TIME cybersecurity

This Massive Healthcare Company Just Got Hacked


It's the third Blue Cross and Blue Shield insurer targeted in recent years

Hackers have targeted yet another healthcare company.

CareFirst Blue Cross and Blue Shield, a healthcare insurer that provides service for residents in Maryland, Washington and parts of Virginia, said Wednesday that it’s suffered a cyberattack compromising the records of 1.1 million customers. Modern Healthcare reported Wednesday that hackers compromised a company database last year and could have accessed member usernames, names, birth dates, e-mail addresses and identification numbers.

Social security numbers, financial records, passwords and credit card numbers were reportedly not accessed, CareFirst said in a statement.

The security firm Mandiant, which was hired to examine the company after hackers targeted other healthcare insurers in recent days, including Premera Blue Cross and Anthem, discovered that the attack occurred in June of last year. According to the article, “CareFirst is the third Blue Cross and Blue Shield insurer to acknowledge a cyberattack this year, following record-breaking hacks at Premera and Anthem, which affected 11 million people and 80 million people, respectively.”

“We deeply regret the concern this attack may cause,” said CareFirst CEO Chet Burrell in a statement. “We are making sure those affected understand the extent of the attack—and what information was and was not affected.”

TIME Aviation

Feds Probe Security Expert Who Claims to Have Hacked Numerous Flights

The suspect says he penetrated up to 20 flights during the past four years

Federal authorities have launched an investigation into the actions of a cyber security consultant who claims to have hacked several commercial flights’ computer systems, even causing one aircraft to bank sideways.

According to an official search warrant application, Chris Roberts told the FBI in April that he compromised commercial flights on 15 to 20 occasions from 2011 to 2014 by hacking the vessels’ in-flight entertainment systems.

During one such incident, Roberts allegedly was able to access a plane’s navigational system and caused the craft to veer sideways briefly mid-flight.

On Sunday, Roberts tweeted that his actions were motivated by his desire to help improve aircraft security, but refrained from commenting further.

In a report published last month, the U.S. Government Accountability Office warned that new aircraft might be susceptible to having their in-flight computer systems penetrated via onboard wi-fi networks.

TIME Innovation

What’s Behind the Russia-China Cyber Deal

The Aspen Institute is an educational and policy studies organization based in Washington, D.C.

These are today's best ideas

1. Should we be worried about the new Internet security pact between China and Russia?

By Cyrus Farivar in Ars Technica

2. Here’s a roadmap for building an innovation ecosystem in Africa.

By Jean Claude Bastos de Morais in IT News Africa

3. What if junk food actually kills off the bacteria that keeps us healthy?

By Luke Heighton in the Telegraph

4. We’re about to lose the best way to measure how well we educate poor kids.

By Jill Barshay in the Hechinger Report

5. Want to end the War on Drugs? Don’t talk to Washington. Lobby your local police department.

By Ben Collins in the Daily Beast


TIME Ideas hosts the world's leading voices, providing commentary and expertise on the most compelling events in news, society, and culture. We welcome outside contributions. To submit a piece, email ideas@time.com.

TIME Security

Has Your Browser Been Hijacked by Fraudsters?


It's not unlikely, according to a sobering new study

Illicit “ad injectors” are infecting a not-insignificant proportion of Web browsers, according to a study by Google and the University of California.

The pieces of software replace the ads you’re supposed to be seeing with different, unapproved ones, hurting not only Internet surfers, but advertisers like Amazon and Wal-Mart (and many others), as well as publishers who lose revenues, the study authors said.

Ad injectors make their way into browsers through software downloads and browser extensions. Many users might not even know their browsers are afflicted with them. Google says it has identified more than 50,000 browser extensions and 34,000 software applications that send the fraudulent ads to browsers, pushing aside the ads that were supposed to show up.

Most alarmingly, about a third of the injectors are equipped to steal account credentials and hijack Web searches, returning results meant to benefit the fraudsters. More than 1,000 networks distribute the injectors, Google said, with many of them pushed by “affiliates” who get paid some pittance whenever somebody clicks on one of the ads.

The ads come from so-called “injection libraries,” often via legitimate ad networks. Advertisers big and small end up paying for injected ads they have no knowledge of.

