TIME cybersecurity

U.S. Intelligence Chief Points Finger at China for Data Hack

Director Of Nat'l Intelligence James Clapper Speaks At Council On Foreign Relations
Bryan Thomas—Getty Images Director of National Intelligence James Clapper speaks at the Council on Foreign Relations on March 2, 2015 in New York City.

Large data breach left millions of Social Security numbers exposed

The most senior U.S. intelligence official has openly implicated China in a large hack of U.S. government data.

James Clapper, the U.S. Director of National Intelligence, said Thursday that China was a “leading suspect” in a recent security breach that saw millions of personnel records of Americans stolen from government computers.

Previously, U.S. officials hadn’t named a suspect for the breach, which was disclosed in early June. Clapper mentioned China at an intelligence conference in Washington, D.C. “You have to kind of salute the Chinese for what they did,” he said, noting the difficulty of the attack.

Earlier this year Barack Obama signed an executive order that grants the Treasury greater ability to impose sanctions on countries who conduct cyberattacks against the U.S. China has denied involvement in the attack, which may have exposed as many as 18 million Social Security numbers.


TIME Security

Cybersecurity Firm LastPass Hacked; User Data Stolen

The strongest argument yet against using "1234567" as a password

In an era of infinite passwords, each with slightly different requirements, LastPass — a company that allows customers to store their password collections online and access them with master passwords — seemed to many like a godsend. Until Monday, that is, after the company announced that hackers had broken into its system, gaining access to password reminders, e-mail addresses and even encrypted master passwords.

The combination of stolen data makes the hacking comparatively serious: simple codes such as “123456” can be hacked easily, regardless of encryption, while reminders like “Where were you born?” can be easily solved using public information from social media or records. Many other passwords can be guessed through so-called “brute forcing,” or using rented computer server firepower to crack encryption, CNN reports.

The company discovered the digital security breach on Friday. “We are confident that our encryption measures are sufficient to protect the vast majority of users,” Joe Siegrist, LastPass CEO and co-founder, wrote in a blog post Monday. “Nonetheless, we are taking additional measures to ensure that your data remains secure. We are requiring that all users who are logging in from a new device or IP address first verify their account by email, unless you have multifactor authentication enabled. As an added precaution, we will also be prompting users to update their master password.”

Siegrist went on to encourage users who have reused their master passwords on other websites to replace those passwords and to encourage users to set up two-step authentication, which involves sending a passcode via text message to a user’s phone, to prevent future data losses.


TIME cybersecurity

Edward Snowden Answered the Question We’ve All Been Wondering

The New Yorker Festival 2014 - Edward Snowden Interviewed by Jane Mayer
Bryan Bedder—Getty Images for The New Yorker General view of atmosphre at Edward Snowden Interviewed by Jane Mayer at the MasterCard stage at SVA Theatre during The New Yorker Festival 2014 on October 11, 2014 in New York City.

He talked about Rand Paul, too

In case you were curious, Edward Snowden still enjoys pizza in Russia.

“Do you miss pizza? Favorite thing about Russia so far? If you could be an insect, which would you be and why?” a Reddit user asked Snowden in a recent AMA, or “Ask Me Anything.” Snowden’s response was short and sweet: “This guy gets it. Russia has Papa John’s. For real.”

But Snowden also took the opportunity to answer questions on more serious subjects. After all, the conversation was centered around Section 215 of the Patriot Act. That’s one section Snowden brought to the public’s attention in 2013 when he leaked information about the NSA’s telephone records collection program.

Snowden took the AMA opportunity to respond to a question about Senator Rand Paul’s filibuster against the Patriot Act. Snowden wrote:

It represents a sea change from a few years ago, when intrusive new surveillance laws were passed without any kind of meaningful opposition or debate. Whatever you think about Rand Paul or his politics, it’s important to remember that when he took the floor to say “No” to any length of reauthorization of the Patriot Act, he was speaking for the majority of Americans — more than 60% of whom want to see this kind of mass surveillance reformed or ended.

Snowden conducted the Reddit conversation along with Jameel Jaffer, the deputy legal director of the ACLU.

