Cleaning up after a cyber hack
By Paige Leskin, Medill National Security Zone (a resource for covering national security issues), http://nationalsecurityzone.medill.northwestern.edu
Published Fri, 20 Mar 2015 20:16:11 +0000: http://nationalsecurityzone.medill.northwestern.edu/blog/2015/03/20/infographic-cleaning-up-after-a-cyber-hack/

WASHINGTON — The attacker inevitably has the upper hand when trying to hack a company, cybersecurity experts say.

A company must install security that proactively protects itself from attempted breaches coming in from all sides. A hacker has to find a single weak spot to gain access to the information he or she wants, whether that’s Social Security numbers or data to start a cyberwar.

When companies are facing hundreds of thousands of attempted hacks a day, it’s common for a successful breach to occur, said Mark Rasch, a former federal prosecutor of cyber crimes. Big names such as Home Depot, Target and Anthem Health Insurance have all recently been subject to data breaches.

Cyber experts agreed that companies need to have a step-by-step process in place to use following a hack. A fixed system ensures the attack is fully understood and prevents it from happening again, they said.

An important part in a company’s immediate reaction to a breach is having a quick response team “in place and ready to go,” said Paul Tiao, a partner in law firm Hunton and Williams’ global privacy and cybersecurity practice. Fast mobilization allows the team to stabilize the security system and address legal issues. The company may also wish to contact law enforcement in connection with its internal investigation.

This phase, which Rasch identifies as a step to “stop the bleeding,” lets the company launch an investigation into the details of the hack: how it happened and what was compromised.

Attackers seek all kinds of information on varying levels of importance and secrecy. Some are looking for personal information, including Social Security numbers and bank account numbers. These details are often obtained through stolen credit card numbers, as was the case at Target, or through identity theft, as with Anthem, Rasch said.

Others attempt to take trade secrets, private corporate intelligence and copyrighted information — all of which can be used by a competing entity to infiltrate the company network. Attackers could use the data to damage the company or for personal gain.

Although attacks involving credit card and personal identity thefts attract media attention, breaches involving corporate information are actually more common, Rasch said.

“The reason we hear about those attacks has nothing to do with the size of the organization,” he said. “It has to do with the fact that there are laws that require those kinds of data breaches to be disclosed.”

Forty-seven states, with the exceptions of Alabama, New Mexico and South Dakota, have some sort of law that requires entities to tell affected individuals when their personal information has been compromised. However, the statutes do not extend to private company information, which allows these groups to hide such breaches from the public eye, Rasch said.

Tiao attributed some recent breaches to security lapses associated with outside vendors used by companies, as well as to company employees victimized by social engineering schemes.

Tiao’s latter point is supported by a recent paper titled “Hacking the Human Operating System” from Raj Samani, vice president and chief technology officer for the computer security software company McAfee. Samani identifies humans as the “weakest link in system security,” through which attackers infiltrate companies’ networks. Hackers can manipulate company employees and users through various persuasion techniques, Samani says, including using peer pressure on social media and sending catchy emails as clickbait.

With attackers’ strategies and technologies becoming more advanced and complex, it’s difficult for companies to be a step ahead of evolving hackers.

“In the 70s and 80s, hackers were typically lone experimenters,” Rasch, the former prosecutor, said. “In the 90s and 2000s, you started seeing organized groups of people hacking for profit. The next thing you started seeing is state-sponsored hacking, electronic espionage and now hacking as a tool of warfare.”

Even individual hackers are now part of bigger groups and organizations, Rasch said. Communities existing in the dark web allow hackers to exchange advice and tools that allow them to better their strategy.

Formal bands of hackers rally around an “ill-defined common scheme,” whether it’s political or social, Rasch said. He named Anonymous, a “hacktivist” group, and the Syrian Electronic Army, which uses pop-up messages to notify users they’ve been hacked, as some prominent organized sects that have emerged recently.

But more recently, hacking is being used for cyberwar and cyberterrorism — as in the case of North Korea infiltrating Sony Pictures Entertainment in late 2014. Rasch anticipates that cyber attacks will soon trickle into war and be used successfully hand-in-hand with physical combat.

“It could be as simple as using viruses or worms or malware to jam or shut down a nation’s air defenses, so that you can launch an attack and not get your plane shot out of the air,” Rasch said. “All the things you can do with a bomb, you can do with a logic bomb.”

Similar cyber attacks could be used to disrupt nations’ communications, transportation systems and power grids, Rasch said.

So what happens when a company realizes it’s been attacked?

The company must start to repair the existing damage and notify affected customers in compliance with federal and state data breach notification laws — a process that must be done carefully, yet quickly, Tiao said.

It’s common for companies to send mass letters to their users after a hack has occurred. Days after a major attack affected more than 40 million credit cards at Target, the company sent out a letter in December 2013, disclosing what information had been compromised and advising users to be “vigilant for incidents of fraud and identity theft.”

