Your credit card company should be monitoring all activity on your accounts, so that if anything suspicious is going on, you will be notified about it instantly. You don’t want to be on this list of companies that have allowed breaches, so make sure to be smart about your passwords. If you ever had a tree house and the bully next door successfully guessed “peanut butter” as the password, you would have to, begrudgingly, let him in. But, he probably wouldn’t guess “138927491AsmaraEritrea53211” so taking the smart choice would pay off.

For more information on data privacy, download our podcast Data Privacy for the Non-Technical Person.  Patrick Townsend, our Founder & CTO, discusses what PII (personally identifiable information) is, what the most effective methods for protecting PII, as well as the first steps your company should take towards establishing a data privacy strategy.

An alarming number of security breaches have occurred in the last decade victimizing families of military personnel, who belong to TRICARE. Since the fall of 2009, over 400 breaches have occurred. At least 500 people have been directly affected and another 50,000 smaller scale breaches have been reported to the government. The community of Palo Alto, California was hit closest to home, when over 20,000 names of emergency room patients were available on an online public forum before the list was discovered by authorities. For several months, all these people were susceptible to a profusion of afflictions such as identity theft, credit card fraud or fraud against Medicare and Medicaid programs. Just one move can financially ruin a family.

One major cause of the breach was that security tapes were stolen from the car of a TRICARE employee, and these backup tapes had people’s private information on them. The big problem of course, was that after these tapes were stolen, the information was readily available to pirates. Any encryption didn’t exist, so the information was just there for the taking.  If the data on these tapes was encrypted, TRICARE wouldn’t have to worry about the tapes being stolen and you wouldn’t be hearing about this problem – HIPAA grants a breach notification safe harbor to organizations who are encrypting their sensitive data.

If you aren’t familiar with HIPAA (The Health Insurance Portability and Accountability Act), it was established in 1996 and its main focus is to protect the rights to health insurance for families when the wage earner was to change or lose a job. It’s second objective focuses on standards for electronic health care transactions. With HIPAA, there are legal regulations that the government has put in place to protect our Personal Health Information (PHI).  While there is no encryption requirement, it is strongly considered a best practice.

The largest concern when a story like this breaks is for the victims. The Federal Trade Commission (FTC) has published a few tips for individuals who are affected from the TRICARE breach:

• Don’t willingly give out personal information over the phone unless you know exactly whom you are dealing with.
• Increase the frequency at which you check over your medical records to make sure nothing looks out of the ordinary.
• Any fraudulent report you notice should be reported to the police immediately.

The TRICARE breach should be an example of why encryption should be mandatory for organizations that deal with PHI.  Not only does it protect the privacy of your customers, when a breach does happen, HIPAA grants you a breach notification safe harbor.

Learn more about encryption and key management best practices for HIPAA and HITECH Act in our white paper titled "Achieve Safe-Harbor Status from HITECH Act Breach Notification".

Hundreds of thousands of Medicaid recipients are up in arms about a recent security breach that saw their personal information abducted by hackers. Originally it was reported that 181,000 had their information stolen including 25,000 who actually had their social security numbers taken as well. Currently the report has been updated to a staggering 900,000 and 280,000 respectively. Over a quarter million people on Medicaid had their social security numbers exposed, and many of these victims don’t have the means to hire private investigators or attorneys to right their personal situations. 

As many organizations that suffer a breach do, the Utah Department of Health is offering free credit monitoring services for one year to those who had their social security numbers compromised. Other than that, there isn’t much to be done for the breach victims.  Unfortunately, many are still concerned their identities could be stolen among other potential hardships.

To prevent security snafus such as this, the Utah Department of Health should have been protecting their sensitive data with encryption and key management.  Encryption would have rendered the breached data useless. The Utah Department of Technology holds millions of its citizen’s personal information and, unfortunately, didn’t take proper precautions to protect it. Alliance Key Manager, our encryption key management HSM, could have provided exactly what they would have needed to avoid a breach.  With on-board encryption, sensitive data can be sent to the HSM, encrypted, and then sent back to where the data needs to live. Additionally, Alliance Key Manager also meets regulatory requirements - a hurdle for many companies trying to pass an audit around encryption key management.

When you see a situation like this in Utah, its naive to think that hackers can’t access your information in your own home state. But just ask a Medicaid recipient from Utah, and it is clear that these dangers aren’t so far from home. Utah’s governor spoke on behalf of its citizens saying "Individuals provide sensitive personal information to the government in a relationship of trust. It is tragic that not only data was breached, but now individual trust is also compromised."

It’s a difficult situation, but as they try to mend the fences, it is important to audit your own encryption and key management processes to ensure that what happens in Utah stays in Utah.

For more information on data privacy, download our podcast Data Privacy for the Non-Technical Person.  Patrick Townsend, our Founder & CTO, discusses what PII (personally identifiable information) is, what the most effective methods for protecting PII, as well as the first steps your company should take towards establishing a data privacy strategy.

