BreachExchange mailing list archives

Why 2013 was the year of the personal data breach


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 26 Dec 2013 19:14:57 -0700

http://www.pcworld.com/article/2082961/why-2013-was-the-year-of-the-personal-data-breach.html

As 2013 winds to a close, it’s time to look back at the biggest security
events and incidents of the year. Here’s hoping there are some lessons to
be learned—something to provide a foundation for stronger protection and a
safer online and mobile world in 2014 and beyond.

With each passing year, the world of technology evolves and improves, and
that includes building stronger defenses against cybersecurity threats.
Unfortunately, cybercriminals are continuously adapting and acquiring new
techniques, too, and successfully exploiting emerging technologies in a
perpetual game of security leapfrog.

Here’s the 2013 security highlight—er, lowlight—reel.

Ransomware

The concept of ransomware is simple: Attackers encrypt your data or lock
you out of your PC or device using malware exploits, and then demand
payment in exchange for restoring your access.

The biggest ransomware threat of 2013 was CryptoLocker. A recent report
from Dell security researchers suggests that the CryptoLocker crooks raked
in $30 million in only 100 days. That’s $300,000 a day on average from
users paying the ransom to get access to their data again.

“2013 saw a significant trend toward ransomware because cyberattackers were
able to utilize Tor and Bitcoin to anonymously blackmail people into paying
for access to their own data,” says Ken Westin, security researcher for
Tripwire.

The CryptoLocker ransom is generally $300. If you don’t have a recent
backup of your data, you don’t have many options—either pay the ransom, or
lose all of your data and start over from scratch. On the positive side,
the criminals do, in fact, follow through on their promise to return your
PC or data once you’ve paid the ransom.

“This trend will accelerate and migrate to mobile devices in 2014,” Westin
says. “There’s an enormous number of consumers to target who are dependent
on the data and services in their mobile device. More than half of
mobile-device users don’t use even the most basic security precautions,
making them easy prey for cyberattackers.”

Wolfgang Kandek, CTO of Qualys, warns that traditional defenses may not
offer much protection against CryptoLocker. The attack does not require any
special access or privileges, so it’s very difficult to prevent using
standard computer security tactics. “XKCD had it absolutely right in its
April 2013 comic strip,” he says. “If all my important data is my user
data, the malware does not need to escalate to administrator to wreak
havoc.”

You really have only one way to protect yourself against ransomware
threats: You must back up your data on a regular basis. If your system is
compromised by ransomware, you can simply restore your own data from the
backup rather than paying the extortionists.

Mobile malware

The overlap between ransomware and mobile security brings us to the next
security trend of 2013: mobile malware. The volume of mobile malware has
continued to grow exponentially, as cybercriminals try to take advantage of
the fertile new territory.

FortiGuard Labs reported that it logged 50,000 malicious Android samples in
January 2013—about 500 per day. As of November, that number had spiked to
1500 new malware samples per day.

The trend is alarming, but such reports also seem a bit “the sky is
falling” at this point. Security vendors keep telling us that the volume of
mobile malware is growing at a distressing pace, yet we haven’t really seen
a significant malware attack against mobile devices in the real world.

It’s only a matter of time, though, before criminals move beyond the
testing and proof-of-concept phase, and actually plant a malicious payload.
The attack may not be as pervasive or obvious as old-school PC malware,
because attackers have learned that flying under the radar and avoiding
detection is a more lucrative strategy.

FortiGuard says that it has started to see evidence of a threat called
AndroRAT, which attackers can deliver as a Trojan horse buried within an
otherwise normal app. The RAT, or remote application tool, enables the
attacker to send SMS text messages from the infected smartphone, monitor
calls and SMS texts, direct the device’s browser to a specific URL, or
perform a variety of other actions that could serve either to compromise
personal information or to siphon funds from the victim.

We’re still waiting for “The Big One,” but mobile malware will eventually
live up to the hype—probably when users least expect it.

Data breaches

If you didn’t already follow the established practice of changing your
passwords every few months, 2013 probably left you little choice as sites
and services forced users to choose new passwords in the wake of data
breaches. Living Social, Evernote, and Adobe all experienced major data
breaches in which tens of millions of user accounts were compromised, and
passwords were exposed.

“One could argue that 2013 was ‘The Year of Stolen Credentials,’” says
Dwayne Melancon, CTO of Tripwire. “According to DataLossDB, the top five
largest breaches in 2013 affected about 450 million records—that’s a lot of
instances of ‘12345,’ ‘password,’ and ‘monkey.’ The most alarming thing is
that many of these stolen passwords were found to have been stored in
insecure ways despite plenty of warnings about using strong cryptography.”
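To make the "stored in insecure ways" point concrete, here is an added Python example that is not part of the article or of any of the breached sites' code: it places a fast, unsalted hash next to a salted, slow PBKDF2-SHA256 hash (iteration count and storage format are assumed, not taken from the article) over a constructed set of users, two of whom share the password "monkey". With the weak scheme the duplicate hashes alone reveal the shared password; with the salted scheme every stored value differs and each guess costs a deliberately slow derivation.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample credentials for illustration only; note the shared
# password, which is exactly the kind of reuse the article describes.
SAMPLE_USERS = {"alice": "monkey", "bob": "monkey", "carol": "12345"}

# Assumed work factor for the hardened scheme; tune to your hardware.
PBKDF2_ITERATIONS = 600_000


def weak_store(password: str) -> str:
    """The kind of storage the article warns about: one fast, unsalted hash.
    Identical passwords always produce identical stored values."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated PBKDF2-SHA256. The stored string records the
    algorithm, iteration count and salt so it can be verified later."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation from the stored parameters and compare in
    constant time, so timing does not leak how many bytes matched."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def duplicate_hash_count(store: Dict[str, str]) -> int:
    """Number of users whose stored value is identical to another user's.
    A non-zero count in a leaked table tells an attacker which accounts
    share a password before a single guess has been made."""
    counts: Dict[str, int] = {}
    for value in store.values():
        counts[value] = counts.get(value, 0) + 1
    return sum(c for c in counts.values() if c > 1)


if __name__ == "__main__":
    weak_table = {u: weak_store(p) for u, p in SAMPLE_USERS.items()}
    strong_table = {u: hash_password(p) for u, p in SAMPLE_USERS.items()}
    print("users exposed by duplicate weak hashes:", duplicate_hash_count(weak_table))
    print("users exposed by duplicate salted hashes:", duplicate_hash_count(strong_table))
    print("alice verifies:", verify_password("monkey", strong_table["alice"]))
    print("wrong password verifies:", verify_password("Monkey", strong_table["alice"]))
```

The `iterations` parameter exists so a test or a migration can use a smaller work factor; production storage should keep the default high enough that a single verification takes a noticeable fraction of a second.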

To cap things off, we found out that Target was the victim of cybercrooks.
Between Black Friday and December 15, hackers collected credit card details
on about 40 million people who had shopped in person at the popular retail
chain.

Cyberespionage

The year kicked off with the Mandiant report on APT1, which offered
undeniable proof that U.S. agencies and companies were being infiltrated by
a group based out of China. But after everyone spent the first half of the
year worried about foreign—possibly state-sponsored—attacks out of China,
Iran, and Syria, Edward Snowden dropped a bomb that would change the
conversation dramatically.

Snowden—a contractor for the National Security Agency—fled the United
States (eventually finding temporary asylum in Russia) and shared with the
world details about the NSA’s spying on just about everything and everyone
around the globe. The ripples from the Snowden revelations are still being
felt, as U.S. citizens, the U.S. government, and the nation’s allies
struggle to find a balance between proactive diligence and overt violations
of privacy and civil liberties.

“What he released essentially proved to the 10th degree that the U.S.
government was itself infiltrating its own corporations and has been
eroding the privacy of millions for years already,” says Andrew Storms, a
security researcher with CloudPassage. “The hundred-pound gorilla in the
room wasn’t China or Iran, but our own U.S. agency called the NSA.”

“Perhaps the only good news from the Snowden leak is that it has forced a
lot of companies to take a serious look at which data is important to them
and how it’s being protected,” Melancon says.

Looking ahead to 2014, the looming threats are essentially the same. The
threat from mobile malware will continue to grow, and we will continue to
strive to protect our personal data—from cybercriminals and from our own
governments.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 