BreachExchange mailing list archives

Businesses need to wake up and smell the hackers


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 22 May 2014 19:53:40 -0600

http://www.independent.co.uk/news/business/analysis-and-features/businesses-need-to-wake-up-and-smell-the-hackers-9422300.html

Know you should change your password but can't be bothered? Your inertia
may be stirred. The hacking of between 120 million and 145 million eBay
accounts, revealed this week, is the latest in a series of huge data leaks
to have hit corporate giants.

The leaking of 40 million of its customers' credit card details cost the
chief executive of the US retailer Target, Gregg Steinhafel, his job
earlier this month and has dented company performance. The US department
store group Neiman Marcus, British grocer Morrisons and the social network
LinkedIn have also been hit by large-scale data breaches as their goldmines
of customer details have been drained, causing corporate humiliation. From
"spear phishing" to "sprite" hacks, the types of data breaches are becoming
more frequent and more varied.

The perpetrators of the attack on eBay are yet to be discovered but the
auction site said criminals elicited customers' names, encrypted passwords,
email addresses, physical addresses, phone numbers and dates of birth. It
may not seem greatly sensitive but could equate to a mortgage being taken
out in your name or your identity being used to commit crime.

Although no financial information was involved, fears are rising that the
data could be used in conjunction with information from other hacks –
traded on the black market – to build a detailed profile of a victim.
Customers have been told to change their password urgently as the hack
actually occurred three months ago.

In the meantime, the impact of the Heartbleed bug – thought to have hit 17
per cent of the internet's secure servers – has come to light. Although it
is unlikely to be connected to the eBay attack, it heightens the sense that
online security is looking shaky.

Reports suggest that eBay users rushing to change their password have
swamped the site. "Even if every hacked user changed their password, that
would still take six days and many have been unable to change them," says
Ian Shaw, managing director of the consultant MWR InfoSecurity.

The cost of hacking to businesses worldwide is escalating. A report on
cyber crime and espionage by the Center for Strategic and International
Studies in Washington last year estimated that it costs the global economy
$300bn (£180bn) a year. An industry is growing around hacking. Research by
the accountancy firm PwC shows cyber insurance is the fastest-growing
speciality cover ever – worth around $1.3bn a year in the US and anywhere
between £50m and £130m in the EU.

The seismic ripples of hacks will have struck fear into the hearts of those
in charge of protecting priceless data in large financial institutions. The
Financial Policy Committee, the regulator, has recommended that additional
studies are made of cyber crime.

In November, the Bank of England told banks to strengthen their defences
against online saboteurs and invited 100 bankers, regulators and government
officials to take part in a "war game" simulation dubbed "Waking Shark II"
in the City.

Hackers are also raising their profile. Large-scale organisations including
Anonymous and the Syrian Electronic Army have become global names and, in
the latter's case, fed off the recession in hitting out at large corporate
organisations online. However, big companies are also often being
outsmarted by small, organised gangs, causing further embarrassment.

On the surface, companies appear remarkably vulnerable to attacks. eBay
said its systems were infiltrated via the accounts of a "small number of
employee log-in credentials", from which hackers could gain access to an
entire database.

"It's like saying 'I'm a little bit pregnant'," said Andrew France, chief
executive of the cyber defence company Darktrace. "If the accounts hacked
are the chief technology officer or chief executive then the information
could be vital."

Businesses are even more vulnerable when suffering deliberate data leaks.
In March, the details of thousands of Morrisons' customers were leaked
online and to a local newspaper by a disenchanted employee who had
legitimate access to the data. "That was a malicious case but often
employees are just ignorant about how systems work," says Mr France.
"Security needs to spot unusual behaviour, deliberate or otherwise."

The huge eBay security breach also raises a question over public
communications as the attack dated back to February. David Emm, a senior
researcher at the internet security firm Kaspersky Lab, said: "While it
might seem as though eBay has been slow to respond, if the company has only
just discovered the full extent of the attack it is now doing the right
thing by notifying customers in a timely manner."

Cyber crime seems as if it is inexorably on the up, as does the cost of
preventing it. However, if large companies and consumers alike are to
prevent it, decisive and frequent action will need to be taken quickly
before bank accounts are drained. The latest swathe of hacks may just spark
a few more sceptics into action.

Need to know: What to do to stop the hackers

"Change your password, change your password, change your password," says
Andrew France at Darktrace. "I know it's a pain but change it every month,
use upper and lower case letters and different numbers. It's the only
absolute way to avoid hacking."

Brian Krebs, who writes the blog Krebs on Security, which exposed the
Target data breach, also advises changing all passwords, but adds: "Be
extra wary of phishing emails that spoof eBay and PayPal and ask you to
click on some link or download some security tool; attackers are likely to
capitalise on this incident to spread malware and to hijack accounts."