Target also included a list of Frequently Asked Questions for customers, one of the common communications measures that Tiao suggested in response to a breach of customer personal information. He also recommended consulting public relations experts to deal with the risks, as well as designing a plan for communicating with the media. Litigation and disputes with regulatory agencies and customers are possible, Tiao said, so companies must be prepared to address those.

Entities must also look internally to complete the process of recovering from a hack. Rasch said that companies will assess their vulnerabilities to ensure they won’t experience a similar hack again.

“Every company, no matter their size, has to go back and look at ‘what are our family jewels?’ in terms of information.” Rasch said. “What we’re seeing now is that information security is critical to the operations of businesses of all sizes. There has to be an appreciation for that and a commitment of resources to protect that theft and to recover from breaches.”

By conducting an extensive review of a company’s information assets, its staff can address the most important cybersecurity vulnerabilities, Tiao said. Companies can strengthen their network security policies and practices, and train employees to be more secure and aware in cyberspace, he said.

However, Tiao stressed that a company needs to be prepared before the attack comes rather than taking an entirely reactive approach to cybersecurity. By being ready before the hack, the damage after an attack will not be as bad, he said.

Rasch echoed Tiao, saying that entities can only benefit from being more aware of and knowledgeable about cybersecurity.

“Every organization needs to be able to understand the benefits and the risks associated with electronic commerce,” Rasch said. “That goes to McDonalds’ Corporation and all the way down to [Chicago-based] Edzo’s Burger Shop.”

New talking doll puts kids’ privacies in danger, experts say
By Paige Leskin, Medill National Security Zone
Published Thu, 19 Mar 2015 13:49:07 +0000: http://nationalsecurityzone.medill.northwestern.edu/blog/2015/03/19/new-talking-doll-puts-kids-privacies-in-danger-experts-say/

A new Barbie doll expected to go on sale in the fall is raising concerns among experts over the privacy of society’s “vulnerable and protected population” — children.

“Hello Barbie” is designed to have conversations with its young users through recording, storing and analyzing their voices and then responding to them. This creates a “creepy concept” in which children’s intimate conversations can be kept and listened to, said John M. Simpson, the director of the privacy project at Consumer Watchdog, a nonprofit consumer advocacy group.

“That potential there is tremendously privacy invasion,” he said. “It’s not clear yet all the things they may do if they start to have further data analysis of the kids’ voices and what they’re talking about.”

The latest toy from Mattel uses voice-recognition software to receive and process the audio transmitted from the doll’s built-in microphone. Soon after the introduction of the Barbie doll at a New York City toy fair in February, a petition emerged online calling on Mattel’s CEO to halt the production of the toy.

The advocacy group calling for the doll’s demise, Campaign for a Commercial-Free Childhood, says it generates mechanically-designed play and inhibits children from developing and being creative.

“Computer algorithms can’t replace — and should not displace — the nuanced responsiveness of caring people interacting with one another,” pediatrician Dipesh Navsaria said in a statement. “Children’s well-being and healthy development demand relationships and conversations with real people and real friends.”

Privacy experts questioned why parents would buy such a toy when in-person interactions are readily available and children’s imaginations run wild without the use of technology.

The privacy of children is compromised as Mattel is able to have access to recordings and could use the information for personal gain or sell it off, said Jeffrey T. Child, an associate professor of communication studies at Kent State University in Ohio.

“We’re in an era of big data. Companies pay all the time for whatever they can get about people,” Child said. “Any piece of our identity really has some sort of value.”

Child conceded that Mattel seems to be within legal and ethical bounds when it comes to privacy by disclosing to customers the functions of the toy and the information that the company receives.

However, children’s privacy can still be at risk.

The company does require that a parental permission form be signed before the doll is used, a move that ensures Mattel is not in violation of the Children’s Online Privacy Protection Act, known as COPPA, Simpson of Consumer Watchdog said. Parents are given the opportunity through Mattel to listen in on the doll’s recordings on a regular basis — something that may not be told to children who tell the toy intimate details of their lives they don’t necessarily want their moms and dads to know.

“Maybe the kid’s being vulnerable, talking about their friends,” Child said. “They don’t anticipate their parents to have ownership over that type of private information that they would disclose to this object.”

Private information that children tell the doll could be used to figure out more personal data that could lead to identity theft and family information being compromised, Child said. Mattel should be doing all it can do, he said, to ensure the data is secure and protected from third parties and potential hackers.

The advancement of technology has both its benefits and drawbacks. Child said the iPads his nephews and nieces possess have allowed him to easily talk and interact with them while seeing their faces, even if they are separated by several states. It’s up to people to decide if the technology’s advantages outweigh its risks, he said.

But Child said the privacy that is being given up to Barbie is too drastic to make the toy a good purchase. He predicted that Mattel would not make a profit off the toy once it was released into the buyer’s market.

“In the world of hi-tech, just because you can do something does not necessarily mean you ought to or even want to,” Simpson, the director at Consumer Watchdog, said. “Sometimes I fear that some of our hi-tech people say, ‘oh we can do this, let’s do it.’ That isn’t necessarily the best outcome.”