Sometimes, the ads appear even on Web pages, such as Wikipedia, that don’t normally feature advertisements.

Google says that so far in 2015, it has received more than 100,000 complaints about injectors in its Chrome browser. The study indicates that all the major browsers are vulnerable.

And you’re not safe if you’re on a Mac. According to the study, 5.1% of all pageviews involving injected ads came from a computer running Windows. Macs accounted for 3.4%.

Fixing the problem isn’t easy. Google says it is stepping up its monitoring of extensions for Chrome to ensure that they don’t run afoul of policy. Other browser makers do the same. But with so many extensions out there, much of the responsibility falls on users themselves to be hyper-vigilant when downloading software.

TIME Security

This Tech Keeps You Safe From Hackers


Encryption is the one thing standing between hackers and your data

From Edward Snowden to Anthem Healthcare, data security has been a hot-button topic the past couple of years. But between politics and personal data, one thing tying these two massive breaches together is encryption — or lack thereof.

Encryption is effectively scrambling up information and making it only decipherable with a key. This information could be a message, as it was in World War II with the Nazis using the Enigma Machine to mix up their communications, or it could be a computer file, as it should be with personal documents emailed to you by your accountant, for instance. An overly simple example of encryption, says Trent Telford, CEO of enterprise encryption provider Covata, would be a word search game.

“To look at it visually, you would just see a big block of 1,000 letters that meant nothing,” Telford says. “But when you decipher it you can see that there are words hidden in there.”

Take that analogy a step further by looking at an encrypted Word document loaded with personal information. Using complex algorithms, this multi-page file with your social security number, your address, and other data is encrypted, and as a part of that process an encryption key is generated. This key is the password required to unlock the algorithm and de-scramble the information within the computer file.

The key and the file should be kept separate from each other to ensure the data’s safety. For example, if someone breaks into your computer and copies that file, it would be useless without the key — all they would see is nonsensical characters, not the personal data that actually exists there.

So, if encrypting files is as easy as that sounds, why isn’t it done all the time?

“Organizations are either lazy or don’t want to effect change in their business,” says Telford. For instance, imagine a company has millions of files all over the place that are used either by people, computer systems, or applications. These files are useless when they’re encrypted, so the company has to find a way to work with the data while allowing automated business processes to keep workflows moving.

“You would need to enable those systems to have the power within that application to decrypt, use the information, and then let that file stay encrypted,” he says. “Organizations now need to put the projects in place and the priorities in place to do this.”

Recent hacks like the ones at Anthem, Home Depot, and Target have shown how companies sometimes leave data unencrypted. And, Telford points out, the government data that Edward Snowden snagged wasn’t scrambled up either.

End-to-end encryption is a term that consumers have become more familiar with, especially as they’ve done more banking online. The idea that their data could be intercepted as it criss-crosses the Internet is terrifying, but Telford says data is more at risk when it sits on companies’ servers.

“It’s pretty rare that someone steals information in the transport layer, in the tunnel, moving it from A to B,” he says. “It’s when it’s sitting in the clear at either end that it tends to get compromised or stolen.”

The reason for this is that data is fundamentally stored in two ways. The first is on big file server networks, which are essentially enormous hard drives full of all kinds of data that can be encrypted. The second way is in databases, which in most cases can’t be encrypted. Databases are built to have queries run against them so the systems can go and pick out what information they want, quickly. Moving from a database architecture to a server setup is costly and time-consuming, which is why companies haven’t been doing it.

But consumers can protect their own computers very easily by encrypting their data too. Windows users can use the BitLocker application to encrypt their drives, while Apple offers a program called FileVault2 to do the same thing on Macs. Still, with the Internet of Things promising to bring us lots more web-connected devices, this is only the beginning for encryption technologies. With millions if not billions more computing devices coming online — only some of which are encrypting their communications — a lot more data is in danger of being exposed. “There’s a whole other vector of attacks from a privacy perspective,” says Telford.

TIME How-To

How to Avoid Getting Hacked Next Time You Leave Home


The world is a dangerous place — especially if you’re not careful with your gadgets

How times have changed. It used to be that when you packed for a trip, you wanted to be sure not to forget vitals like your toothpaste, swimsuit, or even travelers’ checks. But if forgotten, those things can be replaced on the road.

