Hacked federal files couldn’t be encrypted because government computers are too old


A great deal of attention has been given to the recent government data breach, which put a reported 14 million current and former government workers’ sensitive data at risk. While the details continue to be sorted out, this incident, along with other highly publicized breaches, hammers home the fact that strategies focused on “keeping the bad guys out”, or on monitoring data crossing a network perimeter alone, are no longer enough to protect an organization’s sensitive data.

The telltale evidence supporting this assertion is that despite the growth in traditional security spending, breach sizes and frequencies are on the rise. Consider data from the recent IBM-sponsored 2015 Cost of Data Breach study by Ponemon:

  • 65 percent of organizations surveyed say the attack evaded existing preventive security controls
  • 95 percent of organizations surveyed did not even discover their breaches for at least three months

Despite best efforts to keep intruders at bay, organizations recognize that blockading their networks is only one part of a larger data protection strategy. The study also suggests that the average breach in the US costs $6.5M, with catastrophic breaches well exceeding the largest loss amount of $29M that the study had sampled.

What’s clear is that a holistic approach that addresses sensitive data management is just as important as traditional security concerns—encryption, prevention, etc. Focusing only on security strategies that prevent infiltration and/or exfiltration leaves a critical flank unguarded and can lead to a false sense of security. If the locations of sensitive data are precisely known and preventive measures such as quarantining, destroying or redacting that data are taken, there is nothing for intruders to find or steal should they make it “past the gate.”

The end result is a significant reduction in the post-breach losses associated with sensitive data breaches. Further, sensitive data management strategies don’t require a complete redo of an organization’s security strategy. While not all breaches are “mega breaches,” every organization has sensitive data it wishes to protect. Making sure that this critical data is where it should be and eliminating all sensitive data that should no longer be present is an important key to overall data risk management.

How Jeb Bush Exposed 12,564 SSNs from a Decade Old Data Breach

In 2003, a PowerPoint presentation containing 12,564 Names, Social Security Numbers, and Dates of Birth was attached to an email sent by an employee of Florida’s Development Disabilities Program to then Governor Jeb Bush and 47 other recipients. In addition to Florida state government email recipients, the message was sent to email addresses at aol.com, comcast.net, juno.com, hotmail.com, netzero.net, att.net, earthlink.net, rr.com, mindspring.com, and bellsouth.net. Because precisely discovering sensitive data and accurately classifying it has historically been difficult, such data was extremely hard to find and control. Today, solutions can automate these processes and help organizations prevent sensitive data leaks such as the incident with Mr. Bush and the recent Sony attack.

Identity Finder researchers used the company’s recently announced Sensitive Data Manager 8.0 software to automatically analyze the email messages and attachments posted to the Internet by Mr. Bush and to quickly and precisely identify sensitive personal information. The results included the discovery of a single file that has exposed over 12,000 individuals to the long-term risks of identity fraud.


That file was a presentation consisting of a single slide displaying a chart of district-level trends for a waitlist. The chart was pasted from Excel into PowerPoint as a “Microsoft Office Excel Worksheet Object,” which Microsoft states “provides access to the entire worksheet in the presentation, including data that you may want to keep private.” As you can see from the screenshot below, it appears as if only a picture of a bar graph exists, but in reality a wealth of underlying data from a large Excel file is embedded in the PowerPoint file. This functionality makes it very difficult for organizations to control information but extremely easy for hackers and identity thieves to gain access to unintentionally exposed sensitive data.


This example spotlights an extremely common data problem in organizations today: employees forget, or never knew, that confidential information exists, causing their sensitive data footprint to grow unintentionally and thereby creating additional targets for cyberattacks. This problem is extremely difficult to solve for enterprises with poor data discovery and classification tools.

As noted in the screenshot below, the chart is editable, not simply a picture.  The underlying Excel data becomes visible when the chart is double-clicked:


Notice at the top it shows Column N, O, P, etc.  By scrolling to the left, A, J, K, L and M appear.  Columns B through I are hidden from view but are still there and contain a wealth of data:


By unhiding Columns B through I, multiple columns of sensitive data are exposed. These include Social Security Numbers, Last Names, Full Names, Middle Initials, and Dates of Birth: all the information needed to commit identity theft, such as filing a fraudulent tax return to claim a tax refund.
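The embedded-worksheet problem above can be checked for mechanically. The script below is an added example, not Identity Finder or Microsoft code: it opens a .pptx as the zip archive it is, lists every object stored under ppt/embeddings/, and for any embedded .xlsx reports each sheet's row count and the column ranges the sheet XML marks as hidden (a `<col ... hidden="1"/>` element). It relies on the public OOXML packaging layout; the sample deck it builds in memory is constructed for the example, and the legacy binary .ppt/.xls formats from 2003 are only flagged, not parsed.

```python
"""Report Excel workbooks embedded in a .pptx and the hidden columns they carry.

Added example, not Identity Finder code. Assumes the OOXML packaging rules:
a .pptx is a zip whose embedded OLE objects live under ppt/embeddings/, an
embedded .xlsx is itself a zip with sheets under xl/worksheets/, and a hidden
column range appears in the sheet XML as <col min=".." max=".." hidden="1"/>.
Legacy binary .ppt / .xls objects are reported as None (manual review).
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {"s": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}


def col_letter(n: int) -> str:
    """1 -> A, 2 -> B, ..., 27 -> AA (spreadsheet column naming)."""
    out = ""
    while n > 0:
        n, rem = divmod(n - 1, 26)
        out = chr(65 + rem) + out
    return out


def col_range_label(rng) -> str:
    lo, hi = rng
    return col_letter(lo) if lo == hi else f"{col_letter(lo)}-{col_letter(hi)}"


def sheet_summary(sheet_xml: bytes) -> dict:
    """Row count plus every hidden column range declared in <cols>."""
    root = ET.fromstring(sheet_xml)
    hidden = [(int(c.get("min")), int(c.get("max")))
              for c in root.iterfind("s:cols/s:col", NS)
              if c.get("hidden") in ("1", "true")]
    rows = len(root.findall("s:sheetData/s:row", NS))
    return {"rows": rows, "hidden": hidden}


def inspect_workbook(xlsx_bytes: bytes) -> list:
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as wb:
        return [{"sheet": name, **sheet_summary(wb.read(name))}
                for name in sorted(wb.namelist())
                if name.startswith("xl/worksheets/sheet") and name.endswith(".xml")]


def inspect_presentation(pptx) -> dict:
    """Map each embedded object to its workbook summary, or None if not OOXML."""
    report = {}
    with zipfile.ZipFile(pptx) as pres:
        for name in pres.namelist():
            if not name.startswith("ppt/embeddings/"):
                continue
            blob = pres.read(name)
            report[name] = (inspect_workbook(blob)
                            if zipfile.is_zipfile(io.BytesIO(blob)) else None)
    return report


# Constructed sample: a one-slide deck whose chart source workbook has
# columns B..I hidden, mirroring the incident described above.
SHEET_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
  <cols><col min="2" max="9" width="12" hidden="1"/></cols>
  <sheetData>
    <row r="1"><c r="A1" t="inlineStr"><is><t>District</t></is></c></row>
    <row r="2"><c r="A2" t="inlineStr"><is><t>North</t></is></c></row>
    <row r="3"><c r="A3" t="inlineStr"><is><t>South</t></is></c></row>
  </sheetData>
</worksheet>"""


def build_sample_pptx() -> bytes:
    xlsx = io.BytesIO()
    with zipfile.ZipFile(xlsx, "w") as wb:
        wb.writestr("xl/worksheets/sheet1.xml", SHEET_XML)
    pptx = io.BytesIO()
    with zipfile.ZipFile(pptx, "w") as pres:
        pres.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        pres.writestr("ppt/embeddings/oleObject1.xlsx", xlsx.getvalue())
    return pptx.getvalue()


def demo() -> dict:
    """Inspect the constructed deck; call inspect_presentation(path) on real files."""
    return inspect_presentation(io.BytesIO(build_sample_pptx()))


if __name__ == "__main__":
    for obj, sheets in demo().items():
        print(obj)
        for s in sheets or []:
            print("  ", s["sheet"], "rows:", s["rows"],
                  "hidden:", ", ".join(col_range_label(r) for r in s["hidden"]))
```

Run against a real deck with `inspect_presentation("deck.pptx")`; any embedded object with a non-empty `hidden` list (or a row count far larger than the chart needs) is a candidate for replacing the live object with a static picture before the file is shared.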


There are 12,594 people listed in these columns. Their personally identifiable information has been exposed outside the State of Florida since 2003 and was exposed to the world when Mr. Bush publicly posted his Outlook PST files (containing over 300,000 e-mail messages and attachments) online. Those individuals should check their credit report immediately to see if they are already a victim, start monitoring their credit, and potentially place a freeze on their credit report.

Between this innocent mistake, the collateral damage from Sony, and the targeted attacks at JP Morgan Chase, Target, Home Depot, and the hundreds of other breaches in 2014, organizations must start to understand the critical importance of reducing their sensitive data footprint and shrinking the target!  Businesses can no longer believe that they can block cyberattacks and keep the bad guys out of their networks.

Sony Pictures’ breach is turning into a horror movie

As you may have heard, Sony Pictures was recently breached. Today’s story in the Wall Street Journal and other media outlets indicates how bad the Sony breach was. If you haven’t heard about this breach, it initially looked like Sony’s intellectual property was the only sensitive data stolen: a number of their unreleased Christmas “blockbusters” were posted online with millions of downloads/views on all the sites that people are using to share media. It turns out, however, that movies were only the beginning of Sony’s sensitive data breach nightmare: more than 33GB of sensitive data belonging to the firm was also posted by hackers.

The folks here at Identity Finder used our enterprise software, Sensitive Data Manager, to discover that more than 600 files that contained social security numbers (these included Acrobat PDFs, Excel spreadsheets, and Word docs) with more than 47,000 unique SSNs were publicly available as recently as Wednesday. In total, those same SSNs were referenced over 1.1 million times in the files, making it quite easy for hackers hoping to steal SSNs to be successful.

Most files containing SSNs were accompanied by other personally identifiable information, such as full names, dates of birth, and home addresses, which creates a clear path for criminals intent on committing identity fraud. Much of this data belonged to more than 15,000 current or former employees of Sony.  Through no fault of their own, deeply personal information such as salary and termination dates and reasons (where applicable) is in the wild and there is very little that these victims can now do about it.

Unlike other forms of sensitive data, such as debit and credit card numbers, Social Security numbers cannot be easily replaced or reissued once compromised. Organizations that experience such a breach are exposing employees and customers to potential identity fraud, which can take many years for victims to remediate. This particular breach serves as yet another example of the importance of proactively discovering and classifying or remediating unprotected sensitive data to prevent theft by cyber criminals.

There’s a good chance that in addition to the employee data, you will also hear something about “celebrity data” that was stolen in this breach because that’s what gets the headlines. It’s certainly unfortunate that their data was also leaked. However, the takeaway from this is that in 2014, the so-called “Year of the Breach,” it has become even more apparent that breaches are inevitable, but what doesn’t have to be a foregone conclusion is that this very important, very sensitive information will be stolen. A comprehensive sensitive data management program that addresses data discovery, data classification, and data protection will minimize the sensitive data footprint and shrink the target. Managing sensitive information can easily keep the crown jewels of an organization right where they belong: safe and secure, no matter who breaks into the network.

Although this was terrible news to find, it doesn’t lessen Identity Finder’s commitment to furthering research that promotes the mission-critical nature of sensitive data management. In 2014 alone, Identity Finder utilized Sensitive Data Manager to uncover more than 630,000 Social Security numbers exposed on IRS Form 990 tax returns and commissioned a Javelin Research survey that examined post-breach customer attrition in three critical industries.

We certainly hope we don’t find any more data out there. If you are one of the victims whose SSN was made public during this data breach, you can freeze your credit so that it cannot be used, or sign up for credit alerts when your SSN is used.

Sensitive data: it’s what hackers want

Bloomberg News, USA Today, and other news sources are reporting that banking giant JP Morgan has suffered a major breach, reportedly gigabytes of sensitive data.

Although law enforcement agencies are still sorting out the cause, early reports indicate that the origin of the attack might involve gaining access to the JP Morgan network via a single employee’s personal computer. Unfortunately, this is a common cause of breaches because there is typically a weak link when trying to penetrate an organization’s perimeter—and that weak link could be as small as one employee’s password enabling remote access to his or her system and the network.

It is all too common to see hackers use a small amount of data to access a system, then farm it for sensitive data that could grant access to the entire network. In addition, there are often many more passwords buried in the data stored on a computer, and these passwords can be used as a launching pad to attack other machines in the network. Those machines ultimately pave a path toward whatever data is the hacker’s ultimate goal.

Hackers are harvesting sensitive data such as passwords to gain further access to an organization, but once they have access, they’re then taking other sensitive data such as credit card numbers, account information, social security numbers, trading information, and intellectual property.  A large enterprise like JP Morgan typically has all of the above—and with the number of customers JPMC has, it is a huge target for stealing information that could lead to identity theft.

Stealing social security numbers provides a quick win for hackers, as opposed to a different piece of data that could be used for insider trading, simply because selling an SSN on underground websites is harder to trace than buying and selling stock using insider secrets on the market. As we saw with Target, one contractor’s password ultimately led to the theft of 40 million credit cards. While Target suffered not only great legal and recovery expense but also loss of revenue, the hackers have been profiting from selling that sensitive information ever since.

Attacks today are less about defacing a website, shutting down a system with denial of service, or sabotaging a company: they are more about data.  Stealing the data for illicit use such as breaking into other systems or selling the data to other criminals is the end game, and once you understand that, it is easy to see that sensitive data management must be a high security priority.

Target breach – 40 Million Card Numbers can’t all come from POS machines….

Aaron Titus, Chief Privacy Officer at Identity Finder provided commentary on the breach reported on Dec 18th.

“Although skimmers (physical devices that steal track data from point-of-sale machines in stores) can collect track data, it is extremely unlikely that hackers could have installed skimmers in Target stores across the country. At this point it seems most likely that Target’s centralized card processing network was compromised with some sort of malware that stole track data, much like the 2009 Heartland Payment Systems breach.”

“Organizations that strictly follow PCI-DSS 2.0 and PCI-DSS 3.0 should be able to prevent most of these sorts of breaches, so I imagine Target has already begun the process of locking down, analyzing and securing their systems,” Identity Finder’s Titus said. “The first step to PCI-DSS 2.0 and 3.0 compliance is sensitive data management through discovery and classification, which can help a company identify broken business processes and technology shortcomings.”

Additional expert commentary:

- Experts suggest it’s an inside job and not merely skimming POS devices at stores
- Experts suggest that better controls and processes would limit the risk and prevent a massive breach of this size


Identity Finder’s Sensitive Data Manager is a critical element in evaluating these controls or refining these processes, as Sensitive Data Manager is incredibly accurate and effective in discovering and classifying credit card data stored on the internal network.

Identity Finder and Javelin new research draw correlation between data breaches and consumer identity theft

In a recent study by Javelin Research commissioned by Identity Finder, we show that data breaches within healthcare and retail environments do correlate with identity theft. In plain English, this means that if a criminal is able to steal data from your healthcare provider, pharmacy or any merchant you do business with, your identity is in jeopardy of fraud and theft.

The study shows that healthcare and retail are two business segments that are most likely sources for consumer identity theft. Here are some eye opening statistics from 2012:

  • 4.4 million Americans were both notified that their payment card information was compromised in a data breach and suffered fraud on their existing credit or debit cards.
  • 1.26 million Americans were both notified that their Social Security numbers (SSN) were compromised in a data breach and became victims of identity fraud.
  • 270 thousand Americans were both notified that their online banking credentials were compromised in a data breach and suffered fraud on their financial accounts, including checking and savings accounts.
  • 324 thousand Americans were both notified that their bank account numbers were compromised in a data breach and became victims of fraud incurred against their checking, savings, or other financial accounts.

Identity Finder recommends that businesses in these segments follow some basic steps to minimize chances of a data breach:

  • Locate and identify sensitive data. Sensitive data is any data that has value to the organization or can expose them to risk if compromised. Sensitive data should include consumer bank account information, payment card data, SSNs and other types of personally identifiable information (PII), as well as trade secrets.
  • Classify sensitive data accordingly. Categorize the information using a naming convention appropriate to the organization. This step can ease efforts to control the access, routing and storage of different types of data.
  • Secure data based on risk profile. Deploy security measures commensurate to the risks associated with the loss of respective categories of data.
  • Develop policies to mitigate future data management issues. Implement and enforce policies designed to prevent unprotected data from being stored outside of approved locations.

For complete findings and survey methodology, please download the research paper at: www.identityfinder.com/us/Files/JavelinDataRiskPart1.pdf

Forthcoming Identity Finder research shows correlation between business data breaches and consumer identity theft

In an upcoming study by Javelin Research commissioned by Identity Finder, we show that data breaches within healthcare and retail environments do correlate with identity theft. In plain English, this means that if a criminal is able to steal data from your healthcare provider, pharmacy or any merchant you do business with, your identity is in jeopardy of fraud and theft.

The complete study will be available on Oct 29.

Leveraging technology to serve community needs

Here is a great post about disaster recovery at a very personal and community level. Identity Finder’s Counsel, Aaron Titus, put together a solution that empowers communities to effectively organize and clean up after a natural disaster. This feature is quite apropos as we approach the first anniversary of Superstorm Sandy.

We’re proud to be associated with you Aaron.

How would you coordinate 30,000 volunteers in 5,000 locations across an arc 500 miles long in just eight weeks?
That was the challenge Aaron Titus faced in the wake of Superstorm Sandy. Undaunted, he went to work. Realizing he couldn’t do it alone, he focused on building a solution that decentralized the coordination process, worked across agencies, and empowered leaders in the field. He succeeded…

Read more at CSOOnline blog

Identity Finder Discovers Google Chrome Users Are Vulnerable to Sensitive Data Theft

Last week, Identity Finder security researchers performed in-depth scans on several employee computers using the latest version of Sensitive Data Manager (SDM). During the scan, SDM pinpointed several Chrome SQLite and protocol buffers storing a range of information including names, email addresses, mailing addresses, phone numbers, bank account numbers, social security numbers and credit card numbers.  SDM found similar data among all employees who consistently use Chrome as their primary browser.

Chrome's History Provider Cache contained SSNs, bank account information, addresses, email, and a bunch of other stuff you'd want to keep to yourself.

We confirmed with each employee that sensitive data, such as social security and bank account numbers, were only entered on secure, reputable websites. Despite employees having entered this information on secure websites, Chrome saved copies of this data in the History Provider Cache. Other SQLite databases of interest include “Web Data” and “History.”  On Windows machines, these files are located at %localappdata%\Google\Chrome\User Data\Default\.

Chrome browser data is unprotected and can be read by anyone with physical access to the hard drive, access to the file system, or simple malware. There are dozens of well-known exploits to access payload data and locally stored files. To see whether Chrome data was at risk of theft, Identity Finder researchers created a small proof-of-concept exploit that would upload Chrome cache data to a third-party site (see screenshot below). In this attack scenario, an attacker would only have to trick a user into permitting access to their file system. Attackers could acquire vast amounts of personal information without requiring users to enter anything into a form, or any system credentials.

In addition, someone with access to a hard drive, for example after a computer is sold on Craigslist, would have access to all of this information, even if it is deleted.

In this scenario, an attacker creates a fake, trustworthy-looking website, and convinces a user to allow heightened access. As soon as the user clicks “Yes,” all of the data is transmitted to a third party.

Strictly speaking, these Chrome vulnerabilities aren’t “new” or completely unknown to technologists. However, Identity Finder is the first security company to demonstrate real-world, non-theoretical risks to sensitive information stored by the Chrome browser. By connecting the dots, we hope to educate all Chrome users that Chrome stores sensitive data unencrypted, alert users of the risks of stored Chrome data, and encourage individuals and enterprises to engage in sensitive data management best practices.


Infographic: Chrome Sensitive Data Risks

We notified Google of the risk, but have not yet heard back.

As of now, Chrome is the only browser we have analyzed in-depth. We may analyze other browsers in the near future. But the fact that these risks have been around since version 2.0 of Chrome, or that similar vulnerabilities may be shared by other browsers, only adds to the urgency for browser makers to secure all stored browser data.

We’ve taken the liberty of compiling a quick infographic illustrating one potential attack vector, and why it’s vital for individuals and enterprises to engage in sensitive data management practices.

Protecting Yourself

Employees, employers, and consumers can easily protect themselves by following good sensitive data management practices. Anytime you enter a credit card number or other PII into a form, be sure to “Clear saved Autofill form data”, “Empty the cache”, and “Clear browsing history” from the past hour and the information you typed will be erased. Alternatively, disabling Autofill or using Incognito mode will protect form data.

Open Chrome, click “Customize and control Google Chrome”, then Settings, then scroll down to “Show advanced settings” then click “Clear browsing data…”. Once the Clear browsing data dialog popup appears, enable the checkmark for “Clear saved Autofill form data”, “Empty the cache”, and “Clear browsing history”. Configure the time setting to include when you typed sensitive data such as “the past hour” then click the button on bottom right: “Clear browsing data”. Finally, restart Google Chrome:





Daniel Tosh: Please Change Your Credit Card in the Next 30 Minutes!

Identity Finder Warns Comedian that Identity Theft is no Laughing Matter

On Monday, September 3rd, Daniel Tosh of Comedy Central’s TOSH.O show issued a challenge the Identity Finder team couldn’t resist:

(Courtesy Comedy Central)

Daniel Tosh offered to retweet the first person to get the right answer. That night he retweeted:

While 40,320 is the mathematically correct number of permutations of 8 digits in 8 places, it is the wrong answer to the question, “What is the maximum number of guesses it would take before you could live the good life?” In less than one second, Identity Finder found the answer: it’s actually just 144. If he owns a Discover Card there are only 129 possibilities, and if he owns a MasterCard, Identity Finder narrowed it down to just 36 guesses. In short, Daniel, even if it took 10 seconds to try each one, your credit card could be hacked in less than half an hour.

The Identity Finder team started with a list of all 40,320 possible permutations, but it took Identity Finder’s Sensitive Data Manager 7.0 just one second to narrow the list to 472 possibilities:

It took just 1 second for Sensitive Data Manager to eliminate 99.6% of the false positive results.

Thanks to a series of powerful validation algorithms that eliminate false positive results, Sensitive Data Manager is the fastest and most accurate solution for PCI and HIPAA compliance.

Next, many of those 472 are obsolete or older card types such as Diners Club. We know Tosh is way too young and cool for those, so Sensitive Data Manager automatically eliminated older and obsolete card types. That leaves us with a list of just 144:

Diner's Club Card for Tosh? No way...

Tosh Way too Cool for Diner’s Club

Of those 144, 129 are Discover and 36 are MasterCard. Especially knowing Daniel’s secret penchant for Discover Card, a hacker could be living the high life in less than 30 minutes, by testing each one (even if it took 10 seconds per try).

So, assuming that Daniel Tosh has a healthy line of credit, and his credit card isn’t maxed out, some identity thief could already be “living the good life.”
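The “validation algorithms that eliminate false positive results” mentioned above, the “locate and classify” steps recommended in the Javelin post, and the scan of Chrome’s SQLite stores all come down to the same discovery logic. The following is an added example written for this page, not Sensitive Data Manager’s code: a regular-expression match is reported only when it passes a structural check (the Luhn mod-10 check digit for payment cards, the area/group/serial rules for SSNs), each card hit is classified by issuer from the public IIN prefix ranges (with legacy 14-digit Diners Club numbers labelled as such, the way the post describes eliminating obsolete card types), and the same scan is applied to every text column of a SQLite database. The sample text, the in-memory table layout and the field names are constructed for the example and are not Chrome’s schema; the card numbers are the publicly documented test numbers for each brand.

```python
"""Sensitive-data discovery with validation and classification.

Added example, not Identity Finder / Sensitive Data Manager code. Pattern
matches are reported as valid only when structurally plausible: Luhn check
digit for cards, issuer classification by IIN prefix (public ranges, assumed
current), structural rules for SSNs. The SQLite walk applies the same scan to
every text column; the table layout used here is constructed, not Chrome's.
"""
import re
import sqlite3

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_issuer(d: str):
    """Classify a digit string by issuer prefix and length (None if no match)."""
    n, two, three, four = len(d), int(d[:2]), int(d[:3]), int(d[:4])
    if d[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if n == 16 and (51 <= two <= 55 or 2221 <= four <= 2720):
        return "MasterCard"
    if n == 15 and two in (34, 37):
        return "American Express"
    if n == 16 and (four == 6011 or two == 65 or 644 <= three <= 649):
        return "Discover"
    if n == 14 and (300 <= three <= 305 or two in (36, 38)):
        return "Diners Club (legacy)"
    return None


def ssn_ok(area: str, group: str, serial: str) -> bool:
    """Structural SSN rules: no 000/666/9xx area, no 00 group, no 0000 serial."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def scan_text(text: str):
    """Return every candidate match with a 'valid' verdict and a masked value."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append({"type": "ssn", "pos": m.start(),
                         "value": "***-**-" + m.group(3),
                         "valid": ssn_ok(*m.groups())})
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        issuer = card_issuer(digits)
        findings.append({"type": "credit_card", "pos": m.start(),
                         "value": "*" * (len(digits) - 4) + digits[-4:],
                         "issuer": issuer,
                         "valid": luhn_ok(digits) and issuer is not None})
    return sorted(findings, key=lambda f: f["pos"])


def scan_sqlite(conn: sqlite3.Connection):
    """Run scan_text over every TEXT value in every table; keep validated hits."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for t in tables:
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{t}")')]
        for row in conn.execute(f'SELECT * FROM "{t}" ORDER BY rowid'):
            for col, val in zip(cols, row):
                if isinstance(val, str):
                    hits += [{"table": t, "column": col, **f}
                             for f in scan_text(val) if f["valid"]]
    return hits


# Constructed sample data (not real records); card numbers are brand test numbers.
SAMPLE_TEXT = (
    "Applicant 123-45-6789, phone ext 987-65-4321, "
    "card 6011 1111 1111 1117, old card 30569309025904, "
    "order ref 4111111111111112, amex 378282246310005"
)


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for a browser's saved-form store (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE form_history (field TEXT, value TEXT)")
    conn.executemany("INSERT INTO form_history VALUES (?, ?)", [
        ("name", "Jane Example"),
        ("ssn", "123-45-6789"),
        ("card", "5555 5555 5555 4444"),
        ("order_id", "4111111111111112"),   # 16 digits but fails Luhn: false positive
        ("ticket", "987-65-4321"),          # SSN-shaped, but area 987 is invalid
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    for f in scan_text(SAMPLE_TEXT):
        print(f)
    for h in scan_sqlite(build_sample_db()):
        print(h)
```

Pointing `scan_sqlite` at a copy of a real profile database (for example the “Web Data” or “History” files under the %localappdata%\Google\Chrome\User Data\Default\ path named earlier, copied while the browser is closed) gives an inventory of what is stored there; masking the matched values in the report keeps the inventory itself from becoming another copy of the sensitive data.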

Thanks for helping us “get smarter, faster“, Mr. Tosh.