A day after two million passwords for Facebook, Twitter, LinkedIn, Google and other services were found to have been stolen (scraped by malware on users' own computers, not taken by breaking into the sites themselves), it is clear that the reporters who covered the breach parroted bad advice. More alarming, that advice came from the industry expert who discovered the malware.
Most journalists appear ignorant of how these breaches happen, how to prevent them, and what the best course of remediation is after an attack occurs.
Hard as it may be to believe, on the day of President Obama's first inauguration in 2009, Heartland Payment Systems, Inc., disclosed what was then the world's biggest data breach: some 130 million card numbers exposed, at a cost of $140 million that does not include a class action lawsuit settlement still pending.
Trustwave, the Qualified Security Assessor (QSA) that performed the audit for Heartland eight months prior to the massive breach, was the company that identified the latest theft of two million passwords.
Heartland's CEO Robert Carr, interviewed by CSO Online in August 2009, put it this way: “The audits done by our QSAs were of no value whatsoever. To the extent that they were telling us we were secure beforehand, that we were PCI compliant, was a major problem… The QSAs in our shop didn’t even know this was a common attack vector being used against other companies. We learned that 300 other companies had been attacked by the same malware.”
Heartland was not Trustwave's first client to be breached after one of its audits. Around the same time another payment card processor, RBS Worldpay, was hacked, resulting in a $9 million heist. The point is not that the breach happened, but that Trustwave had finished its audit four days before the attack occurred and had found RBS to be in compliance.
According to an industry insider, Trustwave's audits cost less “because they perform them in a third or quarter of the time compared to much bigger QSAs like Verizon or Coalfire.” That means their deep dives on risk gaps and vulnerabilities in corporate ecosystems do not go deep enough. Companies, like people, get what they pay for. Cheaper does not mean better.
None of the above stopped Trustwave Holdings, Inc. (TWAV) from filing for an IPO in 2011.
Bad Advice Continues to Misinform Users
In a CNN article on the breach (Dec. 4): “We don’t have evidence they logged into these accounts, but they probably did,” said John Miller, a security research manager at Trustwave. “Of all the compromised services, Miller said he is most concerned with ADP. Those log-ins are typically used by payroll personnel who manage workers’ paychecks. Any information they see could be viewed by hackers until passwords are reset.”
From ABC News: “But even the most secure password wouldn’t have been safe from the Pony malware. To that end, John Miller said to practice good browsing habits. ‘Keep your anti-virus software up to date and make sure your browsers are updated and patched to the latest version,’ he said.”
From Reuters: “Graham Cluley, an independent security expert, said it is extremely common for people to use such simple passwords and also reuse them on multiple accounts, even though they are extremely easy to crack… ‘People are using very dumb passwords. They are totally useless,’ he said.”
What is useless is the advice coming from security experts like Cluley and Miller. It is the same advice other industry experts gave after the 2009 breaches. Nothing has changed, which means hackers are still stealing credentials with not-so-technical, off-the-shelf malware kits, and third-party applications like Adobe products and Java will continue to be exploited as the attack vector of choice.
Not satisfied with the recycled answers coming from the experts interviewed or the reporters who echoed their words, I reached out to other security experts.
Views from StrikeForce and VigiTrust
“I was driving back from Connecticut, listening to CNN radio about the data breach, when the reporter said, ‘Just reset your password with a stronger one and you’ll be fine.’ I almost hit the roof,” said George Waller, EVP and marketing director of StrikeForce Technologies, Inc. “Resetting your password is useless if the malware that scraped it is still infecting your computer or if a new keylogging virus is downloaded. In either scenario the hacker would be able to spy on the user entering the new password the next time.”
He added, “The keylogger (malware) will get the next password. The bit about anti-virus being updated as a sound solution just doesn’t get it done anymore. Dedicated resources are needed to prevent keyloggers from stealing your data. So people, such as reporters, need to stop giving people bad information.”
With new breaches making headlines each week, it is obvious that anti-malware on its own does not work as advertised. There is no silver bullet. A scraped password still has to be reset, but only after the infected machine has been cleaned (or from a device known to be clean), and ideally with a second factor added so that the next password a keylogger captures is not enough by itself. Beyond that, there are tools on the market that few people outside IT appear to be aware of.
In a separate discussion with Mathieu Gorge, CEO of VigiTrust, an eLearning and PCI compliance company, he said, “The problem with these types of breaches starts with education and awareness. The media jumps on data breaches as an opportunity to talk about technology they may not understand. So I question whose responsibility is it to know? The security software providers? The media? Should it be like driving a car? Each user with PCI compliance needs a license to operate?”
Gorge underscored the point, “Security is the underlying root cause. In plain English, keyloggers are spying on your hands what you type. You won’t even know it. So sitting at home on your laptop is no longer private if someone is watching your every stroke.” He paused, adding, “Changing your password won’t do it. Your data will still be vulnerable. So it must be a combination of three elements. Keystroke encryption, patch management, and anti-malware products.”
“What about this latest breach?” I asked.
“The rise in attacks should be a wake-up call for the industry to educate consumers and users. Today, with mobile devices, the risk surface is much bigger. The responsibility to educate users belongs to the industry,” Mathieu Gorge said.
Keystroke Encryption is the Solution
Since writing about StrikeForce in this column earlier this year, I got an update on what new products the IT security company is offering.
“We were just awarded a new patent,” George Waller said.
From the StrikeForce press release (Oct. 22): “This keystroke encryption patent has groundbreaking implications for our company, and Cyber Security. This new patent is comprehensive; it covers computers, smart phones and tablets, with any type of keyboard. This patent also adds to our growing patent portfolio of three patents, with four more pending. We now own two of the most significant patents (Keystroke Encryption and Out-of-Band Authentication) in the Cyber Security space.”
On the mobile front, StrikeForce plans to roll out MobileTrust, a mobile security product built on three main features: an AES-256 encrypted password vault, a one-time password generator for two-factor authentication, and a keystroke-encrypting keyboard and browser.
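Of those three features, the one-time password generator is the piece that speaks most directly to the keylogger problem described above, so here is an added example of how such a code behaves. It is my own illustration, not StrikeForce's code; the page does not say which scheme MobileTrust uses, so I assume the standard time-based one-time password algorithm (RFC 6238, built on RFC 4226 HOTP) and use the RFC's published test-vector secret, which is test data and not a real credential. The demo function models exactly the scenario in the article: a keylogger scrapes the user's login, including the six-digit code typed at that moment, and the attacker tries to replay it.

```python
"""TOTP (RFC 6238) generation and server-side verification, stand-alone.

Illustrative only: not StrikeForce's MobileTrust code. The secret below is the
RFC 4226 / RFC 6238 test-vector key (ASCII "12345678901234567890"), used so the
outputs can be checked against the RFCs; never reuse it as a real secret.
"""
import hashlib
import hmac
import struct

DEMO_SECRET = b"12345678901234567890"  # RFC test vector, not a real credential


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password: HOTP over the current 30-second window."""
    return hotp(secret, int(at_time) // step, digits)


class TotpVerifier:
    """Server side. Accepts a code for the current window or one window on either
    side (clock drift), but never a window that has already been consumed, so a
    scraped code cannot be replayed even within its own 30 seconds."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, drift: int = 1):
        self.secret, self.step, self.digits, self.drift = secret, step, digits, drift
        self.last_counter = -1  # highest window already used for a successful login

    def verify(self, code: str, now: int) -> bool:
        counter = int(now) // self.step
        for delta in range(-self.drift, self.drift + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:  # replay of a consumed window
                continue
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time compare
                self.last_counter = candidate
                return True
        return False


def keylogger_replay_demo() -> dict:
    """The article's scenario: the user logs in at T=59s, a keylogger captures
    the password and the OTP, and the attacker replays the OTP afterwards."""
    verifier = TotpVerifier(DEMO_SECRET)
    scraped = totp(DEMO_SECRET, 59)  # what the user typed and the keylogger saw
    return {
        "user_login_accepted": verifier.verify(scraped, 59),
        # 11 s later, same 30 s window: rejected only because the window was consumed
        "replay_same_window": verifier.verify(scraped, 70),
        # next window, still inside the drift allowance: consumed, so rejected
        "replay_next_window": verifier.verify(scraped, 95),
        # minutes later: the code no longer matches any accepted window
        "replay_minutes_later": verifier.verify(scraped, 200),
        # a code freshly generated on the user's device still works
        "fresh_code_later": verifier.verify(totp(DEMO_SECRET, 200), 200),
    }


if __name__ == "__main__":
    for name, ok in keylogger_replay_demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The point the demo makes is the one Waller and Gorge are circling: the keylogger still captures everything the user types, but a code that is bound to a 30-second window and refused once used leaves the attacker with a password that no longer opens the account on its own. Note the replay inside the same window is only rejected because the server remembers the last consumed window; a verifier that skips that bookkeeping gives the attacker a roughly 30-second (or, with drift tolerance, 90-second) live replay.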
From an earlier press release (Sept. 24): “We are very excited about having the Apple and Android developer community build our one-of-a-kind Keystroke Encryption technology into their mobile applications,” says Mark L. Kay, CEO of StrikeForce. “Keystroke Encryption is an extremely critical security technology, which plays a major role in preventing the most widespread malware from stealing confidential information from mobile devices.
“The exponential rise and usage of mobile applications is almost immeasurable. However, it also comes at a tremendous cost. According to a recent Juniper report, mobile malware has skyrocketed 614% from March 2012 through March 2013, and it looks as if it’s only going to continue beyond our imagination,” says Kay.
Added Waller: “With GuardedID Mobile SDK, Apple and Android app developers can embed keystroke encryption into mobile apps… There’s nothing like it on the market.”
From the looks of it, cloaking data entry at the keyboard will be critical if users are to put a dent in malicious attacks that are growing in breadth and frequency.