Hacking the Presidency: Will Data Breaches Help Decide the 2016 Presidential Election?

The 2016 presidential election hasn’t been without controversy. Both candidates have blemishes on their records that have left many Americans with a bitter pill to swallow when voting comes in November, and cybersecurity has been put front and center in a way never before seen in a U.S. election. Email hacks, data breaches, cybersecurity ineptitude — they’re not just conversation topics among infosec wonks; but major campaign talking points.

Cybercrime has already infiltrated many facets of our everyday lives. Account information, payment card information, trade secrets, and more are regularly obtained and sold like merchandise on underground markets. Cyber-espionage also remains a huge threat as organizations and governments attempt to secure their precious secrets. With such a divided nation over who will become our next president, could the recent data breach of Democratic National Committee (DNC) data be a sign of what’s to come in this election?

More importantly, could this be the first presidential campaign ultimately swung by leaked information obtained in a data breach?

The information released by WikiLeaks from the DNC email breach caused an uproar from American citizens as the emails released showed a clear bias for Hillary Clinton over Bernie Sanders — a claim made by the Sanders campaign months before the DNC data breach. While none of the DNC information shows correspondence from Hillary Clinton directly, the DNC breach– along with other related cybersecurity issues — has had a big impact in Clinton’s polling numbers. However, the latest polls show Clinton above Trump by a favorable margin.

Clinton isn’t out of hot water yet. WikiLeaks founder Julian Assange told PBS’s Judy WoodRuff in a recent interview there would be more information released that will negatively affect Clinton’s campaign:

It’s a wide range of material. It covers a number of important issues. There’s a variety of natural batches and some thematic constellations that we’re working on.

It’s interesting material. We have done enough work now that we are comfortable with the material’s authenticity. And so now it’s a matter of completing the format, layout to make it easy and accessible and so that journalists can easily extract material from it, extract stories from it, and also the general public.

DNC Fallout from Breach

DNC chairwoman Debbie Wasserman Schultz announced her resignation as national party chair following the leak of the stolen DNC emails. Since the Democratic National Convention has wrapped up, more high-profile DNC officials have announced their resignation as well.

Chief Executive Amy Dacey, Chief Financial Officer Brad Marshall, and Communications Director Luis Miranda have all resigned just days after a new chair took over for Schultz. Luis Miranda was one of the key figures whose email account was breached and leaked by WikiLeaks.

The rest of the DNC members whose accounts were hacked have not resigned, including National Finance Director Jordon Kaplan, Finance Chief of Staff Scott Comer, Finance Director of Data & Strategic Initiatives Daniel Parrish, Finance Director Allen Zachary, Senior Advisor Andrew Wright, and Northern California Finance Director Robert Stowe.

Donald Trump in the Mix

During the DNC breach investigation, evidence was discovered linking Russia to the cyber-attack. Based off of this information, Trump called for Russia to conduct cyber-espionage against Hillary Clinton:

“Russia, if you’re listening, I hope you’re able to find the 30,000 emails that are missing,” Trump said referencing Clinton’s email scandal. “I think you will probably be rewarded mightily by our press.”

Trump later said he was kidding about his comment.

Not every politician found his remarks funny. Democratic Senators Chris Coons of Delaware and Sheldon Whitehouse of Rhode Island recently petitioned Senator and former Presidential candidate Ted Cruz to conduct an investigation into Trump’s support of involvement from Russia in U.S. elections. The Senators wrote the letter to Cruz because he chairs the Senate Judiciary Subcommittee on Oversight, which potentially could have jurisdiction in the matter. Cruz has not responded to the letter and his involvement in the matter is not likely.

Still, the damage has been done to Trump as the Clinton campaign is alleging him of having ties with Russian President Vladimir Putin, which makes his “joke” no laughing matter.

The data breach of the DNC, the controversy surrounding Clinton’s emails, accusations that Russia is trying to directly influence the election — this is the first time a presidential election cycle has been so heavily dominated by cybersecurity events.

The effects, at least for the candidates, have been relatively mild so far, but with WikiLeaks promising more leaks painting Hillary Clinton in a bad light, there is the potential that a close election in November could ultimately be decided based on cybersecurity.

No matter the outcome, cybersecurity has gained a national stage and everyone should take notice. Understanding cyber threats and the potential consequences of those threats is vital, whether you’re an employee, an executive, or a presidential candidate.

OurMine Hacking Group Trending, What Are They After?

As we mentioned in a previous post, hacktivism activity has been down in 2016 — with the exception of Anonymous. However, there is a new hacktivist group that has been showing up in SurfWatch Labs’ data — OurMine.

