TIME White House

Obama Signs Order to Secure Government Credit Cards From Data Breaches

President Barack Obama signs an Executive Order to implement enhanced security measures on consumers' financial security following remarks at the Consumer Financial Protection Bureau (CFPB) in Washington, DC, October 17, 2014. SAUL LOEB—AFP/Getty Images

"Identity theft is now America's fastest growing crime," said Obama.

President Obama signed an executive order Friday to improve security measures for government credit and debit cards, replacing the standard magnetic stripes with embedded microchips and requiring PINs to authorize transactions. Obama discussed the new order during remarks at the Consumer Financial Protection Bureau Friday.

“Last year . . . more than 100 million Americans had information that was compromised in data breaches in some of our largest companies,” said Obama, referring to high-profile security breaches at Target and Home Depot. “Identity theft is now America’s fastest growing crime. These crimes don’t just cost companies and consumers billions of dollars every year, they also threaten the economic security of middle class Americans who worked really hard for a lifetime to build some sort of security.”

“The idea that somebody halfway around the world could run up thousands of dollars in charges in your name just because they stole your number or because you swiped your card at the wrong place at the wrong time—that’s infuriating,” said Obama. “For victims it’s heartbreaking. And as a country we’ve got to do more to stop it.”

Obama highlighted the efforts of Home Depot and Target to secure their systems after being hit by breaches this year. They will join Walmart and Walgreens in installing chip-and-PIN technology in all their stores, most by the beginning of next year. Obama also noted that the Federal Trade Commission will develop IdentityTheft.gov for victims, to aid the reporting and remediation process with credit bureaus.

“Identity theft has been American consumers’ number one complaint for more than a decade, and it affects people in every community across the nation,” said Federal Trade Commission Chairwoman Edith Ramirez. “I welcome the opportunity for the Federal Trade Commission to participate in this new initiative advancing efforts to address this insidious problem on behalf of consumers.”

The White House also called on Congress to pass data breach and cybersecurity legislation. “The current patchwork of laws governing a company’s obligations in the event of a data breach is unsustainable, and helps no one,” wrote the White House in a statement.

With reporting from Sam Frizell


TIME Security

Here’s How Home Depot Could Have Combated Hacking

Experts say retailers should invest in detection rather than prevention

As Home Depot continues to assess the damage caused by a security breach that gave hackers access to 56 million credit and debit cards, tech experts say large retailers should turn their attention to addressing breaches quickly instead of trying to prevent all of them.

“Are we spending most of our money on trying to keep the bad guys out or trying to detect as soon as possible when the bad guys get in?” asked cyber crime expert Brian Krebs, framing the issue rhetorically. “The best you can do is stop the bleeding as soon as possible when they do get in.”

At Home Depot, where hackers used malware to collect customer card data at cash registers, it took about five months, from April until early September, for the breach to be identified and stopped, allowing the damage to spread to millions of customers.

Companies face myriad and evolving ways their data can be breached, making protecting data akin to a game of whac-a-mole. Once one potential threat is identified, hackers have already begun trying to get through another way. Instead of devoting all their resources to chasing the threats, companies should focus on minimizing the time it takes to identify those breaches, said Brian Foster, chief technology officer at cyber security firm Damballa.

“There are two types of companies: those that have been breached and those that don’t know they’ve been breached yet,” he said. “The attackers only have to find one door in whereas Home Depot has to secure all their doors and before they do that they need to know where all the doors are at.”
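The detection Krebs and Foster are arguing for has a concrete form in the Home Depot case: malware on a register harvests magnetic-stripe Track 2 data from memory, so a defender can sweep process memory for that pattern rather than wait for the card brands to report fraud. The following is an added example, not code from the article or from any of the firms quoted. The memory buffer and card numbers in it are constructed test data (industry test card numbers, not breach data); the Track 2 layout and the Luhn check are standard, and the Luhn filter is there to drop digit runs that merely look like track data.

```python
"""Scan a memory image (or any byte buffer) for magnetic-stripe Track 2
records of the kind that register malware harvests.

Added example, not part of the original article.  SAMPLE_IMAGE is a
constructed buffer containing industry test card numbers only.
"""
import re

# Track 2 on a mag stripe looks like  ;PAN=YYMMSSSdddd...?
# PAN is 13-19 digits, then '=', a 4-digit expiry (YYMM), a 3-digit
# service code plus discretionary data, terminated by '?'.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})\d{3,}\?")


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep the first six (BIN) and last four digits so an alert never carries a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track2(buf: bytes):
    """Return (offset, masked_pan, expiry_yy/mm) for each Luhn-valid Track 2 record in buf."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue            # looks like track data but is not a real card number
        expiry = f"{m.group(2).decode()}/{m.group(3).decode()}"
        hits.append((m.start(), mask(pan), expiry))
    return hits


# Constructed sample "memory image": two valid test PANs, one Luhn-invalid
# decoy that the scanner must ignore, and filler bytes.
SAMPLE_IMAGE = (
    b"\x00\x00POSAPP.EXE\x00"
    b";4111111111111111=15121011000012345678?"   # valid test PAN
    b"\x00padding\x00"
    b";4111111111111112=15121011000012345678?"   # fails Luhn: decoy
    b"\x00more\x00"
    b";5555555555554444=16051011000099999999?"   # valid test PAN
    b"\x00\x00"
)

if __name__ == "__main__":
    for offset, pan, exp in scan_for_track2(SAMPLE_IMAGE):
        print(f"offset {offset:#06x}: PAN {pan} expires {exp}")
```

Run against a dump of the register's process memory (or the registers' outbound traffic, which the same pattern fits), an alert on any hit outside the payment application's own process is the kind of early signal the experts quoted here are asking for; masking the PAN in the alert keeps the detection pipeline itself out of PCI scope.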

But even if retailers like Home Depot shift their focus from prevention to detection, experts say they still need to do a better job securing data. And, for retailers, the first place to look is the “point of sale system” where the transaction occurred (the cash register for traditional retailers).

“Some enhancement of that logical access in the point of sale would have been able to harden the system significantly,” said Guy Levy, senior vice president at technology security firm Usher. “This is part of what any big retailer that employs POS systems should be doing now. They should all be scrutinizing their systems very, very hard.”

Despite the recommendations of security experts, many companies remain reluctant to devote the funding to change. But dealing with massive security breaches almost always costs more in the long-term than instituting preventive measures would have cost. Home Depot said the breach at the company will cost at least $62 million.

“It takes awhile to update your technology, to understand the threat,” said Anup Ghosh, founder and CEO of technology security firm Invincea. “But the most expensive dollar spent in security is spent after a breach.”

TIME cybersecurity

Chinese Hackers Infiltrated U.S. Defense Contractors, Senate Report Says

Army Lt. Col. Cecil Durbin (left) and Air Force Lt. Col Tom Borowiec, a reservist, man the NorthCom Operations Desk inside the Deployment and Distribution Operations Center on Thursday May 1, 2008 at USTRANSCOM, located at Scott AFB in Illinois. Belleville News-Democrat—MCT/Getty Images

Hackers staged at least 20 attacks on private firms involved in the movement of U.S. troops and equipment

Chinese hackers infiltrated U.S. defense contractors on at least 20 separate occasions, and authorities noticed only two of those intrusions, according to the findings of a year-long Senate investigation released on Wednesday.

The Senate probe revealed that hackers targeted private airlines, technology companies and firms that have been contracted by the U.S. Defense Department to transport troops and defense equipment.

“These peacetime intrusions into the networks of key defense contractors are more evidence of China’s aggressive actions in cyberspace,” said Sen. Carl Levin in a public statement accompanying the report. “Our findings are a warning that we must do much more to protect strategically significant systems from attack and to share information about intrusions when they do occur.”


TIME cybersecurity

Nearly 5 Million Google Passwords Leaked on Russian Site

A sign is posted outside of Google headquarters on Jan. 30, 2014, in Mountain View, Calif. Justin Sullivan—Getty Images

The usernames and passwords of 4.93 million users were posted in a Russian Bitcoin security forum

Almost 5 million usernames and passwords purportedly for Google accounts were uploaded to a Russian online forum by hackers late Tuesday.

The International Business Times reports that data for 4.93 million Google accounts of English-, Spanish- and Russian-speaking users was leaked and published on a Russian-language Bitcoin security online forum. The posters said about 60% of the accounts were active.

In a statement sent to TIME, Google said it had “no evidence that our systems have been compromised.”

“The security of our users’ information is a top priority for us,” the statement reads. The company said that whenever it is alerted that accounts may have been compromised, “we take steps to help those users secure their accounts.” Email users are encouraged to use two-step verification when logging into accounts, as well as to create strong passwords.

According to Russian news service RIA Novosti, this leak followed another large hack of Russian email accounts. Several million accounts of Russia-based email services were also posted in a Bitcoin security forum.

TIME Security

Home Depot Confirms Credit-Card Data Hack

The Home Depot home improvement store in Portland, ME on Thursday, September 4, 2014. Home Depot is currently investigating a potential credit card breach, and determining whether customers' card numbers were collected and sold by hackers. Portland Press Herald—Press Herald via Getty Images

The home-improvement retailer says anyone who shopped there since April could be a victim

Hackers infiltrated Home Depot’s payment system and stole an untold amount of shopper information, perhaps including credit-card numbers, the home-improvement retail giant confirmed in a statement Monday.

The hack “could potentially impact any customer that has used their payment card at our U.S. and Canadian stores, from April forward,” Home Depot said in a statement, adding that shoppers online or at store locations in Mexico do not appear to have been affected.

The firm joins the ranks of other major retailers, like Target, that have been the victims of successful, large-scale cyberattacks.

Home Depot disclosed it was looking into reports of “unusual activity” on Sept. 2 and has offered free identity-theft protection and credit-monitoring services to anyone who shopped at a Home Depot store during the months in question.

“We apologize for the frustration and anxiety this causes our customers,” Home Depot said.

TIME cybersecurity

Surveillance in the Movies: Fact vs. Fiction

Experts at a hacker conference answer the question every spy-movie watcher has asked: “Can they really do that?”

For those of us who don’t work at a spy agency, the “intel” we’ve gathered on what state surveillance is like comes primarily from movies and TV shows. But just how realistic are those portrayals? A panel of experts at Defcon, one of the world’s top hacker conferences, which took place in Las Vegas over the weekend, had some answers.

The Simpsons Movie (2007)

“You’re collecting all this hay. How many needles are you finding in the hay?” says Kevin Bankston, policy director for the Open Technology Institute at the New America Foundation, describing the practice of bulk collection. The answer? Not many. Bulk collection has led to “one case where they convicted a cabdriver in San Diego for donating less than $10,000 to a Somali terror group,” Bankston said. “So the question is: Is it worth collecting all of our phone records for that conviction?”

When it comes specifically to this Simpsons clip, Nicole Ozer, technology and civil liberties policy director for the American Civil Liberties Union, says there have indeed been cases of “local surveillance being rolled out in the buses.”

The Bourne Supremacy (2004)

No clip available online, but, to summarize: high-tech devices listening in on conversations around the world pick up on a single phrase — “blackbriar” — that tips off the government.

“As a civil libertarian, this movie was like cinematic crack to me,” Bankston said. With the quantity of data the NSA intercepts and the data-mining abilities of modern computers, picking out a keyword from a random conversation overheard by a surveillance program is not far fetched, he said. “This is not fiction.”

Brazil (1985)

The scene above depicts government agents discussing the use of surveillance tools to eavesdrop on a love interest.

“This brings me back to my days inside the belly of the beast,” says Timothy Edgar, who from 2006 to 2009 served as the first deputy for civil liberties in the Office of the Director of National Intelligence. “It’s a very realistic depiction of the kinds of compliance issues we had to address,” he said, though in reality “the technology was only slightly more obsolete.” According to Edgar, a review of NSA practices by the agency’s inspector general found that over a 10-year period there were 12 instances of intentional misuse of NSA surveillance, all relating to love interests.

The Dark Knight (2008)

A program that uses the microphones in cell phones to create a sonar map of the city is mostly, but not entirely, insane.

“It’s a great mixture of actual plausible technology and really stupid technology,” Bankston said. Law-enforcement and intelligence agencies routinely take control of cell phones by remote in order to turn on microphones and cameras to spy on targets, but doing so with every phone in town at once would probably overwhelm the network. Bankston adds that if 30 million citizens of Gotham brought a class-action lawsuit against Bruce Wayne for this violation of the Wiretap Act, he’d be on the hook, per damages prescribed in the law, for $300 billion.

The Company You Keep (2012)

“This is a pretty straightforward depiction of cell-phone tracking,” Bankston said, which is “routinely done by local law enforcement, as well as the Feds, as well as the intelligence community.”

Minority Report (2002)

This kind of government search — thermal imaging followed by spider robots scurrying through a building and terrifying its inhabitants — is clearly unconstitutional, not to mention creepy. What’s interesting, Edgar notes, is the question of why it’s creepy.

“Is it the fact that they could find Tom Cruise by extracting this data from people in the apartment or the fact that they did it in a creepy way?” he said. (I.e., with bots that look like insects many find terrifying in their own right.) “What if we could just extract the data from the Internet of things that [were] already in your house?” With our homes becoming smarter and more wired, it’s easy to see how timely that question is.

Enemy of the State (1998)

In this scene, the head of the NSA tries to persuade a Congressman not to stop a bill that would give the agency broad new surveillance powers. The Congressman makes the argument — which we hear echoed today by firms like Google and Facebook — that the surveillance state doesn’t just invade privacy, but is bad for business at companies that depend on the trust of clients, including people outside the U.S.

Bankston noted that in the film, (spoiler alert) the NSA goes on to assassinate the Congressman. Edgar pointed out that any such assassination attempt would clearly step on Central Intelligence Agency toes.

“They would object very strongly to the NSA’s doing that,” he said.

TIME

5 Easy Ways to Hacker-Proof Your Home

Refrigerators hijacked to send malicious emails. TVs tapped to spy on their watchers. Baby monitors remotely rigged to stream a stranger’s voice.

These aren’t outtakes from a cheesy sci-fi horror flick. They’re real situations that have happened in homes around the world–made hackable, so to speak, by flawed smart devices. Although there are many advantages to buying gadgets that connect to the Internet, “many of them are not built with security in mind,” says Cesar Cerrudo, an executive at security firm IOActive. And that makes their owners vulnerable: a bit of outdated software in your connected security camera, and a hacker could use it to case your home; a weak password on your connected thermostat, and a hacker could use it as a back door into your wi-fi network–and anything on it.

To be sure, actual horror stories are few and far between. Of the millions of Americans who own at least one connected device, only a small fraction have publicly come forward as victims of malicious home-gadget attacks. And when they do, manufacturers like Samsung–whose smart products were targeted in the past–have been quick to correct security flaws, since consumer trust is paramount for good business.

But it never hurts to be prepared. Here are five expert tips on how to safeguard your smartest devices.


  • Do Your Research

    It may sound too simple, but your home’s first–and often best–line of defense is Google. Before you purchase a connected gadget, search its name plus words like security or vulnerability to “give yourself an idea of what you’re up against,” says Daniel Crowley of info-security firm Trustwave. More important, Cerrudo says, you should investigate how effectively the gadgetmaker responded to any breaches. If the issue was neutralized quickly, you’re probably fine. If a company took weeks to fix its mistake, buy something else.

  • Update Your Software

    In one of the most publicized connected-home hacks, security researchers broke into early models of Samsung’s smart TV, which allowed them to control its camera and access files and apps. Samsung quickly issued a software update to fix the vulnerability, but–as with smartphone apps–it’s often up to users to make sure that a patch is downloaded. The longer you wait, the larger the “window of opportunity” for hacking becomes, says Cerrudo.

  • Strengthen Your Password

    Many people want their connected devices to work right out of the box, so they don’t bother to change the default user names and passwords (or they type a simple one to get going). That makes you extraordinarily vulnerable to hacking, says Crowley, noting that weak passwords were responsible for 31% of the security compromises Trustwave investigated in 2013.

  • Hire a Professional

    If all else fails, soliciting help from an expert to install and configure your devices–and the networks they tap into–can be “the best option,” says Cerrudo. Best Buy’s Geek Squad, for example, can set up your wireless network for about $90 to $130, ensuring that you have the most up-to-date firmware, among other details. As Geek Squad specialist Derek Meister puts it, “We look over all the little settings.”

  • Guard Your Wi-Fi

    Even if your smart devices are secure on their own, hackers can still break into your control network through a lost smartphone (if you’ve used it to control your gadgets) or unsecured home wi-fi (which many gadgets use to sync with the cloud), enabling all kinds of mischief. To add another layer of difficulty for would-be hackers, Crowley suggests setting up a separate, secure wi-fi network exclusively for your connected devices.

TIME Security

U.S. Organizations Falling Behind in Fight Against Cyber Crime, Study Says

The 2014 U.S. State of Cybercrime Survey says that "common criminals, organized crime rings, and nation-states" have the upper hand when it comes to cyberthreats

A new report finds that American businesses and institutions are failing to meet the cybersecurity threat posed by hackers at home and abroad.

“One thing is very clear: The cybersecurity programs of U.S. organizations do not rival the persistence, tactical skills, and technological prowess of their potential cyber adversaries,” finds the 2014 U.S. State of Cybercrime Survey. “Today, common criminals, organized crime rings, and nation-states leverage sophisticated techniques to launch attacks that are highly targeted and very difficult to detect.”

Syria, Iran and Russia are cited as “a particularly pernicious threat.”

The authors of the report—PricewaterhouseCoopers, the CERT Division of Carnegie Mellon University’s Software Engineering Institute, CSO magazine, and the U.S. Secret Service—say their findings are based on a survey of more than 500 U.S. business executives, law enforcement services and government agencies, as well as previous research and recommendations provided by the National Institute of Standards and Technology.

The report lays out the mounting threat to infrastructure systems like gas pipelines and the electrical grid, as well as the disproportionately high financial cost of cybercrime to American organizations compared with organizations elsewhere in the world.

The report advises companies to invest in protecting the “crown jewels” of a company, such as customers’ financial information for a retailer and trade secrets for a pharmaceutical company. Several large companies, including Target and eBay, have recently admitted being infiltrated by hackers. In Target’s case, an estimated 40 million customers had credit and debit card data stolen.


TIME trade

What Chinese Cyber-Espionage Says about the Chinese (and U.S.) Economy

The Obama Administration's outrage over Chinese hacking has its roots in conflicting views of the government's role in private business. So don't expect a meeting of the minds anytime soon.

Imitation is the sincerest form of flattery, but that’s probably cold comfort to firms like Westinghouse and U.S. Steel, which the U.S. Justice Department says have been hacked by Chinese cyber-espionage teams. By indicting the Shanghai-based team allegedly responsible for the attacks, which are largely conducted in order to give the Chinese an edge in the global economy, Attorney General Eric H. Holder Jr. is trying to draw a line between the sort of snooping that the U.S. National Security Agency does for strategic security purposes, and the kind that the Chinese do, which often involves intellectual property theft or the culling of business secrets for competitive advantage.

The problem is that the Chinese don’t recognize that difference, because in China, the state is the economy. I was actually in China as the Edward Snowden story was breaking in 2013, and I remember the Chinese being indignant about what they perceived as U.S. hypocrisy around cyber-snooping.

The growing importance of the Chinese state in the Middle Kingdom’s economy over the last 15 years or so is crucial to understanding the hacking affairs. During the period of China’s highest growth, in the years leading up to 1995, the country was all about unleashing the private sector, and paring back the public. A lot of public sector workers were laid off, Beijing liberalized various sectors of the economy, and the private sector took off. But since the mid 1990s, that trend has been shifting.

State-owned enterprises, or “SOEs,” have been sucking up more of the country’s financial resources (they get about 80% of all debt financing, while providing only 20% of employment), which is one of the reasons that the Chinese economy is slowing. That makes it harder for the country to move up the economic food chain, from lower-end manufacturing to higher-end products and services, which is what it needs to do to move from being a poor country to one in which most of its citizens are middle class. It’s telling that some of the highest levels of unemployment in China are amongst new white-collar college graduates; the country just isn’t creating enough high-level companies, or jobs.

Which goes right to the heart of the hacking indictments. Despite all the hoopla recently over the fact that the World Bank expects China to surpass the U.S. as the world’s largest economy this year, there’s a big difference between being big and being rich. Average U.S. worker wages are between six and ten times what they are in China because U.S. companies produce higher-end goods and services. The Chinese economy is still largely a copycat economy—albeit a very good one. Chinese companies tend to take ideas from developed-country firms (either legally or otherwise) and try to tweak them slightly to make them cheaper, more suited to local markets, etc. That’s why Chinese hackers were searching for intellectual property secrets at Westinghouse, and probably countless other Western firms. It’s something that American firms in China complain about constantly, and have largely taken as a cost of doing business there.

What’s more interesting, though, are reports that Chinese hackers were also looking for things like the trade deals and strategies of U.S. steel firms. This may speak to one reason that the Obama administration decided to make a big deal of Chinese hacking now. In an age of slower global growth, when all boats are not rising, issues like intellectual property theft and trade tensions become more fractious. The U.S. has been complaining for some time now that China won’t play by the existing rules of the global economy, and that given its size and economic heft, this can’t be allowed to continue. Since the financial crisis and recession of 2008, analysts have been predicting that the U.S. and China would eventually come to blows over trade issues—and it’s interesting that many of the firms being hacked were also those that had approached the WTO about Chinese trade violations.

It will also be interesting to see how the Chinese respond to the Justice Department indictments; needless to say there’s no way they’ll be handing over any hackers and they’ve already pulled the plug on a cyber-espionage working group with the U.S. that was supposed to address some of the tensions between the two countries. One thing you can count on, says Conference Board China economist Andrew Polk, is that the slow growth, increasingly nationalistic environment in the Middle Kingdom is going to “make it tougher for foreign firms to do business there.” As if it was ever easy.


TIME Security

Microsoft Fixes Internet Explorer Security Bug

The security flaw that allowed attackers to bypass the browser's security protections and gain the same access to a networked computer as its user has been taken care of

Microsoft has fixed the security glitch in Internet Explorer that caused the Department of Homeland Security to advise users not to use the browser until the problem was resolved, the tech giant announced on Thursday.

Most users will not have to take any action as the fix will be downloaded automatically, but customers who haven’t enabled automatic updates are encouraged to apply the update manually as quickly as possible.

The security flaw, which Microsoft disclosed last weekend, potentially gave an attacker the same level of access to a networked computer, and to the personal information on it, as the legitimate user.

Web users who are still using Windows XP were especially vulnerable.
