In a prior post on digital threats we discussed that there are two types of cyber crime, “Access” and/or “Disruption”. In the following case studies we will review the type of crime committed, the nature of the data that was stolen and/or the nature of the disruption. Quite often, events in which information is accessed and stolen lead to a follow-on event that disrupts service or burdens the governance, risk and compliance mechanisms of organizations.
What has enabled the increase in cyber crime is the decreased cost of computing and the increased convenience offered by data aggregation.(41) While the cost of automating processes has decreased due to advancements in processing and storage technology, this has also increased the efficiency of money laundering, terrorism, coordination among criminals, and identity theft.(42) Our privacy and security have been threatened because collecting this information is now inexpensive and quick.(43) In parallel, security technologies have remained expensive and antiquated. The theft of the master cryptographic keys to RSA Security’s SecurID system is emblematic of this conundrum and will be the first case we look at.
Case 1: RSA Security – Master Cryptographic Keys Stolen
Date of Event: March 2011
Event Type: Access crime that led to subsequent Access crimes
RSA Security is one of the largest Internet authentication and security companies in the world. With approximately forty million individual end users of its products, the recent compromise of its master cryptographic authentication keys gave many people and organizations reason to pause.(44) The RSA technology requires that a physical key fob, which generates one-time passcodes, be used in order for customers to securely access sensitive systems. Many of RSA’s customers are in data-sensitive industries such as:
- Financial Services, Insurance, and Banking (FSIB)
- Public Utilities
- Electronic Commerce (eCommerce)
This physical token is expensive both to purchase and to administer, and the majority of them had to be replaced.(45) The breach of RSA compromised a number of other critical institutions, such as the large government defense contractor Lockheed Martin. Level 3 Communications, one of the primary Internet backbone providers in the United States, was also breached.(46)
While acquiring the one-time-password generator is a serious compromise, hackers would also need to acquire the “username” and “password” login information specific to each user in order to fully authenticate and illegally access or disrupt systems.(47) The sophistication and bravado of this attack, together with the successful follow-on attacks that exploited it, strongly suggest that it originated with a nation-state actor.(48)
This was a most troubling revelation. However, it strongly supports the notion that more intelligent security systems are needed, ones that take into consideration more than just the access parameters that the user knows (username and password) and has (key fob). Incorporating geolocation and user-behavioral parameters into the security system’s neural decision making would reduce the risk of fraudulent access, even when one or even two parameters are compromised.
Case 2: US Department of Defense – Pentagon Files Stolen
Date of Event: March 2011
Event Type: Access crime that led to data theft
The US Department of Defense is one of the largest customers of RSA Security. In March 2011, the same month RSA had its master cryptographic keys stolen, the US Department of Defense was the victim of a hack in which twenty-four thousand data files were stolen.(49) It has not been confirmed that this was due to RSA Security’s SecurID tokens being compromised, but the timing strongly suggests the two events are related.(50) The stolen data concerned some of the most sensitive systems in the United States, including aircraft avionics, surveillance technologies, satellite communications systems, and network security protocols.(51)
Given the bravado of this specific cyber crime, it is readily apparent that the underlying security holes need to be remedied immediately. If the US Department of Defense is susceptible to this type of crime, then it is not unreasonable to believe that all systems are potentially in a position of compromise. As I stated earlier, the commanding heights of industry and government-regulated industries need to expeditiously make protecting their core technological systems priority number one. Lockheed Martin is one of these organizations, and let’s now take a look at their case.
Case 3: Lockheed Martin
Date of Event: June 2011
Event Type: Access crime that led to theft of top-secret information
The largest information technology management company serving the US government is Lockheed Martin. Lockheed Martin is also a customer of RSA Security.(52) The attack succeeded by compromising Lockheed’s Virtual Private Network, which uses RSA SecurID authentication.(53) Neither the US government nor Lockheed Martin has published the amount or type of data that was stolen; however, it has been acknowledged that the stolen data was highly sensitive in nature. RSA and Lockheed Martin have done additional remediation to shore up their security authentication tokens, but this does not guarantee the sovereignty of systems.(54) It has also been disclosed that this was a defense/nation-state motivated attack.(55) It is expected to take at least three months for replacement security tokens to be assigned and distributed to users within Lockheed Martin.(56)
This is an early demonstration of the need for an authentication system that does not rely solely upon cryptographic algorithms. The economic costs of this breach cannot be measured, but top-secret data is certainly of interest to hackers who sell it on the black market and to nation-state actors with deviant purposes. All authentication systems can be compromised to some degree, and relying solely on one or even two means of authentication protection is clearly not sufficient.(57) After the RSA, US Department of Defense, and Lockheed Martin breaches, the International Monetary Fund was hacked, with critical and privileged economic data being stolen.(58)
Case 4: International Monetary Fund
Date of Event: March – June 2011
Event Type: Access crime that led to theft of sensitive economic data
The International Monetary Fund in 2011 was at the center of the global economic and financial crisis.(59) The organization was in the midst of aiding debt-heavy European nations with bailout loans and economic information to navigate the crisis.(60) The sensitivity of the data obtained by the hackers is such that it could potentially help a person or organization move markets.(61) While this breach is apparently unrelated to the RSA compromise, it shows that the problem of rampant data theft knows no bounds.
The IMF has experienced an increased number of cyber attacks since the global financial crisis.(62) With strict austerity measures being issued by the IMF to nations seeking financial bailouts, it is conceivable that countries subjected to strict austerity could be sufficiently motivated to seek this data; however, competing economic nations could be motivated as well.(63) The IMF reported this was a very sophisticated attack, with software specifically built for its systems.(64) This sophistication strongly suggests that a defense/nation-state actor was at play, although private organizations should not be ruled out. Again, this case strongly suggests that managing user rights based on a weighting of trust would have sufficiently mitigated the risk. While economic data is useful to a thief, the theft of personally identifiable information can have immediate impacts on individuals. In the computer gaming industry, the Sony PlayStation network was compromised, with the personally identifiable information of over seventy million subscribers to the service being stolen.(65)
Case 5: Sony PlayStation Gaming Network
Date of Event: May – June 2011
Event Type: Access crime that led to a complete disruption of service for three weeks and personal information theft affecting seventy million subscribers
Sony’s PlayStation network has approximately seventy million paying subscribers.(66) The gaming network was taken down by hackers, disrupting the service, and account billing information and personally identifiable user information were confirmed to have been stolen as well.(67) Subsequent hacks of the network have occurred since the original one, and subscribers have already been reporting credit card fraud and identity theft due to the breach of the system’s security.(68) Sony turned the service off completely for three weeks until its systems and infrastructure could be analyzed and recovered, and only then restored it.(69)
The already multi-billion-dollar business of Internet gaming is still growing thanks to mobile Internet devices. While Microsoft Xbox, Nintendo, and other gaming companies with large subscriber bases have experienced breaches in the past, none has been as severe, both in disruption of service and theft of data, as Sony’s. This is one of a recent slew of account-information thefts from commercial and electronic-commerce-driven companies. Facebook and eBay/PayPal also recently saw some of their stolen customer account usernames and passwords released.(70)
Case 6: Facebook & PayPal
Date of Event: June 2011
Event Type: Access crime that led to the release of thousands of usernames and passwords for customer accounts
Though it was not a disruption of service, recently stolen usernames and passwords for Facebook and PayPal accounts were openly released on the Internet.(71) While no account damage or financial damage has been reported, this case demonstrates the fragility of the security mechanisms currently in place for accounts.(72) Username-and-password security will be around for some time, but it is easily compromised without additional protection. RSA tokens provide that additional protection; however, their system has been widely compromised and is cost-prohibitive for consumer services of this kind. Encrypting all data in motion and data at rest would further mitigate the risk from such thefts.
This case brings us to the question of what the nature of Internet security is, and how the “personalization” aspects of the Internet can be meaningfully used for other purposes. “Personalization”(73) consists of a number of widely available data factors automatically collected when a person visits a website. These factors can also be used to provide intelligent multi-factor authentication. In essence, intelligent multi-factor authentication technology uses the same data parameters that technology and data aggregation companies use, in order to truly authenticate users. Even when account information is exposed to the public, as in this case, an effective security approach can mitigate the downside risk. So what is Intelligent Multi-Factor Authentication Technology? I will address this question in the next few posts.
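To make the trust-weighted approach argued for in the RSA and IMF cases concrete, here is an added illustration (not code from the original post): each login is scored over the factors the posts name, the password the user knows, the code from the key fob the user has, plus geolocation, device and behavioral context, so that a login made with a stolen password and a valid token code is still challenged or refused when the context does not match. The weights, thresholds, user profile and sample attempts are constructed assumptions.

```python
"""Trust-weighted authentication decision (added example; all values constructed)."""
from dataclasses import dataclass

@dataclass
class LoginAttempt:
    password_ok: bool
    otp_ok: bool              # one-time passcode from the key fob matched
    country: str              # geolocated from the connecting address
    device_id: str            # fingerprint of the connecting device
    hour: int                 # local hour of the attempt, 0-23
    typing_wpm: float         # typing cadence measured on the login form

@dataclass
class UserProfile:
    usual_countries: set
    known_devices: set
    usual_hours: set
    typing_wpm: float

# Assumed weights in points (sum 100): the two credential factors carry the most.
WEIGHTS = {"password": 30, "otp": 30, "geo": 15, "device": 15, "behavior": 10}

def evaluate_factors(attempt, profile):
    """Return which factors agree with what the system already knows about the user."""
    return {
        "password": attempt.password_ok,
        "otp": attempt.otp_ok,
        "geo": attempt.country in profile.usual_countries,
        "device": attempt.device_id in profile.known_devices,
        "behavior": attempt.hour in profile.usual_hours
                    and abs(attempt.typing_wpm - profile.typing_wpm) <= 15,
    }

def decide(attempt, profile, allow_at=90, challenge_at=65):
    """Map the weighted trust score to 'allow', 'step-up' or 'deny'."""
    factors = evaluate_factors(attempt, profile)
    score = sum(WEIGHTS[name] for name, ok in factors.items() if ok)
    if not (factors["password"] and factors["otp"]):
        return "deny", score          # credential factors are mandatory
    if score >= allow_at:
        return "allow", score
    if score >= challenge_at:
        return "step-up", score       # e.g. require out-of-band confirmation
    return "deny", score

# Constructed profile and attempts: the attacker holds a valid password
# and a valid one-time code, as the stolen-seed scenario would allow.
ALICE = UserProfile({"US"}, {"laptop-7f3a"}, set(range(8, 19)), 62.0)
LEGIT = LoginAttempt(True, True, "US", "laptop-7f3a", 10, 60.0)
STOLEN_FACTORS = LoginAttempt(True, True, "ZZ", "unknown-device", 3, 24.0)

if __name__ == "__main__":
    for label, attempt in (("legitimate", LEGIT), ("stolen password+OTP", STOLEN_FACTORS)):
        print(label, decide(attempt, ALICE))
```

With these weights a legitimate user travelling abroad on a known device lands in the step-up band rather than being denied, while the attacker with both credential factors but no matching context falls below the challenge threshold.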