Over the last two months, OurMine has been the top trending hacktivist group.

2016-08-02_hacktivist

OurMine made multiple headlines over the past month after successfully hacking the LinkedIn and Pinterest accounts of billionaire Facebook CEO Mark Zuckerberg. The hack provided some embarrassment for Zuckerberg, as it was discovered that the password he used for both accounts was “dadada.”

The group’s latest target was the CEO of Pokemon GO, John Hanke. OurMine hacked into Hanke’s Twitter account, saying that the hack was “for Brazil.”

Here are the top trending targets associated with the OurMine hacking team over the last two months.

2016-08-02_ourminetargets

What is OurMine After?

What separates OurMine from other hacktivists is their claim for hacking. In each of the group’s attacks, they claim they are a security firm that is testing their target’s security, and have even gone as far to say they were going to offer security services to their victims. The hacking group even has a website advertising their services.

OurMine has shown an aptitude for hacking. In several of their hacks — like Mark Zuckerberg’s social media — they were able to take advantage of a weak password to compromise the account. In other attacks — such as the attack against Google’s CEO Sundar Pichai’s Quora account — they have been able to exploit website platform vulnerabilities.

The group isn’t only after high profile businessman. OurMine has also targeted Minecraft player accounts, defaced websites like TechCrunch, and completely disabled the servers of HSBC bank.

It appears that all of these attacks are used as a method to promote their services. OurMine has yet to cause significant damage with any of their attacks other than a minor nuisance. Is this group’s supposed white hat hacking attempts really an effort to promote their security services and point out security weaknesses for companies? Only time will tell.

Cyber Skills Shortage Continues To Be An Issue

It has been long documented that cybersecurity organizations are struggling to hire qualified personnel. A recent study on the cybersecurity professional gap has reaffirmed this dilemma.

Intel Security and the Center for Strategic and International Studies (CSIS) released a global report that outlined the cybersecurity talent shortage crisis. The report, Hacking the Skills Shortage, outlined how the talent shortage crisis has impacted both companies and nations. Eighty-two percent of respondents said there is a clear shortage in cybersecurity, while 71 percent of respondents said this talent shortage has been a primary contributor to the amount of cyber-attacks — because organizations who lack qualified personnel are more desirable hacking targets.

“A shortage of people with cybersecurity skills results in direct damage to companies, including the loss of proprietary data and IP,” said James A. Lewis, senior vice president and director of the Strategic Technologies Program at CSIS. “This is a global problem. A majority of respondents in all countries surveyed could link their workforce shortage to damage to their organization.”

As we noted in June, more companies need talent, so companies are going to continue to be easier targets.

The lack of qualified candidates makes using the resources your organization does have that much more important. That’s one of the many reasons SurfWatch Labs stresses the importance of threat intelligence.

The Hacking and Skill Shortage report also mentioned diversity as being a huge challenge in the cybersecurity skills gap. The report referenced a 2014 Taulbee Survey and an ISC report to address the women and minority diversity challenge:

“In North America, a dearth of women and minorities in the cybersecurity industry mirrors trends in academia, according to a survey of academic institutions that provide degrees in computer science and engineering or information security. In this study, only 2.6% of doctoral graduates of these programs in 2014 were non-Asian minorities, a decrease from 3% in 2013. Women comprise only 17 to 18% of doctoral graduates in computer science, engineering, and information security. This mirrors industry trends, as an (ISC) study of 306,000 professionals in cybersecurity revealed only 11% were women. Anecdotal evidence from our interviews suggests that while relevant technical programs are slowly adding more women, black and Hispanic students remain in short supply.”

If women and minorities are so poorly represented in the cybersecurity workforce, organizations need to recognize this issue and put a plan in action. This is the same with threat intelligence; it’s not enough to do the bare minimum and meet security requirements, you have to recognize where your organization is vulnerable and address those threats head on with practical tools and intelligence.

Podcast: DNC Fallout Continues, LastPass Exploit Discovered and Bitcoin is Not Real Money

A new episode of the SurfWatch Cyber Risk Roundup has been posted, Episode 77: DNC Fallout Continues, LastPass Exploit Discovered and Bitcoin is Not Real Money:

The fallout from the breach at the Democratic National Committee continued as WikiLeaks published more information and Julian Assange vowed that there was more to come. UK Telecom O2 became the latest company to be victimized by batches of previously exposed credentials. Shapeways, Kimpton Hotels, and Korean online store Interpark all made headlines for data breaches. Cybercrime advisories included researcher Tavis Ormandy warning of flaws in password manager LastPass, NIST advising organizations to move beyond SMS-based two-factor authentication, a flaw in Amazon’s Silk web browser, the KeySniffer flaw affecting wireless keyboards, and news of the Chthonic banking Trojan. On the legal front a Miami judge ruled that bitcoin is not real money, Target shareholders’ derivative lawsuit was dismissed, the University of Mississippi Medical Center was hit with a $2.7 million HIPAA settlement, a breach led to a Minnesota county paying a $1 million settlement, and a former Citibank employee was sentenced to prison. Finally, one internet star asked his followers to hand over their passwords, and they did.