TIME cybersecurity

This Massive Healthcare Company Just Got Hacked

Insurer CEOs Head to White House to Discuss Obamacare Woes
Bloomberg—Bloomberg via Getty Images Chet Burrell, chief executive officer of CareFirst BlueCross BlueShield, waits to go through security near the White House in Washington, D.C., U.S., on Wednesday, Oct. 23, 2013. Health insurance executives including WellPoint Inc. Chief Executive Officer Joseph Swedish will meet with top White House officials today as President Barack Obama seeks to contain political damage over the rollout of online enrollment for his health-care expansion. Photographer: Andrew Harrer/Bloomberg via Getty Images

It's the third Blue Cross and Blue Shield insurer targeted in recent years

Hackers have targeted yet another healthcare company.

CareFirst Blue Cross and Blue Shield, a healthcare insurer that provides service for residents in Maryland, Washington and parts of Virginia, said Wednesday that it’s suffered a cyberattacking compromising the records of 1.1 million customers. Modern Healthcare reported Wednesday that hackers compromised a company database last year and could have accessed member usernames, names, birth dates, e-mail addresses and identification numbers.

Social security numbers, financial records, passwords and credit card numbers were reportedly not accessed, CareFirst said in a statement.

The security firm Mandiant discovered the attack occurred in June of last year and was hired to examine the company after hackers targeted other healthcare insurers in recent days, including Premera Blue Cross and Anthem. According to the article, “CareFirst is the third Blue Cross and Blue Shield insurer to acknowledge a cyberattack this year, following record-breaking hacks at Premera and Anthem, which affected 11 million people and 80 million people, respectively.”

“We deeply regret the concern this attack may cause,” said CareFirst CEO Chet Burrell in a statement. “We are making sure those affected understand the extent of the attack—and what information was and was not affected.”

TIME Security

This Tech Keeps You Safe From Hackers

TIME.com stock photos Computer Keyboard Typing Hack
Elizabeth Renstrom for TIME

Encryption is the one thing standing between hackers and your data

From Edward Snowden to Anthem Healthcare, data security has been a hot-button topic the past couple of years. But between politics and personal data, one thing tying these two massive breaches together is encryption — or lack thereof.

Encryption is effectively scrambling up information and making it only decipherable with a key. This information could be a message, as it was in World War II with the Nazis using the Enigma Machine to mix up their communications, or it could be a computer file, as it should be with personal documents emailed to you by your accountant, for instance. An overly simple example of encryption, says Trent Telford, CEO of enterprise encryption provider Covata, would be a word search game.

“To look at it visually, you would just see a big block of 1,000 letters that meant nothing,” Telford says. “But when you decipher it you can see that there are words hidden in there.”

Take that analogy a step further by looking at an encrypted Word document loaded with personal information. Using complex algorithms, this multi-page file with your social security number, your address, and other data is encrypted, and as a part of that process an encryption key is generated. This key is the password required to unlock the algorithm and de-scramble the information within the computer file.

The key and the file should be kept separate from each other to ensure the data’s safety. For example, if someone breaks into your computer and copies that file, it would be useless without the key — all they would see is nonsensical characters, not the personal data that actually exists there.

So, if encrypting files is as easy as that sounds, why isn’t it done all the time?

“Organizations are either lazy or don’t want to affect change in their business,” says Telford. For instance, imagine a company has millions of files all over the place that are used either by people, computer systems, or applications. These files are useless when they’re encrypted, so the company has to find a way to work with the data while allowing automated business processes to keep workflows moving.

“You would need to enable those systems to have the power within that application to decrypt, use the information, and then let that file stay encrypted,” he says. “Organizations now need to put the projects in place and the priorities in place to do this.”

Recent hacks like the ones at at Anthem, Home Depot, and Target have shown how companies sometimes leave data unencrypted. And, Telford points out, the government data that Edward Snowden snagged wasn’t scrambled up either.

End-to-end encryption is a term that consumers have become more familiar with, especially as they’ve done more banking online. The idea that their data could be intercepted as it criss-crosses the Internet is terrifying, but Telford says data is more at risk when it sits on companies’ servers.

“It’s pretty rare that someone steals information in the transport layer, in the tunnel, moving it from A to B,” he says. “It’s when it’s sitting in the clear at either end that it tends to get compromised or stolen.”