Former Mayor Daley’s goal of having a camera on every street corner in Chicago is slowly becoming a reality. The idea behind cameras at intersections is to create additional revenue and increase safety. The cameras take a quick snapshot of your car if you decide to make your trip quicker by zooming through a red light.  Current Mayor Emanuel has continued the initiative by blanketing close to half the city with cameras to catch prospective speedsters. With the extra cameras, the Chicago police department is now able to track an automobile by taking a picture of the license plate and following it throughout the city.  If proper data encryption practices are not implemented, this could result in a dangerous violation of the average person’s right to privacy.

What happens if the data collected by these cameras is un-encrypted and gets into the wrong hands? What if a hacker gains access to a live stream from the cameras? A whole wealth of personal information could be exposed – creating a huge liability to the city of Chicago.  Currently, little information is being released regarding what data is stored and how the data is protected. Being in the security industry, we hope there is an annual audit that focuses on encryption and monitoring system logs.

AES encryption, key management, and system logging are the best ways to make sure the camera feeds and your personal privacy are kept safe. Encryption would make it impossible for someone to misuse the personal information collected.  Additionally, monitoring system logs would alert administrators if an unauthorized person is trying to gain access.

Chicago citizens with a “need for speed” may be unhappy about the increased surveillance across their city, but without proper security practices in place, a speeding ticket should be the least of their worries.

For more information on data privacy, download our podcast Data Privacy for the Non-Technical Person. Patrick Townsend, our Founder & CTO, discusses what PII (personally identifiable information) is, what the most effective methods for protecting PII, as well as the first steps your company should take towards establishing a data privacy strategy.

It is increasingly apparent how much smaller the world is getting. As long as there has been human civilization, technology has decreased the vast uncertainty of our universe. We are a far cry from the 15^th century, when the European elite didn’t know North America existed. Bell invented the telephone, and suddenly months of correspondence could be condensed into a five minute chat. Then came the personal computer and opportunities for seemingly everything in the world were endless. As the complete paradigm shift to cyber data happened, the increasing dependability on what is put on the net became a way of life.

Recently, The National Security Administration (NSA) began construction on what is plainly named the “Utah Data Center” in Salt Lake City, Utah.  The “Utah Data Center” is going to be a one-million square foot, state-of-the-art data center designed for the purpose of intercepting, deciphering, analyzing, and storing communications from all over the world.

NSA’s security director General Keith Alexander has been under a constant barrage of questions from the American public regarding the security and privacy of the information that is being collected.  Concerns include:

• Does the NSA have access to Americans’ emails?
• Does the NSA have access to Americans’ Google searches?
• Does the NSA have access to Americans’ text messages

All of these questions have been answered by Alexander with a flat “no.”

I think we can assume that the NSA doesn’t have outright access to these private details from our lives, but many are concerned about their right to privacy and if the NSA infringing on it. It is understandable when places like the “Utah Data Center” are created to intercept and store personal information. As a company that deals with protecting private information, we have to trust this new facility has the absolute best security in place.

For more information on data privacy, download our podcast Data Privacy for the Non-Technical Person. Patrick Townsend, our Founder & CTO, discusses what PII (personally identifiable information) is, what the most effective methods for protecting PII, as well as the first steps your company should take towards establishing a data privacy strategy.

In June 2010, a computer worm called “Stuxnet” made worldwide news when it infiltrated Iranian science labs. Many of Iran’s industrial facilities including Natanz, were seriously harmed as a result of this worm. Uranium enrichment is a project that many global nuclear outfits are working on. The idea is to create a higher concentration of the Uranium isotope U-238 to make for a more reactive metal. The source codes for all of these machines are stored on computers, so they are run by what the computers are instructing them to do. When the bug hit, the sophisticated centrifuges began spinning too fast causing the machines to self-destruct.

The dials and gauges looked like they were functioning correctly, so the Iranian officials knew that an external virus or bug must have invaded their computer, with the specific instructions to destroy their appliances. After investigation, it was discovered that it wasn’t a virus, but a worm. A virus will corrupt individual files on a computer, but a worm is malicious software that spreads through a computer network. For a computer to avoid contracting a bug, computer security is paramount.

Having proper encryption and key management possibly could have prevented a disaster like this from happening. It really shouldn’t have had a chance. The Iranian government was running programs that needed the highest level of security and they could have done more to prevent this from happening.

We help our customers deal with security issues all the time. Alliance Key Manager, our encryption key management Hardware Security Module (HSM), has built-in encryption and decryption services. With an HSM, the encryption key never leaves the appliance, keeping the encryption key separate from the data it protects. By using encryption and key management, Iran could have possibly prevented Stuxnet from modifying the source code that caused their servers to self-destruct.

The effects of the Stuxnet worm were devastating for Natanz and other industrial facilities in Iran. Their nuclear projects were setback an estimated four months. This is of course, an extreme case with intended malice toward the government. This worm was specifically designed only to harm Iran’s centrifuges. Ralph Langner, an independent computer security expert and the man who discovered the intent of Stuxnet said, “The attackers took great care to make sure that only their designated targets were hit. It was a marksman’s job.”

 Hopefully, there isn’t a company or organization out there that will feel the need to specifically target your company. But there was some collateral damage to other computers caused by Stuxnet, and encryption and Key Management can prevent the effects or other worms. Take a look at the program!

For more information on encryption and key management, download our white paper "AES Encryption and Related Concepts" and learn about how proper encryption and key management work together to secure your data.