Are you Compliant with the New York SHIELD Act?

The New York SHIELD Act has broadly expanded how “private information” is defined and how it must be handled by any business that maintains the customer data of any citizen of the state of New York. The “Stop Hacks and Improve Electronic Data Security” Act is an attempt to modernize the way that financial data is secured. It also expands the definition of a breach and changes the threshold at which a company is obligated to disclose the theft of data to the state and to citizens of New York.

While there are many federal and state laws across the country with varying standards, SHIELD overlaps with some of them but is written in such a way that it supersedes older laws and applies more broadly than existing New York law. It covers any business, of any size, in any state that collects Social Security numbers, W-2 forms or other relevant financial data of a New York citizen. The breach notification components came into effect on October 23, 2019; the security safeguard requirements of the SHIELD Act will be in effect on March 21, 2020.

The new law broadly expands on requirements and specifies many new steps that companies must go through in the reporting of a data breach, and offers plenty of suggestions to create reasonable safeguards against malicious attack.

Data Breach Notification

The SHIELD Act amends New York’s existing laws to broaden the obligations of all businesses to notify customers of a breach. The definition of “private information” now also includes e-mail addresses, biometrics, and security questions and answers used for password and identity authentication, in addition to the more typical categories of financial account numbers and personal contact data. SHIELD also expands the definition of a “data breach” from unauthorized acquisition to mere unauthorized access to private information: if any unauthorized person in the business environment could view a client’s protected information, the data should be considered compromised.

Another significant change is that rather than simply notifying customers of a breach, the offending business party must also provide relevant links, phone numbers or other contact information for the agencies most appropriate to compensate for the specific types of compromised data. In some circumstances, this could include mandatory credit monitoring, but it could go as far as reporting specific cases to state and federal agencies for recovery and compensation of the individual affected parties.

Another shift is that for health care organizations which are bound by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and are currently required to notify the Secretary of Health and Human Services of breaches under those regulations, the SHIELD Act adds the requirement to notify the state Attorney General within ten business days of notifying the Secretary.

In-state businesses that experience a breach must also notify the New York State Office of Information Technology Services, who will provide a report on the scope of the breach and recommendations to improve the security of the system to the offending New York based business.

With such a large step in reporting requirements, it is crucial to make sure your compliance with SHIELD is up to par. If you are unsure, GoVanguard offers compliance assessment consultation and reporting as a first step to limiting your company’s exposure.

Safeguards

The SHIELD Act requires businesses to first be compliant with all other existing regulations, such as HIPAA. Businesses must also implement administrative, technical and physical safeguards to minimize risk.

This includes the following:

  • SHIELD requires staff to be trained to be in compliance with the new law.
  • Businesses must also have sufficient software and hardware controls, and they must maintain malware detection and protection tools. We recommend regular pentesting intervals to confirm the effectiveness of these systems.
  • The law may also mean records must be stored in a locked and monitored room and disposed of in accordance with very tight procedures.

While the law gives no leniency on penalties for small businesses, it does give some slack on what counts as compliance: the required safeguards need only be “reasonable” and “appropriate” for the size of the business and the value of the data it holds.

Penalties

The SHIELD Act does not eliminate private rights to pursue restoration in court, but it does double the civil penalty from $10 to $20 per incident or $5,000, whichever is greater, for businesses that fail to sufficiently report a data breach. SHIELD also increases the statutory cap on the penalty from $150,000 to $250,000.

But even with the new and increased regulations and penalties, not everyone feels the Act goes far enough! Crain’s New York editorialist Fouad Khalil states:

“…the Shield Act, though a promising first step, is still very much a stopgap in the fight for complete consumer privacy. Organizations will still have more “control” over our private data because of a lack of enforcement.”

He goes on:

“At a time where consumer data protection is more important than ever, organizations trying to maintain sanity with all the laws and regulations must keep their privacy and security programs up to date. And government must be clear and forceful with the laws it is instituting. If both can play their part, this would be a victory for both consumers and businesses in New York.”

At GoVanguard, we recommend a systematic approach to information security. Carefully and simply implemented security protocols can minimize the risk of exposure to data breaches and the penalties that follow them. In order to comply with the SHIELD Act, compliance protocols must be in place. That is why we have a rigorous cybersecurity risk assessment and program implementation regimen in place!

Reach out to us today and see how easy it is to take control of your security and keep your brand’s reputation secure.

The Wawa credit card data breach is one of the worst retail failures of data security in recent history. 

Last week we reported on the consumer side of the Wawa credit card data breach that, as far as we can tell, affected every single swiped payment card between March and December 2019. In a nutshell, Wawa discovered a security breach on December 10th, 2019 involving all of their POS systems. Fast-forward to January 28th, 2020, and Wawa released a statement acknowledging that the recently stolen cardholder data was featured on “Joker’s Stash”, a sprawling virtual hub of stolen card data that has served as the distribution point for accounts compromised in many of the retail card breaches.

 This week, we will take a quick dive into some of the likely causes of the credit card data breach, baseline security controls that should have been in place, and some of the ways that GoVanguard recommends to help prevent security incidents like this from happening to your organization. 

Wawa Credit Card Data For Sale on “Joker's Stash”

So What Happened?

The root cause behind most data breaches perpetrated by external malicious actors (including this one) is typically poor implementation of administrative, technical and physical security controls. In the case of Wawa, malware was installed on multiple POS (point of sale) terminals – which is a common asset for malicious actors to target. 

The concerning part of the security incident, as told in Wawa’s own narrative, is that the malware was able to move laterally across multiple Wawa stores and all the way to the central POS payment processing servers. This means that Wawa likely had no or poor network segregation in place, which violates a core requirement of PCI-DSS, the standard that applies to all organizations that process cardholder data (credit card and debit card transactions). It seems that Wawa did not have basic security and network segregation mechanisms in place, such as robust access control lists (ACLs), since physical stores should never need to communicate directly with one another. Basic security controls like ACLs help prevent the lateral movement of malicious actors between information systems and contain an intruder to a specific location or system domain.

Furthermore, the fact that the security breach went undetected for over nine months suggests that Wawa did not have a NIDS (network intrusion detection system) in place, or that it was not being monitored by staff, which is another PCI-DSS requirement for an organization like Wawa.

Lastly, Wawa was unable to specify which stores were and were not affected by the security breach. Wawa’s inconclusive response suggests that they had very few logs to analyze to pinpoint the exact lateral movement path of the malicious actor behind the security breach. This means there was probably no centralized logging facility or SIEM (security information and event management) system in place, another PCI-DSS requirement for an organization like Wawa.
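To make the point about segregation and centralized logging concrete, here is an added example (our illustration, not Wawa’s or anyone’s production tooling) of the kind of check a SIEM rule or a small script can run over centrally collected flow records: it classifies each flow against a store/payment segmentation policy, lists the flows that violate it, and chains store-to-store violations into candidate lateral-movement paths. The addressing scheme (one /16 per store, payment servers in 10.250.0.0/24), the allowed port and the flow records are all constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Hypothetical addressing scheme, constructed for this example:
# each store owns 10.<store_id>.0.0/16 and the central payment
# processing servers sit in 10.250.0.0/24.
STORE_SUPERNET = ipaddress.ip_network("10.0.0.0/8")
PAYMENT_NET = ipaddress.ip_network("10.250.0.0/24")
ALLOWED_PAYMENT_PORTS = {443}   # stores may only reach payment servers over TLS

# Constructed flow records (src_ip, dst_ip, dst_port), as a firewall or
# NetFlow collector would export them into a central log store.
SAMPLE_FLOWS = [
    ("10.17.1.10", "10.250.0.5", 443),   # store 17 POS -> payment servers: expected
    ("10.17.1.10", "10.17.1.1", 53),     # intra-store DNS: expected
    ("10.17.1.10", "10.42.1.10", 445),   # store 17 -> store 42 over SMB: violation
    ("10.42.1.10", "10.250.0.5", 3389),  # store 42 -> payment servers over RDP: violation
    ("10.42.1.10", "10.88.1.10", 445),   # store 42 -> store 88 over SMB: violation
]


def zone_of(ip):
    """Map an address to a segmentation zone under the scheme above."""
    addr = ipaddress.ip_address(ip)
    if addr in PAYMENT_NET:          # check the more specific prefix first
        return "payment"
    if addr in STORE_SUPERNET:
        return f"store-{addr.packed[1]}"   # second octet is the store id
    return "other"


def check_flow(src, dst, port):
    """Return None if the flow is allowed by the segmentation policy, else a reason."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return None                      # traffic inside one zone is fine
    if s.startswith("store-") and d == "payment":
        if port in ALLOWED_PAYMENT_PORTS:
            return None
        return f"{s} -> payment on unexpected port {port}"
    if s.startswith("store-") and d.startswith("store-"):
        return f"store-to-store traffic {s} -> {d}"
    return f"unclassified flow {s} -> {d}"


def find_violations(flows):
    """List every flow that breaks the policy, together with its reason."""
    out = []
    for src, dst, port in flows:
        reason = check_flow(src, dst, port)
        if reason:
            out.append((src, dst, port, reason))
    return out


def pivot_chains(violations):
    """Chain store-to-store violations into candidate lateral-movement paths."""
    edges = defaultdict(list)
    targets = set()
    for src, dst, _port, reason in violations:
        if reason.startswith("store-to-store"):
            s, d = zone_of(src), zone_of(dst)
            edges[s].append(d)
            targets.add(d)
    chains = []

    def walk(node, path):
        nxt = edges.get(node, [])
        if not nxt:
            chains.append(path)
        for n in nxt:
            if n not in path:            # avoid looping on cycles
                walk(n, path + [n])

    for start in [n for n in edges if n not in targets]:
        walk(start, [start])
    return chains


if __name__ == "__main__":
    found = find_violations(SAMPLE_FLOWS)
    for v in found:
        print(*v)
    print("candidate pivot paths:", pivot_chains(found))
```

The script only works if the flow records from every store land in one place; with logs scattered per site, or not kept at all, neither the violations nor the store-17 to store-42 to store-88 path can be reconstructed, which is exactly the gap in Wawa’s response described above.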

Malicious Actor Attack Process

What Happens Next?  

The reputational and financial damage that this security breach will cause Wawa in the medium to long term is inestimable, but Classaction.org says that the retailer is “swamped” with litigation, noting at least 11 major federal lawsuits at the current moment.

On January 29, 2019, Inspire Federal Credit Union added themselves to the list of plaintiffs. An unnamed, but official spokesman for Inspire Federal Credit Union stated 

“Furthermore, time will tell whether plaintiff is subject to an imminent threat of future harm because Wawa’s response to the data breach is so inadequate that it is doubtful that it has cured the deficiencies in its data security measures sufficiently to prevent a subsequent data breach.” 

Concisely put, it is apparent that Wawa had an immature information security program with deficiencies across many security controls, including network segregation, malware detection, intrusion detection and centralized systems logging. All of these deficient security controls could have been enumerated and analyzed easily with a cybersecurity risk assessment, information security program gap assessment or network penetration test.

 

What Can My Company Do To Avoid a Similar Breach?

The Wawa security breach demonstrates the worst-case scenario for a retailer that depends on the trustworthiness of its brand, especially given the failure of so many basic security principles.

GoVanguard is a cybersecurity provider on the forefront of an ever-changing, complex security landscape. We provide both snapshot-based and continuous security testing services including risk assessments and web/network penetration tests. 

Reach out to us today and see how easy it is to take control of your security and keep your brand’s reputation secure.

Many retail data breaches leak partial customer data, partial credit card numbers or other bits of information that malicious actors can scrape and use as part of broader attacks. But the Wawa data breach is different. Every single customer that used their physical credit or debit card at a Wawa store since the spring of 2019 has had their card number stolen by malware on Wawa's point-of-sale servers, and the info is already for sale on the dark web!

GoVanguard Recommendations to Protect Yourself:

1. For those affected, we highly recommend replacing your credit or debit card. If you choose not to do so, we recommend watching your payment transaction statements closely.

2. Wawa is required to provide free Identity Protection Services to those who are affected. If you do not already have ID Theft and Credit Monitoring (like LifeLock), navigate to https://www.experianidworks.com/credit and sign up with the activation code 4H2H3T9H6.

3. We recommend consumers switch to making in-store purchases with a digital wallet or mobile payment app like Apple Pay, Google Pay or Samsung Pay. With these apps, the merchant does not receive the details of your credit card, debit card or checking account. They only receive a unique, one-time code for that specific purchase. Even if the merchant’s point-of-sale system is hacked, you will not have to worry about your card number being stolen.

4. For online retail purchases we recommend using Privacy.com (it’s free! They make money from interchange fees paid by merchants), which can generate merchant-specific card numbers and “burner” card numbers for online purchases so that you never have to use your real card number!

Next week, we will go over the details of the specific malware attack and how a systematic approach to monitoring and penetration testing would likely have mitigated the attack entirely. We will also discuss why a rigorous security protocol is crucial in all retail point-of-sale environments.

See you next week!

The US Department of Defense issued multiple warnings to all US military personnel this month, banning the viral Chinese social media app TikTok! Citing threats of data leakage, Chinese Communist Party censorship and the potential for exploits, the DoD has demanded that the application be removed immediately from all government-issued smartphones, and that personnel monitor their personal phones and their family members' devices for unusual and unsolicited texts, calls, direct messages and emails. Air Force Lt. Col. Uriah Orland stated, “Any such messages should be deleted immediately.”

 

 So why the sudden uproar?  

 

If you have tweens, teens or young adults in your household, you probably have the alleged Chinese surveillance app sitting within your walls and connecting to your Wi-Fi! TikTok is the 3rd most downloaded app of 2019, and it is chugging away at dethroning the social media titans of yesteryear even while the US “Committee on Foreign Investment” investigates censorship of TikTok’ed content critical of China’s Communist Party. But even as President Trump bans tech from Huawei and other Chinese firms from entering the US, jubilation abounds as American kids share videos – primarily lip-syncing pop music hits or creating short sketch comedy – over the Chinese powerhouse of social media! 

  

But this is not a scathing political piece of propaganda in the campaign to ensure that Americans suddenly resume “buying American.” Nor is it an analysis of the DoD’s reactions to the threat. Rather, this is a warning about a new and clever chain of exploits centered around TikTok which targets a host of private user data! The initial exploit is devious because of its near-perfect use of social engineering to trick a user into authenticating their app from a spoofed SMS. From there, the list of compromised data is long and insidious:

   

With the use of open redirection and cross-site scripting (XSS), a malicious actor can:

  • Delete any video from a victim’s TikTok profile.
  • Upload unauthorized videos to the victim’s TikTok profile.
  • Make the victim’s private, “hidden” videos public.
  • Reveal personal information, such as private addresses and emails.
The attack uses an insecure SMS system that TikTok offers through its website which asks users to send a message with the official link to download the popular app. An attacker can then send an SMS message to the victim’s phone number with the appearance of being sent on behalf of TikTok. The download URL will have been modified to direct to a malicious page that executes code on the targeted device with the already installed TikTok app.   

  

When this attack was unknown and unpatched in the wild, the exploit would execute JavaScript code as soon as the victim clicked the link sent by the TikTok server over SMS. This attack is called a “cross-site request forgery attack,” which aims to trick authenticated users into executing an unwanted action.
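The first link in the chain above is an open redirect: a download URL that the server forwards to without checking where it points. As an added illustration from the defender’s side (our example, not TikTok’s or ByteDance’s code), the following Python contrasts a redirect handler that trusts the caller-supplied target with one that only forwards to an allowlisted host over https. The host names, ORIGIN, DEFAULT_TARGET and the function names are assumptions made for the example.

```python
from urllib.parse import urlsplit, urljoin

# Assumed values for the example: the hosts the app's own links may point to,
# and the page users land on when a supplied target is rejected.
ALLOWED_HOSTS = {"www.example-app.com", "m.example-app.com"}
ORIGIN = "https://www.example-app.com/"
DEFAULT_TARGET = ORIGIN + "download"


def vulnerable_redirect(next_url):
    """Open redirect: whatever the request supplies becomes the Location header."""
    return next_url or DEFAULT_TARGET


def safe_redirect(next_url):
    """Only forward to an allowlisted host over https; otherwise fall back."""
    if not next_url:
        return DEFAULT_TARGET
    # Several browsers treat backslashes as slashes, so normalise them before parsing.
    candidate = next_url.replace("\\", "/").strip()
    parts = urlsplit(candidate)
    scheme = parts.scheme.lower()
    if scheme and scheme != "https":
        return DEFAULT_TARGET            # javascript:, data:, plain http, ...
    if parts.netloc:
        # Absolute or protocol-relative URL: host must match exactly and carry
        # no userinfo, which blocks "https://trusted@evil/" style tricks.
        if scheme != "https" or parts.username or parts.password:
            return DEFAULT_TARGET
        if parts.hostname not in ALLOWED_HOSTS:
            return DEFAULT_TARGET
        return candidate
    # Path-only value: resolve it against our own origin and re-check the host,
    # which also neutralises inputs such as "https:/evil" that parse with no netloc.
    resolved = urljoin(ORIGIN, candidate)
    if urlsplit(resolved).hostname not in ALLOWED_HOSTS:
        return DEFAULT_TARGET
    return resolved


if __name__ == "__main__":
    for value in ("/download?ref=sms", "https://m.example-app.com/install",
                  "//evil.example/x", "https://www.example-app.com@evil.example/",
                  "javascript:alert(1)"):
        print(f"{value!r:50} -> {safe_redirect(value)}")
```

The hardened version compares the parsed hostname against an exact allowlist rather than checking whether the string starts with or contains the trusted domain, since prefix matches are exactly what lookalike hosts and userinfo tricks exploit.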

   

GoVanguard CTO Shane Scott commented, “The beauty of the attack is that the authentication wasn’t unsolicited. The user requested the text message, and they followed directions correctly to authenticate the app. Why would they ever assume they had been attacked? This would even trick a lot of seen savvy people until they had a reason to assume there was something wrong.”

   

In November 2019, this massive chain of vulnerabilities was responsibly disclosed to ByteDance, the company who maintains and distributes TikTok, who then released a patched version of its mobile app to protect its users from this string of attacks. If you are not running the latest version of TikTok available on official app stores for Android and iOS, we advise that you update your app as soon as possible.  

  

Or, if you are a 33-year-old professional, like myself, you can follow my lead and delete TikTok altogether.  

  

I didn’t “get it” anyways! 

What does an IT manager want for the holidays? Other than a stable internet connection, and some time off, the people responsible for network performance and security know that they need to be on alert for an uptick of attacks occurring over the holidays.  

Why is that?  

Large scale malicious attacks are often executed over the holidays because IT departments are understaffed in the days and weeks that surround the Christmas and New Year celebrations in most of the western hemisphere. It's important to remember, however, that the work of moving maliciously into a protected network had likely occurred long before the major damage was executed. To set up a multi-pronged and sustained take-over of critical systems and valuable data, a malicious actor may plan for months or years doing research, engaging in social engineering, spear phishing, inserting malware, and other maneuvering as a prelude to a critical data theft or sabotage over the holidays.  

The nature of the target will largely dictate the nature and ferocity of the attack, but something that large custodians of data need to start focusing on is the simple, preventative maintenance of human and technological practices during the early part of December.

Here are five things to consider implementing in your organization before the holidays:  

 

1: AUDIT – Start by taking an inventory of existing systems and permissions, because no problem can be solved if the scope can’t be assessed. Internal company hardware like servers and desktop systems are easy, but it’s important to know what laptops, mobile devices and removable storage devices make their way through the front line of your secure environment regularly. Also, make sure nothing is running in default or debug modes, and double check that permissions, policy and session management protocols are all compliant with network specifications. 

2: UPDATE – If your organization is running a version of an application or operating system with a known exploit and an attacker discovers this, the attacker will start by leveraging known exploits. Take the time to go through each device and update all software to the most up-to-date, secure versions. This can also be a good time to standardize software and plugins across devices. 

3: CHANGE PASSWORDS – If your network is managed by one person or a small team, something as simple as all root access admins changing passwords at the beginning of December can mitigate the risk of a whole host of attacks that had been prepared for months by malicious actors.  

4: CREATE AN INCIDENT RESPONSE HIERARCHY – If there is a DDoS, ransomware attack, IoT takeover or some other attack over the holidays, make sure that every critical member of the mitigation team knows who needs to take the lead in solving problems in a crisis over the holidays, if that process is different than the rest of the year. Time is critical in these circumstances, so knowing exactly the nature of the chain of command is a critical step. It is also wise to go over incident reporting policies with the non-IT staff at your company so that other coworkers are reminded how incidents are to be reported.  

5: DO NOT OVERCOMPLICATE THINGS – The holidays are a good time to audit, update and make some simple changes. They are NOT a time when policies or architecture should be completely reconfigured. If this list makes you nervous, it might be time to rethink your security practices and start to implement a more systematic approach to securing your company’s assets, but the holidays may not be the right time for an overhaul.

 

It’s important to remember that no system is perfect, and the weakest link is probably just a random person in the office accidentally creating exploit opportunities for malicious actors. Therefore, the best outcomes come from the best practices and simple systems. The above is a good place to start, but please let us know what you would do differently. We want to hear from you.  

Enjoy the holidays! 

On launch day for Disney Plus, the dark web lit up with the new Disney accounts for sale. From $3.00 – $11.00, hacked logins were offered (above the price directly from Disney, by the way) for sale in exchange for Bitcoin and Monero! The rollout itself was extremely bumpy without the leaks, but the Disney Plus launch was plagued by reports from media elites and the growing “Fandom Menace” unable to stay logged into their accounts. Disney customer support lines were jammed with reports of very strange activity on the platform. 

People began reporting that their logins were being changed, and even after account recoveries had taken place, that credentials became compromised again. Some users in the information security community even confirmed that accounts remained logged in even after their account's credentials had been changed. 

 

So, what happened? 

“We have found no evidence of a security breach,” a Disney rep said in a statement to Variety. “We continuously audit our security systems and when we find an attempted suspicious login we proactively lock the associated user account and direct the user to select a new password.” 

Well, the data obviously leaked somehow! Most likely, Disney handled their own cybersecurity in a professional manner given their experience in keeping important information (like the Rise of Skywalker Script) secure, so the user data leak will probably be found out as the product of bad user practices. 

Most notably, these sorts of things happen when users re-use passwords across multiple platforms. The LinkedIn hack, for example, exposed 117 million usernames and passwords that were sold on the dark web, yet many users still have no idea. If those users have not taken the steps necessary to secure themselves, their Disney Plus accounts may have been compromised five years before Disney even had the idea to make a streaming service in the first place. To add to the frustration, Disney uses SSO (Single Sign-On) across all their platforms for customer convenience. So, if you were a victim of the Disney+ credential leak, you might want to double-check your FastPass reservations on your upcoming Disney trip.

This sort of attack is called “credential stuffing” which is low-hanging fruit for common malicious actors to exploit. This is the most likely culprit in the Disney Plus “hack,” since it is one of the easiest attacks to perform. But it’s also very simple to protect against because the way to make sure these sorts of exploits never get you in trouble is NEVER EVER RE-USE PASSWORDS. Instead, utilize tools like 1Password or LastPass and mitigate this threat almost entirely. 
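Credential stuffing has a recognisable shape from the service’s side: one source replays leaked username/password pairs against many different accounts in a short time, most attempts fail, and the few successes are the accounts whose owners reused a leaked password. As an added example (ours, not Disney’s or any vendor’s detection logic), the Python below runs a sliding-window check over constructed login events and flags sources that touch many accounts with a high failure rate, listing the successful logins that should be forced through a password reset. The event format, thresholds and IP addresses are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events (timestamp, source IP, account, outcome);
# not real Disney+ data. 203.0.113.7 sprays many accounts within seconds,
# while 198.51.100.20 is one user mistyping their own password.
SAMPLE_EVENTS = [
    ("2019-11-12T10:00:01", "203.0.113.7", "alice", "fail"),
    ("2019-11-12T10:00:02", "203.0.113.7", "bob", "fail"),
    ("2019-11-12T10:00:02", "203.0.113.7", "carol", "success"),
    ("2019-11-12T10:00:03", "203.0.113.7", "dave", "fail"),
    ("2019-11-12T10:00:04", "203.0.113.7", "erin", "fail"),
    ("2019-11-12T10:00:05", "203.0.113.7", "frank", "success"),
    ("2019-11-12T10:00:06", "203.0.113.7", "grace", "fail"),
    ("2019-11-12T10:00:30", "198.51.100.20", "heidi", "fail"),
    ("2019-11-12T10:00:35", "198.51.100.20", "heidi", "fail"),
    ("2019-11-12T10:00:40", "198.51.100.20", "heidi", "success"),
    ("2019-11-12T11:30:00", "203.0.113.7", "ivan", "fail"),
]


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_accounts=5, min_failure_rate=0.5):
    """Flag source IPs that attempt many distinct accounts inside one time window.

    Returns {ip: {"accounts": n, "failures": f, "successful_logins": [...]}} for
    each flagged source, keeping the widest window seen for that source.
    """
    by_ip = defaultdict(list)
    for ts, ip, account, outcome in sorted(events):
        by_ip[ip].append((datetime.fromisoformat(ts), account, outcome))

    alerts = {}
    for ip, rows in by_ip.items():
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:   # slide the window forward
                start += 1
            span = rows[start:end + 1]
            accounts = {acct for _, acct, _ in span}
            failures = sum(1 for _, _, out in span if out == "fail")
            if len(accounts) < min_accounts or failures / len(span) < min_failure_rate:
                continue
            if ip not in alerts or len(accounts) > alerts[ip]["accounts"]:
                alerts[ip] = {
                    "accounts": len(accounts),
                    "failures": failures,
                    # accounts whose reused password matched: force a reset on these
                    "successful_logins": sorted(
                        acct for _, acct, out in span if out == "success"),
                }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_EVENTS).items():
        print(ip, info)
```

The single user who fails twice and then succeeds is not flagged, because the rule keys on the number of distinct accounts per source rather than on failures alone; that is what separates stuffing from an ordinary forgotten password. A real deployment would also key on device fingerprint or ASN, since stuffing tools spread attempts across many IPs, but the per-source window above is the core of the check.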

We hope that this incident inspires Disney to implement MFA (Multi-Factor Authentication) across all their services to help their users better secure their accounts, something their main competitor, Netflix, has yet to do. To the poor Disney fans that had their accounts stolen, sold and used, here's an important quote from Walt Disney himself: “You may not realize it when it happens, but a kick in the teeth may be the best thing in the world for you.”

Now, go update your passwords! 

Extra Credit: Check if your credentials have shown up in any recent data leaks: https://haveibeenpwned.com/

 

This could be the most impactful national cybersecurity and data privacy legislation of the last couple of years. Senator Ron Wyden of Oregon introduced the bill, the “Mind Your Own Business” Act. It has three core parts, each addressing a different need for both the US public and the cybersecurity industry.

 

1: It allows consumers to opt out of data collection and sale with one click.

2: It forces corporations to be transparent about their consumer data collection, usage and sale.

3: It imposes harsh fines on corporations and prison sentences on executives that misuse, or lie about how they use, consumer data.

 

A lack of corporate transparency plays a huge part in all of this; it is often prohibitively difficult to understand what's happening with your data, even if that information is available at all.

 

With the power of consumer privacy rights exemplified in Europe by GDPR, individual states in the US have started to follow suit. First was California, a national leader in the technology space, which took the lead on the issue with the California Consumer Privacy Act (CCPA), which goes into effect on January 1st, 2020. Nevada followed shortly with SB 220, which actually beat California to enactment, as SB 220 went into effect on October 1st, 2019. Many other states are in the process of passing legislation controlling the usage of their citizens’ data, making for potentially tumultuous compliance and regulatory conditions for businesses that operate in multiple states. This national bill could become the standard for all US states, simplifying privacy law for businesses and, more importantly, giving US citizens nationwide the ability to regain control of their data, something they have never had the option to do.

 

The last part of the bill is equally crucial, enforcing accountability in corporations and executives that abuse consumer information. HIPAA does this already for companies and C-levels in healthcare, or any that collect or use Protected Health Information (PHI) or Electronic Protected Health Information (ePHI). At GoVanguard, when we explain the accountability portion of HIPAA to healthcare executives, they are often surprised at the consequences of mismanaged PHI/ePHI on both a corporate and a personal level. Executives place a higher priority on implementing best security practices and protecting PHI/ePHI when there are personal consequences. Similarly, when companies face impactful fines for mismanagement of their clients' information, they prioritize security.

This bill is a promising start to turning around the abuse of what should be private data as well as avoiding the regulatory minefield of differing individual state privacy laws.

 

https://www.vice.com/en_us/article/vb5qd9/new-bill-promises-an-end-to-our-privacy-nightmare-jail-time-to-ceos-who-lie