Instead, these days, we obsess about packing our smartphones, tablets, and even laptops. However, bringing tech on a trip can expose your entire life to hackers and cyber-crooks. So before you book your next vacation, consider these six tips on how to stay cyber-safe while traveling:

1. Don’t check your device: Make sure you keep your smartphone, tablet, or computer with you, rather than placing it in your checked luggage. “There’s a number of things that could happen to it — getting damaged or stolen — once it’s out of your sight,” says Stacey Vogler, managing director for Protect Your Bubble, a company that provides insurance for everything from cell phones to identity theft. In addition, RFID-blocking products like those made by Silent Pocket can protect everything from your tablet to your passport from digital snoops using over-the-air technology to get at your data.

2. Keep it encased: While keeping your smartphone in a case is great advice for everyday life, it’s especially appropriate when you’re traveling. Firstly, when you’re moving around the world and out of your comfort zone, your phone is especially susceptible to being dropped. Also, thieves eye well-heeled tourists with high-priced handsets who may not know where to turn if their phone gets lifted. Cases can help camouflage your top-of-the-line model. And finally, you’re more likely to use GPS and other memory-intensive features when you’re out and about, so a battery case is especially helpful on the road.

Incipio makes a line of rugged, battery-boosting cases for a wide range of smartphones that make for great travel partners. Also, if you’re going someplace warm and watery, get a protector that can shield your device from liquids as well as drops. According to data from Protect Your Bubble, water damage claims rise in the summer months.

3. Watch your Wi-Fi: It’s tempting to tap into local wireless networks to cut back on data charges when you’re traveling, especially when you’re abroad. “Be careful which Wi-Fi network that you access,” says Vogler. “Make sure that it’s a secure one, and one that you’ve been given a password for.” If the network you’re connecting to doesn’t require a password, anyone could be on it, and have access to the information you’re sending or receiving. So the rule of thumb is if it doesn’t ask for a password, it’s not secure.

This primer on using public Wi-Fi from Internet security company Kaspersky Lab can help you lock down your phone or tablet if you must use these networks, but the safest bet is to get your access from a trusted, secure source, like your hotel.

4. Password protect your device: Sure, it might be a pain, but password protecting your phone, tablet, and PC is a goal-line defense for keeping cyber-thieves from your personal information. If you think about it, while your phone or tablet may fetch a crook hundreds of dollars, your identity can be worth thousands more. Make sure to enable every safety mechanism available for your device, from iOS’s Find My iPhone to the Android Device Manager used to locate Google-compatible phones. These apps work for tablets as well, so make sure your slate is set up to be detected, too.

5. Bank the old-fashioned way: More than ever, people need access to and information about their money when traveling. That makes tourists and business travelers alike great targets for data theft. The best way not to expose your financial information is to bank the old-fashioned way: use cash if you can, hit a teller for balance inquiries if possible, or call into your institution’s telephone services if you need remote access. Using the app, as secure as banks make them out to be, only makes you a possible target for identity theft.

6. Stay off social media: Everyone loves sharing vacation photos, but consider showing off your sunset selfie after you touch back down in your hometown. That’s because posting your on-location photos tells people that your home is left unattended. You might think your friends would never use that against you, but if your privacy settings are public (or friends of friends) on Facebook, or if you don’t have a locked-down Twitter account, you’re basically telling the world that you’re not home.

TIME Innovation

This Is Why Fingerprints Are Forever


These are today's best ideas

1. You can change your password if someone steals it, but you’re stuck with your fingerprints forever.

By Aarti Shahani at NPR

2. Can teaching kids to be tough make up for income inequality?

By Rachel M. Cohen in the American Prospect

3. You don’t need a nuclear arsenal to feel safe.

By Erlan Idrissov in the Diplomat

4. America’s high school dropouts are quitting school to go to work.

By Molly M. Scott at the Urban Institute

5. Here’s how AI will help your doctor diagnose cancer better.

By Adam Conner-Simons at MIT News


TIME Aviation

Here’s Why Wi-Fi on Planes Could Lead to a Terrifying Disaster


You'll never complain again about not having the Internet at 30,000 ft.