The reason for this is that data is fundamentally stored in two ways. The first is on big file server networks, which are essentially enormous hard drives full of all kinds of data that can be encrypted. The second way is in databases, which in most cases can’t be encrypted. Databases are built to have queries run against them so the systems can go and pick out what information they want, quickly. Moving from a database architecture to a server setup is costly and time consuming, which is why companies haven’t been doing it.

But consumers can protect their own computers very easily by encrypting their data too. Windows users can use the BitLocker application to encrypt their drives, while Apple offers a program called FileVault2 to do the same thing on Macs. Still, with the Internet of Things promising to bring us lots more web-connected devices, this is only the beginning for encryption technologies. With millions if not billions more computing devices coming online — only some of which are encrypting their communications — a lot more data is in danger of being exposed. “There’s a whole other vector of attacks from a privacy perspective,” says Telford.


How to Avoid Getting Hacked Next Time You Leave Home

Hero Images—Getty Images/Hero Images

The world is a dangerous place — especially if you’re not careful with your gadgets

How times have changed. It used to be that when you packed for a trip, you wanted to be sure not to forget vitals like your toothpaste, swimsuit, or even travelers’ checks. But if forgotten, those things can be replaced on the road.

Instead, these days, we obsess about packing our smartphones, tablets, and even laptops. However, bringing tech on a trip can expose your entire life to hackers and cyber-crooks. So before you book your next vacation, consider these six tips on how to stay cyber-safe while traveling:

1. Don’t check your device: Make sure you keep your smartphone, tablet, or computer with you, rather than placing it in your checked luggage. “There’s a number of things that could happen to it — getting damaged or stolen — once it’s out of your sight,” says Stacey Vogler, managing director for Protect Your Bubble, a company that provides insurance for everything from cell phones to identity theft. In addition, RFID-blocking products like those made by Silent Pocket can protect everything from your tablet to your passport from digital snoops using over-the-air technology to get at your data.

2. Keep it encased: While keeping your smartphone in a case is great advice for everyday life, it’s especially appropriate when you’re traveling. Firstly, when you’re moving around the world and out of your comfort zone, your phone is especially susceptible to being dropped. Also, thieves eye well-heeled tourists with high-priced handsets whom may not know where to turn if their phone gets lifted. Cases can help camouflage your top-of-the-line model. And finally, you’re more likely to use GPS and other memory-intensive features when you’re out and about, so a battery case is especially helpful on the road.

Incipio makes a line of rugged, battery-boosting cases for a wide range of smartphones that make for great travel partners. Also, if you’re going someplace warm and watery, get a protector that can shield your device from liquids as well as drops. According to data from Protect Your Bubble, water damage claims rise in the summer months.

3. Watch your Wi-Fi: It’s tempting to tap into local wireless networks to cut back on data charges when you’re traveling, especially when you’re abroad. “Be careful which Wi-Fi network that you access,” says Vogler. “Make sure that it’s a secure one, and one that you’ve been given a password for.” If the network you’re connecting to doesn’t require a password, anyone could be on it, and have access to the information you’re sending or receiving. So the rule of thumb is if it doesn’t ask for a password, it’s not secure.

This primer on using public Wi-Fi from Internet security company Kaspersky Labs can help you protect down your phone or tablet if you must use these networks, but the safest bet is to get your access from a trusted, secure source, like your hotel.

4. Password protect your device: Sure, it might be a pain, but password protecting your phone, tablet, and PC is a goal-line defense for keeping cyber-thieves from your personal information. If you think about it, while your phone or tablet may fetch a crook hundreds of dollars; your identity can be worth thousands more. Make sure to enable every safety mechanism available for your device, from iOS’s Find My iPhone to the Android Device Manager used to locate Google-compatible phones. These apps also work for tablets as well, so make sure your slate is set up to be detected, too.

5. Bank the old-fashioned way: More than ever, people need access to and information about their money when traveling. That makes tourists and business travelers alike great targets for data theft. The best way not to expose your financial information is to bank the old-fashioned way: use cash if you can, hit a teller for balance inquiries if possible, or call into your institution’s telephone services if you need remote access. Using the app, as secure as banks make them out to be, only makes you a possible target for identity theft.