Listen to the podcast via the player below, or learn more about SurfWatch Labs’ podcasts on our podcast page.

Supply Chains and Third Parties Continue to Cause Data Breaches

When putting together our recent Mid-Year 2016 Cyber Risk Report, the SurfWatch Labs team began by trying to answer one crucial question: with numerous cybercrime events across thousands of organizations this year, is there a central theme that emerges from all of that data?

In 2014, the data was dominated by a seemingly endless string of point-of-sale breaches. In 2015, the data highlighted a shift towards stolen personal information and more effective ways for cybercriminals to monetize that information. In 2016, the data so far showcases how cybercrime effects often spread beyond the walls of the victim organization.

“The diversity of cyber threats can seem overwhelming when viewed in isolation,” the report noted. “Collectively, they paint a picture of an increasingly connected cybercrime world. Malicious actors excel on taking one piece of information and leveraging it to perform further attacks, gain more information, and widen their reach. The stories so far in 2016 clearly demonstrate this approach, with numerous cyber incidents tied to previous data breaches.”

In fact, the number of cybercrime targets tied to “third-party” tags spiked the month before we published our report. As we noted in our previous blog, many of these incidents were connected to previous data breaches and the tactic of “credential stuffing” — where automated tools are used to exploit large batches of known user credentials to discover new accounts to take over.

2016-07-27_thirdparty.png
SurfWatch Labs collected data on more industry targets tied to “third-party” data breaches in June than any other month so far in 2016.

On Tuesday another company was added to the growing list of third-party victims after its customer data was discovered being sold on the dark web. This time it was UK telecommunications company O2. Once again, the incident was attributed to credential stuffing.

“We have not suffered a data breach,” O2 said in a statement. “Credential stuffing is a challenge for businesses and can result in many [companies’] customer data being sold on the dark net. We have reported all the details passed to us about the seller to law enforcement and we continue to help with their investigations.”

As the BBC noted, “The data was almost certainly obtained by using usernames and passwords first stolen from gaming website XSplit three years ago.”

o2
Although the company wasn’t directly breached, UK Telecom O2 had customer information for sale on the dark web due to data breaches at other organizations and “credential stuffing.”

That XSplit breach occurred in November 2013 and affected 2,983,472 accounts, according to Have I Been Pwned? The breach led to names, email addresses, usernames and hashed passwords being compromised.

That batch of three-year old credentials appears to be the cause of the current breach of O2 accounts — as malicious actors leveraged that old information in order to gain even more personal information on the victims. In addition to names, email addresses and passwords, the O2 accounts for sale on the dark web include users’ phone numbers and dates of birth.

This is a similar scenario to what happened at LinkedIn, the most discussed company related to cybercrime so far this year. A 2012 data breach exposed more than 100 million user credentials. Over the past few months we’ve seen a variety of companies force password resets or otherwise report data theft due to those four-year-old credentials still being reused by customers or employees.

In short, old data breaches are leading to a surge of fresh attacks. However, credential reuse isn’t the only concrete example of the ripple effect of cybercrime, although it certainly is a major issue. This year has also seen more traditional incidents of supply chain cybercrime — where one partner or vendor is exploited to compromise another organization. In fact, SurfWatch Labs has collected data on “third-party” cybercrime impacting dozens of different industry groups so far in 2016.

2016-07-27_thirdpartygroups
While many industry groups have been impacted by “third-parties” this year, Software and IT Services and Consulting are the top trending groups in SurfWatch Labs’ data.

For example, in June we wrote about several healthcare organizations that were victimized by an actor going by the name “TheDarkOverlord,” who was attempting to sell data stolen from healthcare databases on the dark web. This week two of those healthcare organizations publicly confirmed they were victims. As databreaches.net noted, both cited third-parties as a source of the compromise in their repsective statements.

