Monthly news roundup - August 2014 (TL;DR)

NEWS

It’s been a big month for security and account compromise in the news. Whether it is the theft of patient information from a healthcare system or the possible compromise of over 1 billion credentials from sites across the web, this type of story is getting more and more common. But, as this thought piece from CNET states, that doesn’t mean we should stop paying attention. Here’s the TL;DR on a few stories that we found interesting:

  1. Russian hackers grab 1.2 billion credentials (or did they?): On August 5th, multiple outlets reported that a Russian group targeted everything from large corporations to small mom and pop businesses over a period of years to amass a massive amount of user data. In the days after the story broke, doubt surfaced around the legitimacy of the story. At the end of the day, whether or not this particular breach is as severe as originally reported doesn’t matter. The larger point holds: our data is at risk.
  2. Community Health Systems data breached: Community Health Systems, one of the largest health systems in the country, reported that hackers gained access to the personal data of 4.5 million patients. Although medical and clinical records were not compromised, the stolen data is still protected under HIPAA. As more health systems and private practitioners move to Electronic Health Records, the number of attacks on patient data will only increase.
  3. Major banks, including JPMorgan Chase, hacked: In mid-August, Bloomberg reported that hackers allegedly got hold of ‘gigabytes’ of data from JPMorgan Chase. As the story unfolded over subsequent days, it was revealed that the attack compromised 7 of the top 15 banks in the world. The bad guys used a zero-day vulnerability to gain a foothold and worked their way through layers of security to access the data. Security experts noted the sophistication of the attack and believe that it was far beyond the ability of ordinary hackers.
  4. Google releases its security audits to put corporate customers at ease: In an unprecedented move for a company of its size, Google made the results of a private security audit and a security compliance certificate available to the public on its Enterprise site. According to Google, the move is part of the company’s dedication to increased transparency and will give customers a greater understanding of how Google is protecting their data. While security measures on Google’s end, and on the part of other vendors, may be strong, the greatest vulnerability to our data remains the browser. Even the strongest security is vulnerable to human error and account compromise through phishing attacks and other tactics.
  5. A new website publicly shames sites and apps with lax security: A new website called simply HTTP Shaming launched this month to call out sites that do not encrypt user information. A report from security firm IOActive found that 36 out of 40 banking apps and sites had some pages with unencrypted links. As users, we often trust sites with our credentials and other information. While companies should certainly make sure everything is as secure as possible on their end, we should also take greater responsibility for protecting ourselves by using services like Silo.