6. Stay off social media: Everyone loves sharing vacation photos, but consider showing off your sunset selfie after you touch back down in your hometown. That’s because posting your on-location photos tells people that your home is left unattended. You might think your friends would never use that against you, but if your privacy settings are public (or friends of friends) on Facebook, or if you don’t have a locked-down Twitter account, you’re basically telling the world that you’re not home.

TIME cybersecurity

Cyberattacks Against Big Companies Surged by 40% in 2014, Report Finds

Rafe Swan—Getty Images/Cultura RF

New malware threats crop up at a rate of 1 million a day, according to annual survey of cyberthreats

The number of cyberattacks against large companies rose by 40% last year, according to a new report, which finds hackers have honed spear-phishing and fraudulent email campaigns to focus attacks on larger targets with more precision.

Five out of six companies employing more than 2,500 people were targets of cyber attacks last year, according to Symantec’s annual Internet Security Threat Report. Even as the number of attacks surged, analysts found that the hackers were waging more efficient campaigns, deploying 14% less email to infiltrate an organization’s network.

The authors estimate that in addition to targeted attacks, non-targeted malware continues to proliferate online at a rate of 1 million new threats a day.

TIME White House

Obama Administration Can Now Sanction Foreign Hackers

President Obama Holds News Conference At The White House
Leigh Vogel—WireImage President Barack Obama holds a press conference during which he discussed Sony Pictures' decision not to release "The Interview" in wake of the alleged North Korean hacking scandal at The White House on December 19, 2014 in Washington, DC.

President Obama added a new tool to respond to cyber attacks, authorizing the federal government to levy sanctions against suspected hackers.

Under an executive order signed Wednesday, the Secretary of Treasury can freeze assets of those who engage in “malicious cyber-enabled activity” anywhere in the world so long as that activity is dangerous to the national security, foreign policy or economic stability of America.

The White House is not currently targeting anyone for cyber-related sanctions, but Administration officials said on a conference call they felt it was important to have the framework in place.

The sanctions come in the wake of several high-profile cyber-attacks including Target andJ.P. Morgan Chase as well as a hack of entertainment giant Sony that was blamed on North Korea.

Though the Sony hack led to the first U.S. government imposed sanctions related to a cyber attack, White House officials said Wednesday they have never before had the authority to punish individuals based on the activity, rather than the region or country responsible.

“What we’re trying to do is enable us to have a new way of both deterring [action] and imposing new costs against cyber actors wherever they may be,” said Michael Daniel, a special assistant to the President and cyber-security coordinator.

White House officials say the new sanctions are not meant to replace the existing tools that the Obama administration has put in place to confront cyber threats, but rather to “fill in the gaps.” Under the authority, officials would also be able to target businesses that use illegally obtained trade secrets or information to gain an unfair edge, and individuals and companies that give or attempt to give serious hackers a financial boost.

“We don’t want to just deter those with their fingers on the keyboard,” he said.

MONEY cybersecurity

Hackers Use Malware to Steal $300 Million From Banks

Hackers used malware attached to phishing emails to compromise the security systems of more than 100 banks across the world, according to a new report from security firm Kaspersky.

TIME cybersecurity

Twitter Hackers Announce Start of World War III

By announcing that US and Chinese ships are in "active combat"

Hackers appear to have infiltrated the Twitter accounts of two news organizations Friday to announce a fictional battle between China and the United States.

Identical tweets posted to the feeds of the New York Post and news agency United Press International about “active combat” between U.S. and Chinese navy vessels in the South China sea appear to be the work of hackers:

Screen Shot 2015-01-16 at 1.14.46 PM
Screen Shot 2015-01-16 at 1.14.30 PM

The New York Post announced they had been hacked in a follow-up tweet:

UPI’s Twitter also posted a tweet saying that Pope Francis had declared “World War III has begun,” also presumably the work of hackers.

Screen Shot 2015-01-16 at 1.37.16 PM

The U.S. Navy confirmed to the Military Times that the USS George Washington was in port, and not engaged in battle in the South China Sea.

Your browser is out of date. Please update your browser at http://update.microsoft.com