Recent Excellus Hack

Excellus Blue Cross Blue Shield, a local Rochester-based health insurance provider that operates in Central and Western New York State, has learned of a major breach within their system. According to the Excellus website, they insure about 7 million customers and patients, but over 10 million people were affected because the breach also included associates Lifetime Benefit Solutions, Lifetime Care, Lifetime Health Medical Group, The MedAmerica Companies, and Univera.

It has been found that there was unauthorized access to Excellus’ IT systems as early as December 2013, and it is estimated that 10.5 million records have been compromised. With help from Mandiant, a cyber-security firm, it was found that names, birth dates, Social Security numbers, addresses, phone numbers, member ID numbers, financial information and even medical records were affected. However, it has not yet been determined if this information was removed from the Excellus systems, and there have been no reports of any of this information being used in any malicious or inappropriate way.

Executives from Excellus stated that their data was encrypted but hackers gained unauthorized administrative access to their systems, allowing them to access the data. On the home page of the Excellus website, as well as those of all its affected associates, a notice appears giving information about the recent cyber attack. Excellus is offering free identity protection to all who are affected, and the FBI is currently investigating this attack.

Excellus Website: https://www.excellusbcbs.com/wps/portal/xl/

Article on SC Magazine: http://www.scmagazine.com/excellus-bluecross-blueshield-announces-breach-105m-records-at-risk/article/437651/

Robert Abbott

Apple Malware Theft

Today Apple had what is quickly becoming known as its largest account theft due to malware. Palo Alto Networks and WeipTech came across a server that held over 225,000 valid usernames and passwords that had been stolen via a new iOS malware family named KeyRaider.

The malware only affects users with jailbroken iOS devices and has struck users in 18 countries. According to Claud Xiao, “The malware hooks system processes through MobileSubstrate, and steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device.”

KeyRaider is also stealing Apple’s push notifications and private keys, and it is also sharing the App Store’s purchasing information. These stolen credentials eventually allow users to make purchases for free using iOS jailbreak tweaks.

They’ve also been locking down devices, and holding them for ransom. It disables unlocking operations, and demands a ransom without going through the Apple push servers.

According to Jonathan Sander (the Lieberman Software VP), and Tim Erlin (Tripwire’s Director of IT Security and Risk Strategy), jailbreaking your iPhone paints a target on your back, and in this case it was taken advantage of.

~ Kathleen Justen

http://www.esecurityplanet.com/mobile-security/225000-apple-credentials-stolen-via-ios-malware.html

Chip and Pin Bank Cards

US banks are finally rolling out a new and more secure type of debit and credit card technology that should strengthen their security. Currently, cards use a magnetic strip that holds the card number and expiration date. This provides very little security, since the card number is transmitted over the point of sale device and the magnetic strip makes it easy to clone a credit card with stolen information. The EMV “smart card” technology (a joint effort of Europay, MasterCard, and Visa) cards have a built-in chip that replaces the functionality of the magnetic strip. However, the chip provides much more security because every time it is used, it generates a one-time transaction code that is cryptographically signed and transmitted. This means that if thieves are able to skim a point of sale terminal or hack into a retailer’s network, the codes they steal are worthless. This could have prevented much of the damage caused by breaches like Target, where millions of card numbers were stolen.

These EMV cards are not exactly new technology, since they have been available since the early 2000s and most of the rest of the world has already adopted them as the gold standard. The rollout in the US has been very slow because of the great costs of issuing new cards and upgrading point of sale terminals at retail locations. However, with identity theft and credit card fraud at an all-time high, the credit card companies are pushing for the new, more secure technology. They are forcing the retailers to transition to the EMV chip and PIN terminals by setting a deadline of October 1st, 2015. After that, any company that accepts credit and debit card payments but doesn’t have chip and PIN readers in place could face increased liability and fines for fraudulent transactions incurred if card data is stolen from them.

Author: Charles Leavitt

Source: http://www.wired.com/2015/04/hacker-lexicon-chip-pin-cards/
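
The one-time transaction code described in the post above, sketched as an added example that is not part of the original post: a card-side secret plus a counter produces a fresh code per purchase, and the issuer rejects a skimmed or altered copy. The class names, the test card number, and the use of HMAC-SHA256 in place of the real EMV cryptogram algorithm are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def _mac(key, pan, atc, amount_cents, nonce):
    # HMAC-SHA256 stands in for the real EMV cryptogram algorithm (assumption).
    msg = f"{pan}|{atc}|{amount_cents}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class ChipCard:
    """Constructed model: the key stays on the chip; only codes leave it."""
    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0

    def pay(self, amount_cents, nonce):
        self.atc += 1  # per-card transaction counter makes every code different
        code = _mac(self._key, self.pan, self.atc, amount_cents, nonce)
        return {"pan": self.pan, "atc": self.atc, "amount": amount_cents,
                "nonce": nonce, "code": code}

class Issuer:
    def __init__(self):
        self._keys, self._last_atc = {}, {}

    def issue(self, pan):
        self._keys[pan], self._last_atc[pan] = os.urandom(32), 0
        return ChipCard(pan, self._keys[pan])

    def verify(self, txn):
        key = self._keys.get(txn["pan"])
        if key is None:
            return "unknown card"
        good = _mac(key, txn["pan"], txn["atc"], txn["amount"], txn["nonce"])
        if not hmac.compare_digest(good, txn["code"]):
            return "bad code"   # data was altered or the code was forged
        if txn["atc"] <= self._last_atc[txn["pan"]]:
            return "replay"     # counter value already seen: a skimmed copy
        self._last_atc[txn["pan"]] = txn["atc"]
        return "approved"

def demo():
    issuer = Issuer()
    card = issuer.issue("4000000000000002")  # constructed test number
    first = card.pay(1999, os.urandom(4).hex())
    skimmed = dict(first)                 # what a compromised terminal records
    altered = dict(first, amount=99999)   # same code, different amount
    later = card.pay(500, os.urandom(4).hex())
    return [issuer.verify(first), issuer.verify(skimmed),
            issuer.verify(altered), issuer.verify(later)]
```

A magnetic strip, by contrast, presents the same static card number and expiration date on every swipe, so the issuer has nothing comparable to the counter check to tell a clone from the original.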

JPMorgan Chase Bank Hacked

JPMorgan, the largest bank in the United States, was hacked over the summer. Earlier this year we saw reports that a hack had potentially occurred and the perpetrators were Russian, and back in August the bank made a statement that it was cooperating with law enforcement officials over the suspected incident, which happened in July.

Just a few days ago, it was revealed that a hack had actually occurred. The damage? 76 million households and 7 million small businesses had their information stolen during the breach.

Interestingly, this comes during a string of other attacks targeting other banking organizations in the United States, and after the attacks on Target and Home Depot.

While JPMorgan states that no financial data has been obtained by the hackers, the user contact information compromised included names, addresses, phone numbers, email addresses and internal customer data. There’s no evidence, however, that account numbers, passwords, user IDs, dates of birth or Social Security numbers were compromised. Further, there has been no fraud seen related to the breach, and JPMorgan has said that customers are not liable for any fraudulent charge.

Even without any direct banking information being compromised, JPMorgan fears that the hackers will come back with a wave of spear phishing attempts and seeks to push awareness of such an attempt – along with other methods – to the forefront of customer minds.

A JPMorgan official says: “Customers of all banks should be more worried about identity theft, that someone in Eastern Europe or Russia or elsewhere steals your identity to get a credit card to say, buy a car or any other item.”

This person notes that “JPMorgan along with all other banks has teams of workers specifically monitoring both customer credit and debit card accounts to detect and stop fake charges as well as cyber hacking activity.”

Thankfully they, along with the FBI, are working on the case. They had better be.

http://www.cnet.com/news/jpmorgan-cyberbreach-exposed-contact-info-for-75m-households/

http://www.foxbusiness.com/industries/2014/10/06/jpmorgan-bracing-for-spear-phishing-campaign-sources/

Old identity protections still apply

Echoing the latest topics in the newspaper, my mother recently remarked how unsettling it was that anyone (criminals included) could see your house on the internet (using Google Maps, Street View). I then “Googled” her name to show her what the layperson could find out about her on-line. She was surprised to see the information and even some pictures of herself as a child that one of her sisters had posted. I told her that bad people were more likely to use a computer to steal her identity rather than rob her house.

As smug as I was about pointing out how little my parents knew about cybercrime, I am sure that they have done a far better job of managing their cyber-identity than I have. They have never done any on-line banking, and usually use the house phone to call websites to place orders. Receipts of checks and financial statements are shredded and even address labels are removed from envelopes before going in the trash. My parents do not have smart phones and only recently have learned to text. As old-fashioned as it seems, it has made their cyber footprints nearly non-existent and reduced their exposure to cybercriminals.

Are my parents 100% safe from identity theft?  Not completely.  Nevertheless, what they have done is avoid storing their personal financial data on an unprotected computer.  The avoidance of storing personal data on one’s computer is one of the ways to protect your identity at school, as stated by Todd Feinman’s article in USA Today (“Protect your cyberidentity”, Aug 31, 2009).  There are numerous articles, from industry experts, that echo the idea of protecting our personal data.  Despite the ability of many applications to store personal information, we should adhere to the idea that we should make sure our information is protected on-line.

Although I do not see myself pulling away from the conveniences of using the internet, my parents have taught me to slow down and consider my vulnerabilities to identity theft.  What seems like a perfectly safe and convenient way to do my banking and on-line purchases now deserves a little more scrutiny.  You can never be too careful.  Some words that my parents can be proud to hear me say!

Other ways to protect your identity at school can be found at:

http://www.tulsaworld.com/business/article.aspx?subjectid=51&articleid=20090831_51_A2_USATod19272