Yes, having access to Facebook on a long flight helps to pass the time, but it could also be putting passengers in the crosshairs of terrorists and hackers, according to a new report released this week by a U.S. watchdog agency.

In a dossier released Tuesday, the U.S. Government Accountability Office (GAO) said new aircraft may be susceptible to having their inflight computer systems hacked through onboard wi-fi networks or remotely by individuals elsewhere.

“According to cybersecurity experts we interviewed, Internet connectivity in the cabin should be considered a direct link between the aircraft and the outside world, which includes potential malicious actors,” read the 56-page report.

The GAO stated that planes possess firewalls designed to block cyberattacks and protect the craft’s avionics; however, that software is still susceptible to being penetrated.

“Four cybersecurity experts with whom we spoke discussed firewall vulnerabilities, and all four said that because firewalls are software components, they could be hacked like any other software and circumvented,” the report said.

The situation is made all the worse by the prevalent use of smartphones and other mobile devices by passengers and pilots alike on flights worldwide every day.

“The presence of personal smartphones and tablets in the cockpit increases the risk of a system’s being compromised by trusted insiders, both malicious and non-malicious, if these devices have the capability to transmit information to aircraft avionics systems,” stated the dossier.

The Federal Aviation Administration said it has already begun taking steps to make cockpits safer and is consulting security experts to single out areas of concern.

“This threat will continue to evolve and it is something that needs to be at the forefront of our thinking,” Michael Huerta, the FAA’s administrator, told a Senate oversight panel this week, according to Reuters.

Following the publication of the report, lawmakers demanded that the federal agencies act fast to counter any potential threats to the aviation industry.

“[The FAA] must focus on aircraft certification standards that would prevent a terrorist with a laptop in the cabin or on the ground from taking control of an airplane through the passenger wi-fi system,” Representative Peter DeFazio told CNN.


TIME Hacking

Hackers Steal $1 Billion in Massive, Worldwide Breach


A prominent cybersecurity firm says that thieves have infiltrated more than 100 banks in 30 countries over the past two years

Hackers have stolen as much as $1 billion from banks around the world, according to a prominent cybersecurity firm. In a report scheduled to be delivered Monday, Russian security company Kaspersky Lab claims that a hacking ring has infiltrated more than 100 banks in 30 countries over the past two years.

Kaspersky says digital thieves gained access to banks’ computer systems through phishing schemes and other confidence scams. Hackers then lurked in the institutions’ systems, taking screen shots or even video of employees at work. Once familiar with the banks’ operations, the hackers could steal funds without raising alarms, for instance by programming ATMs to dispense money at specific times or by transferring funds to fraudulent accounts. First outlined by the New York Times, the report will be presented Monday at a security conference in Mexico.

The hackers seem to limit their scores to about $10 million before moving on to another bank, Kaspersky principal security researcher Vicente Diaz told the Associated Press. This helps avoid detection; the crimes appear to be motivated primarily by financial gain. “In this case they are not interested in information. They’re only interested in the money,” he said. “They’re flexible and quite aggressive and use any tool they find useful for doing whatever they want to do.”

[New York Times]

TIME apps

This Is Why It’s Risky to Use a Dating App on Your Company Device


Think before you give an app access to your camera or microphone

Employees who use dating apps on their company’s smartphone or tablet could be exposing themselves to security threats such as hacking, spying and data theft, a study by IBM has found.

Researchers analyzed 41 dating applications and found that 60% were potentially vulnerable to cyberattacks, putting personal or corporate data at risk, reports Reuters.

IBM also highlighted problems with employees using their personal phone for work purposes, which is known as “bring your own device,” or BYOD.

“The trouble with BYOD is that, if not managed properly, the organizations might be leaking sensitive corporate data via employee-owned devices,” the report said.

One issue is that when people are looking for love on dating sites, they could be letting their guard down more than they would if they were using email or on the phone, IBM says.

Many of these sites have access to a phone’s microphone, camera or GPS location and so if hackers find a security flaw in the app, they could eavesdrop on potentially sensitive conversations or confidential business meetings.

[Reuters]