  • Midwest Orthopedics Group: “… To date, our investigation has determined that on May 4, 2016, a hacker, or hackers, likely gained access into our secured database system through a third party contractor and may have obtained some personal information of our patients …”
  • Athens Orthopedic Clinic: “Athens Orthopedic Clinic recently experienced a data breach due to an external cyber-attack on our electronic medical records using the credentials of a third-party vendor. …”

Various agencies and government groups are taking notice of the trend. The Federal Energy Regulatory Commission recently proposed revisions to the critical infrastructure protection (CIP) Reliability Standards, writing in a press release that “recent malware campaigns targeting supply chain vendors highlight a gap in protection under the [current] CIP.” In addition, the new guidelines from the automotive industry’s ISAC call for more transparent supply chains and increased involvement with third-party researchers. Lastly, Air Force chief information officer Lt. Gen. William Bender noted at a recent forum that the supply chain remains a concern that can span across many different companies.

“It’s not just primary vendors, it’s secondary, tertiary and even further down,” he said.

Having threat intelligence on those various partners, vendors and others who may indirectly affect an organization’s cybersecurity is more important than ever. As SurfWatch Labs’ Mid-Year Risk Report concluded, “The effects of cybercrime continue to ripple outwards – affecting those in the supply chain and beyond.” 

Cyber-Insurance, Threat Intelligence and the Wendy’s Breach: Interview with Larry Bowman

Data breaches and other cyber threats have plagued business over the past decade often resulting in a long and expensive recovery process. Luckily for businesses, cyber-insurance can help alleviate some of the financial burden of these cyber-attacks.

“If you were to Google top ten losses due to data breaches in 2015 you would start off with a low of about $46 million for the Home Depot, move into the hundreds of millions with Anthem and Target, and as you get closer to Epsilon you get into the hundred to a billion mark,” said  Larry Bowman, Director at Kane Russell Coleman and Logan PC. “The Veteran’s Administration hack was valued at about $500 million.  These totals are for notification costs, response, cleaning up the computer system, implementing changes to increase encryption and security protection in the system. But, this does not take into account the loss of business and revenue.”

We had a chance to speak with Bowman about cyber-insurance: what is it, what it covers, and how threat intelligence fits into the equation. Bowman also provides some insight on the current Wendy’s point-of-sale data breach. Our conversation follows.

To kick things off, can you explain what cyber-insurance is and what exactly it covers?

To explain cyber-insurance, it’s helpful to first start with a brief explanationLarry Bowman of traditional insurance and then explain the difference between it and cyber-insurance. Traditionally, insurance is for tangible property – such as if you own a home, business, or rent space. You insure property against the risk of loss, and that property is typically tangible property. So, you’ll see language in first-party property insurance – which is insurance industry lingo for like your homeowner’s policy – that is set up to protect you from that. The core insuring agreement – in exchange for premium money – insures the risk of loss which is usually defined in terms as direct physical loss to tangible property.

Secondly, there is a form of insurance called liability insurance. The industry acronym for it is CGL – commercial general liability insurance. And once again, if you act negligently – you being the insured – and you cause damage to some third party’s tangible property, your liability insurance will indemnify you for your legal obligation, which will then indemnify the people you hurt for the damage that you caused to their property.

Along comes hacking and cybercrime and data breaches. The people who are victimized by these third-party attacks make claims to their property insurance coverage. In most instances, whether it is a claim submitted under a traditional property or liability insurance policy , the courts look at these policies’ language  and say there is no coverage because there is no loss to direct tangible property. This doesn’t exist in the virtual world of data and data breaches. There have been some cases where damage has been done to a computer system that looks like it is physical damage. Stuxnet is a great example of how a computer program can damage tangible property. In those cases, traditional policies may cover an insured’s losses.  The bottom line is though, with the outlying cases aside, most cases say for there to be property or liability insurance coverage you have to have physical damage to tangible property, and that doesn’t exist when the insured has lost electronic data.

The losses from companies who suffer a data breach and the lack of insurance from the traditional market created  a market for cyber-insurance. What has happened over the last few years has been the development of specialty insurance products designed to insure against the losses companies face when their computer systems or data is breached or hacked. These policies operate like traditional property or liability policies. But, there is no longer a requirement to have direct physical loss to tangible property. Cyber-insurance policies cover things like the cost of notifications to people affected by a data breach, the cost of hiring security professionals and lawyers to deal with the situation, and the cost of government compliance. It may or may not cover lost revenues or profits. Of course, the scope of coverage is specific to the policy itself.

What are some of the problems with the cyber-insurance industry?

There are a couple problems the insurance industry currently faces. First, the industry only has about  a decade of experience in covering cyber losses – which isn’t a lot of time in the historical knowledge-base of the insurance industry – that makes pricing policies difficult. However, that is a problem in the process of being solved because the quantifiers are coming up with increasingly better models and formulas to allow an insurance company to set up a policy and price it accordingly. The insurance companies like certainty; they like probability. As time goes by and as data improves, this will be easier and easier to do – within reason.

