Red Cross Blood Bank – Australia’s Largest Data Breach

On Friday 28 October 2016, the ABC published a news report about the disclosure of private blood donor information from Australia’s Red Cross Blood Service (ABC 2016).  The personal information of about 550,000 blood donors had been exposed, including names, addresses, and answers to questions about “at-risk sexual behaviour”. This is believed to have been Australia’s largest data breach.

Public reports to date, such as Troy Hunt’s, indicate the breach was not the result of a hack or forceful act: a database backup had been left on a publicly accessible web server run by a contractor, where it was found by someone scanning for exposed files, a routine kind of activity on the internet.  Whilst indications suggest the spread of the leaked data is limited, it calls into serious question how such a critical service could have had such a lapse in data handling practices.

Upon reading the reports of the breach, the technically minded would have spotted the poor, or absent, data handling practices.  As Hunt states, “most organisations have a raft of different systems, processes, people and partners that handle their data” (Hunt 2016), and based on his experience “it’s not unusual to see data pass through many hands. It shouldn’t happen, but it’s extremely common” [Troy Hunt’s emphasis] (Hunt 2016).

Mitigation

To reduce the chances of similar events happening again, rigorous data handling practices are needed.  Some of these practices include:

Data Anonymity

Personally identifiable information should be handled in identifiable form only when the task genuinely requires it. The default treatment should be to anonymise or pseudonymise it, keeping whatever key or mapping allows re-identification separate from the data itself, so that a copy of the data set on its own identifies nobody.
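As an added illustration (not code from the original article or from the Blood Service), the following Go program builds a pseudonymised export of constructed donor records using HMAC-SHA256 with a key that stays with the data owner, coarsens the postcode to a region, and then shows why the common shortcut of a plain hash is not anonymisation: a hashed four-digit postcode is reversed by enumerating all 10,000 values. The record layout, field names and key value are assumptions for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Donor is a constructed record shaped like a row a blood service might
// hold; every value used below is made up for this example.
type Donor struct {
	Name     string
	Email    string
	Postcode string // Australian postcodes are four digits
	AtRisk   bool   // answer to an at-risk behaviour question
}

// Export is what may leave the production system: no direct identifiers,
// a keyed token in their place, and the postcode coarsened to a region.
type Export struct {
	Token  string
	Region string
	AtRisk bool
}

// pseudonym derives a stable token for one field value with HMAC-SHA256.
// The key is the only way back to the person; it stays with the data owner
// and is never shipped with the export. The field name is mixed in so the
// same string appearing in two fields does not yield the same token.
func pseudonym(key []byte, field, value string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(field + "\x00" + value))
	return hex.EncodeToString(mac.Sum(nil))[:16]
}

// Anonymise builds the export. Quasi-identifiers such as the postcode are
// generalised rather than tokenised: a token of a postcode would still
// single out a small town once joined with other data.
func Anonymise(key []byte, donors []Donor) []Export {
	out := make([]Export, 0, len(donors))
	for _, d := range donors {
		region := "unknown"
		if len(d.Postcode) == 4 {
			region = d.Postcode[:2] + "xx"
		}
		out = append(out, Export{
			Token:  pseudonym(key, "donor", d.Email),
			Region: region,
			AtRisk: d.AtRisk,
		})
	}
	return out
}

// unkeyedHash is the anti-pattern: "anonymising" a low-entropy field with
// a plain hash. Anyone holding the export can enumerate the input space.
func unkeyedHash(value string) string {
	sum := sha256.Sum256([]byte(value))
	return hex.EncodeToString(sum[:])
}

// ReversePostcode recovers the postcode behind an unkeyed hash by trying
// all 10,000 candidates, which takes milliseconds. The same loop against a
// keyed token gets nowhere without the key.
func ReversePostcode(h string) (string, bool) {
	for i := 0; i < 10000; i++ {
		candidate := fmt.Sprintf("%04d", i)
		if unkeyedHash(candidate) == h {
			return candidate, true
		}
	}
	return "", false
}

func main() {
	key := []byte("hypothetical-key-fetched-from-a-kms") // never stored with the export
	donors := []Donor{ // constructed sample rows
		{Name: "Ada Example", Email: "ada@example.org", Postcode: "3000", AtRisk: true},
		{Name: "Bob Example", Email: "bob@example.org", Postcode: "2600", AtRisk: false},
	}
	for _, e := range Anonymise(key, donors) {
		fmt.Printf("%+v\n", e)
	}
	if pc, ok := ReversePostcode(unkeyedHash("3000")); ok {
		fmt.Println("unkeyed hash of a postcode reversed to:", pc)
	}
}
```

The token lets an analyst count donations per donor without ever seeing who the donor is; the HMAC key, held in the production key store, is what turns the export back into people, and it is the thing that must never sit beside the data.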

Information Classification Scheme

A simple information classification scheme assigns each data set a level according to its sensitivity and privacy requirements, and ties the handling rules (where it may be stored, how it may be transferred, how long it is kept) to that level. An onerous classification scheme becomes unwieldy and is susceptible to misuse; a handful of levels is usually enough.

Needs-Based Access

This is a simple control that, in contrast to the information classification scheme, classifies the people rather than the data: access to sensitive and private information is granted only to those whose role requires it, and is denied by default. The two work together, since a person’s clearance decides which levels they may see, and their need-to-know decides which fields within a level they actually get.
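As an added example of how the two controls above combine (this is illustrative code, not anything from the original article or the Blood Service), the Go program below labels each field of a constructed donor record with one of four classification levels, then makes a single default-deny decision per field that requires both sufficient clearance and an explicit need-to-know grant. An unlabelled field (here "phone") is denied outright. Field names, levels and principals are all assumptions for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Level is a deliberately short classification ladder. Four levels are
// enough for most organisations; more tends to be ignored in practice.
type Level int

const (
	Public       Level = iota
	Internal
	Confidential // personal information: name, address, date of birth
	Restricted   // sensitive personal information: health, sexual behaviour
)

// schema labels each field once; every copy, export and report inherits
// the label. Field names are constructed for this example.
var schema = map[string]Level{
	"donor_id":    Internal,
	"blood_type":  Internal,
	"name":        Confidential,
	"address":     Confidential,
	"risk_answer": Restricted,
}

// Principal is a person or system asking for data. Clearance alone is not
// enough: for Confidential and above the field must also be in NeedToKnow,
// which is granted per role and purpose rather than handed out broadly.
type Principal struct {
	ID         string
	Clearance  Level
	NeedToKnow map[string]bool
}

// Allowed is the single decision point. An unlabelled field is denied,
// because the field nobody classified is the one nobody thought about.
func Allowed(p Principal, field string) bool {
	lvl, ok := schema[field]
	if !ok {
		return false
	}
	if p.Clearance < lvl {
		return false
	}
	if lvl >= Confidential && !p.NeedToKnow[field] {
		return false
	}
	return true
}

// Redact returns the view of a record the principal may see. Denied fields
// are dropped rather than blanked, so a consumer cannot even infer them.
func Redact(p Principal, record map[string]string) map[string]string {
	view := map[string]string{}
	for field, value := range record {
		if Allowed(p, field) {
			view[field] = value
		}
	}
	return view
}

func main() {
	record := map[string]string{ // constructed sample row; "phone" was never classified
		"donor_id": "D-1001", "blood_type": "O-", "name": "Ada Example",
		"address": "1 Example St", "risk_answer": "yes", "phone": "0400 000 000",
	}
	nurse := Principal{ID: "collection-nurse", Clearance: Restricted,
		NeedToKnow: map[string]bool{"name": true, "risk_answer": true}}
	mailer := Principal{ID: "mailing-contractor", Clearance: Confidential,
		NeedToKnow: map[string]bool{"name": true, "address": true}}
	for _, p := range []Principal{nurse, mailer} {
		view := Redact(p, record)
		fields := make([]string, 0, len(view))
		for f := range view {
			fields = append(fields, f)
		}
		sort.Strings(fields)
		fmt.Println(p.ID, "sees", fields)
	}
}
```

The point of funnelling every read through one Allowed function is that the contractor building a mailing list gets name and address and nothing else, however the data is queried or exported; had a control like this sat in front of the Blood Service’s data, a full dump with the eligibility answers would have had no legitimate consumer to be produced for.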

Encryption of private information

This is a technical control that provides a safeguard should people-oriented controls be ignored or fail. Engineering a bespoke encryption solution is a discipline demanding thorough knowledge and study, and is not something to attempt in-house. Organisations should adopt encryption solutions based on well-studied standards and retain control of their private keys and passwords at all times, so that a copy of the data that escapes (a backup left on a web server, say) is useless without the key held elsewhere.
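As an added example (not from the original article), here is what encrypting a backup at rest with a well-studied standard looks like in Go: AES-256-GCM from the standard library, a key that is supplied at run time rather than stored with the output, and a label binding the ciphertext to its file name. The program then shows that the blob an internet scanner would find is unreadable, and that a wrong key or a single flipped byte fails authentication. The key source and file name are assumptions; a real deployment fetches the key from a KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Seal encrypts a backup with AES-256-GCM, which gives confidentiality and
// integrity in one step. key is 32 bytes obtained from a KMS or HSM at run
// time and is never written next to the output. label binds the ciphertext
// to its context (file name, environment) so one blob cannot be silently
// swapped for another.
func Seal(key, plaintext []byte, label string) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Output layout: nonce || ciphertext || tag. The nonce is not secret but
	// must never repeat under one key; a random 96-bit nonce is fine for the
	// number of backups a site produces.
	return gcm.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// Open reverses Seal. Any change to the blob, the key or the label fails
// authentication and nothing is returned.
func Open(key, blob []byte, label string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(label))
}

// newKey stands in for the KMS call; it is here only so the example runs.
func newKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, k)
	return k, err
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	const label = "donors-backup.sql" // hypothetical file name bound into the ciphertext
	backup := []byte("-- constructed sample dump\nINSERT INTO donors VALUES ('Ada Example', '3000', 'yes');\n")

	blob, err := Seal(key, backup, label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("what a scanner would find on a stray web server: %x...\n", blob[:16])

	other, _ := newKey()
	if _, err := Open(other, blob, label); err != nil {
		fmt.Println("wrong key:", err)
	}
	blob[len(blob)-1] ^= 1
	if _, err := Open(key, blob, label); err != nil {
		fmt.Println("tampered blob:", err)
	}
}
```

The safeguard only holds if the key really is held elsewhere: a key file dropped in the same directory as the backup, or baked into the backup script that ends up on the same server, gives the scanner both halves.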

 

Response

Should there be a breach, an incident response plan that has been drafted and approved by senior management is an important tool. It encourages a coordinated response and provides a lens through which energies can be focused.  For organisations without dedicated computer security resources, an external computer emergency response team such as AusCERT, which was involved in the Red Cross breach, can provide expert advice and resources.

That such a preventable event could have afflicted both the Red Cross Blood Service and its donors is tragic, not just for the damage to goodwill but for the likely reduction in blood donations in the short to medium term.  The Red Cross Blood Service has responded in a transparent and honest manner.  It has not sought to shift blame, and says it will “take full responsibility for this mistake and apologise unreservedly” (Australian Red Cross Blood Service 2016).


Sources

ABC, 2016. Red Cross Blood Service data breach. Available at: http://www.abc.net.au/news/2016-10-28/red-cross-blood-service-admits-to-data-breach/7974036.

Australian Red Cross Blood Service, 2016. Blood Service apologises for donor data leak. donateblood.com.au. Available at: http://www.donateblood.com.au/media/news/blood-service-apologises-donor-data-leak.

Hunt, T., 2016. The Red Cross Blood Service: Australia’s largest ever leak of personal data. Available at: https://www.troyhunt.com/the-red-cross-blood-service-australias-largest-ever-leak-of-personal-data/.

Leoni AG Lost €40 Million ($45M) to Whaling Phishing Scam

Leoni AG is a 100-year-old company headquartered in Nuremberg, Germany. It is a global supplier of wiring systems and cable technology with 76,000 employees in 32 countries and a market capitalization of €1,015 million ($1,140 million), listed on the Frankfurt stock exchange.

Yet this behemoth fell prey to a fairly simple spoofed-email scam in August that cost it €40 million in cash ($45 million) and, unsurprisingly, resulted in a profit warning.

The company reported that fraudsters used fake emails and identities to target one individual, successfully inducing a transfer of funds from a company bank account to an account they controlled. They picked a factory in Romania, one of the company’s four in that country and the only one of them authorized to handle international money transfers. The spoofed emails purported to come from a senior director in Germany and were apparently accepted without question by the finance officer in Romania.

Whaling is the term used for phishing that targets, or impersonates, a senior individual in a corporation; when a spoofed executive instructs a finance officer to pay, it is also called CEO fraud or business email compromise (BEC). To succeed, the fraudsters carry out in-depth investigation of the company: its mode of operation, its style of communication, its security capabilities, and the target victim’s role, responsibilities, staff and so on. Whether or not insider assistance was involved is not known at this point, but the required information can be pieced together by clever and patient fraudsters who use social engineering to ferret out small elements of the overall picture, each of which may appear innocuous in isolation.

To achieve this level of sophistication, fraudsters often register domain names so close to the real company’s domain that a quick glance does not detect the difference: a transposed or doubled letter, “rn” in place of “m”, or the real name reused as a subdomain of a domain they control. An email from such a domain, formatted identically to genuine emails and written in the same style, can easily be accepted as the genuine article. Where nobody looks at the address at all, a display name alone (“Anna Director” on an unrelated mailbox) is enough.

The core of the problem is that the fatal email was accepted as genuine without question. The fraudsters invested time and expertise in investigating Leoni AG. Con artists have been honing their email phishing skills for well over 20 years, and many have perfected their technique to the extent that their fraudulent emails and other identification instruments are instantly accepted by victims. Fraud has always moved with the times, but the public has usually been slow to cotton on. These attacks have been on the increase, according to reports that followed a similar attack last year.

What precautions can we take to safeguard against this type of scam?

1. Watch out for email addresses on lookalike domains. For example, if the official domain were @leoniag.com, fraudsters might register a near-identical one such as @leoniaag.com to phish victims (both names here are illustrative). Check the whole domain after the @, not just the name before it, and remember that the display name can say anything.

2. If you receive an email requesting a financial transaction, pick up the phone and call the person, using a number from the company directory rather than one given in the email, since the fraudster controls everything in the email. Never enter sensitive information into pop-up browser windows.

3. Use an anti-phishing and anti-spam service. It is easier to get caught when you are focusing on mission-critical business operations and cannot spare a moment to double-check the authenticity of an email sender. Security solutions will make your life easier, but they are a filter, not a guarantee.

4. When you must click a link, hover the mouse over it and read the actual URL (shown at the bottom left of the window in Chrome). Make sure the links you need to access point at the domain you expect. HTTPS and a valid certificate only show that the connection to that site is encrypted; phishing sites use HTTPS too, so the padlock is no proof of who is behind the site. Don’t click shortened URLs.

5. Educate employees at all levels so that they are security aware and up to date with the latest phishing threats, prevention practices and solutions.

6. Treat attachments as untrusted. Confirm unexpected ones with the sender out of band before opening them, and never enable macros or “content” in a document just to read it.
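To make points 1 and 2 concrete, here is an added example (not code from the original article, and not anything Leoni AG uses) of the check a mail gateway or a finance team’s mailbox rule can run on an incoming payment request. It flags the indicators described above: a sender domain that folds to the corporate one once confusable characters (“rn” for “m”, “1” for “l”) are normalised, or that sits within two edits of it, or that reuses the real name as a subdomain; an executive’s display name on an external address; a Reply-To pointing somewhere other than the sender; and wire-transfer pressure wording. The corporate domain, executive list and the sample messages are constructed placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// Message holds the header fields a mail gateway or a mailbox rule can see.
// Every sample message in this file is constructed for the example.
type Message struct {
	FromName string // display name, which the sender chooses freely
	FromAddr string
	ReplyTo  string // empty when the header is absent
	Subject  string
	Body     string
}

// corpDomain and executives are placeholders; a real deployment reads them
// from the directory.
const corpDomain = "example.com"

var executives = map[string]bool{"anna director": true, "finance director": true}

func domainOf(addr string) string {
	at := strings.LastIndex(addr, "@")
	if at < 0 {
		return ""
	}
	return strings.ToLower(strings.TrimSpace(addr[at+1:]))
}

// fold collapses characters that look alike in common fonts, so that
// "exarnple.com" and "examp1e.com" both fold to "example.com". It is a
// heuristic (it also merges "mail" and "mall"), so it feeds a score rather
// than a hard block.
var folder = strings.NewReplacer("rn", "m", "vv", "w", "0", "o", "1", "l", "i", "l", "3", "e", "5", "s")

func fold(s string) string { return folder.Replace(strings.ToLower(s)) }

func min3(a, b, c int) int {
	if b < a {
		a = b
	}
	if c < a {
		a = c
	}
	return a
}

// levenshtein is the edit distance between two strings; one or two edits
// from the real domain is exactly what attackers aim for.
func levenshtein(a, b string) int {
	prev := make([]int, len(b)+1)
	cur := make([]int, len(b)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(a); i++ {
		cur[0] = i
		for j := 1; j <= len(b); j++ {
			cost := 1
			if a[i-1] == b[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(b)]
}

// Lookalike reports whether a domain is not the corporate one yet would
// pass a glance: a confusable spelling, a short edit distance, or the real
// name reused as a subdomain or label of somewhere else.
func Lookalike(domain string) bool {
	d := strings.ToLower(domain)
	if d == corpDomain {
		return false
	}
	brand := strings.SplitN(corpDomain, ".", 2)[0]
	return fold(d) == fold(corpDomain) ||
		levenshtein(d, corpDomain) <= 2 ||
		strings.HasPrefix(d, corpDomain+".") ||
		strings.Contains(d, brand)
}

// Score returns the indicators found in one message. A gateway would tag or
// quarantine above a threshold; a finance team should treat any hit on a
// payment request as "call first, on a number you already have".
func Score(m Message) []string {
	var hits []string
	from := domainOf(m.FromAddr)
	if Lookalike(from) {
		hits = append(hits, "sender domain "+from+" looks like "+corpDomain)
	}
	if executives[strings.ToLower(strings.TrimSpace(m.FromName))] && from != corpDomain {
		hits = append(hits, "executive display name on an external address")
	}
	if m.ReplyTo != "" && domainOf(m.ReplyTo) != from {
		hits = append(hits, "reply-to goes to a different domain than the sender")
	}
	text := strings.ToLower(m.Subject + " " + m.Body)
	for _, kw := range []string{"wire transfer", "new bank account", "do not discuss", "urgent", "confidential"} {
		if strings.Contains(text, kw) {
			hits = append(hits, "payment-pressure wording: "+kw)
			break // one hit is enough; do not inflate the score with synonyms
		}
	}
	return hits
}

func main() {
	spoof := Message{ // constructed whaling attempt
		FromName: "Anna Director",
		FromAddr: "anna.director@exarnple.com",
		ReplyTo:  "anna.director@secure-mail.example.net",
		Subject:  "Urgent wire transfer - confidential acquisition",
		Body:     "Please transfer EUR 4,000,000 today to the new bank account below. Do not discuss this with anyone.",
	}
	for _, h := range Score(spoof) {
		fmt.Println("-", h)
	}
}
```

None of these checks is proof of fraud on its own, and a well-made whaling email may trip only one of them; that is why the response to any hit on a payment instruction is the phone call from point 2, not a judgement about how genuine the email looks.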

It does appear unusual that an officer of a company would execute such a huge financial transaction on the basis of one email alone. One might expect some basic countermeasures, such as at least a phone conversation with the authorizing director, or a second authorization by a different person, as is standard when corporate checks are cut. Such common-sense precautions are easy to implement.

Phishing and social engineering are now so commonplace that security firms offer training courses for company staff, educating them on how to recognize the likely warning signs of a scam. Corporations have no excuse for not running at least an awareness program, but no doubt some will only realize that when it is too late.