Information Security Lapses: Top 10 Security Breaches
Kyle Chase, Revati Kailasam, Kelly Walker
Information Security Lapses
Since 2005, more than 3,000 data breaches have been reported.
Over 545 million records compromised as a result of these data breaches.
– Privacy Rights Clearinghouse
Top 10 Information Security Failures in Recent History
For each breach:
What happened?
◦ A summary of the breach
How did it happen?
◦ Attack methods
◦ Control failures
How could it be prevented or minimized?
◦ Preventative IT security
Financial impact
◦ Cost of the breach
TJX (2005)
Parent company of TJ Maxx, Marshalls, Home Goods, and more
Reported data breach potentially affecting thousands of consumers
Masterminded by Albert Gonzalez
Hackers gained access via store wireless networks
◦ Outdated WEP security
Gained access to corporate servers housing sensitive information
◦ Including credit card information
TJX (2005)
PCI compliance issues
◦ In compliance with only 3 of 12 standards
◦ Failure to upgrade systems in a timely manner
Too much information stored
◦ Credit card numbers, PINs, CVV numbers
Lack of encryption
Lack of fraud detection
◦ Breach lasted 18 months
Result: 45.7 million credit card numbers stolen
AOL (2006)
Intentionally released search logs
◦ Contained SSNs, bank account information and demographic information
Exposed 650,000 users to identity theft
IT security/control issues
Violation of the Electronic Communications Privacy Act
Lawsuits averaged $5,000 per victim
7-Eleven (2007)
Links to the TJX case
◦ Albert Gonzalez – connected to cases involving TJX, Heartland, Hannaford and 7-Eleven
SQL injection attack to access ATM and point-of-sale systems
Injected malware to intercept user inputs in real time
◦ Also were able to access historical data
◦ PINs stolen in electronic transmission
$2 million in damages
Better encryption and fraud detection systems could have decreased the loss
Sony (2011)
Already had a bad reputation for protecting consumer data
◦ Rootkit incident
Reported breach of the PlayStation Network and Qriocity music service
◦ Immediate shutdown of the PlayStation Network
Affected:
◦ 77 million PlayStation Network users
◦ 25.4 million Sony Online Entertainment users
Released:
◦ Customer names
◦ Addresses
◦ Email
◦ Log-ons
◦ Credit card information
Sony (2011)
Access to a system administrator PC containing sensitive information
◦ Malicious email to gain access
◦ Masked by Anonymous DDoS attack
Slowed fraud detection
Anonymous denies involvement
“Sony probably did not pay enough attention to security when it was developing the software that runs its network.” – Reuters
Monster.com (2007)
Monster was created in 1999
Monster.com is one of the largest employment websites in the world
Hackers broke into the password-protected resume library
Information from 1.3 million users was stolen
Information stolen was limited to names, addresses, phone numbers and email addresses
Monster.com (2007)
Hackers sent phishing emails and made extortion-based threats
Monster waited five days to inform its users about the security breach
Monster put a notice on its website and also posted letters to the affected users about the breach
According to Monster, the estimated cost of upgrading its site was 80 million
Epsilon (2011)
Epsilon, created in 1969, is the world’s largest permission-based email marketing service company
Epsilon has more than 2,400 A-list clients and sends more than 40 billion emails annually on behalf of its clients
On March 30, 2011, Epsilon detected “an unauthorized entry” into its email system
Nearly 75 of Epsilon’s clients were affected
60 million email addresses were stolen
Data compromised was limited to email addresses and names
Epsilon (2011)
Some of the clients under attack were financial institutions (Capital One, US Bank, JPMorgan Chase, Citi and Barclays Bank of Delaware), retail chains (Best Buy, Home Shopping Network, Walgreens, Brookstone, New York & Company, Kroger, TiVo), hotel chains (Ritz-Carlton Rewards and Marriott Rewards), McKinsey, The College Board, Disney Destinations and many more.
Epsilon (2011)
Hackers sent spam and phishing emails to the victims of the breach
Epsilon reported the breach on April 01, 2011 to both customers and clients
Epsilon announced that it was going to enhance its data security system
Epsilon could have faced a price tag as high as 4 billion for the data breach
Operation Shady RAT (2009-2011)
In 2009 a McAfee client, a U.S. defense contractor, identified suspicious programs running on its network
Forensic investigation revealed a spear phishing email containing a link to a web page that, when clicked, automatically downloaded a remote access tool or “RAT” onto the victim’s computer
McAfee, while investigating a command-and-control operation in 2009, discovered the cyber espionage campaign “Operation Shady RAT”
Operation Shady RAT (2009-2011)
McAfee traced the activity back to 2006
The widespread cyber-espionage campaign dubbed “Operation Shady RAT” infiltrated the computer systems of national governments, global corporations, non-profits and other organizations
Fourteen countries were victims
Forty-nine of the seventy-two organizations compromised were from the United States
Operation Shady RAT (2009-2011)
Data compromised included email archives, sensitive corporate documents and other intellectual property
McAfee is working closely with U.S. government agencies, law enforcement and others in hopes of eventually shutting down Shady RAT’s command-and-control server
Most of the targets have removed the malware from their systems
TriCare (2011)
Department of Defense health care program
SAIC – business partner of TriCare
September 14, 2011: breach of patient information affecting approximately 4.9 million patients
Largest federal breach to date
TriCare (2011)
Unencrypted computer backup tapes stolen from an SAIC employee’s car
Tapes contained patient information
TriCare states that the risk is low
Breach caused 3 lawsuits totaling $4.9 billion
HBGary (2011)
Company that provides tools and services to protect assets and information
Specializes in computer forensics and malware analysis tools
February 6, 2011: Anonymous hacks into the company’s computer system in retaliation
Compromised the web server and cracked passwords
HBGary (2011)
Used Aaron Barr’s administrative password to change the password for Greg Hoglund’s email
Greg operated rootkit.com
Hackers used social engineering to gain control of rootkit.com
Defaced HBGary’s website and accessed 71,000 emails
HBGary (2011)
Published some emails that revealed immoral and illegal activities the company was involved in
Since the breach, Aaron Barr has resigned
March 6, 2012: Hector Xavier Monsegur, a member of Anonymous, pled guilty
RSA SecurID (2011)
Authentication mechanism developed by Security Dynamics
Token generates a code at fixed intervals
Uses a random key known as the seed record – the key to generating a one-time password
Used in combination with a password the user creates – the server has a real-time clock and a database of valid cards that can validate the code
RSA SecurID (2011)
Difficult to hack – need both pieces of information
March 17, 2011: victim of an attack costing the company $66.3 million
Sent phishing emails with malware attached
Malware exploited a back door in Adobe Flash
Hackers used the Poison Ivy Remote Administration Tool
Attack is known as an APT – Advanced Persistent Threat
RSA SecurID (2011)
Replaced 40 million tokens
Breach resulted in attacks on three U.S. defense contractors
◦ L-3 Communications
◦ Lockheed Martin
◦ Northrop Grumman
Could be tied to cyber espionage from China
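The token-and-server mechanism described in the SecurID slides, as an added example that is not part of the original slides: a hypothetical time-based one-time code (an HMAC over the seed record and the current time step, standing in for SecurID's proprietary algorithm, which the slides do not describe) validated by a server that holds the real-time clock and the seed database and requires both the user's PIN and the token code. The seed and serial values are constructed; revoking a seed record shows why a compromised seed database forces token replacement.

```python
import hashlib
import hmac
import time

# Hypothetical scheme standing in for SecurID's proprietary algorithm:
# an HMAC over the secret seed record and the current time step,
# truncated to six digits. Everything depends on the seed staying secret.
STEP_SECONDS = 60
CODE_DIGITS = 6


def token_code(seed: bytes, unix_time: float) -> str:
    """Code the token would display during the step containing unix_time."""
    counter = int(unix_time) // STEP_SECONDS
    digest = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    number = int.from_bytes(digest[:4], "big") % 10 ** CODE_DIGITS
    return f"{number:0{CODE_DIGITS}d}"


class AuthServer:
    """Server side: a real-time clock and a database of valid seed records."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.cards = {}  # token serial -> (seed record, hashed user PIN)

    def enroll(self, serial: str, seed: bytes, pin: str) -> None:
        self.cards[serial] = (seed, hashlib.sha256(pin.encode()).digest())

    def revoke(self, serial: str) -> None:
        """Drop a seed record, e.g. when the seed database may be compromised."""
        self.cards.pop(serial, None)

    def validate(self, serial: str, pin: str, code: str) -> bool:
        record = self.cards.get(serial)
        if record is None:
            return False
        seed, pin_hash = record
        # Factor 1: the PIN the user created (compared in constant time).
        if not hmac.compare_digest(pin_hash, hashlib.sha256(pin.encode()).digest()):
            return False
        # Factor 2: the token code, allowing one step of clock drift either way.
        now = self.clock()
        return any(
            hmac.compare_digest(token_code(seed, now + offset), code)
            for offset in (-STEP_SECONDS, 0, STEP_SECONDS)
        )
```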
The financial impact
Costs directly associated with the breach include:
Cost of replacing stolen devices
Cost of recovering lost information
Strengthening IT security and, in some cases, premises security
Other costs include:
Expenses related to informing the victims and providing them with credit monitoring services
Expenses related to lawsuits
The financial impact
Other monetary impacts are:
Fall in share prices
Increased marketing expenses
Cost of hiring and training new employees
Accounting and Security
AICPA listed in its Personal Competencies:
◦ Accountants need to address “privacy, intellectual property rights and security issues related to electronic communications” as an element of Leverage Technology to Develop and Enhance Personal Competencies.
Statements on Auditing Standards (SAS) 94
◦ Requires auditors to take an in-depth look at how IT controls affect internal controls.
References
Anderson, H. (2011, October 14). TRICARE Hit With $4.9 Billion Lawsuit. Damages Sought for Privacy Violations in Breach Incident. Retrieved March 6, 2012, from Bank Info Security: www.govinfosecurity.com/p_print.php?t=a&id=4158
Anderson, M. (2012, March 6). Anonymous hackers identified, including one tied to HBGary hack. Retrieved March 6, 2012. http://www.bizjournals.com/sacramento/news/2012/03/06/anonymous-hackers-identified-hb-gary.html
Arrington, M. (2006, August 6). AOL Proudly Releases Massive Amounts of Private Data. Retrieved March 19, 2012. http://techcrunch.com/2006/08/06/aol-proudly-releases-massive-amounts-of-user-search-data/
Baker, L. B., & Finkle, J. (2011, April 26). Sony PlayStation Suffers Massive Data Breach. Reuters. Retrieved March 15, 2012. http://www.reuters.com/article/2011/04/26/us-sony-stoldendata-idUSTRE73P6WB20110426
Beard, D., & Wen, H. J. (2007). Reducing the Threat Levels for Accounting Information Systems. The CPA Journal, 7.
Bright, P. (n.d.). Anonymous speaks: the inside story of the HBGary hack.
Garrison, C. P., & Posey, O. G. Computer Security Awareness of Accounting Students.
Jewell, M. (2007, September 7). Encryption Faulted in TJX Hacking. Associated Press. http://www.msnbc.msn.com/id/20979359#.T30M9KsV3dI
Kantor, A. (2005, November 17). Sony: The Rootkit of All Evil. USA Today. Retrieved March 15, 2012. http://www.usatoday.com/tech/columnist/andrewkantor/2005-11-17-sony-rootkit_x.htm
Mills, E. (2011, June 6). China Linked to New Breaches Tied to RSA. Retrieved March 7, 2012, from CNET News: news.cnet.com/8301-27080_3-20068836-245/china-linked-to-new-breaches-tied-to-rsa/?tag=mncol;txt
Schwartz, M. J. (2011, December 28). 6 Worst Data Breaches Of 2011. InformationWeek. http://www.informationweek.com/news/security/attacks/232301079
Claburn, T. (2009, January 26). Monster.com Hit With Possible Monster-Sized Data Breach. InformationWeek. http://www.informationweek.com/news/security/attacks/212902664
Rashid, F. Y. (2011, April). Epsilon Data Breach Hits Banks, Retail Giants. eWeek. http://www.eweek.com/c/a/Security/Epsilon-Data-Breach-Hits-Banks-Retail-Giants-154971/
Monster.com. Wikipedia. http://en.wikipedia.org/wiki/Monster.com
Analysis: Is the Epsilon data breach a watershed for the marketing industry? (2011, April 5). Computer Weekly. http://www.computerweekly.com/news/1280097340/Analysis-Is-the-Epsilon-data-breach-a-watershed-for-the-marketing-industry
Hobson, D. (2008, August 12). The real cost of a security breach. SC Magazine. http://www.scmagazine.com/the-real-cost-of-a-security-breach/article/113717/
Bradley, T. (2011, April 4). Epsilon Data Breach: Expect a Surge in Spear Phishing Attacks. PCWorld. http://www.pcworld.com/businesscenter/article/224192/epsilon_data_breach_expect_a_surge_in_spear_phishing_attacks.html
Monster.com Admits Keeping Data Breach Under Wraps. Fox News. http://www.foxnews.com/story/0,2933,294471,00.html
Nakashima, E. (2011, August 2). Report on ‘Operation Shady RAT’ identifies widespread cyber-spying. The Washington Post. http://www.washingtonpost.com/national/national-security/report-identifies-widespread-cyber-spying/2011/07/29/gIQAoTUmqI_story.html
Gross, M. J. (2011, August 2). Exclusive: Operation Shady RAT—Unprecedented Cyber-espionage Campaign and Intellectual-Property Bonanza. Vanity Fair. http://www.vanityfair.com/culture/features/2011/09/operation-shady-rat-201109
Panko, R. (2010). Corporate Computer and Network Security. 2nd Edition. Prentice Hall Publishing.
Rashid, F. Y. (2011, March 01). HBGary Federal CEO Aaron Barr Quits Due to Anonymous Attack. IT Security & Network Security News.
SecurID. (2012, January 10). Retrieved March 2012, from Wikipedia: en.wikipedia.org/w/index.php?title=SecurID&printable=yes
Zetter, K. (2010, March 26). Hacker Sentenced to 20 Years for Breach of Credit Card Processor. Wired.com. Retrieved April 1, 2012. http://www.wired.com/threatlevel/2010/03/heartland-sentencing/