The second problem is the lack of a consensus standard of care for data protection; although there are numerous proposed standards and guidelines for data protection – such as NIST’s cybersecurity framework.   What I am talking about here is that it is nice to know what the rules are. The SEC, FDIC, and FTC have all pronounced in the last couple of years that they think cybersecurity is a board of directors-level issue that requires hands-on knowledge and attention and an effective remedy at the board of high management level. When you fill in the blanks, there are conflicting messages about what a board should do to enable reasonable cyber protections.

At SurfWatch Labs, we believe that robust security features such as firewalls and antivirus software are paramount to a well-rounded cybersecurity strategy. Perhaps just as important, we believe cyber threat intelligence – knowing what threats are out there and knowing how to proceed with security – is just as important. Some of the problems you mentioned with cyber-insurance is a lack of understanding around reasonable cyber protections. Do you believe cyber threat intelligence is a logical step in solving that issue?

As part of the initial application for cyber-insurance a lot of insurance companies will require the company applying for insurance to fill out a detailed form describing what its current cybersecurity policies are. I don’t know if those forms require cyber threat intelligence, but that would be a source of beneficial information. And it may be something that insurance companies should require from insurance applicants.

Are companies utilizing cyber-insurance to protect their assets in case of a data breach?

If you were to Google the amounts spent on cyber-insurance it started out small, but it really started to get off the ground with these well-publicized data breaches. In a few years, this is going to be a multi-billion dollar market. As a matter of fact, I believe it is already up to the billion-dollar mark already, and it is expected to get to about $5 billion by 2020. As the consensus standard gets better defined, using due diligence to protect your company’s assets and customer’s assets is certainly going to be a part of liability cyber-insurance coverage.

I would love to get your take on the current events tied to the Wendy’s data breach. It seems like the number of restaurants affected by point-of-sale malware increases every week.

The loss to Wendy’s is similar to the Target loss. The bad guys have gotten control of point-of-sale information, which means they have people’s credit card information. So what is the exposure to Wendy’s? Wendy’s gets sued by multiple customers who are saying they failed to implement reasonable measures and allowed our payment card information to be obtained by these hackers.

Now, their insurance policy will define what out-of-pocket costs are covered. That’s part of the fun right now is defining what those costs are. Some of those costs are driven by state and federal laws – like notification. If you are a retail company in possession of thousands of credit cards and those cards are obtained by a third-party, you have to notify all of those people about the event.

It’s not just notification costs; it’s everything that is done to investigate the data breach. They might have to pay experts, lawyers, and pay for forensic measures to make sure a breach doesn’t happen again.  There may be costs with complying with regulatory action or government investigations.  Those are just some of the out-of-pocket costs from the breach. Who knows, maybe people won’t trust Wendy’s anymore with their credit card information and consumers may simply avoid the restaurant.

 

 

Podcast: Pokemon Go Tops Cybercrime Targets, GOP Unveils Cyber Platform and Other Risk Trends

A new episode of the SurfWatch Cyber Risk Roundup has been posted, Episode 76: Pokemon Go Tops Cybercrime Targets, GOP Unveils Cyber Platform and Other Risk Trends:

The popular Pokemon Go was this week’s top trending cybercrime target following several incidents including DDoS attacks that disrupted service. DDoS attacks against the U.S. Congress, Philippines Government and WikiLeaks also made news. Data breach announcements include more than 130 stores being impacted by Cici’s Pizza’s point-of-sale breach, Asiana Airlines having 47,000 documents containing customer information stolen, and 2 million users being impacted by a hack at Ubuntu Forums. On the advisory front, SurfWatch Labs released its Mid-Year 2016 Cyber Trends report, Adobe Flash is back in the news, a Stagefright-like vulnerability is affecting Apple devices, and legitimate remote administration software is being used to spread banking malware. The GOP led the way on the legal side of cybercrime as the party unveiled its official platform, including cyber. Oregon Health & Science University was fined $2.7 million. The Department of Commerce will soon being accepting self-certifications for the EU-U.S. Privacy Shield. The St. Louis Cardinals hacking case wrapped up with a 46-month prison sentence. The alleged operator of Kickass Torrents was also arrested this week. Lastly, Pokemon Go is leading many people to get hurt in strange ways.

Download the Mid-Year 2016 Cyber Trends report from SurfWatch Labs: info.surfwatchlabs.com/cyber-threat-…eport-1h-2016

Listen to the podcast via the player below, or learn more about SurfWatch Labs’ podcasts on our podcast page.